McAfee Encrypted USB 1.2 User Guide

COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions
Refer to the product Release Notes.

Contents

Introducing Encrypted USB
  How Encrypted USB works?
  Encrypted USB features
  System requirements
  Supported McAfee devices
  About this guide
    Target audience
Encrypted USB Administration
  Installing the Encrypted USB software using ePolicy Orchestrator
    Checking in portable content packages in ePolicy Orchestrator
    Installing Encrypted USB 1.2 extension
    Configuring Server Settings
    Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes
    Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes
  Administering McAfee Encrypted USB - powered by SanDisk
    Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator
    Recycling a device
    Revoking a device
  Administering other supported Encrypted USB devices
    Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator
    Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1
    Upgrading Encrypted USB client with anti-virus portable content packages
    Revoking a device
    Recycling a device
    Recovering data from the device
  Assigning multiple policies to a managed node
  Reporting
Using the Encrypted USB device
  Lifecycle of the device
    Setting up the Encrypted USB - powered by SanDisk device
    Setting up other supported Encrypted USB device
  Using the Encrypted USB - powered by SanDisk Portable Client
    Logging on to the device
    Disconnecting the device
    Managing McAfee anti-virus scanner
    McAfee Encrypted USB settings
    Formatting McAfee Encrypted USB
    Restoring data
    Rescuing the device through Help Desk
  Using other supported Encrypted USB Portable Client
    LED states
    Security options in the device
    Logging on to the device
    Disconnecting the device
    Viewing hardware and software information
    Managing authentication methods
    Managing backup
    Managing the Antivirus Scanner
    Self rescuing the device
    Rescuing the device through Help Desk
  Troubleshooting
Appendix A — Restricting the device use
  Restricting the device use to home network
  Restricting the device use to specified network(s)
Appendix B — Device management states

Introducing Encrypted USB

Encrypted Universal Serial Bus (USB) devices use the Universal Serial Bus standard to interface to a host computer using a standardized USB interface socket.
McAfee Encrypted USB version 1.2 is a scalable software solution for managing large and small deployments of McAfee's USB storage devices. McAfee Encrypted USB 1.2 supports Encrypted USB devices powered by SanDisk along with Encrypted USB 1.1 and 1.0 devices. An Encrypted USB administrator can select the device type to manage in the network before deploying it on the managed systems.

McAfee Encrypted USB 1.2 includes a management console, a client component, an anti-virus scanner, and an administration utility (optional). It controls the USB device lifecycle including initialization, personalization, usage, rescue, recovery, and recycling.

Contents
  How Encrypted USB works?
  Encrypted USB features
  System requirements
  Supported McAfee devices
  About this guide

How Encrypted USB works?

McAfee Encrypted USB 1.2 offers data protection in the form of powerful encryption technology combined with strong authentication controls, so that only authorized users can access information.

It helps you maintain a virus-free environment by scanning, on startup, the private partition of the USB device and the system folders and processes running on the client system. Each time a file is copied to the device, it scans the file, comparing it with a list of known viruses, and intercepts/cleans the infected file. It updates the virus definition from a configurable signature update site every time the user logs on to the device.

NOTE: The Encrypted USB Antivirus feature only scans the system folders and the processes running on the client system. It does not completely protect the client system from malware.

McAfee Encrypted USB 1.2 integrates with McAfee ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5.

NOTE: McAfee Encrypted USB 1.2 does not support downgrade to Encrypted USB version 1.0.

Protecting the device from malware
McAfee Encrypted USB 1.2 includes an anti-virus scanner that prevents malware from being copied to the device. McAfee Encrypted USB Antivirus Scanner constantly monitors file transfers to the device, automatically detecting and cleaning/deleting any malware. It also supports an on-demand scan that enables the device user to initiate a scan when required. Refer to the Managing the Antivirus Scanner section for more details.

Restricting devices to trusted network for some users
McAfee Encrypted USB 1.2 allows you to restrict the use of the device to trusted networks. You can create and configure different Foreign Device policies for each group of managed systems, restricting them to a specified network.

NOTE: This feature is not available for all device types. Refer to the Appendix A — Restricting device use section for more details.

Revoking a device in emergency
Revoking a device blocks the usage of a device. McAfee Encrypted USB 1.2 allows the administrator to revoke the device when it is lost, when the password is disclosed, or during an audit. Encrypted USB administrators can revoke, or revoke and wipe, the device as required from ePolicy Orchestrator. The device can be reused after reinstating. Refer to the Revoking a device section for more details.

Encrypted USB features

• Centralized management — Provides support for deploying and managing McAfee Encrypted USB devices using ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5.
• Data protection with powerful encryption — Offers data protection through powerful encryption technology along with strong access controls, so that only authenticated users can access data stored on the USB device.
• Two-factor authentication — Allows you to use one of these authentication modes to unlock the USB device:
    • Password and/or biometric
    • Common Access Card (CAC) or Personal Identity Verification (PIV) card with security PIN and/or biometric
  NOTE: The authentication modes available depend on the device type.
• Protection from malware — Offers protection from malware by scanning files copied to the device, detecting threats and taking action as required.
• Device type selection — Provides an option for selecting the device type to be managed in the network before deploying the Encrypted USB client on the managed systems.

System requirements

Operating systems:
• Microsoft Windows XP Professional SP2 and SP3
• Windows Vista Business SP1 or later and Enterprise SP1 or later
• Windows XP Home SP3
• Windows Vista Ultimate

McAfee Encrypted USB 1.2 prerequisites:
• Microsoft .NET Framework 2.0
• Windows Installer 3.1
• McAfee Agent 3.6 (patch 3) or above

Supported McAfee devices

Device: McAfee Encrypted USB powered by SanDisk
Description:
• Supports password authentication mode.
• Can have private and read-only disk partitions.

Device: McAfee Encrypted USB Standard version 2
Description:
• Supports password and CAC/PIV card authentication mode.
• Can have private and read-only disk partitions.

Device: McAfee Zero Footprint Biometric Encrypted USB
Description:
• Supports biometric and/or password authentication mode.
• Supports biometric and/or CAC/PIV card authentication mode.
• Can have public, private, and read-only disk partitions.

Device: McAfee Zero Footprint Non-Biometric Encrypted USB
Description:
• Supports password and CAC/PIV card authentication mode.
• Can have public, private, and read-only disk partitions.

Device: McAfee Encrypted USB Hard Disk
Description:
• Supports biometric and/or password authentication mode.
• Supports biometric and/or CAC/PIV card authentication mode.
• Can have public, private, and read-only disk partitions. Available in various hard drive sizes.

Device: McAfee Encrypted USB Standard Driverless
Description:
• Supports password and CAC/PIV card authentication mode.
• Can have private and read-only disk partitions.

About this guide

This guide provides detailed instructions for installing and managing Encrypted USB 1.2 using ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5.

Target audience
This guide is intended for McAfee Encrypted USB device users and administrators.

Encrypted USB Administration

This chapter provides information on:
  Installing the Encrypted USB software using ePolicy Orchestrator
  Administering McAfee Encrypted USB - powered by SanDisk
  Administering other supported Encrypted USB devices
  Assigning multiple policies to a managed node
  Reporting

Installing the Encrypted USB software using ePolicy Orchestrator

ePolicy Orchestrator provides a scalable platform for centralized policy management and enforcement on your security products and the systems on which they reside. It also allows you to deploy and manage Encrypted USB storage devices.

NOTE: The instructions refer to ePolicy Orchestrator 4.0 by default. To use this chapter effectively, you must be familiar with using ePolicy Orchestrator version 4.0 and 4.5.

Tasks
  Checking in portable content packages in ePolicy Orchestrator
  Configuring Server Settings
  Installing Encrypted USB 1.2 extension
  Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes
  Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes

Checking in portable content packages in ePolicy Orchestrator

Use this task to check in the Encrypted USB 1.2 portable content package to the master repository.

Before you begin
Copy the DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip archives to a temporary folder of your ePolicy Orchestrator computer.

Task
For option definitions, click ? in the interface.
1. Log on to the ePolicy Orchestrator server as an administrator.
2. Click Software | Master Repository | Check In Package. The Check In Package wizard appears.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Software | Master Repository, then click Actions | Check In Package.
3. In the Package page, select the Package type as Product or Update (.ZIP) and browse in File path to locate DPEUPM501100.zip.
4. Click Next. The Package Options page appears with the package information.
5. Select Branch as Current, then click Save.
   NOTE: Check in DPEUPS221100.zip and DPEUPM211100.zip by repeating the same steps. However, in step 3, browse for DPEUPS221100.zip or DPEUPM211100.zip as required.

Installing Encrypted USB 1.2 extension

You can install the Encrypted USB extension on the ePolicy Orchestrator 4.0 (patch 5 minimum) server using the Configuration tab.

Task
For option definitions, click ? in the interface.

1. Copy the EUC120LEN_IPEX.ZIP file to a temporary folder of your ePolicy Orchestrator computer.
2. Log on to the ePolicy Orchestrator server as an administrator.
3. Click Configuration | Extensions | Install Extension. The Install Extension dialog box appears.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Software | Extensions | Install Extension.
4. Click Browse to select the extension file EUC120LEN_IPEX.ZIP. Click Open, then click OK. The Install Extension page appears with the extension name and version details.
5. Click OK.

Configuring Server Settings

Various settings control how the ePolicy Orchestrator server behaves. You can change most settings at any time. However, only global administrators can access the server settings.

Use this task to configure Server Settings for McAfee Encrypted USB.

Task
For option definitions, click ? in the interface.

1. Log on to ePolicy Orchestrator as an administrator.
2. Click Configuration | Server Settings, then select Encrypted USB Settings. The Server Settings for Encrypted USB are displayed in the right pane of the page.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Configuration | Server Settings.
3. Click Edit. The Edit Encrypted USB Settings page appears.
4. Select the device types you want to manage, then click Save.

Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes

Use this task to deploy Encrypted USB Client on managed nodes.

NOTE: The Encrypted USB Administrator package should be installed only on client computers that are used for administrator tasks and that offer physical access to the USB ports, because the administrator tasks often require the device to be physically present.

Task
For option definitions, click ? in the interface.

1. Log on to the ePolicy Orchestrator server as an administrator.
2. Click Systems | Client Tasks. Select the required system(s) on which you want to install Encrypted USB.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree | Client Tasks.
3. Click New Task. The Client Task Builder page appears.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Task.
4. In Description, type a Name for the task, Notes (optional), select the Type as Product Deployment (McAfee Agent), then click Next.
5. In Configuration, select Windows as Target Platforms, Encrypted USB Client 1.2.0 as Products and components, Install as Action. Select the appropriate Language, then click Next.
6. Schedule the task to run immediately or as required, then click Next to view a summary of the task.
7. Click Save.
8. Send an agent wake-up call.
   NOTE: To deploy Encrypted USB Administrator 1.2, repeat the same steps; however, in step 5, select Encrypted USB Administrator 1.2.0 as Products and components.

Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes

Use this task to uninstall Encrypted USB Client and Encrypted USB Administrator from managed nodes.

Task
For option definitions, click ? in the interface.

1. Log on to the ePolicy Orchestrator server as an administrator.
2. Click Systems | Client Tasks. Select the required system(s) from which you want to uninstall Encrypted USB Client.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree | Client Tasks.
3. Click New Task. The Client Task Builder page appears.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Task.
4. In Description, type a Name for the task, Notes (optional), select the Type as Product Deployment (McAfee Agent), then click Next.
5. In Configuration, select Windows as Target Platforms, Encrypted USB Client 1.2.0 as Products and components, Remove as Action. Select the appropriate Language, then click Next.
6. Schedule the task to run immediately or as required, then click Next to view a summary of the task.
7. Click Save.
8. Send an agent wake-up call.
   NOTE: To uninstall Encrypted USB Administrator 1.2, repeat the same steps; however, in step 5, select Encrypted USB Administrator 1.2.0 as Products and components.

Administering McAfee Encrypted USB - powered by SanDisk

Use these tasks to administer McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator.
  Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator
  Revoking a device

Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator

The ePolicy Orchestrator console allows the administrator to configure policies for the Encrypted USB devices from a central location. These policies vary based on the type of the device being used.
Encrypted USB supports five policy categories:
  Device Initialization Policy
  Device Authentication policy
  Device Backup Policy
  Device Revocation List
  Foreign Device Policy

Device Initialization Policy

Device Initialization Policy enables you to specify a public partition on the device, its size (in MB), read-only partition size (in MB), and a device management code.

NOTE: The Device Initialization Policy for McAfee Encrypted USB - powered by SanDisk is set by default and cannot be modified. The default size of read-only partition is set to 38.1 MB. A device is initialized when it is updated.

Device Authentication policy

Device Authentication Policy allows you to set the password policy for accessing the private partition of the USB device.

NOTE: Both initialization and authentication policies must be set for a device to be initialized.

Task
For option definitions, click ? in the interface.

1. Log on to the ePolicy Orchestrator server as an administrator.
2. Click Systems | Policy Catalog. The Policy Catalog page appears.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3. Select Product as Encrypted USB Client 1.2.0 and Category as Device Authentication Policy.
4. Click New Policy. In Create a new policy dialog box, select the device from the drop-down, type a name for the policy, then click OK. The following screen appears.
   NOTE: This screen varies depending on the Server Settings configured.
5. Select the device type as McAfee Encrypted USB - Powered by SanDisk.
6. By default, authentication mode is set as Password only. This enables you to authenticate to a device using a password only.
7. In Password Policy, set the following parameters:

   Parameter / Description
   • Password Retry Limit: Type the maximum number of times you can try authenticating the device using a wrong password, after which the device will be blocked. Select Infinite a maximum number of 10 password retries. This parameter is set to 10 by default.
   • Minimum Password Length: Type the minimum number of characters the password must have (between 4 and 16 characters).
   • Maximum Lifetime (Days): Type the maximum number of days to define the validity of a password. Select Infinite for the password to remain valid for 65535 days. This parameter is set to 65535 by default.
     NOTE: Regular password updates decrease the risk of the correct password being stolen or guessed.

8. Recovery Policy is set to Help Desk / Challenge Response by default. Help desk operators can assist the device user by securely resetting the authentication mechanism of their device. This can be done over the phone or through email, and does not require access to the device or even network connectivity.
9. Click Save.
10. Send an agent wakeup call.

Device Backup Policy

Device Backup Policy allows you to create automatic backups of the device content on the client computer or shared location. Automatic backups are created only if the device is unlocked and if the user logged on is the device owner. The backup feature provides protection against data loss.

Task
For option definitions, click ? in the interface.

1. Log on to the ePolicy Orchestrator server as an administrator.
2. Click Systems | Policy Catalog. The Policy Catalog page appears.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3. Select Product as Encrypted USB Client 1.2.0 and Category as Device Backup Policy.
4. Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.
   NOTE:
   • If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
   • The McAfee Default policy is read-only and cannot be edited, renamed, or deleted.
5. Type a new policy name, then click OK. The following page appears.
   NOTE: This screen varies depending on the Server Settings configured.
6. Select one of the following Backup Type options:
   • None if you do not want to create a backup of the device content on your client computer.
   • Always on if you want the software to create a backup on your client computer automatically on authenticating the device.
   NOTE: Automatic backup is supported only on the system on which the device was initialized and personalized.
7. In Backup Path, specify the path of your client computer where you want the backup file to be stored, then click Save.
8. Send an agent wakeup call.

Device Revocation List

Device revocation allows an administrator to block the usage of a device in case of a security emergency. Later, the device can be reinstated, if required.

NOTE: A device can be revoked only when the device is inserted in a managed node.

Device Revocation List allows you to revoke devices from the ePolicy Orchestrator server based on the device serial number. It applies to groups or a single computer in ePolicy Orchestrator. A device revoked event is sent if a device is revoked successfully.

1. Log on to the ePolicy Orchestrator server as an administrator.
2. Click Systems | Policy Catalog. The Policy Catalog page appears.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3. Select Product as Encrypted USB Client 1.2.0 and Category as Device Revocation List.
4. Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5. Type a new policy name, then click OK. The Device Revocation List page appears.
6. Click Revoke new Device, select the serial number of the device(s) to be revoked, then click OK.
7. Send an agent wakeup call.
   NOTE: To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices to be reinstated, click Reinstate, then click OK.

Foreign Device Policy

An unmanaged USB device or a USB device managed by a different ePolicy Orchestrator server is referred to as a foreign device. Foreign Device Policy allows you to grant and restrict access to foreign devices.

1. Log on to the ePolicy Orchestrator server as an administrator.
2. Click Systems | Policy Catalog. The Policy Catalog page appears.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3. Select Product as Encrypted USB Client 1.2.0 and Category as Foreign Device Policy.
4. Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.
   NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5. Type a new policy name, then click OK.
   NOTE: This screen varies depending on the Server Settings configured.
6. Select whether to allow or block managed foreign devices, then click Save.
7. Send an agent wakeup call.

Recycling a device

Recycling formats a device and returns it to a default state by deleting the user accounts and all user data on that device. To reuse the recycled device, the administrator must re-personalize it.

Before you begin
Download the Device Recycle Utility along with the product from the McAfee download site.

Task
1. Run recycle.exe.
   The Device Recycling Utility window appears.
2. Click Recycle. A warning pop-up appears asking you to confirm device recycle.
3. Click Yes. The Admin Authentication window appears.
4. Type the IP address or name of the ePolicy Orchestrator server by which the device is managed, the user name, and the password, then click Login. After the device is recycled, a recycle successful pop-up appears.
5. Re-insert the device and personalize it to use the device.

Revoking a device

To revoke a device, click Systems | Encrypted USB Devices, select the devices to be revoked, then click Revoke | OK.

NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• The device cannot be used until it is reinstated.

To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices to be reinstated, click Reinstate, then click OK. Once the device is reinstated, it can be used normally.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.

Administering other supported Encrypted USB devices

Use these tasks to administer McAfee Encrypted USB devices using ePolicy Orchestrator.
  Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator
  Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1
  Upgrading Encrypted USB client with anti-virus portable content packages
  Revoking a device
  Recycling a device
  Recovering data from the device

Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator

The ePolicy Orchestrator console allows the administrator to configure policies for the Encrypted USB devices from a central location. These policies vary based on the type of the device being used.
Encrypted USB has six policy categories:
• Device Initialization Policy
• Device Authentication policy
• Device Backup Policy
• Device Revocation List
• Foreign Device Policy
• General Settings Policy

Device Initialization Policy

Device Initialization Policy enables you to specify a public partition on the device, its size (in MB), the read-only partition size (in MB), and a device management code. Based on these parameters, you can initialize your device depending on the device capability. The read-only partition of the device contains the portable client software and antivirus scanner.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Initialization Policy.
4 Click New Policy. In the Create a new policy dialog box, select the device from the drop-down list, type a name for the policy, then click OK. The following page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Select the device type from the drop-down list.
6 Select the option Allow Public Partition (optional). If you select this option, specify a size for the public partition (in MB). Default value is 32 MB.
NOTE: The public partition of the device can allow unencrypted data storage. Any user will be able to read and write data in this partition. We recommend that you disable the public partition and use the private partition (encrypted and authenticated), which automatically uses all remaining space on the device.
7 Specify the Read-only partition size.
Default value is 200 MB, default volume name is READONLY.
NOTE:
• The read-only partition size reflects the data size (which includes the portable client software and antivirus scanner) and not the size of the total space available.
• If the size of the read-only partition is less than the minimum size required, the size of the read-only partition is set to a value higher than the default size (200 MB).
8 Type the device management code, then click Save.
NOTE: The device management code is used to erase the device content and its user accounts when the device cannot be accessed by the device user or the administrator. The device management code should not be shared with the device users.
9 Send an agent wake-up call.
NOTE: McAfee Standard Driverless Encrypted USB initialization policies cannot be edited.

Device Authentication policy

Authentication is the process of unlocking an Encrypted USB device. Encrypted USB supports different forms of authentication, including password, biometric, and CAC or PIV card with different strengths. These authentication methods can be combined to offer higher security. Device Authentication Policy allows you to set the authentication mode and recovery policy for a device. You can assign multiple policies to managed nodes in the network for a single device type.
NOTE: Both initialization and authentication policies must be set for a device to be initialized.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Authentication Policy.
4 Click New Policy. In the Create a new policy dialog box, select the device from the drop-down list, type a name for the policy, then click OK. The following page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Select the device type from the drop-down list.
6 Select the appropriate mode of authentication from the following options:
• Password or Biometric — Default option for all biometric devices. It allows you to authenticate the device using a password or biometric (finger enrollment).
• Password and Biometric — A two-factor security option that allows you to authenticate the device using both the password and biometric.
• Password only — Default option for all non-biometric devices, which enables you to authenticate the device using a password only.
• Biometric only — An option that allows you to authenticate the device using biometric only.
• CAC/PIV+PIN only — An option that allows you to authenticate the device using a CAC or a PIV card and a security PIN.
• CAC/PIV+PIN and Biometric — An option that allows you to authenticate the device using both a PIN enabled card (CAC or PIV) and Biometric.
7 In Password Policy, set the following parameters:

Parameter: Password Retry Limit
Description: Type the maximum number of times you can try authenticating the device using a wrong password, after which the device will be blocked. Select Infinite for a maximum number of 256 password retries.
NOTE: If the retry limit exceeds the maximum password retries, the device will be blocked. The device will be in Data Recovery or Data Destruction state.
Default value: 256

Parameter: Minimum Password Length
Description: Type the minimum number of characters the password must have (between 4 and 40 characters).
Default value: 6

Parameter: Minimum Special Characters
Description: Type the minimum number of special characters the password must have for a stronger password. This includes ~ ' ! @ # $ % ^ * ( ) _ - + = { } [ ] | \ : ' " , . / ? & ; < >
Default value: 0

Parameter: Minimum Numeric Characters
Description: Type the minimum number of numerals the password must have (0-9) for a stronger password.
Default value: 0

Parameter: Minimum Alphabetical Characters
Description: Type the minimum number of alphabetic characters the password must have (a-z, A-Z) for a stronger password.
Default value: 0

Parameter: Minimum Uppercase Characters
Description: Type the minimum number of uppercase alphabetic characters the password must have (A-Z) for a stronger password.
Default value: 0

Parameter: Minimum Lowercase Characters
Description: Type the minimum number of lowercase alphabetic characters the password must have (a-z).
Default value: 0

Parameter: Password Re-use Threshold
Description: This option prevents users from reusing old passwords too often at password change intervals, thus increasing the security of the device. Type the minimum number of unique passwords that must be set before a password can be reused.
Default value: 0

Parameter: Minimum Lifetime (Minutes)
Description: Type the minimum number of minutes you must wait before modifying a recently changed password. This prevents users from changing passwords quickly.
Default value: 0

Parameter: Maximum Lifetime (Days)
Description: Type the maximum number of days to define the validity of a password. Select Infinite for the password to remain valid for 65535 days.
NOTE: Regular password updates decrease the risk of the correct password being stolen or guessed.
Default value: 65535

8 In Biometric Policy, select the following:
• Number of Fingers — Select the number of fingers you want to register (maximum up to 6 fingers) during personalization. You can log on to the device using any of the registered fingers.
• Biometric Security Level — Select the desired level from the drop-down list. Biometric Security Level is expressed as a False Match Rate (FMR) probability (such as "1 in 4,500"). FMR is the probability that two different fingers are incorrectly matched. A high FMR means higher security because the device requires a closer match between two fingerprints. Therefore, "1 in 4,500" is more secure than "1 in 2,700". However, for a small number of users it may be difficult to verify their fingerprint at higher levels.
• Biometric Retry limit — Type the maximum number of mismatched finger swipes allowed, after which the device will be blocked. The device will be in Data Recovery or Data Destruction state. Select Infinite for a maximum number of 256 retries.
NOTE: A larger number of retries is required for biometric authentication because an improper swipe will be registered as a failed attempt. Thus the device user may have to attempt verification two or more times before access is granted.
9 In Recovery Policy, you can specify what happens when a user reaches an authentication failure limit (that is, password retry limit or biometric retry limit) and when a device is blocked. Select either of these:
• Recovery — Select these options as required to recover the data on the device after the user has been locked out:
  • User Self-Rescue — Allows the device user to rescue data by re-personalizing a device with new credentials. The device user will be prompted to type a new password, enroll biometric, or bind with their CAC/PIV card, as appropriate.
  • Help Desk/Challenge Response — Help desk operators can assist the device user by securely resetting the authentication mechanism of their device. This can be done over the phone or through email, and does not require access to the device or even network connectivity.
  • Data Recovery — Encrypted data can be recovered without user intervention (in cases where there may be security audits or when a user has left the organization). This task can be initiated only by an administrator.
• Data Destruction — If you select this option, it is not possible to rescue the device or recover data from the device. All logged on user data is immediately destroyed when the device is locked.
NOTE: This option offers high security, but may be inconvenient if particular users regularly have trouble authenticating the device.
10 Click Save.
11 Send an agent wake-up call.
NOTE: The device must be re-personalized whenever the Device Authentication policy is changed. Refer to the Setting up the Encrypted USB device section for instructions on personalizing the device.

Refer to the Assigning multiple policies to a managed node section for assigning multiple initialization and authentication policies for different device types to a single managed node.

Device Backup Policy

Device Backup Policy allows you to create backups of a user's device content on the client computer or shared location. Automatic backups are created only if the device is unlocked and if the user logged on is the device owner. The backup feature provides protection against data loss.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Backup Policy.
4 Click New Policy. In the Create a new policy dialog box, select McAfee Default or My Default as the policy type.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
• The McAfee Default policy is read-only and cannot be edited, renamed, or deleted.
5 Type a new policy name, then click OK. The following page appears.
6 Select one of the following Backup Type options:
• None if you do not want to back up the device content on your client computer.
• Always on if you want to create a backup on your client computer automatically on authenticating the device.
NOTE: Automatic backup is supported only on the system on which the device was initialized and personalized.
• User On-demand if you want the user to initiate the backup process when required.
7 In Backup Path, specify the path to store the device content when taking a scheduled backup, then click Save.
NOTE: We recommend that you do not save the backups on a shared network because backups are not encrypted.
8 Send an agent wake-up call.

Device Revocation List

Device revocation allows an administrator to block the usage of a device in case of a security emergency. Later, the device can be reinstated, if required. The device can also be revoked and wiped, automatically erasing all logged on user data.
NOTE: A device can be revoked only when the device is inserted in a managed node.

Device Revocation List allows you to revoke devices from the ePolicy Orchestrator server based on the device serial number. It applies to groups or a single computer in ePolicy Orchestrator. A device revoked event is sent if a device is revoked successfully.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Revocation List.
4 Click New Policy. In the Create a new policy dialog box, select McAfee Default or My Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Type a new policy name, then click OK. The Device Revocation List page appears.
6 Click Revoke new Device, then select the serial number of the device(s) to be revoked.
NOTE: The device cannot be revoked in malware-proof mode.
7 Select Revoke & Wipe if you want to erase the contents of the device and revoke it, then click OK.
8 Send an agent wake-up call.
NOTE: To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices to be reinstated, click Reinstate, then click OK.

Foreign Device Policy

An unmanaged USB device or a USB device managed by a different ePolicy Orchestrator server is referred to as a foreign device. Foreign Device Policy allows you to grant and restrict access to foreign devices.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Foreign Device Policy.
4 Click New Policy. In the Create a new policy dialog box, select McAfee Default or My Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Type a new policy name, then click OK. The following page appears.
6 On the Foreign Device policy page, select these options as required:
• Allow Managed Foreign Devices — Allows the use of devices managed by a different ePolicy Orchestrator server.
• Allow Other (Unmanaged) Foreign Devices — Allows the use of standalone or unmanaged foreign devices.
NOTE: This generates events in ePolicy Orchestrator when the device is used in the managed network.
• Restrict device use to managed systems — Restricts the use of USB devices to the network managed by the specified ePolicy Orchestrator server(s).
• Add — Adds ePolicy Orchestrator server(s) which are allowed to manage the device other than the ePolicy Orchestrator server network on which it was initialized.
• Remove - Removes ePolicy Orchestrator server(s) to restrict the use of device on the nodes managed by the selected ePolicy Orchestrator server.
NOTE:
• The ePolicy Orchestrator server added should have Encrypted USB client installed with Device Initialization and Device Authentication policies enforced on the managed nodes.
• If no ePolicy Orchestrator servers are added, the device can be used only in the network in which it was initialized.
7 Click Save.
8 Send an agent wake-up call.

General Settings Policy

Use this task to configure anti-virus settings on managed Encrypted USB clients.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as General Settings Policy.
4 Click New Policy. In the Create a new policy dialog box, select the device from the drop-down list, type a name for the policy, then click OK. The following page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Select Enable AntiVirus where available to enable the anti-virus scanner on devices which have Encrypted USB Antivirus installed.
6 Add or remove addresses of signature update sites for the anti-virus scanner as required, then click Save. The default update site is http://update.nai.com. McAfee Encrypted USB Antivirus uses these sites to update its virus definitions.
NOTE:
• Enable the use of a proxy server on Control Panel | Internet Options | Connections | LAN Settings to connect to the update sites.
• If the update fails using any of the added sites, the DAT files are updated from the default update site.
7 Send an agent wake-up call.
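
The Password Policy parameters of the Device Authentication policy described above can be read as a set of checks applied when a password is set or changed. The following Python example is added here for illustration and is not McAfee's implementation: the function names, the salted-hash password history, and the reading of Password Re-use Threshold as "the last N passwords may not be reused" are assumptions, and the STRICT policy values are constructed.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

# Special characters copied from the guide's Password Policy table.
SPECIAL = set("~'!@#$%^*()_-+={}[]|\\:\",./?&;<>")


@dataclass(frozen=True)
class PasswordPolicy:
    # Defaults are the "Default value" column of the guide's table.
    min_length: int = 6
    min_special: int = 0
    min_numeric: int = 0
    min_alpha: int = 0
    min_upper: int = 0
    min_lower: int = 0
    reuse_threshold: int = 0
    min_lifetime_minutes: int = 0
    max_lifetime_days: int = 65535

    def __post_init__(self):
        # The guide allows a minimum length between 4 and 40 characters.
        if not 4 <= self.min_length <= 40:
            raise ValueError("min_length must be between 4 and 40")


def _count(password, charset):
    return sum(1 for ch in password if ch in charset)


def composition_violations(policy, password):
    """Return the names of the composition parameters the password fails."""
    # Explicit ASCII sets: str.isalpha()/isdigit() also accept non-ASCII
    # characters, which the guide's a-z, A-Z and 0-9 ranges do not cover.
    checks = [
        ("Minimum Password Length", len(password), policy.min_length),
        ("Minimum Special Characters", _count(password, SPECIAL), policy.min_special),
        ("Minimum Numeric Characters", _count(password, string.digits), policy.min_numeric),
        ("Minimum Alphabetical Characters", _count(password, string.ascii_letters), policy.min_alpha),
        ("Minimum Uppercase Characters", _count(password, string.ascii_uppercase), policy.min_upper),
        ("Minimum Lowercase Characters", _count(password, string.ascii_lowercase), policy.min_lower),
    ]
    return [name for name, have, need in checks if have < need]


def hash_password(password, salt=None):
    """Salted PBKDF2 record for the history list, so old passwords are not kept in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def is_reused(policy, password, history):
    """history is a list of (salt, digest) records, oldest first.

    Assumed reading of Password Re-use Threshold: a password matching any of
    the last `reuse_threshold` records is refused; 0 disables the check.
    """
    if policy.reuse_threshold <= 0:
        return False
    recent = history[-policy.reuse_threshold:]
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in recent)


def change_violations(policy, new_password, history, last_changed, now):
    """Return every parameter that blocks a password change requested at `now`."""
    problems = composition_violations(policy, new_password)
    if is_reused(policy, new_password, history):
        problems.append("Password Re-use Threshold")
    if now - last_changed < timedelta(minutes=policy.min_lifetime_minutes):
        problems.append("Minimum Lifetime (Minutes)")
    return problems


def is_expired(policy, last_changed, now):
    """True once the password is older than Maximum Lifetime (Days)."""
    return now - last_changed > timedelta(days=policy.max_lifetime_days)


# Constructed policy for the demonstration (values are not from the guide).
STRICT = PasswordPolicy(min_length=10, min_special=1, min_numeric=2, min_upper=1,
                        min_lower=1, reuse_threshold=3, min_lifetime_minutes=60,
                        max_lifetime_days=90)

if __name__ == "__main__":
    changed = datetime(2009, 6, 1, 9, 0)
    history = [hash_password(p) for p in ("Old#Pass01", "Old#Pass02", "Old#Pass03")]
    for candidate in ("Summer2009", "Old#Pass02", "Fresh#Pass42"):
        print(candidate, change_violations(STRICT, candidate, history, changed,
                                           changed + timedelta(minutes=10)))
```

With the guide's default values (length 6, all other minimums 0, re-use threshold 0), only the length check is active, which is why the composition and re-use parameters are worth setting explicitly.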

Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1

Use this task to upgrade from Encrypted USB 1.0 or Encrypted USB 1.1. It is recommended to upgrade only the Encrypted USB client package, as there are no changes to the Encrypted USB Administrator package after Encrypted USB 1.0.

Before you begin
• Back up any important data in the device to a temporary location to avoid data loss and recycle the device. Refer to McAfee Encrypted USB 1.0 User Guide for instructions.
• Export the Encrypted USB policies to a temporary location in the required format. Refer to ePolicy Orchestrator product documentation for instructions.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Copy the EUC120LEN_IPEX.ZIP file to a temporary folder of your ePolicy Orchestrator computer, then install the extension. This upgrades the ePolicy Orchestrator extension to 1.2. Refer to the Installing Encrypted USB 1.2 extension section for instructions.
3 Copy the DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip archives to a temporary folder of your ePolicy Orchestrator computer, then check in the portable content packages to the software repository. Refer to the Checking in portable content packages in ePolicy Orchestrator section for instructions.
4 Deploy Encrypted USB Client or Administrator as required on the managed nodes. Refer to the Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes section for instructions.
5 Configure the Encrypted USB 1.2 policies, initialize and personalize the device, then restore the data.
NOTE: The device can be initialized and personalized after the policies have been enforced on the managed node. Refer to Setting up policies using ePolicy Orchestrator and Setting up the Encrypted USB device sections for instructions.

Upgrading Encrypted USB client with anti-virus portable content packages

Use this task to upgrade the Encrypted USB client with the anti-virus portable content packages.

Task
For option definitions, click ? in the interface.
1 Back up the device content to a temporary location and recycle the device. Refer to Managing backup and Recycling a device sections for instructions.
2 Log on to the ePolicy Orchestrator server as an administrator.
3 Copy the portable content packages with anti-virus (DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip) to a temporary folder of your ePolicy Orchestrator computer.
4 Check in the portable content packages to the ePolicy Orchestrator software repository.
NOTE: Refer to the Checking in portable content packages in ePolicy Orchestrator section for instructions on checking in the portable content packages to the ePolicy Orchestrator software repository.
5 Configure and enforce the Device Initialization and Device Authentication policies on the required managed systems in the network. Refer to Device Initialization policy and Device Authentication policy for instructions on configuring the Device Initialization and Device Authentication policies.
6 Initialize and personalize the device on the managed system.
7 Click , then select Manage Antivirus Scanner to manage McAfee Encrypted USB Antivirus.

Revoking a device

To revoke a device, click Systems | Encrypted USB Devices, select the devices to be revoked, then click Revoke | OK.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• The device cannot be used until it is reinstated.

Alternatively, to revoke a device and erase its contents, click Systems | Encrypted USB Devices, select the devices to be revoked, click Revoke & Wipe, then click OK.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• This option deletes all logged on user data permanently.

To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices to be reinstated, click Reinstate, then click OK. Once the device is reinstated, it can be used normally.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.

Recycling a device

Recycling formats a device and returns it to a default state by deleting the user accounts and all user data on that device. To reuse the recycled device, the administrator must re-personalize it.

PREREQUISITE
To recycle a device, the Encrypted USB Administrator package must be installed on the client computer.

Task
1 Insert the Encrypted USB device to the USB interface socket.
2 Click Start | Programs | McAfee | Encrypted USB Administrator | Data Recovery. The McAfee Encrypted USB Administrator dialog box appears.
3 Click Recycle. A warning dialog box appears.
4 Click Yes. The McAfee ePO Server - Login dialog box appears.
5 Enter the user and server information, then click OK. The McAfee Encrypted USB Administrator dialog box appears.
NOTE:
• If Device State is Open, the device is recycled.
• You can recycle a driverless device on Encrypted USB Client by clicking Recycle Device.

Recovering data from the device

Encrypted data may need to be recovered for security audits or due to employee contract termination. You can recover data on a device that belongs to a device user without the user being present. Once data is recovered from a device, the device has to be personalized again. The private partition becomes accessible and a password is generated.

Prerequisite
To recover data from a device, the ePolicy Orchestrator administrators must install the Encrypted USB Administrator package. Additionally, the Encrypted USB client must be installed on the computer where you insert the device to recover data. The device policy must be configured to allow data recovery, or the following warning appears.

To recover data
1 Click Start | Programs | McAfee | Encrypted USB Administrator | Data Recovery. The McAfee Encrypted USB Administrator dialog box appears.
2 Click Recover. The following warning appears.
3 Click Yes. The McAfee ePO Server - Login dialog box appears.
4 Enter the user and server information, then click OK. The device state is unlocked and a new password is provided.
5 Log on to the device using the new password.
NOTE: The new password generated will be used as default authentication on any system in the managed network. This password cannot be used as default authentication on the system on which the device was initialized.

Assigning multiple policies to a managed node

Use this task to assign multiple initialization and authentication policies for different device types to a single managed node.

Task
For option definitions, click ? in the interface.
1 Click Systems | System Tree | Systems, then select the desired group under System Tree. All the systems within this group (but not its subgroups) appear in the details pane.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree | Systems.
2 Select the desired system, then click Modify Policies on a Single System. The Policy Assignment page for that system appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | Agent | Modify Policies on a Single System.
3 Select Product as Encrypted USB Client 1.2.0. The categories of Encrypted USB Client 1.2.0 are listed with the system’s assigned policy.
4 Locate the desired Initialization or Authentication policy, then click Edit Assignments.
5 Click New Policy Instance, then edit the policy settings as required.
6 Click Save.
7 Send an agent wake-up call.

Reporting

Reports are pre-defined queries which query the ePolicy Orchestrator database and generate a graphical output. You can create, edit and manage queries through ePolicy Orchestrator 4.0 and 4.5. You can query the following default Encrypted USB reports and run them to see a graphical display:
• All Encrypted USB devices sorted by their state of management (such as managed native, managed imported, foreign unmanaged and so on).
• All Encrypted USB devices sorted by the type of the devices.
• All blocked devices to which you cannot log on using password and/or swiping finger(s).
• All devices that are not initialized.
• All devices that are not personalized.
• All devices that are revoked from the ePolicy Orchestrator server.
NOTE: For instructions on creating, editing or deleting queries, see ePolicy Orchestrator 4.0 Product Guide and ePolicy Orchestrator 4.5 Product Guide.

Using the Encrypted USB device

This chapter provides information on:
• Lifecycle of the device
• Using the Encrypted USB - powered by SanDisk Portable Client
• Using other supported Encrypted USB Portable Client
• Troubleshooting

Lifecycle of the device

Device initialization is the first phase of deploying McAfee Encrypted USB. During this process, the portable software package is installed on the read-only partition and the private and public partitions are created.

Personalization is the next phase that includes setting a new password, enrolling fingers or both, depending on the type of the USB device, or using a CAC or PIV authentication card (for all devices).

Usage is the next phase where the device is in use for various functions, such as unlocking the device, updating finger enrollments or passwords, and so on.

Tasks
• Setting up the Encrypted USB - powered by SanDisk device
• Setting up other supported Encrypted USB device

Setting up the Encrypted USB - powered by SanDisk device

Use these tasks to initialize and personalize the Encrypted USB device.

Tasks
1 Insert the new Encrypted USB device into the USB port. The End User License Agreement window appears.
2 Accept the license agreement, then click Next. The installer detects the connected USB devices. Once the device is detected, the Format Warning window appears.
3 Click Format. When the device is formatted, the update successful window appears.
4 Select Launch, then click Next to personalize the USB device.
5 On the Select Language window, select the appropriate language, then click Next.
6 On the License Agreement window, accept the license agreement, then click Next.
7 On the Password window, type and verify the password for accessing the private partition of the USB device, then click Next. In Hint, enter a reminder that will help you to recover your password.
8 On the Contact Information window, enter your contact details, then click Finish.
NOTE: The personalized device appears on the ePolicy Orchestrator server in Systems | Encrypted USB Devices along with its serial number, name, user ID, status, and the client to which it is/was connected at a particular time. Click Options | Choose Columns, then click the desired options in Available Columns to add to the existing columns.

Setting up other supported Encrypted USB device

Before you begin
Install Encrypted USB client and enforce the Device Initialization and Device Authentication policies on the client system before initializing and personalizing the device.

Task
1 Insert the new Encrypted USB device into the USB port.
A dialog box appears stating that your device is being initialized. Once the initialization process completes, the following dialog box appears prompting you to continue with personalizing the device.
NOTE: Reinsert the device if personalization does not start.
2 Click Next. One of the following screens appears depending on the Device Type and the Authentication Mode set in the Device Authentication policy.
• In case of a non-biometric device (or a biometric device where the policy allows you to authenticate to the device using only a password), the Set Password screen appears. Type and verify the password.
• In case you selected CAC/PIV+PIN only or CAC/PIV+PIN and Biometric as Authentication Mode in the Device Authentication policy, the CAC Authentication screen appears. Type the security PIN for your CAC card. Select Use malware-proof mode (read-only) to use the device in read-only mode.
3 Click Next. In case of a biometric device, the Biometric Enrollment screen appears.
4 Select a finger to enroll by clicking on the image, then click Next. The Enroll Biometric screen appears.
5 Swipe your finger across the device sensor three times, then click Next. The Self Personalization dialog box appears.
6 Click Next. The Biometric Authentication screen appears. You can either swipe your finger across the device sensor or click Authenticate using Password.
NOTE: This screen varies if the device authentication policy is set to Biometric only or CAC/PIV+PIN and Biometric.
7 Swipe your finger across the sensor to log on to the device.
8 If you click Authenticate using Password, the Password Authentication screen appears.
9 Type your password, then click Next to log on to the device.
NOTE: The personalized device appears on the ePolicy Orchestrator server in Systems | Encrypted USB Devices along with its serial number, name, user ID, status, and the client to which it is/was connected at a particular time. Click Options | Choose Columns, then click the desired options in Available Columns to add to the existing columns.

Using the Encrypted USB - powered by SanDisk Portable Client

Encrypted USB Client provides a high-level interface that allows Encrypted USB to integrate with the ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5 and McAfee Agent 3.6 (patch 3 minimum) or above. Encrypted USB Client prompts you to initialize and personalize a device each time you plug in a new device to the USB interface socket. It also checks for changes in the Device Authentication policy each time the device is inserted and updates the device accordingly. Any change in the Device Authentication policy requires the device to be re-personalized.

Tasks
• Logging on to the device
• Disconnecting the device
• Managing McAfee anti-virus scanner
• McAfee Encrypted USB settings
• Formatting McAfee Encrypted USB
• Restoring data
• Rescuing the device through Help Desk

Logging on to the device

Once the device is initialized and personalized, you can use the McAfee Encrypted USB device any time. You are prompted to type your password to access the private partition of the USB device.
1 Insert the USB device into an available USB port. The login window appears.
2 Type your password, then click Login.
3 Click icon , then select the required option to use the device.
Disconnecting the device

1 Click the icon on the system tray, then select Shut down McAfee Encrypted USB. A confirmation dialog box appears.

2 Click OK and disconnect the device from the USB port.

Managing McAfee anti-virus scanner

McAfee Encrypted USB Antivirus protects the private partition of the device from malware. It detects and deletes viruses or other harmful or unwanted code in the private partition of the device. Each time a file is copied to the device, it scans the file and intercepts or cleans the infected file. It supports both on-access and on-demand scans. In addition, it scans the host for active malware when you log in and shuts down the drive to prevent infection.

The antivirus scanner depends on the information in the detection definition (DAT) files to identify and take action on threats. New threats appear on a regular basis. To meet this challenge, McAfee releases new DAT files every day, incorporating the results of its ongoing research.

McAfee Encrypted USB Antivirus scanner updates the detection definition (DAT) files from the configured update site. The default update site is http://update.nai.com. You can also initiate scans to inspect the drive with newly updated virus signatures.

Click the icon on your taskbar, then select Scanner | Console. The McAfee Encrypted USB anti-virus Scanner appears.

Option: Statistics
Definition: Displays the anti-virus scan statistics, which include the last scan date and time, number of files and processes scanned, and files deleted to avoid infection. Log — Opens the anti-virus scanner log file.

Option: Version
Definition: Displays the last update date and time, scan engine, DAT, and scanner versions.

Option: Actions
Definition:
• Check Updates — Checks for detection definition updates from the McAfee download website.
• Start Drive Scan — Starts an on-demand scan of the USB device for potential threats.
Option: Settings
Definition:
• Scan host memory on log in — Scans the processes running on the host system automatically for threats when the device is inserted.
• Scan file when saved or copied to Drive — Scans the file and intercepts or cleans the infected file each time a file is copied to the device.
• Show messages — Shows scan details in a pop-up window.

McAfee Encrypted USB settings

Use this task to modify the McAfee Encrypted USB password, contact information, or language.

Task

1 Click the icon on the system tray, then select McAfee Encrypted USB Settings. The McAfee Encrypted USB Settings page appears.

2 Select the settings tab you want to modify.

3 Enter appropriate information, then click OK.

Formatting McAfee Encrypted USB

Use this task to format the USB device. Formatting erases all data on the device. Back up your files before formatting the device.

Task

1 Click the icon on the system tray, then select Format McAfee Encrypted USB. The Format McAfee Encrypted USB window appears with a warning.

2 Click OK.

Restoring data

Use this task to restore the user's backed-up device content from the managed system.

Before you begin

Back up the device content by shutting down and re-inserting the device in the managed system.

Task

1 Click the icon on the system tray, then select Restore | Launch.

2 Browse to select the data to be restored, then click Next. A pop-up window appears asking you to shut down and re-insert the device.

3 Click OK, then remove and re-insert the device. A warning message is displayed asking you to back up any important device content before restoring.

4 Click OK. The selected backup data is scanned and restored to the device.
Rescuing the device through Help Desk

The Help Desk Device Rescue option allows you to rescue your blocked device with the assistance of an ePO administrator.

1 On the Login screen, click Forgot Password. The new password page appears.

2 Type and verify the new password and click Administrator Login.

The ePO administrator searches for the device serial number in the device list. Once the device is found, the ePO administrator selects the desired recovery action, which generates a One-Time Password. This One-Time Password is given to the user.

3 Type the One-Time Password without spaces on the Administrator Login page, then click Next. A pop-up window appears with a response code.

NOTE:
• Typing the wrong authorization code twice will deactivate the device.
• Provide the response code to the ePO administrator.

The device user will now be able to log on to the device using the new password.

Using other supported Encrypted USB Portable Client

Encrypted USB Client provides a high-level interface that allows Encrypted USB to integrate with ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5 and McAfee Agent 3.6 (patch 3 minimum) or above. Encrypted USB Client prompts you to initialize and personalize a device each time you plug a new device into the USB interface socket. It also checks for changes in the Device Authentication policy each time the device is inserted and updates the device accordingly. Any change in the Device Authentication policy requires the device to be re-personalized.
Tasks
• LED states
• Security options in the device
• Logging on to the device
• Viewing hardware and software information
• Managing authentication methods
• Managing backup
• Managing the Antivirus Scanner
• Self rescuing the device
• Rescuing the device through Help Desk

LED states

All McAfee Encrypted USB 1.2 devices use one or more Light Emitting Diodes (LEDs) that indicate the state of the device.

NOTE: The USB LED flashes approximately every second.

State: Description
Green: Device is ON for use with or without authentication.
Green (flashing): Device is ON, waiting to verify fingerprint (if the device requires biometric authentication) and the user to log on.
Green (delayed flash): Device is ON and idle, waiting to verify fingerprint (if the device requires biometric authentication) and the user to log on.
Red (flashes once): Failed fingerprint authentication attempt.
Red and Green (alternating flash): Final attempt for fingerprint authentication. Failing the attempt will block the device.
Red (flashing): Device is either powering up or blocked. When blocked, no authentication methods are available to log on to the device. Contact your device administrator to unblock the device.
Red: Device is blocked. This is due to unauthorized or failed device access attempts. Contact your device administrator to unlock the device.
Blue: Data transfer activity.
Red and Blue (alternating flash): Device has invalid firmware.

Security options in the device

Security options vary based on the Encrypted USB device that you use.
The security options available in a device are:
• Access to the device — Uses authentication mechanisms to unlock the device, which include:
    • Password only
    • Biometric and password
    • Biometric or password
    • Biometric only
    • Card with security PIN
    • Card with security PIN and biometric
• Private data protection — Data related to the user is encrypted in private stores and partitions.

Logging on to the device

1 Once the device is initialized and personalized, the Password Authentication screen appears.

NOTE: If Autoplay is disabled on your system, double-click the Read-Only partition of the device, then click Start.exe.

2 Type your PIN, password, or swipe your finger depending on the authentication mechanism(s) you have set. Select Use malware-proof mode (read only) if you want to use the device in read-only mode, then click Next. The icon appears on the taskbar.

NOTE:
• McAfee Encrypted USB Antivirus and Backup Manager are not supported in malware-proof mode.
• No events are generated in ePolicy Orchestrator in malware-proof mode.

3 Click the icon on your taskbar, then select Managed Device. The Encrypted USB Client page appears.

NOTE:
• Click Logout on the Encrypted USB Client page to log off from the Encrypted USB Client. The device state changes to locked after the user logs off from the device.
• Encrypted USB devices use ActivIdentity third-party software to authenticate the device in CAC/PIV authentication mode. ePolicy Orchestrator does not generate any event for device authentication done by ActivIdentity.

Disconnecting the device

1 Click the icon on your taskbar, then click Eject Device.

2 Disconnect the device from the USB port once you see the "Safe To Remove Hardware" message.
Viewing hardware and software information

Click Hardware and Software Information on the Encrypted USB Client page to view information about the users, device settings, partition details, and product versions.
• Device Settings — Displays general device information such as private and public partition storage capacities and serial number of the device.
• Disk Partitions — Displays information about the allocation of disk space on the device.
• Product Versions — Provides hardware and software versions of the product.

Managing authentication methods

Click Manage Authentication Methods on the Encrypted USB Client page to update your password or finger enrollments. The Manage Authentication Methods page appears.

NOTE: This page varies depending on the type of device you use.

• Manage Your Password — Click this option and follow the on-screen instructions to reset your password.
• Manage Your Finger Enrollments — Click this option and follow the on-screen instructions to update your fingerprints.

Managing backup

McAfee Encrypted USB 1.2 allows you to back up the user's device content on the client computer when required.

Click the icon on your taskbar, then select Backup Manager. In the McAfee Encrypted USB Client dialog box, click Next to back up device content.

NOTE: The Backup Manager option is available on the system tray if you selected Backup Type as User On-demand in the Device Backup policy.

Specify the path or click the icon, browse for the path to store the device content, then click OK.

NOTE: We recommend that you do not save the backups on a shared network because backups are not encrypted.

Managing the Antivirus Scanner

McAfee Encrypted USB Antivirus protects the private partition of the device from malware.
It detects and deletes viruses or other harmful or unwanted code in the private partition of the device. Each time a file is copied to the device, it scans the file and intercepts or cleans the infected file. It supports both on-access and on-demand scans. It also allows the device user to scan the system folders and processes running on the host system on startup.

The antivirus scanner depends on the information in the detection definition (DAT) files to identify and take action on threats. New threats appear on a regular basis. To meet this challenge, McAfee releases new DAT files every day, incorporating the results of its ongoing research.

McAfee Encrypted USB Antivirus scanner updates the detection definition (DAT) files from the configured update site. The default update site is http://update.nai.com.

NOTE: If the update fails using any of the added sites, the DAT files are updated from the default update site.

Click the icon on your taskbar, then select Manage Antivirus Scanner. The McAfee Encrypted USB Antivirus screen appears.

NOTE: McAfee Encrypted USB Antivirus can be managed after the DAT file is updated. Remove and reinsert the device after updating the DAT file.

Option: Private Partition
Definition:
• On-access scan — Scans for threats as files are read from or written to the device.
• Scan — Select this option to start an on-demand scan on the private partition of the device.

Option: Host System
Definition:
• Scan host system on startup — Select this option to scan the system folders and the processes running on the host system automatically for threats when the device is inserted.
• Scan — Select this option to start an on-demand scan on the host system for potential threats.

Option: Virus Database
Definition:
• Automatic updates — Downloads updates of detection definitions automatically from the McAfee download website.
• Update — Select this option to download the latest detection definitions manually from the McAfee download website.
NOTE: Enable your browser proxy server settings to update your computer with the latest detection definitions from the McAfee download website.

Option: Intrusion log
Definition:
• Enabled — Enables activity logging. All intrusions detected will be logged.
• View — Select this option to view the log details.
• Clear — Clears the log details.

Self rescuing the device

The Self Rescue option allows you to reset your password and/or update your finger enrollments.

NOTE: This option is available only if you insert the Encrypted USB device on the same computer where you initialized the device.

1 Click Self Rescue on the Encrypted USB Client page. The Device Self Rescue screen appears.

2 Click Next and type a new password or update your fingerprint depending on the policy you set. The Device Self Rescue screen appears stating that your device has been successfully rescued.

3 Click Next and log on to the device using your updated credentials.

Rescuing the device through Help Desk

The Help Desk Device Rescue option allows you to rescue your blocked device with the assistance of a Help Desk operator over the telephone.

NOTE: We recommend that device users use self rescue if they have access to the managed node.

1 On the Encrypted USB Client page, click Help Desk Device Rescue. The Help Desk Device Rescue page appears prompting you to type the authorization code.

2 Contact Help Desk and provide your identity, device serial number, and user name. The Help Desk operator gives you an authorization code.

3 Type this code on the Help Desk Device Rescue page, then click Next.
The Help Desk Device Rescue Complete page appears with a confirmation code and a new password.

NOTE: Provide the confirmation code to the Help Desk operator.

4 Click Next. The Device Reset Warning page appears asking you to note the confirmation code and new password.

5 Click Next to personalize your device.

Troubleshooting

This section provides troubleshooting information for Encrypted USB 1.2. For further technical assistance, visit http://www.mcafee.com/us/support/index.html.

I cannot eject my USB device

Error message: "Cannot Unmount Volume-An error was encountered trying to unmount 'Removable Disk (F:)' Check to ensure there are no open files or windows from that volume."

This message appears and prevents you from ejecting the drive if you are not an administrator on the computer. Refer to the Microsoft article at: http://support.microsoft.com/default.aspx?scid=kb;en-us;192785

WORKAROUND: Log off from the device using Encrypted USB Client or safely remove the device using the taskbar icon.

Password or biometric access to my device is blocked

The device gets locked when you exceed the password/biometric retry limit. Contact your device administrator to unlock the device.

Data saved to the read-only partition is not available

You cannot save data to the read-only partition of the device. Data saved here is stored in the cache of the Windows filesystem. It is deleted when you remove the device. Hence, save data only on your private partition or the public partition (if applicable).

Client system is not reporting to ePolicy Orchestrator server

Check if other client systems in the network are reporting to the ePO server. If yes, then reinstall the Encrypted USB client on the system which was not reporting to the ePO server. If none of the systems in the network are reporting to the ePO server, then restart the ePO server.
Appendix A — Restricting the device use

Use these tasks to restrict devices to their home network or a specified ePolicy Orchestrator server network.

Assumptions

User group 1: User group 1 accesses client systems in the finance network managed by ePolicy Orchestrator server 1.
User group 2: User group 2 accesses client systems in the executive network managed by ePolicy Orchestrator server 2.

Restricting the device use to home network

Use this task to restrict the use of the device to the network managed by the ePolicy Orchestrator server on which it was initialized (ePolicy Orchestrator server 1 network).

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server 1 as an administrator.

2 Create a new Foreign device policy.
NOTE: Refer to the Foreign device policy section for instructions.

3 On the Foreign Device policy page, select Restrict device use to managed systems, then click Save.

4 Send an agent wake-up call to enforce the policy.

Restricting the device use to specified network(s)

Use this task to restrict the device use to other specified ePolicy Orchestrator networks, including the ePolicy Orchestrator server network on which it was initialized.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server 2 as an administrator.

2 Create a new Foreign device policy.
NOTE: Refer to the Foreign device policy section for instructions.

3 On the Foreign Device policy page, select Restrict device use to managed systems.

4 Click Add, then add the corporate identifier of the ePolicy Orchestrator server 1.

5 Click Save, then send an agent wake-up call.

Appendix B — Device management states

This section lists and describes the device management states.
Management State: Description
Unsupported: Device is not supported.
Blank: New device which is not initialized.
Managed Native: Device is initialized and managed by the same ePolicy Orchestrator server the managed client computer belongs to.
Managed Imported: Device was initialized and managed by Encrypted USB Manager. Migrated to Encrypted USB 1.2.
Foreign Managed: Device was initialized and managed by a different ePolicy Orchestrator server.
Foreign Unmanaged: Device is not managed by any ePolicy Orchestrator, but the usage is allowed by the Foreign Device Policy.
Unmanaged: Device is either managed by an ePolicy Orchestrator server, but the usage is prohibited by the Foreign Device Policy, or the device is unmanaged (stand-alone) and the usage of those devices is prohibited by the Foreign Device Policy.
Unmanageable: Device is managed by an ePolicy Orchestrator server, but cannot be recycled.