McAfee Encrypted USB Standard version 2


















Help desk operators can assist the device user by securely resetting the authentication mechanism of their device. This can be done over the phone or through email, and does not require access to the device or even network connectivity.

Device Backup Policy: Device Backup Policy allows you to create automatic backups of the device content on the client computer or a shared location. Automatic backups are created only if the device is unlocked and the logged-on user is the device owner. The backup feature provides protection against data loss. NOTE: Automatic backup is supported only on the system on which the device was initialized and personalized.

Device Revocation List: Device revocation allows an administrator to block the usage of a device in case of a security emergency. Later, the device can be reinstated, if required. NOTE: A device can be revoked only when the device is inserted in a managed node. Device Revocation List allows you to revoke devices from the ePolicy Orchestrator server based on the device serial number. It applies to groups or a single computer in ePolicy Orchestrator.

A device revoked event is sent if a device is revoked successfully. Foreign Device Policy allows you to grant and restrict access to foreign devices. Recycling a device: Recycling formats a device and returns it to a default state by deleting the user accounts and all user data on that device. To reuse the recycled device, the administrator must re-personalize it. Task: 1. Run recycle. The Device Recycling Utility window appears.

A warning pop-up appears asking you to confirm device recycle. The Admin Authentication window appears. After the device is recycled, a recycle successful pop-up appears.

Once the device is reinstated, it can be used normally. Based on these parameters, you can initialize your device depending on the device capability. Read-only partition of the device contains the portable client software and antivirus scanner. In Create a new policy dialog box, select the device from the drop-down list, type a name for the policy, then click OK.

The following page appears. If you select this option, specify a size for the public partition in MB. Default value is 32 MB. NOTE: The public partition of the device can allow unencrypted data storage. Any user will be able to read and write data in this partition. We recommend that you disable the public partition and use the private partition (encrypted and authenticated), which automatically uses all remaining space on the device.

NOTE: The device management code is used to erase the device content and its user accounts when it cannot be accessed by the device user or the administrator. The device management code should not be shared with the device users.

These authentication methods can be combined to offer higher security. Device Authentication Policy allows you to set the authentication mode and recovery policy for a device. You can assign multiple policies to managed nodes in the network for a single device type. It allows you to authenticate the device using a password or biometric finger enrollment.

Parameters, with description and default value:

Select Infinite for a maximum number of password retries. NOTE: If the retry limit exceeds the maximum password retries, the device will be blocked. The device will be in Data Recovery or Data Destruction state.

Minimum Password Length: Type the minimum number of characters the password must have (between 4 and 40 characters). Default value: 6.

Minimum Special Characters: Type the minimum number of special characters the password must have for a stronger password. Default value: 0.

Minimum Numeric Characters: Type the minimum number of numerals the password must have for a stronger password. Default value: 0.

Minimum Alphabetical Characters: Type the minimum number of alphabets the password must have (a-z, A-Z) for a stronger password. Default value: 0.

Minimum Uppercase Characters: Type the minimum number of uppercase alphabets the password must have (A-Z) for a stronger password. Default value: 0.

Minimum Lowercase Characters: Type the minimum number of lowercase alphabets the password must have (a-z). Default value: 0.

Password Re-use Threshold: This option prevents users from reusing old passwords too often at password change intervals, thus increasing the security of the device. Type the minimum number of unique passwords that must be set before a password can be reused. Default value: 0.

Minimum Lifetime Minutes: Type the minimum number of minutes you must wait before modifying a recently changed password. This prevents users from changing passwords quickly. Default value: 0.

You can log on to the device using any of the registered fingers. FMR is the probability that two different fingers are incorrectly matched. A high FMR means higher security because the device requires a closer match between two fingerprints. Therefore, "1 in 4," is more secure than "1 in 2,". However, for a small number of users it may be difficult to verify their fingerprint at higher levels. Select Infinite for a maximum number of retries.

NOTE: A larger number of retries are required for biometric authentication because an improper swipe will be registered as a failed attempt. Thus the device user may have to attempt verification two or more times before access is granted. This task can be initiated only by an administrator. All logged on user data is immediately destroyed when the device is locked. NOTE: This option offers high security, but may be inconvenient if particular users regularly have trouble authenticating the device.

