McAfee Encrypted USB 1.2 User Guide


COPYRIGHT

Copyright © 2009 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

Refer to the product Release Notes.


Contents

Introducing Encrypted USB
  How Encrypted USB works?
  Encrypted USB features
  System requirements
  Supported McAfee devices
  About this guide
    Target audience
Encrypted USB Administration
  Installing the Encrypted USB software using ePolicy Orchestrator
    Checking in portable content packages in ePolicy Orchestrator
    Installing Encrypted USB 1.2 extension
    Configuring Server Settings
    Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes
    Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes
  Administering McAfee Encrypted USB - powered by SanDisk
    Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator
    Recycling a device
    Revoking a device
  Administering other supported Encrypted USB devices
    Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator
    Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1
    Upgrading Encrypted USB client with anti-virus portable content packages
    Revoking a device
    Recycling a device
    Recovering data from the device
  Assigning multiple policies to a managed node
  Reporting
Using the Encrypted USB device
  Lifecycle of the device
    Setting up the Encrypted USB - powered by SanDisk device
    Setting up other supported Encrypted USB device
  Using the Encrypted USB - powered by SanDisk Portable Client
    Logging on to the device
    Disconnecting the device
    Managing McAfee anti-virus scanner
    McAfee Encrypted USB settings
    Formatting McAfee Encrypted USB
    Restoring data
    Rescuing the device through Help Desk
  Using other supported Encrypted USB Portable Client
    LED states
    Security options in the device
    Logging on to the device
    Disconnecting the device
    Viewing hardware and software information
    Managing authentication methods
    Managing backup
    Managing the Antivirus Scanner
    Self rescuing the device
    Rescuing the device through Help Desk
  Troubleshooting
Appendix A — Restricting the device use
  Restricting the device use to home network
  Restricting the device use to specified network(s)
Appendix B — Device management states

Introducing Encrypted USB

Encrypted Universal Serial Bus (USB) devices use the Universal Serial Bus standard to interface to a host computer using a standardized USB interface socket. McAfee Encrypted USB version 1.2 is a scalable software solution for managing large and small deployments of McAfee's USB storage devices.

McAfee Encrypted USB 1.2 supports Encrypted USB devices powered by SanDisk along with Encrypted USB 1.1 and 1.0 devices. An Encrypted USB administrator can select the device type he wants to manage in his network before deploying it on the managed systems.

McAfee Encrypted USB 1.2 includes a management console, a client component, an anti-virus scanner, and an administration utility (optional). It controls the USB device lifecycle including initialization, personalization, usage, rescue, recovery, and recycling.

Contents

How Encrypted USB works?

Encrypted USB features

System requirements

Supported McAfee devices

About this guide

How Encrypted USB works?

McAfee Encrypted USB 1.2 offers data protection in the form of powerful encryption technology combined with strong authentication controls, so that only authorized users can access information.

It helps you maintain a virus-free environment by scanning the private partition of the USB device and system folders and processes running on the client system on startup. Each time a file is copied to the device, it scans the file comparing it with a list of known viruses and intercepts/cleans the infected file. It updates the virus definition from a configurable signature update site every time the user logs on to the device.

NOTE: The Encrypted USB Antivirus feature only scans the system folders and the processes running on the client system. It does not completely protect the client system from malware.

McAfee Encrypted USB 1.2 integrates with McAfee ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5.

NOTE: McAfee Encrypted USB 1.2 does not support downgrade to Encrypted USB version 1.0.

Protecting the device from malware

McAfee Encrypted USB 1.2 includes an anti-virus scanner that prevents malware from being copied to the device. McAfee Encrypted USB Antivirus Scanner constantly monitors file transfers to the device, automatically detecting and cleaning/deleting any malware. It also supports on-demand scan that enables the device user to initiate a scan when required.

Refer to the Managing the Antivirus Scanner section for more details.

Restricting devices to trusted network for some users

McAfee Encrypted USB 1.2 allows you to restrict the use of the device to trusted networks. You can create and configure different Foreign Device policies for each group of managed systems, restricting them to a specified network.

NOTE: This feature is not available for all device types.

Refer to the Appendix A — Restricting device use section for more details.

Revoking a device in emergency

Revoking a device blocks the usage of a device. McAfee Encrypted USB 1.2 allows the administrator to revoke the device when it is lost, when the password is disclosed, or during an audit. Encrypted USB administrators can revoke or revoke and wipe the device as required from ePolicy Orchestrator. The device can be reused after reinstating.

Refer to the Revoking a device section for more details.

Encrypted USB features

• Centralized management — Provides support for deploying and managing McAfee Encrypted USB devices using ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5.

• Data protection with powerful encryption — Offers data protection through powerful encryption technology along with strong access controls, so that only authenticated users can access data stored on the USB device.

• Two-factor authentication — Allows you to use one of these authentication modes to unlock the USB device:

• Password and/or biometric

• Common Access Card (CAC) or Personal Identity Verification (PIV) card with security PIN and/or biometric

NOTE: The authentication modes available depend on the device type.

• Protection from malware — Offers protection from malware by scanning files copied to the device, detecting threats and taking action as required.

• Device type selection — Provides an option for selecting the device type to be managed in the network before deploying the Encrypted USB client on the managed systems.

System requirements

Operating systems:

• Microsoft Windows XP Professional SP2 and SP3

• Windows Vista Business SP1 or later and Enterprise SP1 or later

• Windows XP Home SP3


• Windows Vista Ultimate

McAfee Encrypted USB 1.2 prerequisites:

• Microsoft .NET Framework 2.0

• Windows Installer 3.1

• McAfee Agent 3.6 (patch 3) or above

Supported McAfee devices

Device: McAfee Encrypted USB - powered by SanDisk

Description:

• Supports password authentication mode.

• Can have private and read-only disk partitions.

Device: McAfee Encrypted USB Standard version 2

Description:

• Supports password and CAC/PIV card authentication mode.

• Can have private and read-only disk partitions.

Device: McAfee Zero Footprint Biometric Encrypted USB

Description:

• Supports biometric and/or password authentication mode.

• Supports biometric and/or CAC/PIV card authentication mode.

• Can have public, private, and read-only disk partitions.

Device: McAfee Zero Footprint Non-Biometric Encrypted USB

Description:

• Supports password and CAC/PIV card authentication mode.

• Can have public, private, and read-only disk partitions.

Device: McAfee Encrypted USB Hard Disk

Description:

• Supports biometric and/or password authentication mode.

• Supports biometric and/or CAC/PIV card authentication mode.

• Can have public, private, and read-only disk partitions. Available in various hard drive sizes.

Device: McAfee Encrypted USB Standard Driverless

Description:

• Supports password and CAC/PIV card authentication mode.

• Can have private and read-only disk partitions.

About this guide

This guide provides detailed instructions for installing and managing Encrypted USB 1.2 using ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5.

Target audience

This guide is intended for McAfee Encrypted USB device users and administrators.

Encrypted USB Administration

This chapter provides information on:

Installing the Encrypted USB software using ePolicy Orchestrator

Administering McAfee Encrypted USB - powered by SanDisk

Administering other supported Encrypted USB devices

Assigning multiple policies to a managed node

Reporting

Installing the Encrypted USB software using ePolicy Orchestrator

ePolicy Orchestrator provides a scalable platform for centralized policy management and enforcement on your security products and systems on which they reside. It also allows you to deploy and manage Encrypted USB storage devices.

NOTE: The instructions refer to ePolicy Orchestrator 4.0 by default. To use this chapter effectively, you must be familiar with using ePolicy Orchestrator version 4.0 and 4.5.

Tasks

Checking in portable content packages in ePolicy Orchestrator

Configuring Server Settings

Installing Encrypted USB 1.2 extension

Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes

Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes

Checking in portable content packages in ePolicy Orchestrator

Use this task to check in the Encrypted USB 1.2 portable content package to the master repository.

Before you begin

Copy the DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip archives to a temporary folder of your ePolicy Orchestrator computer.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Software | Master Repository | Check In Package. The Check In Package wizard appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Software | Master Repository, then click Actions | Check In Package.

3 In the Package page, select the Package type as Product or Update (.ZIP) and browse in File path to locate DPEUPM501100.zip.

4 Click Next. The Package Options page appears with the package information.

5 Select Branch as Current, then click Save.

NOTE: Check in DPEUPS221100.zip and DPEUPM211100.zip by repeating the same steps. However, in step 3, browse for DPEUPS221100.zip or DPEUPM211100.zip as required.

Installing Encrypted USB 1.2 extension

You can install the Encrypted USB extension on the ePolicy Orchestrator 4.0 (patch 5 minimum) server using the Configuration tab.

Task

For option definitions, click ? in the interface.

1 Copy the EUC120LEN_IPEX.ZIP file to a temporary folder of your ePolicy Orchestrator computer.

2 Log on to the ePolicy Orchestrator server as an administrator.

3 Click Configuration | Extensions | Install Extension. The Install Extension dialog box appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Software | Extensions | Install Extension.

4 Click Browse to select the extension file EUC120LEN_IPEX.ZIP. Click Open, then click OK. The Install Extension page appears with the extension name and version details.

5 Click OK.

Configuring Server Settings

Various settings control how the ePolicy Orchestrator server behaves. You can change most settings at any time, but only global administrators can access the server settings.

Use this task to configure Server Settings for McAfee Encrypted USB.

Task

For option definitions, click ? in the interface.

1 Log on to ePolicy Orchestrator as an administrator.

2 Click Configuration | Server Settings, then select Encrypted USB Settings. The Server Settings for Encrypted USB is displayed on the right pane of the page.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Configuration | Server Settings.

3 Click Edit. The Edit Encrypted USB Settings page appears.

4 Select the device types you want to manage, then click Save.

Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes

Use this task to deploy Encrypted USB Client on managed nodes.

NOTE: The Encrypted USB Administrator package should be installed on client computers used only for administrator tasks along with physical access to the USB ports, because the administrator tasks often require the device to be physically present.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Client Tasks. Select the required system(s) on which you want to install Encrypted USB.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree | Client Tasks.

3 Click New Task. The Client Task Builder page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Task.

4 In Description, type a Name for the task, Notes (optional), select the Type as Product Deployment (McAfee Agent), then click Next.

5 In Configuration, select Windows as Target Platforms, Encrypted USB Client 1.2.0 as Products and components, Install as Action. Select the appropriate Language, then click Next.

6 Schedule the task to run immediately or as required, then click Next to view a summary of the task.

7 Click Save.

8 Send an agent wake-up call.

NOTE: To deploy Encrypted USB Administrator 1.2, repeat the same steps; however, in step 5, select Encrypted USB Administrator 1.2.0 as Products and components.

Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes

Use this task to uninstall Encrypted USB Client and Encrypted USB Administrator from managed nodes.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Client Tasks. Select the required system(s) from which you want to uninstall Encrypted USB Client.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree | Client Tasks.

3 Click New Task. The Client Task Builder page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Task.

4 In Description, type a Name for the task, Notes (optional), select the Type as Product Deployment (McAfee Agent), then click Next.

5 In Configuration, select Windows as Target Platforms, Encrypted USB Client 1.2.0 as Products and components, Remove as Action. Select the appropriate Language, then click Next.

6 Schedule the task to run immediately or as required, then click Next to view a summary of the task.

7 Click Save.

8 Send an agent wake-up call.

NOTE: To uninstall Encrypted USB Administrator 1.2, repeat the same steps; however, in step 5, select Encrypted USB Administrator 1.2.0 as Products and components.

Administering McAfee Encrypted USB - powered by SanDisk

Use these tasks to administer McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator.

Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator

Revoking a device

Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator

The ePolicy Orchestrator console allows the administrator to configure policies for the Encrypted USB devices from a central location. These policies vary based on the type of the device being used.

Encrypted USB supports five policy categories:

Device Initialization Policy

Device Authentication policy

Device Backup Policy

Device Revocation List

Foreign Device Policy

Device Initialization Policy

Device Initialization Policy enables you to specify a public partition on the device, its size (in MB), read-only partition size (in MB), and a device management code.

NOTE: The Device Initialization Policy for McAfee Encrypted USB - powered by SanDisk is set by default and cannot be modified. The default size of read-only partition is set to 38.1 MB. A device is initialized when it is updated.

Device Authentication policy

Device Authentication Policy allows you to set the password policy for accessing the private partition of the USB device.

NOTE: Both initialization and authentication policies must be set for a device to be initialized.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Authentication Policy.

4 Click New Policy. In Create a new policy dialog box, select the device from the drop-down, type a name for the policy, then click OK. The following screen appears.

NOTE: This screen varies depending on the Server Settings configured.

5 Select the device type as McAfee Encrypted USB - Powered by SanDisk.

6 By default, authentication mode is set as Password only. This enables you to authenticate to a device using a password only.

7 In Password Policy, set the following parameters:

Parameter: Password Retry Limit

Description: Type the maximum number of times you can try authenticating the device using a wrong password, after which the device will be blocked. Select Infinite a maximum number of 10 password retries. This parameter is set to 10 by default.

Parameter: Minimum Password Length

Description: Type the minimum number of characters the password must have (between 4 and 16 characters).

Parameter: Maximum Lifetime (Days)

Description: Type the maximum number of days to define the validity of a password. Select Infinite for the password to remain valid for 65535 days. This parameter is set to 65535 by default.

NOTE: Regular password updates decrease the risk of the correct password being stolen or guessed.

8 Recovery Policy is set to Help Desk / Challenge Response by default.

Help desk operators can assist the device user by securely resetting the authentication mechanism of their device. This can be done over the phone or through email, and does not require access to the device or even network connectivity.

9 Click Save.

10 Send an agent wakeup call.
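
The Password Policy parameters in step 7 interact: the retry limit only protects the device if the shortest allowed password is hard to guess within that many attempts. The following is an added example, not part of the McAfee guide or product, that audits a proposed policy against the ranges and defaults stated above; the field names, the digits-only alphabet and the review thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Values stated in the guide.
MIN_LENGTH_RANGE = (4, 16)       # Minimum Password Length: between 4 and 16 characters
DEFAULT_RETRY_LIMIT = 10         # Password Retry Limit default
INFINITE_LIFETIME_DAYS = 65535   # "Infinite" lifetime, which is also the default

# Assumptions made for this example (not from the guide).
ASSUMED_ALPHABET_SIZE = 10       # worst case: users pick digits only
MAX_GUESS_PROBABILITY = 1e-6     # tolerated odds of a correct guess before the device blocks
MAX_REVIEW_LIFETIME_DAYS = 365   # longest rotation interval accepted without review

Finding = Tuple[str, str, str]   # (severity, parameter, message)


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical container for the three Password Policy fields."""
    min_length: int
    retry_limit: int = DEFAULT_RETRY_LIMIT
    max_lifetime_days: int = INFINITE_LIFETIME_DAYS


def guess_probability(policy: PasswordPolicy,
                      alphabet_size: int = ASSUMED_ALPHABET_SIZE) -> float:
    """Chance that distinct blind guesses hit the shortest allowed password
    before the retry limit blocks the device."""
    keyspace = alphabet_size ** policy.min_length
    return min(1.0, policy.retry_limit / keyspace)


def audit(policy: PasswordPolicy) -> List[Finding]:
    """Return findings for a proposed policy; an empty list means no findings."""
    findings: List[Finding] = []
    low, high = MIN_LENGTH_RANGE
    if not low <= policy.min_length <= high:
        findings.append(("INVALID", "Minimum Password Length",
                         f"{policy.min_length} is outside {low}-{high}"))
    if policy.retry_limit < 1:
        findings.append(("INVALID", "Password Retry Limit",
                         "must allow at least one attempt"))
    if not 1 <= policy.max_lifetime_days <= INFINITE_LIFETIME_DAYS:
        findings.append(("INVALID", "Maximum Lifetime (Days)",
                         f"must be between 1 and {INFINITE_LIFETIME_DAYS}"))
    if findings:
        return findings  # do not grade the strength of an invalid policy

    probability = guess_probability(policy)
    if probability > MAX_GUESS_PROBABILITY:
        findings.append(("WEAK", "Minimum Password Length",
                         f"guess succeeds with probability {probability:.1e} "
                         f"within {policy.retry_limit} retries"))
    if policy.max_lifetime_days == INFINITE_LIFETIME_DAYS:
        findings.append(("WEAK", "Maximum Lifetime (Days)",
                         "Infinite: a stolen or guessed password stays valid"))
    elif policy.max_lifetime_days > MAX_REVIEW_LIFETIME_DAYS:
        findings.append(("REVIEW", "Maximum Lifetime (Days)",
                         f"{policy.max_lifetime_days} days exceeds the assumed "
                         f"{MAX_REVIEW_LIFETIME_DAYS}-day rotation interval"))
    return findings


if __name__ == "__main__":
    # Constructed sample policies: shortest length with the stated defaults,
    # then a tightened variant.
    for candidate in (PasswordPolicy(min_length=4),
                      PasswordPolicy(min_length=8, max_lifetime_days=90)):
        print(candidate, audit(candidate) or "no findings")
```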

Device Backup Policy

Device Backup Policy allows you to create automatic backups of the device content on the client computer or shared location. Automatic backups are created only if the device is unlocked and if the user logged on is the device owner. The backup feature provides protection against data loss.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Backup Policy.

4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.

NOTE:

• If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

• The McAfee Default policy is read-only and cannot be edited, renamed, or deleted.

5 Type a new policy name, then click OK. The following page appears.


NOTE: This screen varies depending on the Server Settings configured.

6 Select one of the following Backup Type options:

• None if you do not want to create a backup of the device content on your client computer.

• Always on if you want the software to create a backup on your client computer automatically on authenticating the device.

NOTE: Automatic backup is supported only on the system on which the device was initialized and personalized.

7 In Backup Path, specify the path of your client computer where you want the backup file to be stored, then click Save.

8 Send an agent wakeup call.

Device Revocation List

Device revocation allows an administrator to block the usage of a device in case of a security emergency. Later, the device can be reinstated, if required.

NOTE: A device can be revoked only when the device is inserted in a managed node.

Device Revocation List allows you to revoke devices from the ePolicy Orchestrator server based on the device serial number. It applies to groups or a single computer in ePolicy Orchestrator.

A device revoked event is sent if a device is revoked successfully.

1 Log on to the ePolicy Orchestrator server as an administrator.


2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Revocation List.

4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Type a new policy name, then click OK. The Device Revocation List page appears.

6 Click Revoke new Device, select the serial number of the device(s) to be revoked, then click OK.

7 Send an agent wakeup call.

NOTE:

To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices to be reinstated, click Reinstate, then click OK.

Foreign Device Policy

An unmanaged USB device or a USB device managed by a different ePolicy Orchestrator server is referred to as a foreign device.

Foreign Device Policy allows you to grant and restrict access to foreign devices.

1 Log on to the ePolicy Orchestrator server as an administrator.


2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Foreign Device Policy.

4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Type a new policy name, then click OK.

NOTE: This screen varies depending on the Server Settings configured.

6 Select whether to allow or block managed foreign devices, then click Save.

7 Send an agent wakeup call.

Recycling a device

Recycling formats a device and returns it to a default state by deleting the user accounts and all user data on that device. To reuse the recycled device, the administrator must re-personalize it.

Before you begin

Download the Device Recycle Utility along with the product from the McAfee download site.


Task

1 Run recycle.exe. The Device Recycling Utility window appears.

2 Click Recycle. A warning pop-up appears asking you to confirm device recycle.

3 Click Yes. The Admin Authentication window appears.

4 Type the ePolicy Orchestrator server (by which the device is managed) IP address or name, user name, and password, then click Login. After the device is recycled, a recycle successful pop-up appears.

5 Re-insert the device and personalize to use the device.

Revoking a device

To revoke a device, click Systems | Encrypted USB Devices, select the devices to be revoked, then click Revoke | OK.

NOTE:

• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.

• The device cannot be used until it is reinstated.

To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices to be reinstated, click Reinstate, then click OK. Once the device is reinstated, it can be used normally.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.

Administering other supported Encrypted USB devices

Use these tasks to administer McAfee Encrypted USB devices using ePolicy Orchestrator.

Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator

Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1

Upgrading Encrypted USB client with anti-virus portable content packages

Revoking a device

Recycling a device

Recovering data from the device

Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator

The ePolicy Orchestrator console allows the administrator to configure policies for the Encrypted USB devices from a central location. These policies vary based on the type of the device being used.

Encrypted USB has six policy categories:

Device Initialization Policy

Device Authentication policy

Device Backup Policy

Device Revocation List

Foreign Device Policy

General Settings Policy

Device Initialization Policy

Device Initialization Policy enables you to specify a public partition on the device, its size (in MB), read-only partition size (in MB), and a device management code. Based on these parameters, you can initialize your device depending on the device capability. The read-only partition of the device contains the portable client software and antivirus scanner.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Initialization Policy.

4 Click New Policy. In Create a new policy dialog box, select the device from the drop-down list, type a name for the policy, then click OK. The following page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Select the device type from the drop-down list.

6 Select the option Allow Public Partition (optional). If you select this option, specify a size for the public partition (in MB). Default value is 32 MB.

NOTE: Public partition of the device can allow unencrypted data storage. Any user will be able to read and write data in this partition.

We recommend that you disable the public partition and use the private partition (encrypted and authenticated), which automatically uses all remaining space on the device.

7 Specify the Read-only partition size. Default value is 200 MB, default volume name is READONLY.

NOTE:

• Read-only partition reflects the data size (that includes portable client software and antivirus scanner) and not the size of the total space available.

• If the size of the read-only partition is less than the minimum size required, the size of the read-only partition is set to a value higher than default size (200 MB).

8 Type the device management code, then click Save.

NOTE: Device management code is used to erase the device content and its user accounts when it cannot be accessed by the device user or the administrator. Device management code should not be shared with the device users.

9 Send an agent wake-up call.

NOTE: McAfee Standard Driverless Encrypted USB initialization policies cannot be edited.

Device Authentication policy

Authentication is the process of unlocking an Encrypted USB device. Encrypted USB supports different forms of authentication, including password, biometric, and CAC or PIV card with different strengths. These authentication methods can be combined to offer higher security.

Device Authentication Policy allows you to set the authentication mode and recovery policy for a device. You can assign multiple policies to managed nodes in the network for a single device type.

NOTE: Both initialization and authentication policies must be set for a device to be initialized.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Authentication Policy.

4 Click New Policy. In Create a new policy dialog box, select the device from the drop-down list, type a name for the policy, then click OK. The following page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Select the device type from the drop-down list.

6 Select the appropriate mode of authentication from the following options:

• Password or Biometric — Default option for all biometric devices. It allows you to authenticate the device using a password or biometric (finger enrollment).

• Password and Biometric — A two-factor security option that allows you to authenticate the device using both the password and biometric.

• Password only — Default option for all non-biometric devices, which enables you to authenticate the device using a password only.

• Biometric only — An option that allows you to authenticate the device using biometric only.

• CAC/PIV+PIN only — An option that allows you to authenticate the device using a CAC or a PIV card and a security PIN.

• CAC/PIV+PIN and Biometric — An option that allows you to authenticate the device using both a PIN enabled card (CAC or PIV) and Biometric.

7 In Password Policy, set the following parameters:

Each parameter is listed with its default value and description:

• Password Retry Limit (default value: 256): Type the maximum number of times you can try authenticating the device using a wrong password, after which the device will be blocked. Select Infinite for a maximum number of 256 password retries.

NOTE: If the retry limit exceeds the maximum password retries, the device will be blocked. The device will be in Data Recovery or Data Destruction state.

• Minimum Password Length (default value: 6): Type the minimum number of characters the password must have (between 4 and 40 characters).

• Minimum Special Characters (default value: 0): Type the minimum number of special characters the password must have for a stronger password. This includes ~ ' ! @ # $ % ^ * ( ) _ - + = { } [ ] | \ : ' " , . / ? & ; < >

• Minimum Numeric Characters (default value: 0): Type the minimum number of numerals the password must have (0-9) for a stronger password.

• Minimum Alphabetical Characters (default value: 0): Type the minimum number of alphabetic characters the password must have (a-z, A-Z) for a stronger password.

• Minimum Uppercase Characters (default value: 0): Type the minimum number of uppercase alphabetic characters the password must have (A-Z) for a stronger password.

• Minimum Lowercase Characters (default value: 0): Type the minimum number of lowercase alphabetic characters the password must have (a-z).

• Password Re-use Threshold (default value: 0): This option prevents users from reusing old passwords too often at password change intervals, thus increasing the security of the device. Type the minimum number of unique passwords that must be set before a password can be reused.

• Minimum Lifetime (Minutes) (default value: 0): Type the minimum number of minutes you must wait before modifying a recently changed password. This prevents users from changing passwords quickly.

• Maximum Lifetime (Days) (default value: 65535): Type the maximum number of days to define the validity of a password. Select Infinite for the password to remain valid for 65535 days.

NOTE: Regular password updates decrease the risk of the correct password being stolen or guessed.

8 In Biometric Policy, select the following:

• Number of Fingers — Select the number of fingers you want to register (maximum up to 6 fingers) during personalization. You can log on to the device using any of the registered fingers.

• Biometric Security Level — Select the desired level from the drop-down list. Biometric Security Level is expressed as a False Match Rate (FMR) probability (such as "1 in 4,500"). FMR is the probability that two different fingers are incorrectly matched. A high FMR means higher security because the device requires a closer match between two fingerprints. Therefore, "1 in 4,500" is more secure than "1 in 2,700". However, for a small number of users it may be difficult to verify their fingerprint at higher levels.

• Biometric Retry limit — Type the maximum number of mismatched finger swipes allowed, after which the device will be blocked. The device will be in Data Recovery or Data Destruction state. Select Infinite for a maximum number of 256 retries.

NOTE: A larger number of retries is required for biometric authentication because an improper swipe will be registered as a failed attempt. Thus the device user may have to attempt verification two or more times before access is granted.

9 In Recovery Policy you can specify what happens when a user reaches an authentication failure limit (that is, password retry limit or biometric retry limit) and when a device is blocked. Select either of these:

• Recovery — Select these options as required to recover the data on the device after the user has been locked:

• User Self-Rescue — Allows device user to rescue data by re-personalizing a device with new credentials. The device user will be prompted to type a new password, enroll biometric, or bind with their CAC/PIV card, as appropriate.

• Help Desk/Challenge Response — Help desk operators can assist the device user by securely resetting the authentication mechanism of their device. This can be done over the phone or through email, and does not require access to the device or even network connectivity.

• Data Recovery — Encrypted data can be recovered without user intervention (in cases where there may be security audits or when a user has left the organization). This task can be initiated only by an administrator.

• Data Destruction — If you select this option, it is not possible to rescue the device or recover data from the device. All logged on user data is immediately destroyed when the device is locked.

NOTE: This option offers high security, but may be inconvenient if particular users regularly have trouble authenticating the device.

10 Click Save.

11 Send an agent wake-up call.

NOTE: The device must be re-personalized whenever Device Authentication policy is changed. Refer to the Setting up the Encrypted USB device section for instructions on personalizing the device.

Refer to the Assigning multiple policies to a managed node section for assigning multiple initialization and authentication policies for different device types to a single managed node.
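The following Python sketch is an added example, not McAfee code and not part of the original guide. It models the Password Policy parameters from step 7 and estimates how Biometric Security Level, Number of Fingers and Biometric Retry limit from step 8 combine. All class and function names are hypothetical, and the biometric estimate assumes every swipe is an independent comparison against each enrolled finger.

```python
import string
from dataclasses import dataclass

# Special characters as printed in the guide's Minimum Special Characters entry.
SPECIALS = set("~'!@#$%^*()_-+={}[]|\\:\",./?&;<>")

# (policy field, character class, parameter name as shown in the guide)
CLASS_RULES = (
    ("min_special", SPECIALS, "Minimum Special Characters"),
    ("min_numeric", set(string.digits), "Minimum Numeric Characters"),
    ("min_alpha", set(string.ascii_letters), "Minimum Alphabetical Characters"),
    ("min_upper", set(string.ascii_uppercase), "Minimum Uppercase Characters"),
    ("min_lower", set(string.ascii_lowercase), "Minimum Lowercase Characters"),
)


@dataclass
class PasswordPolicy:
    """Hypothetical model of the Password Policy, initialised to the guide's defaults."""
    retry_limit: int = 256
    min_length: int = 6
    min_special: int = 0
    min_numeric: int = 0
    min_alpha: int = 0
    min_upper: int = 0
    min_lower: int = 0
    reuse_threshold: int = 0

    def __post_init__(self):
        # Ranges taken from the guide: length setting 4-40, at most 256 retries.
        if not 4 <= self.min_length <= 40:
            raise ValueError("Minimum Password Length must be between 4 and 40")
        if not 1 <= self.retry_limit <= 256:
            raise ValueError("Password Retry Limit must be between 1 and 256")


def password_violations(policy, candidate, previous=()):
    """Return the names of the policy parameters that `candidate` fails.

    `previous` holds the user's earlier passwords, oldest first. Plaintext is
    compared here only to keep the sketch short (assumption of this example).
    """
    broken = []
    if len(candidate) < policy.min_length:
        broken.append("Minimum Password Length")
    for field, charset, label in CLASS_RULES:
        if sum(ch in charset for ch in candidate) < getattr(policy, field):
            broken.append(label)
    # Re-use Threshold N: the last N passwords may not be set again.
    recent = list(previous)[-policy.reuse_threshold:] if policy.reuse_threshold else []
    if candidate in recent:
        broken.append("Password Re-use Threshold")
    return broken


def impostor_acceptance(fmr_one_in, fingers, retry_limit):
    """Probability of at least one false match before the device blocks.

    fmr_one_in  -- Biometric Security Level denominator (4500 for "1 in 4,500")
    fingers     -- enrolled fingers (the guide allows up to 6)
    retry_limit -- Biometric Retry limit (the guide allows up to 256)
    """
    if fmr_one_in <= 1 or not 1 <= fingers <= 6 or not 1 <= retry_limit <= 256:
        raise ValueError("parameter outside the ranges given in the guide")
    comparisons = fingers * retry_limit
    return 1.0 - (1.0 - 1.0 / fmr_one_in) ** comparisons


if __name__ == "__main__":
    default = PasswordPolicy()
    hardened = PasswordPolicy(retry_limit=10, min_length=12, min_special=1,
                              min_numeric=1, min_upper=1, min_lower=1,
                              reuse_threshold=3)
    for pw in ("abcdef", "Tr4vel-Drive#2009"):  # constructed sample passwords
        print(pw, "| default:", password_violations(default, pw),
              "| hardened:", password_violations(hardened, pw))
    for level, fingers, retries in ((2700, 1, 256), (4500, 1, 256),
                                    (4500, 6, 256), (4500, 1, 10)):
        p = impostor_acceptance(level, fingers, retries)
        print(f"1 in {level}, {fingers} finger(s), {retries} retries -> {p:.2%}")
```

With the default policy any six-character string is accepted, and at 256 retries the "1 in 4,500" level still leaves roughly a 5.5% chance of a false match under the stated independence assumption.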

Device Backup Policy

Device Backup Policy allows you to create backups of a user's device content on the client computer or shared location. Automatic backups are created only if the device is unlocked and if the user logged on is the device owner. The backup feature provides protection against data loss.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Backup Policy.

4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.

NOTE:

• If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

• The McAfee Default policy is read-only and cannot be edited, renamed, or deleted.

5 Type a new policy name, then click OK. The following page appears.

6 Select one of the following Backup Type options:

• None if you do not want to back up the device content on your client computer.

• Always on if you want to create a backup on your client computer automatically on authenticating the device.

NOTE: Automatic backup is supported only on the system on which the device was initialized and personalized.

• User On-demand if you want the user to initiate the backup process when required.

7 In Backup Path, specify the path to store the device content when taking a scheduled backup, then click Save.

NOTE: We recommend that you do not save the backups on a shared network because backups are not encrypted.

8 Send an agent wake-up call.

Device Revocation List

Device revocation allows an administrator to block the usage of a device in case of a security emergency. Later, the device can be reinstated, if required. The device can also be revoked and wiped, automatically erasing all logged on user data.

NOTE: A device can be revoked only when the device is inserted in a managed node.

Device Revocation List allows you to revoke devices from the ePolicy Orchestrator server based on the device serial number. It applies to groups or a single computer in ePolicy Orchestrator.

A device revoked event is sent if a device is revoked successfully.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Revocation List.

4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Type a new policy name, then click OK. The Device Revocation List page appears.

6 Click Revoke new Device, then select the serial number of the device(s) to be revoked.

NOTE: The device cannot be revoked in malware-proof mode.

7 Select Revoke & Wipe if you want to erase the contents of the device and revoke it, then click OK.

8 Send an agent wake-up call.

NOTE: To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices to be reinstated, click Reinstate, then click OK.

Foreign Device Policy

An unmanaged USB device or a USB device managed by a different ePolicy Orchestrator server is referred to as a foreign device.

Foreign Device Policy allows you to grant and restrict access to foreign devices.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Foreign Device Policy.

4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My Default as the policy type.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Type a new policy name, then click OK. The following page appears.

6 On the Foreign Device policy page, select these options as required:

• Allow Managed Foreign Devices — Allows the use of devices managed by a different ePolicy Orchestrator server.

• Allow Other (Unmanaged) Foreign Devices — Allows the use of standalone or unmanaged foreign devices.

NOTE: This generates events in ePolicy Orchestrator when the device is used in the managed network.

• Restrict device use to managed systems — Restricts the use of USB devices to the network managed by the specified ePolicy Orchestrator server(s).

• Add — Adds ePolicy Orchestrator server(s) which are allowed to manage the device other than the ePolicy Orchestrator server network on which it was initialized.

• Remove — Removes ePolicy Orchestrator server(s) to restrict the use of device on the nodes managed by the selected ePolicy Orchestrator server.

NOTE:

• The ePolicy Orchestrator server added should have Encrypted USB client installed with Device Initialization and Device Authentication policies enforced on the managed nodes.

• If no ePolicy Orchestrator servers are added, the device can be used only in the network in which it was initialized.

7 Click Save.

8 Send an agent wake-up call.

General Settings Policy

Use this task to configure anti-virus settings on managed Encrypted USB clients.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Click Systems | Policy Catalog. The Policy Catalog page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as General Settings Policy.

4 Click New Policy. In Create a new policy dialog box, select the device from the drop-down, type a name for the policy, then click OK. The following page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Select Enable AntiVirus where available to enable the anti-virus scanner on devices which have Encrypted USB Antivirus installed.

6 Add or remove addresses of signature update sites for the anti-virus scanner as required, then click Save. The default update site is http://update.nai.com. McAfee Encrypted USB Antivirus uses these sites to update its virus definitions.

NOTE:

• Enable the use of proxy server on Control Panel | Internet Options | Connections | LAN Settings to connect to the update sites.

• If update fails using any of the added sites, the DAT files are updated from the default update site.

7 Send an agent wake-up call.

Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1

Use this task to upgrade from Encrypted USB 1.0 or Encrypted USB 1.1. It is recommended to upgrade only the Encrypted USB client package as there are no changes to the Encrypted USB Administrator package after Encrypted USB 1.0.

Before you begin

• Back up any important data in the device to a temporary location to avoid data loss and recycle the device. Refer to McAfee Encrypted USB 1.0 User Guide for instructions.

• Export the Encrypted USB policies to a temporary location in the required format. Refer to ePolicy Orchestrator product documentation for instructions.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server as an administrator.

2 Copy the EUC120LEN_IPEX.ZIP file to a temporary folder of your ePolicy Orchestrator computer, then install the extension. This upgrades the ePolicy Orchestrator extension to 1.2. Refer to the Installing Encrypted USB 1.2 extension section for instructions.

3 Copy the DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip archives to a temporary folder of your ePolicy Orchestrator computer, then check in the portable content packages to the software repository. Refer to the Checking in portable content packages in ePolicy Orchestrator section for instructions.

4 Deploy Encrypted USB Client or Administrator as required on the managed nodes. Refer to the Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes section for instructions.

5 Configure the Encrypted USB 1.2 policies, initialize and personalize the device, then restore the data.

NOTE: The device can be initialized and personalized after the policies have been enforced on the managed node.

Refer to Setting up policies using ePolicy Orchestrator and Setting up the Encrypted USB device sections for instructions.

Upgrading Encrypted USB client with anti-virus portable content packages

Use this task to upgrade the Encrypted USB client with the anti-virus portable content packages.

Task

For option definitions, click ? in the interface.

1 Back up the device content to a temporary location and recycle the device. Refer to Managing backup and Recycling a device sections for instructions.

2 Log on to the ePolicy Orchestrator server as an administrator.

3 Copy the portable content packages with anti-virus (DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip) to a temporary folder of your ePolicy Orchestrator computer.

4 Check in the portable content packages to ePolicy Orchestrator software repository.

NOTE: Refer to the Checking in portable content packages in ePolicy Orchestrator section for instructions on checking in the portable content packages to ePolicy Orchestrator software repository.

5 Configure and enforce the Device Initialization and Device Authentication policies on the required managed systems in the network. Refer to Device Initialization policy and Device Authentication policy for instructions on configuring the Device Initialization and Device Authentication policies.

6 Initialize and personalize the device on the managed system.

7 Click , then select Manage Antivirus Scanner to manage McAfee Encrypted USB Antivirus.

Revoking a device

To revoke a device, click Systems | Encrypted USB Devices, select the devices to be revoked, then click Revoke | OK.

NOTE:

• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.

• The device cannot be used until it is reinstated.

Alternatively, to revoke a device and erase its contents, click Systems | Encrypted USB Devices, select the devices to be revoked, click Revoke & Wipe, then click OK.

NOTE:

• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.

• This option deletes all logged on user data permanently.

To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices to be reinstated, click Reinstate, then click OK. Once the device is reinstated, it can be used normally.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.

Recycling a device

Recycling formats a device and returns it to a default state by deleting the user accounts and all user data on that device. To reuse the recycled device, the administrator must re-personalize it.

PREREQUISITE

To recycle a device, the Encrypted USB Administrator package must be installed on the client computer.

Task

1 Insert the Encrypted USB device to the USB interface socket.

2 Click Start | Programs | McAfee | Encrypted USB Administrator | Data Recovery. The McAfee Encrypted USB Administrator dialog box appears.

3 Click Recycle. A warning dialog box appears.

4 Click Yes. The McAfee ePO Server - Login dialog box appears.

5 Enter the user and server information, then click OK. The McAfee Encrypted USB Administrator dialog box appears.

NOTE:

• If Device State is Open, the device is recycled.

• You can recycle a driverless device on Encrypted USB Client by clicking Recycle Device.

Recovering data from the device

Encrypted data may need to be recovered for security audits or due to employee contract termination. You can recover data on a device that belongs to a device user without the user being present. Once data is recovered from a device, the device has to be personalized again. The private partition becomes accessible and a password is generated.

Prerequisite

To recover data from a device, the ePolicy Orchestrator administrators must install the Encrypted USB Administrator package.

Additionally, the Encrypted USB client must be installed on the computer where you insert the device to recover data. The device policy must be configured to allow data recovery, or the following warning appears.

To recover data

1 Click Start | Programs | McAfee | Encrypted USB Administrator | Data Recovery. The McAfee Encrypted USB Administrator dialog box appears.

2 Click Recover. The following warning appears.

3 Click Yes. The McAfee ePO Server - Login dialog box appears.

4 Enter the user and server information, then click OK. The device state is unlocked and a new password is provided.

5 Log on to the device using the new password.

NOTE: The new password generated will be used as default authentication on any system in the managed network. This password cannot be used as default authentication on the system on which device was initialized.

Assigning multiple policies to a managed node

Use this task to assign multiple initialization and authentication policies for different device types to a single managed node.

Task

For option definitions, click ? in the interface.

1 Click Systems | System Tree | Systems, then select the desired group under System Tree. All the systems within this group (but not its subgroups) appear in the details pane.

NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree | Systems.

2 Select the desired system, then click Modify Policies on a Single System. The Policy Assignment page for that system appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | Agent | Modify Policies on a Single System.

3 Select Product as Encrypted USB Client 1.2.0. The categories of Encrypted USB Client 1.2.0 are listed with the system’s assigned policy.

4 Locate the desired Initialization or Authentication policy, then click Edit Assignments.

5 Click New Policy Instance, then edit the policy settings as required.

6 Click Save.

7 Send an agent wake-up call.

Reporting

Reports are pre-defined queries which query the ePolicy Orchestrator database and generate a graphical output. You can create, edit and manage queries through ePolicy Orchestrator 4.0 and 4.5.

You can query the following default Encrypted USB reports and run them to see a graphical display:

• All Encrypted USB devices sorted by their state of management (such as managed native,managed imported, foreign unmanaged and so on).

• All Encrypted USB devices sorted by the type of the devices.

• All blocked devices to which you cannot logon using password and/or swiping finger(s).

• All devices that are not initialized.

• All devices that are not personalized.

• All devices that are revoked from the ePolicy Orchestrator server.

NOTE: For instructions on creating, editing or deleting queries, see ePolicy Orchestrator 4.0 Product Guide and ePolicy Orchestrator 4.5 Product Guide.

Using the Encrypted USB device

This chapter provides information on:

Lifecycle of the device

Using the Encrypted USB - powered by SanDisk Portable Client

Using other supported Encrypted USB Portable Client

Troubleshooting

Lifecycle of the device

Device initialization is the first phase of deploying McAfee Encrypted USB. During this process, the portable software package is installed on the read-only partition and the private and public partitions are created.

Personalization is the next phase that includes setting a new password, enrolling fingers or both, depending on the type of the USB device, or using a CAC or PIV authentication card (for all devices).

Usage is the next phase where the device is in use for various functions, such as unlocking the device, updating finger enrollments or passwords, and so on.

Tasks

Setting up the Encrypted USB - powered by SanDisk device

Setting up other supported Encrypted USB device

Setting up the Encrypted USB - powered by SanDisk device

Use these tasks to initialize and personalize the Encrypted USB device.

Tasks

1 Insert the new Encrypted USB device to the USB port. The End User License Agreement window appears.

2 Accept the license agreement, then click Next. The installer detects the connected USB devices. Once the device is detected, the Format Warning window appears.

3 Click Format. When the device is formatted, the update successful window appears.

4 Select Launch, then click Next to personalize the USB device.

5 On the Select Language window, select the appropriate language, then click Next.

6 On the License Agreement window, accept the license agreement, then click Next.

7 On the Password window, type and verify the password for accessing the private partition of the USB device, then click Next.

In Hint enter a reminder that will help you to recover your password.

8 On the Contact Information window, enter your contact details, then click Finish.

NOTE: The personalized device appears on the ePolicy Orchestrator server in Systems | Encrypted USB Devices along with its serial number, name, user ID, status, and the client to which it is/was connected at a particular time. Click Options | Choose Columns, then click the desired options in Available Columns to add to the existing columns.

Setting up other supported Encrypted USB device

Before you begin

Install Encrypted USB client and enforce Device Initialization and Device Authentication policies on the client system before initializing and personalizing the device.

Task

1 Insert the new Encrypted USB device to the USB port. A dialog box appears stating that your device is being initialized.

Once the initialization process completes, the following dialog box appears prompting you to continue with personalizing the device.

NOTE: Reinsert the device if personalization does not start.

2 Click Next. One of the following screens appears depending on the Device Type and the Authentication Mode set in the Device Authentication policy.

• In case of non-biometric device (or a biometric device where the policy allows you to authenticate to the device using only a password), the Set Password screen appears. Type and verify the password.

• In case you selected CAC/PIV+PIN only or CAC/PIV+PIN and Biometric as Authentication Mode in the Device Authentication policy, the CAC Authentication screen appears. Type the security PIN for your CAC card. Select Use malware-proof mode (read-only) to use the device in read-only mode.

3 Click Next. In case of a biometric device, the Biometric Enrollment screen appears.

4 Select a finger to enroll by clicking on the image, then click Next. The Enroll Biometric screen appears.

5 Swipe your finger across the device sensor three times, then click Next. The Self Personalization dialog box appears.

6 Click Next. The Biometric Authentication screen appears.

You can either swipe your finger across the device sensor or click Authenticate using Password.

NOTE: This screen varies if the device authentication policy is set to Biometric only or CAC/PIV+PIN and Biometric.

7 Swipe your finger across the sensor to log on to the device.

8 If you click Authenticate using Password, the Password Authentication screen appears.

9 Type your password, then click Next to log on to the device.

NOTE: The personalized device appears on the ePolicy Orchestrator server in Systems | Encrypted USB Devices along with its serial number, name, user ID, status, and the client to which it is/was connected at a particular time. Click Options | Choose Columns, then click the desired options in Available Columns to add to the existing columns.

Using the Encrypted USB - powered by SanDisk Portable Client

Encrypted USB Client provides a high-level interface that allows Encrypted USB to integrate with the ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5 and McAfee Agent 3.6 (patch 3 minimum) or above.

Encrypted USB Client prompts you to initialize and personalize a device each time you plug a new device into the USB interface socket. It also checks for changes in the Device Authentication policy each time the device is inserted and updates the device accordingly. Any change in the Device Authentication policy requires the device to be re-personalized.

Tasks

Logging on to the device

Disconnecting the device

Managing McAfee anti-virus scanner

McAfee Encrypted USB settings

Formatting McAfee Encrypted USB

Restoring data

Rescuing the device through Help Desk

Logging on to the device

Once the device is initialized and personalized, you can use the McAfee Encrypted USB device any time. You are prompted to type your password to access the private partition of the USB device.

1 Insert the USB device into an available USB port. The login window appears.

2 Type your password, then click Login.

3 Click the icon, then select the required option to use the device.

Disconnecting the device

1 Click the icon on the system tray, then select Shut down McAfee Encrypted USB. A confirmation dialog box appears.

2 Click OK and disconnect the device from the USB port.

Managing McAfee anti-virus scanner

McAfee Encrypted USB Antivirus protects the private partition of the device from malware. It detects and deletes virus or other harmful or unwanted code in the private partition of the device. Each time a file is copied to the device, it scans the file and intercepts or cleans the infected file. It supports both on-access and on-demand scans. In addition it scans the host for active malware when you log in and shuts down the drive to prevent infection.

Antivirus scanner depends on the information in the detection definition (DAT) files to identify and take action on threats. New threats appear on a regular basis. To meet this challenge, McAfee releases new DAT files every day, incorporating the results of its ongoing research.

McAfee Encrypted USB Antivirus scanner updates the detection definition (DAT) files from the configured update site. The default update site is http://update.nai.com. You can also initiate scans to inspect the drive with newly updated virus signatures.

Click the icon on your taskbar, then select Scanner | Console. The McAfee Encrypted USB anti-virus Scanner appears.

Option: Definition

Statistics: Displays the anti-virus scan statistics, which include the last scan date and time, number of files and processes scanned, and files deleted to avoid infection.

• Log — Opens the anti-virus scanner log file.

Version: Displays the last update date and time, scan engine, DAT, and scanner versions.

Actions:

• Check Updates — Checks for detection definition updates from the McAfee download website.

• Start Drive Scan — Starts an on-demand scan of the USB device for potential threats.

Settings:

• Scan host memory on log in — Scans the processes running on the host system automatically for threats when the device is inserted.

• Scan file when saved or copied to Drive — Scans the file and intercepts or cleans the infected file each time a file is copied to the device.

• Show messages — Shows scan details in a pop-up window.

McAfee Encrypted USB settings

Use this task to modify the McAfee Encrypted USB password, contact information, or language.

Task

1 Click the icon on the system tray, then select McAfee Encrypted USB Settings. The McAfee Encrypted USB Settings page appears.

2 Select the settings tab you want to modify.

3 Enter appropriate information, then click OK.

Formatting McAfee Encrypted USB

Use this task to format the USB device. Formatting erases all data on the device. Back up your files before formatting the device.

Task

1 Click the icon on the system tray, then select Format McAfee Encrypted USB. The Format McAfee Encrypted USB window appears with a warning.

2 Click OK.

Restoring data

Use this task to restore the user's backed-up device content from the managed system.

Before you begin

Back up the device content by shutting down and re-inserting the device in the managed system.

Task

1 Click the icon on the system tray, then select Restore | Launch.

2 Browse to select the data to be restored, then click Next. A pop-up window appears asking you to shut down and re-insert the device.

3 Click OK, then remove and re-insert the device. A warning message is displayed asking you to back up any important device content before restoring.

4 Click OK. The selected backup data is scanned and restored to the device.

Rescuing the device through Help Desk

The Help Desk Device Rescue option allows you to rescue your blocked device with the assistance of an ePO administrator.

1 On the Login screen, click Forgot Password. The new password page appears.

2 Type and verify the new password and click Administrator Login.

The ePO administrator searches for the device serial number in the device list. Once the device is found, the ePO administrator selects the desired recovery action, which generates a One-Time Password. This One-Time Password is given to the user.

3 Type the One-Time Password without spaces on the Administrator Login page, then click Next. A pop-up window appears with a response code.

NOTE:

• Typing the wrong authorization code twice will deactivate the device.

• Provide the response code to the ePO administrator.

The device user will now be able to log on to the device using the new password.

Using other supported Encrypted USB Portable Client

Encrypted USB Client provides a high-level interface that allows Encrypted USB to integrate with the ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5 and McAfee Agent 3.6 (patch 3 minimum) or above.

Encrypted USB Client prompts you to initialize and personalize a device each time you plug a new device into the USB interface socket. It also checks for changes in the Device Authentication policy each time the device is inserted and updates the device accordingly. Any change in the Device Authentication policy requires the device to be re-personalized.

Tasks

LED states

Security options in the device

Logging on to the device

Viewing hardware and software information

Managing authentication methods

Managing backup

Managing the Antivirus Scanner

Self rescuing the device

Rescuing the device through Help Desk

LED states

All McAfee Encrypted USB 1.2 devices use one or more Light Emitting Diodes (LEDs) that indicate the state of the device.

NOTE: The USB LED flashes approximately every second.

State: Description

Green: Device is ON for use with or without authentication.

Green (flashing): Device is ON, waiting to verify fingerprint (if the device requires biometric authentication) and the user to log on.

Green (delayed flash): Device is ON and idle, waiting to verify fingerprint (if the device requires biometric authentication) and the user to log on.

Red (flashes once): Failed fingerprint authentication attempt.

Red and Green (alternating flash): Final attempt for fingerprint authentication. Failing the attempt will block the device.

Red (flashing): Device is either powering up or blocked. When blocked, no authentication methods are available to log on to the device. Contact your device administrator to unblock the device.

Red: Device is blocked. This is due to unauthorized or failed device access attempts. Contact your device administrator to unlock the device.

Blue: Data transfer activity.

Red and Blue (alternating flash): Device has invalid firmware.

Security options in the device

Security options vary based on the Encrypted USB device that you use. The security options available in a device are:

• Access to the device — Uses authentication mechanisms to unlock the device, which include:

• Password only

• Biometric and password

• Biometric or password

• Biometric only

• Card with security PIN

• Card with security PIN and biometric

• Private data protection — Data related to the user is encrypted in private stores and partitions.

Logging on to the device

1 Once the device is initialized and personalized, the Password Authentication screen appears.

NOTE: If Autoplay is disabled on your system, double-click the Read-Only partition of the device, then click Start.exe.

2 Type your PIN, password, or swipe your finger depending on the authentication mechanism(s) you have set. Select Use malware-proof mode (read only) if you want to use the device in read-only mode, then click Next. The icon appears on the taskbar.

NOTE:

• McAfee Encrypted USB Antivirus and Backup Manager are not supported in malware-proof mode.

• No events are generated in ePolicy Orchestrator in malware-proof mode.

3 Click the icon on your taskbar, then select Managed Device. The Encrypted USB Client page appears.

NOTE:

• Click Logout on the Encrypted USB Client page to log off from the Encrypted USB Client. The device state will be changed to locked after the user logs off from the device.

• Encrypted USB devices use ActivIdentity third-party software to authenticate the device in CAC/PIV authentication mode. ePolicy Orchestrator does not generate any event for device authentication done by ActivIdentity.

Disconnecting the device

1 Click the icon on your taskbar, then click Eject Device.

2 Disconnect the device from the USB port once you see the “Safe To Remove Hardware” message.

Viewing hardware and software information

Click Hardware and Software Information on the Encrypted USB Client page to view information about the users, device settings, partition details, and product versions.

• Device Settings — Displays general device information such as private and public partition storage capacities and serial number of the device.

• Disk Partitions — Displays information about the allocation of disk space on the device.

• Product Versions — Provides hardware and software versions of the product.

Managing authentication methods

Click Manage Authentication Methods on the Encrypted USB Client page to update your password or finger enrollments. The Manage Authentication Methods page appears.

NOTE: This page varies depending on the type of the device you use.

Manage Your Password — Click this option and follow the on-screen instructions to reset your password.

Manage Your Finger Enrollments — Click this option and follow the on-screen instructions to update your fingerprints.

Managing backup

McAfee Encrypted USB 1.2 allows you to back up the user's device content on the client computer when required.

Click the icon on your taskbar, then select Backup Manager. On the McAfee Encrypted USB Client dialog box, click Next to back up device content.

NOTE: The Backup Manager option is available on the system tray if you selected Backup Type as User On-demand in the Device Backup policy.

Specify the path or click the icon, browse for the path to store the device content, then click OK.

NOTE: We recommend that you do not save the backups on a shared network because backups are not encrypted.

Managing the Antivirus Scanner

McAfee Encrypted USB Antivirus protects the private partition of the device from malware. It detects and deletes virus or other harmful or unwanted code in the private partition of the device. Each time a file is copied to the device, it scans the file and intercepts or cleans the infected file. It supports both on-access and on-demand scans. It also allows the device user to scan the system folders and processes running on the host system on startup.

Antivirus scanner depends on the information in the detection definition (DAT) files to identify and take action on threats. New threats appear on a regular basis. To meet this challenge, McAfee releases new DAT files every day, incorporating the results of its ongoing research. McAfee Encrypted USB Antivirus scanner updates the detection definition (DAT) files from the configured update site. The default update site is http://update.nai.com.

NOTE: If the update fails using any of the added sites, the DAT files are updated from the default update site.

Click the icon on your taskbar, then select Manage Antivirus Scanner. The McAfee Encrypted USB Antivirus screen appears.

NOTE: McAfee Encrypted USB Antivirus can be managed after the DAT file is updated. Remove and reinsert the device after updating the DAT file.

Option: Definition

Private Partition:

• On-access scan — Scans for threats as files are read from or written to the device.

• Scan — Select this option to start an on-demand scan on the private partition of the device.

Host System:

• Scan host system on startup — Select this option to scan the system folders and the processes running on the host system automatically for threats when the device is inserted.

• Scan — Select this option to start an on-demand scan on the host system for potential threats.

Virus Database:

• Automatic updates — Downloads updates of detection definitions automatically from the McAfee download website.

• Update — Select this option to download the latest detection definitions manually from the McAfee download website.

NOTE: Enable your browser proxy server settings to update your computer with the latest detection definitions from the McAfee download website.

Intrusion log:

• Enabled — Enables activity logging. All intrusions detected will be logged.

• View — Select this option to view the log details.

• Clear — Clears the log details.

Self rescuing the device

The Self Rescue option allows you to reset your password and/or update your finger enrollments.

NOTE: This option is available only if you insert the Encrypted USB device on the same computer where you initialized the device.

1 Click Self Rescue on the Encrypted USB Client page. The Device Self Rescue screen appears.

2 Click Next and type a new password or update your fingerprint depending on the policy you set. The Device Self Rescue screen appears stating that your device has been successfully rescued.

3 Click Next and log on to the device using your updated credentials.

Rescuing the device through Help Desk

The Help Desk Device Rescue option allows you to rescue your blocked device with the assistance of a Help Desk operator over the telephone.

NOTE: We recommend that device users use self rescue if they have access to the managed node.

1 On the Encrypted USB Client page, click Help Desk Device Rescue. The Help Desk Device Rescue page appears prompting you to type the authorization code.

2 Contact Help Desk and provide your identity, device serial number, and user name. The Help Desk operator gives you an authorization code.

3 Type this code on the Help Desk Device Rescue page, then click Next. The Help Desk Device Rescue Complete page appears with a confirmation code and a new password.

NOTE: Provide the confirmation code to the help desk operator.

4 Click Next. The Device Reset Warning page appears asking you to note the confirmation code and new password.

5 Click Next to personalize your device.

Troubleshooting

This section provides troubleshooting information for Encrypted USB 1.2. For further technical assistance, visit http://www.mcafee.com/us/support/index.html.

I cannot eject my USB device

Error message:

"Cannot Unmount Volume-An error was encountered trying to unmount 'Removable Disk (F:)'Check to ensure there are no open files or windows from that volume.”

This message appears and prevents you from ejecting the drive if you are not an administrator on the computer. Refer to the Microsoft article at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;192785

WORKAROUND: Log off from the device using Encrypted USB Client or safely remove the device using the taskbar icon.

Password or biometric access to my device is blocked

The device gets locked when you exceed the password/biometric retry limit. Contact your device administrator to unlock the device.

Data saved to the read-only partition is not available

You cannot save data to the read-only partition of the device. Data saved here is stored in the cache of the Windows filesystem. It is deleted when you remove the device. Hence, save data only on your private partition or the public partition (if applicable).

Client system is not reporting to ePolicy Orchestrator server

Check if other client systems in the network are reporting to the ePO server. If yes, then reinstall the Encrypted USB client on the system which was not reporting to the ePO server. If none of the systems in the network are reporting to the ePO server, then restart the ePO server.

Appendix A — Restricting the device use

Use these tasks to restrict devices to their home network or a specified ePolicy Orchestrator server network.

Assumptions

User group 1:

User group 1 accesses client systems in the finance network managed by ePolicy Orchestrator server 1.

User group 2:

User group 2 accesses client systems in the executive network managed by ePolicy Orchestrator server 2.

Restricting the device use to home network

Use this task to restrict the use of the device to the network managed by the ePolicy Orchestrator server on which it was initialized (ePolicy Orchestrator server 1 network).

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server 1 as an administrator.

2 Create a new Foreign device policy.

NOTE: Refer to the Foreign device policy section for instructions.

3 On the Foreign Device policy page, select Restrict device use to managed systems, then click Save.

4 Send an agent wake-up call to enforce the policy.

Restricting the device use to specified network(s)

Use this task to restrict the device use to other specified ePolicy Orchestrator networks including the ePolicy Orchestrator server network on which it was initialized.

Task

For option definitions, click ? in the interface.

1 Log on to the ePolicy Orchestrator server 2 as an administrator.

2 Create a new Foreign device policy.

NOTE: Refer to the Foreign device policy section for instructions.

3 On the Foreign Device policy page, select Restrict device use to managed systems.

4 Click Add, then add the corporate identifier of the ePolicy Orchestrator server 1.

5 Click Save, then send an agent wake-up call.

Appendix B — Device management states

This section lists and describes the device management states.

Management State: Description

Unsupported: Device is not supported.

Blank: New device which is not initialized.

Managed Native: Device is initialized and managed by the same ePolicy Orchestrator server the managed client computer belongs to.

Managed Imported: Device was initialized and managed by Encrypted USB Manager. Migrated to Encrypted USB 1.2.

Foreign Managed: Device was initialized and managed by a different ePolicy Orchestrator server.

Foreign Unmanaged: Device is not managed by any ePolicy Orchestrator, but the usage is allowed by the Foreign Device Policy.

Unmanaged: Device is either managed by an ePolicy Orchestrator server, but the usage is prohibited by the Foreign Device Policy, or the device is unmanaged (stand-alone) and the usage of those devices is prohibited by the Foreign Device Policy.

Unmanageable: Device is managed by an ePolicy Orchestrator server, but cannot be recycled.