Refer to the Setting up the Encrypted USB device section for instructions on personalizing the device. Refer to the Assigning multiple policies to a managed node section for assigning multiple initialization and authentication policies for different device types to a single managed node.

Device Backup Policy: Device Backup Policy allows you to create backups of a user's device content on the client computer or a shared location. NOTE: We recommend that you do not save the backups on a shared network because backups are not encrypted. The device can also be revoked and wiped, automatically erasing all logged-on user data. NOTE: The device cannot be revoked in malware-proof mode. Refer to ePolicy Orchestrator product documentation for instructions.

ZIP file to a temporary folder of your ePolicy Orchestrator computer, then install the extension. This upgrades the ePolicy Orchestrator extension to 1. Refer to the Checking in portable content packages in ePolicy Orchestrator section for instructions. NOTE: The device can be initialized and personalized after the policies have been enforced on the managed node.

Upgrading Encrypted USB client with anti-virus portable content packages Use this task to upgrade the Encrypted USB client with the anti-virus portable content packages. Refer to Managing backup and Recycling a device sections for instructions. NOTE: Refer to the Checking in portable content packages in ePolicy Orchestrator section for instructions on checking in the portable content packages to ePolicy Orchestrator software repository.

Refer to Device Initialization policy and Device Authentication policy for instructions on configuring the Device Initialization and Device Authentication policies. 6. Initialize and personalize the device on the managed system.

Recovering data from the device: Encrypted data may need to be recovered for security audits or due to employee contract termination. You can recover data on a device that belongs to a device user without the user being present. Once data is recovered from a device, the device has to be personalized again. The private partition becomes accessible and a password is generated. Additionally, the Encrypted USB client must be installed on the computer where you insert the device to recover data.

The device policy must be configured to allow data recovery, or the following warning appears. The following warning appears. The device state is unlocked and a new password is provided. NOTE: The new password generated will be used as default authentication on any system in the managed network.

This password cannot be used as default authentication on the system on which the device was initialized. Assigning multiple policies to a managed node: Use this task to assign multiple initialization and authentication policies for different device types to a single managed node.

All the systems within this group but not its subgroups appear in the details pane. The Policy Assignment page for that system appears. Reporting Reports are pre-defined queries which query the ePolicy Orchestrator database and generate a graphical output.

You can create, edit and manage queries through ePolicy Orchestrator 4. During this process, the portable software package is installed on the read-only partition and the private and public partitions are created. Personalization is the next phase that includes setting a new password, enrolling fingers or both, depending on the type of the USB device, or using a CAC or PIV authentication card for all devices.

Usage is the next phase where the device is in use for various functions, such as unlocking the device, updating finger enrollments or passwords, and so on. The installer detects for the connected USB devices. Once the device is detected, the Format Warning window appears. When the device is formatted, the update successful window appears. Click Options Choose Columns, then click the desired options in Available Columns to add to the existing columns. A dialog box appears stating that your device is being initialized.

Once the initialization process completes, the following dialog box appears prompting you to continue with personalizing the device. NOTE: Reinsert the device if personalization does not start.

One of the following screens appears depending on the Device Type and the Authentication Mode set in the Device Authentication policy. Type and verify the password. Select Use malware-proof mode read-only to use the device in read-only mode. The Enroll Biometric screen appears.

The Self Personalization dialog box appears. The Biometric Authentication screen appears. You can either swipe your finger across the device sensor or click Authenticate using Password. Encrypted USB Client prompts you to initialize and personalize a device each time you plug in a new device to the USB interface socket. It also checks for changes in Device Authentication policy each time the device is inserted and updates the device accordingly.

Any change in the Device Authentication policy requires the device to be re-personalized. You are prompted to type your password to access the private partition of the USB device. The login window appears. A confirmation dialog box appears. It detects and deletes viruses or other harmful or unwanted code in the private partition of the device.

Each time a file is copied to the device, it scans the file and intercepts or cleans the infected file. It supports both on-access and on-demand scans. In addition it scans the host for active malware when you log in and shuts down the drive to prevent infection.

Antivirus scanner depends on the information in the detection definition DAT files to identify and take action on threats. New threats appear on a regular basis.

To meet this challenge, McAfee releases new DAT files every day, incorporating the results of its ongoing research. You can also initiate scans to inspect the drive with newly updated virus signatures. Click icon on your taskbar, then select Scanner Console. Statistics Displays the anti-virus scan statistics, which include the last scan date and time, number of files and processes scanned, and files deleted to avoid infection.

Log — Opens the anti-virus scanner log file. Version — Displays the last update date and time, scan engine, DAT, and scanner versions. Formatting erases all data on the device. Back up your files before formatting the device. Restoring data: Use this task to restore a user's backed-up device content from the managed system.

Before you begin Back up the device content by shutting down and re-inserting the device in the managed system. Task 1 Click on the system tray, then select Restore Launch. A pop-up window appears asking you to shut down and re-insert the device. A warning message is displayed asking you to back up any important device content before restoring.

The selected backup data is scanned and restored to the device. The new password page appears. Once the device is found, the ePO administrator selects the desired recovery action, which generates a One-Time Password. This One-Time Password is given to the user. A pop-up window appears with a response code.

Green flashing: Device is ON, waiting to verify fingerprint if the device requires biometric authentication and the user to log on.

Green delayed flash: Device is ON and idle, waiting to verify fingerprint if the device requires biometric authentication and the user to log on.

Red and Green: Final attempt for fingerprint authentication. Failing the attempt will block the device.

Red flashing: Device is either powering up or blocked. When blocked, no authentication methods are available to log on to the device. Contact your device administrator to unblock the device.

Red: Device is blocked. This is due to unauthorized or failed device access attempts. Contact your device administrator to unlock the device.

Red and Blue: Device has invalid firmware.

Logging on to the device: 1. Once the device is initialized and personalized, the Password Authentication screen appears. Select Use malware-proof mode read only if you want to use the device in read-only mode, then click Next.

The icon appears on the taskbar. The device state will be changed to locked after the user logs off from the device. Disconnecting the device 1 Click icon from your task bar, then click Eject Device. Viewing hardware and software information Click Hardware and Software Information on the Encrypted USB Client page to view information about the users, device settings, partition details, and product versions.

The Manage Authentication Methods page appears. NOTE: This page varies depending on the type of the device you use. Manage Your Password — Click this option and follow the on-screen instructions to reset your password. Manage Your Finger Enrollments — Click this option and follow the on-screen instructions to update your fingerprints.

Click icon on your taskbar, then select Backup Manager. Specify the path or click , browse for the path to store the device content, then click OK. It also allows the device user to scan the system folders and processes running on the host system on startup. Click icon on your taskbar, then select Manage Antivirus Scanner. Remove and reinsert the device after updating the DAT file. NOTE: Enable your browser proxy server settings to update your computer with the latest detection definitions from the McAfee download website.

All intrusions detected will be logged. The Device Self Rescue screen appears. The Device Self Rescue screen appears stating that your device has been successfully rescued. Rescuing the device through Help Desk: The Help Desk Device Rescue option allows you to rescue your blocked device with the assistance of a Help Desk operator over the telephone. NOTE: We recommend that device users use self rescue if they have access to the managed node.

The Help Desk Device Rescue page appears prompting you to type the authorization code. Help Desk operator gives you an authorization code. The Device Reset Warning page appears asking you to note the confirmation code and new password. Data saved to the read-only partition is not available You cannot save data to the read-only partition of the device. A device revoked event is sent if a device is revoked successfully. The Device Revocation List page appears.


Click Recycle. A warning pop-up appears asking you to confirm device recycle. Click Yes. The Admin Authentication window appears. Type the ePolicy Orchestrator server by which the device is managed IP address or name, user name, and password, then click Login.

After the device is recycled, a recycle successful pop-up appears. Re-insert the device and personalize to use the device. Once the device is reinstated, it can be used normally.


Minimum Lifetime Minutes: Type the minimum number of minutes you must wait before modifying a recently changed password. This prevents users from changing passwords quickly. Default value: 0.

Maximum Lifetime Days: Type the maximum number of days to define the validity of a password.

You can log on to the device using any of the registered fingers.


NOTE: We recommend that you do not save the backups on a shared network because backups are not encrypted. The device can also be revoked and wiped, automatically erasing all logged-on user data. NOTE: The device cannot be revoked in malware-proof mode. Add or remove addresses of signature update sites for the anti-virus scanner as required, then click Save. Refer to ePolicy Orchestrator product documentation for instructions.


Configure the Encrypted USB 1. NOTE: The device can be initialized and personalized after the policies have been enforced on the managed node.

Refer to Managing backup and Recycling a device sections for instructions. Check in the portable content packages to ePolicy Orchestrator software repository. NOTE: Refer to the Checking in portable content packages in ePolicy Orchestrator section for instructions on checking in the portable content packages to ePolicy Orchestrator software repository.


A warning dialog box appears. You can recover data on a device that belongs to a device user without the user being present. Once data is recovered from a device, the device has to be personalized again. The private partition becomes accessible and a password is generated. Additionally, the Encrypted USB client must be installed on the computer where you insert the device to recover data.

The device policy must be configured to allow data recovery, or the following warning appears. Click Recover. The following warning appears. Enter the user and server information, then click OK. The device state is unlocked and a new password is provided.

Log on to the device using the new password. NOTE: The new password generated will be used as default authentication on any system in the managed network. This password cannot be used as default authentication on the system on which the device was initialized. All the systems within this group but not its subgroups appear in the details pane. The Policy Assignment page for that system appears. Locate the desired Initialization or Authentication policy, then click Edit Assignments.

Click New Policy Instance, then edit the policy settings as required. Reporting Reports are pre-defined queries which query the ePolicy Orchestrator database and generate a graphical output.


Accept the license agreement, then click Next. The installer detects for the connected USB devices. Once the device is detected, the Format Warning window appears. When the device is formatted, the update successful window appears.

On the Select Language window, select the appropriate language, then click Next. On the License Agreement window, accept the license agreement, then click Next.

On the Password window, type and verify the password for accessing the private partition of the USB device, then click Next. In Hint enter a reminder that will help you to recover your password. Click Options Choose Columns, then click the desired options in Available Columns to add to the existing columns.


Type and verify the password. Select Use malware-proof mode read-only to use the device in read-only mode. In case of biometric device, the Biometric Enrollment screen appears.

The Enroll Biometric screen appears. The Self Personalization dialog box appears. The Biometric Authentication screen appears. If you click Authenticate using Password, the Password Authentication screen appears. Encrypted USB Client prompts you to initialize and personalize a device each time you plug in a new device to the USB interface socket. It also checks for changes in Device Authentication policy each time the device is inserted and updates the device accordingly.


The login window appears. Click icon , then select the required option to use the device. A confirmation dialog box appears. It detects and deletes virus or other harmful or unwanted code in the private partition of the device. Each time a file is copied to the device, it scans the file and intercepts or cleans the infected file. It supports both on-access and on-demand scans.


Scan file when saved or copied to Drive — Scans the file and intercepts or cleans the infected file each time a file is copied to the device. Show messages — Shows scan details in a pop-up window.

Enter appropriate information, then click OK. Formatting erases all data on the device. Back up your files before formatting the device. Restoring data: Use this task to restore a user's backed-up device content from the managed system. Before you begin: Back up the device content by shutting down and re-inserting the device in the managed system. Task: Click on the system tray, then select Restore Launch. Browse to select the data to be restored, then click Next.

A pop-up window appears asking you to shut down and re-insert the device. Click OK, then remove and re-insert the device. A warning message is displayed asking you to back up any important device content before restoring. The selected back up data is scanned and restored to the device.

The new password page appears. Type and verify the new password and click Administrator Login. Once the device is found, ePO administrator selects the desired recovery action, which generates a One-Time Password. This One-Time Password is given to the user. A pop-up window appears with a response code.


