User Guide
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
System requirements
Target audience
Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes
Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes
Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator
Recycling a device
Revoking a device
Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator
Revoking a device
Recycling a device
Reporting
Restoring data
LED states
Managing backup
Troubleshooting
How Encrypted USB works?
Encrypted USB features
System requirements
Supported McAfee devices
About this guide
to the device, automatically detecting and cleaning/deleting any malware. It also supports
on-demand scan that enables the device user to initiate a scan when required.
Refer to the Managing the Antivirus Scanner section for more details.
• Protection from malware — Offers protection from malware by scanning files copied to
the device, detecting threats and taking action as required.
• Device type selection — Provides an option for selecting the device type to be managed
in the network before deploying the Encrypted USB client on the managed systems.
System requirements
Operating systems:
• Microsoft Windows XP Professional SP2 and SP3
• Windows Vista Business SP1 or later and Enterprise SP1 or later
• Windows XP Home SP3
Target audience
This guide is intended for McAfee Encrypted USB device users and administrators.
Tasks
Checking in portable content packages in ePolicy Orchestrator
Configuring Server Settings
Installing Encrypted USB 1.2 extension
Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes
Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
3 In the Package page, select the Package type as Product or Update (.ZIP) and browse
in File path to locate DPEUPM501100.zip.
4 Click Next. The Package Options page appears with the package information.
5 Select Branch as Current, then click Save.
NOTE: Check in DPEUPS221100.zip and DPEUPM211100.zip by repeating the same
steps. However, in step 3, browse for DPEUPS221100.zip or DPEUPM211100.zip as
required.
Task
For option definitions, click ? in the interface.
1 Copy the EUC120LEN_IPEX.ZIP file to a temporary folder of your ePolicy Orchestrator
computer.
2 Log on to the ePolicy Orchestrator server as an administrator.
3 Click Configuration | Extensions | Install Extension. The Install Extension dialog
box appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Software | Extensions |
Install Extension.
4 Click Browse to select the extension file EUC120LEN_IPEX.ZIP. Click Open, then click
OK. The Install Extension page appears with the extension name and version details.
5 Click OK.
Task
For option definitions, click ? in the interface.
1 Log on to ePolicy Orchestrator as an administrator.
2 Click Configuration | Server Settings, then select Encrypted USB Settings. The
Server Settings for Encrypted USB is displayed on the right pane of the page.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Configuration | Server
Settings.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Client Tasks. Select the required system(s) on which you want to install
Encrypted USB.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree
| Client Tasks.
4 In Description, type a Name for the task, Notes (optional), select the Type as Product
Deployment (McAfee Agent), then click Next.
5 In Configuration, select Windows as Target Platforms, Encrypted USB Client 1.2.0
as Products and components, Install as Action. Select the appropriate Language,
then click Next.
6 Schedule the task to run immediately or as required, then click Next to view a summary
of the task.
7 Click Save.
8 Send an agent wake-up call.
NOTE: To deploy Encrypted USB Administrator 1.2, repeat the same steps; however, in step
5, select Encrypted USB Administrator 1.2.0 as Products and components.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Client Tasks. Select the required system(s) from which you want to
uninstall Encrypted USB Client.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree
| Client Tasks.
4 In Description, type a Name for the task, Notes (optional), select the Type as Product
Deployment (McAfee Agent), then click Next.
5 In Configuration, select Windows as Target Platforms, Encrypted USB Client 1.2.0
as Products and components, Remove as Action. Select the appropriate Language,
then click Next.
6 Schedule the task to run immediately or as required, then click Next to view a summary
of the task.
7 Click Save.
8 Send an agent wake-up call.
NOTE: To uninstall Encrypted USB Administrator 1.2, repeat the same steps; however, in
step 5, select Encrypted USB Administrator 1.2.0 as Products and components.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Authentication
Policy.
4 Click New Policy. In Create a new policy dialog box, select the device from the
drop-down, type a name for the policy, then click OK. The following screen appears.
6 By default, authentication mode is set as Password only. This enables you to authenticate
to a device using a password only.
7 In Password Policy, set the following parameters:
• Password Retry Limit: Type the maximum number of times you can try authenticating the
device using a wrong password, after which the device will be blocked. Select Infinite for a
maximum number of 10 password retries. This parameter is set to 10 by default.
• Minimum Password Length: Type the minimum number of characters the password must have
(between 4 and 16 characters).
• Maximum Lifetime (Days): Type the maximum number of days to define the validity of a
password. Select Infinite for the password to remain valid for 65535 days. This parameter is
set to 65535 by default.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Backup
Policy.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
• The McAfee Default policy is read-only and cannot be edited, renamed, or deleted.
5 Type a new policy name, then click OK. The following page appears.
7 In Backup Path, specify the path of your client computer where you want the backup file
to be stored, then click Save.
8 Send an agent wakeup call.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Revocation
List.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Type a new policy name, then click OK. The Device Revocation List page appears.
6 Click Revoke new Device, select the serial number of the device(s) to be revoked, then
click OK.
7 Send an agent wakeup call.
NOTE:
To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices
to be reinstated, click Reinstate, then click OK.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Foreign Device
Policy.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
6 Select whether to allow or block managed foreign devices, then click Save.
7 Send an agent wakeup call.
Recycling a device
Recycling formats a device and returns it to a default state by deleting the user accounts and
all user data on that device. To reuse the recycled device, the administrator must re-personalize
it.
Task
1 Run recycle.exe. The Device Recycling Utility window appears.
2 Click Recycle. A warning pop-up appears asking you to confirm device recycle.
3 Click Yes. The Admin Authentication window appears.
4 Type the ePolicy Orchestrator server (by which the device is managed) IP address or name,
user name, and password, then click Login.
After the device is recycled, a recycle successful pop-up appears.
5 Re-insert the device and personalize to use the device.
Revoking a device
To revoke a device, click Systems | Encrypted USB Devices, select the devices to be revoked,
then click Revoke | OK.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• The device cannot be used until it is reinstated.
To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices
to be reinstated, click Reinstate, then click OK. Once the device is reinstated, it can be used
normally.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB
Devices.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Initialization
Policy.
4 Click New Policy. In Create a new policy dialog box, select the device from the
drop-down list, type a name for the policy, then click OK. The following page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
6 Select the option Allow Public Partition (optional). If you select this option, specify a
size for the public partition (in MB). Default value is 32 MB.
NOTE: Public partition of the device can allow unencrypted data storage. Any user will be
able to read and write data in this partition.
We recommend that you disable the public partition and use the private partition (encrypted and
authenticated), which automatically uses all remaining space on the device.
7 Specify the Read-only partition size. Default value is 200 MB, default volume name is
READONLY.
NOTE:
• The read-only partition size reflects the data size (which includes the portable client
software and antivirus scanner) and not the size of the total space available.
• If the size of the read-only partition is less than the minimum size required, the size of
the read-only partition is set to a value higher than default size (200 MB).
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Authentication
Policy.
4 Click New Policy. In Create a new policy dialog box, select the device from the
drop-down list, type a name for the policy, then click OK. The following page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
• Password Retry Limit (default: 256): Type the maximum number of times you can try
authenticating the device using a wrong password, after which the device will be blocked.
Select Infinite for a maximum number of 256 password retries.
NOTE: If the retry limit exceeds the maximum password retries, the device will be blocked. The
device will be in Data Recovery or Data Destruction state.
• Minimum Password Length (default: 6): Type the minimum number of characters the password
must have (between 4 and 40 characters).
• Minimum Special Characters (default: 0): Type the minimum number of special characters the
password must have for a stronger password. This includes
~ ' ! @ # $ % ^ * ( ) _ - + = { }[ ] | \ : ' " ,./?&;<>
• Minimum Numeric Characters (default: 0): Type the minimum number of numerals the password
must have (0-9) for a stronger password.
• Password Re-use Threshold (default: 0): This option prevents users from reusing old passwords
too often at password change intervals, thus increasing the security of the device. Type the
minimum number of unique passwords that must be set before a password can be reused.
• Minimum Lifetime (Minutes) (default: 0): Type the minimum number of minutes you must wait
before modifying a recently changed password. This prevents users from changing passwords
quickly.
• Maximum Lifetime (Days) (default: 65535): Type the maximum number of days to define the
validity of a password. Select Infinite for the password to remain valid for 65535 days.
NOTE: Regular password updates decrease the risk of the correct password being stolen or
guessed.
• Biometric Retry limit — Type the maximum number of mismatched finger swipes
allowed, after which the device will be blocked. The device will be in Data Recovery or
Data Destruction state. Select Infinite for a maximum number of 256 retries.
NOTE: A larger number of retries are required for biometric authentication because an
improper swipe will be registered as a failed attempt. Thus the device user may have
to attempt verification two or more times before access is granted.
9 In Recovery Policy you can specify what happens when a user reaches an authentication
failure limit (that is, password retry limit or biometric retry limit) and when a device is
blocked. Select either of these:
• Recovery — Select these options as required to recover the data on the device after
the user has been locked:
• User Self-Rescue — Allows device user to rescue data by re-personalizing a device
with new credentials. The device user will be prompted to type a new password,
enroll biometric, or bind with their CAC/PIV card, as appropriate.
• Help Desk/Challenge Response — Help desk operators can assist the device
user by securely resetting the authentication mechanism of their device. This can
be done over the phone or through email, and does not require access to the device
or even network connectivity.
• Data Recovery — Encrypted data can be recovered without user intervention (in
cases where there may be security audits or when a user has left the organization).
This task can be initiated only by an administrator.
• Data Destruction — If you select this option, it is not possible to rescue the device
or recover data from the device. All logged on user data is immediately destroyed when
the device is locked.
NOTE: This option offers high security, but may be inconvenient if particular users
regularly have trouble authenticating the device.
10 Click Save.
11 Send an agent wake-up call.
NOTE: The device must be re-personalized whenever Device Authentication policy is changed.
Refer to the Setting up the Encrypted USB device section for instructions on personalizing
the device.
Refer to the Assigning multiple policies to a managed node section for assigning multiple
initialization and authentication policies for different device types to a single managed node.
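The password parameters of the Device Authentication policy above, written out as a checker (an added example, not McAfee code and not part of the original guide). The class and function names, the PBKDF2-hashed history, and the reading of the re-use threshold as "must differ from the last N passwords set" are assumptions; the defaults and the special-character set are the ones shown in the policy table.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Special characters as listed in the policy table on this page.
SPECIAL_CHARS = set("~'!@#$%^*()_-+={}[]|\\:\",./?&;<>")
PBKDF2_ROUNDS = 100_000  # assumption: any slow salted hash would serve here


@dataclass
class PasswordPolicy:
    """Hypothetical container; defaults are the values shown in the table."""
    min_length: int = 6
    min_special: int = 0
    min_numeric: int = 0
    reuse_threshold: int = 0
    min_lifetime_minutes: int = 0
    max_lifetime_days: int = 65535

    def __post_init__(self):
        if not 4 <= self.min_length <= 40:
            raise ValueError("Minimum Password Length must be between 4 and 40")


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password, set_at):
    """Store a salted hash of the password, never the password itself."""
    salt = os.urandom(16)
    return PasswordRecord(salt, _digest(password, salt), set_at)


def check_new_password(policy, candidate, history, now):
    """Return the names of violated parameters; an empty list means accepted.

    `history` is a list of PasswordRecord, oldest first, current password last.
    """
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("Minimum Password Length")
    if sum(c in SPECIAL_CHARS for c in candidate) < policy.min_special:
        violations.append("Minimum Special Characters")
    if sum(c in "0123456789" for c in candidate) < policy.min_numeric:
        violations.append("Minimum Numeric Characters")
    # Assumed semantics: with threshold N the candidate must not match any of
    # the last N passwords, so N unique passwords separate two uses of one.
    recent = history[-policy.reuse_threshold:] if policy.reuse_threshold else []
    if any(hmac.compare_digest(_digest(candidate, r.salt), r.digest) for r in recent):
        violations.append("Password Re-use Threshold")
    if history and now - history[-1].set_at < timedelta(minutes=policy.min_lifetime_minutes):
        violations.append("Minimum Lifetime (Minutes)")
    return violations


def is_expired(policy, history, now):
    """True when the current password is older than Maximum Lifetime (Days)."""
    return bool(history) and now - history[-1].set_at > timedelta(days=policy.max_lifetime_days)


if __name__ == "__main__":
    # Constructed sample: a policy tighter than the defaults, and made-up passwords.
    policy = PasswordPolicy(min_length=8, min_special=1, min_numeric=1,
                            reuse_threshold=3, min_lifetime_minutes=60,
                            max_lifetime_days=90)
    t0 = datetime(2009, 1, 1, 9, 0)
    history = [make_record("Alpha#2009", t0)]
    for candidate, when in [("short", t0 + timedelta(days=1)),
                            ("Alpha#2009", t0 + timedelta(days=1)),
                            ("Bravo#2010", t0 + timedelta(minutes=10)),
                            ("Bravo#2010", t0 + timedelta(days=1))]:
        print(candidate, when, check_new_password(policy, candidate, history, when))
    print("expired after 91 days:", is_expired(policy, history, t0 + timedelta(days=91)))
```

With the default values every check except the length check is a no-op, and a 65535-day lifetime means the password never expires in practice.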
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Backup
Policy.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
• The McAfee Default policy is read-only and cannot be edited, renamed, or deleted.
5 Type a new policy name, then click OK. The following page appears.
• User On-demand if you want the user to initiate the backup process when required.
7 In Backup Path, specify the path to store the device content when taking a scheduled
backup, then click Save.
NOTE: We recommend that you do not save the backups on a shared network because backups
are not encrypted.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Revocation
List.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Type a new policy name, then click OK. The Device Revocation List page appears.
6 Click Revoke new Device, then select the serial number of the device(s) to be revoked.
NOTE: The device cannot be revoked in malware-proof mode.
7 Select Revoke & Wipe if you want to erase the contents of the device and revoke it, then
click OK.
8 Send an agent wake-up call.
NOTE: To reinstate a revoked device, click Systems | Encrypted USB Devices, select
the devices to be reinstated, click Reinstate, then click OK.
3 Select Product as Encrypted USB Client 1.2.0 and Category as Foreign Device
Policy.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Type a new policy name, then click OK. The following page appears.
• Restrict device use to managed systems — Restricts the use of USB devices to
the network managed by the specified ePolicy Orchestrator server(s).
• Add — Adds ePolicy Orchestrator server(s) which are allowed to manage the device
other than the ePolicy Orchestrator server network on which it was initialized.
• Remove - Removes ePolicy Orchestrator server(s) to restrict the use of device on the
nodes managed by the selected ePolicy Orchestrator server.
NOTE:
• The ePolicy Orchestrator server added should have Encrypted USB client installed
with Device Initialization and Device Authentication policies enforced on the managed
nodes.
• If no ePolicy Orchestrator servers are added, the device can be used only in the
network in which it was initialized.
7 Click Save.
8 Send an agent wake-up call.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.
3 Select Product as Encrypted USB Client 1.2.0 and Category as General Settings
Policy.
4 Click New Policy. In Create a new policy dialog box, select the device from the
drop-down, type a name for the policy, then click OK. The following page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
5 Select Enable AntiVirus where available to enable the anti-virus scanner on devices
which have Encrypted USB Antivirus installed.
6 Add or remove addresses of signature update sites for the anti-virus scanner as required,
then click Save. The default update site is http://update.nai.com. McAfee Encrypted USB
Antivirus uses these sites to update its virus definitions.
NOTE:
• Enable the use of proxy server on Control Panel | Internet Options | Connections
| LAN Settings to connect to the update sites.
• If update fails using any of the added sites, the DAT files are updated from the default
update site.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Copy the EUC120LEN_IPEX.ZIP file to a temporary folder of your ePolicy Orchestrator
computer, then install the extension. This upgrades the ePolicy Orchestrator extension to
1.2.
Refer to the Installing Encrypted USB 1.2 extension section for instructions.
3 Copy the DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip archives
to a temporary folder of your ePolicy Orchestrator computer, then check in the portable
content packages to the software repository.
Refer to the Checking in portable content packages in ePolicy Orchestrator section for
instructions.
4 Deploy Encrypted USB Client or Administrator as required on the managed nodes.
Refer to the Deploying Encrypted USB Client and Encrypted USB Administrator on managed
nodes section for instructions.
5 Configure the Encrypted USB 1.2 policies, initialize and personalize the device, then restore
the data.
NOTE: The device can be initialized and personalized after the policies have been enforced
on the managed node.
Refer to Setting up policies using ePolicy Orchestrator and Setting up the Encrypted USB
device sections for instructions.
Task
For option definitions, click ? in the interface.
1 Back up the device content to a temporary location and recycle the device.
Refer to Managing backup and Recycling a device sections for instructions.
2 Log on to the ePolicy Orchestrator server as an administrator.
5 Configure and enforce the Device Initialization and Device Authentication policies on the
required managed systems in the network.
Refer to Device Initialization policy and Device Authentication policy for instructions on
configuring the Device Initialization and Device Authentication policies.
6 Initialize and personalize the device on the managed system.
7 Click , then select Manage Antivirus Scanner to manage McAfee Encrypted USB
Antivirus.
Revoking a device
To revoke a device, click Systems | Encrypted USB Devices, select the devices to be revoked,
then click Revoke | OK.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• The device cannot be used until it is reinstated.
Alternatively, to revoke a device and erase its contents, click Systems | Encrypted USB
Devices, select the devices to be revoked, click Revoke & Wipe, then click OK.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• This option deletes all logged on user data permanently.
To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices
to be reinstated, click Reinstate, then click OK. Once the device is reinstated, it can be used
normally.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB
Devices.
Recycling a device
Recycling formats a device and returns it to a default state by deleting the user accounts and
all user data on that device. To reuse the recycled device, the administrator must re-personalize
it.
PREREQUISITE
To recycle a device, the Encrypted USB Administrator package must be installed on the client
computer.
Task
1 Insert the Encrypted USB device to the USB interface socket.
4 Click Yes. The McAfee ePO Server - Login dialog box appears.
5 Enter the user and server information, then click OK. The McAfee Encrypted USB
Administrator dialog box appears.
NOTE:
• If Device State is Open, the device is recycled.
• You can recycle a driverless device on Encrypted USB Client by clicking Recycle Device.
Prerequisite
To recover data from a device, the ePolicy Orchestrator administrators must install the Encrypted
USB Administrator package.
Additionally, the Encrypted USB client must be installed on the computer where you insert the
device to recover data. The device policy must be configured to allow data recovery, or the
following warning appears.
To recover data
1 Click Start | Programs | McAfee | Encrypted USB Administrator | Data Recovery.
The McAfee Encrypted USB Administrator dialog box appears.
2 Click Recover. The following warning appears.
3 Click Yes. The McAfee ePO Server - Login dialog box appears.
4 Enter the user and server information, then click OK. The device state is unlocked and a
new password is provided.
5 Log on to the device using the new password.
NOTE: The new password generated will be used as default authentication on any system
in the managed network. This password cannot be used as default authentication on the
system on which device was initialized.
Task
For option definitions, click ? in the interface.
1 Click Systems | System Tree | Systems, then select the desired group under System
Tree. All the systems within this group (but not its subgroups) appear in the details pane.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree
| Systems.
2 Select the desired system, then click Modify Policies on a Single System. The Policy
Assignment page for that system appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | Agent | Modify Policies
on a Single System.
3 Select Product as Encrypted USB Client 1.2.0. The categories of Encrypted USB Client
1.2.0 are listed with the system’s assigned policy.
4 Locate the desired Initialization or Authentication policy, then click Edit Assignments.
5 Click New Policy Instance, then edit the policy settings as required.
6 Click Save.
7 Send an agent wake-up call.
Reporting
Reports are pre-defined queries which query the ePolicy Orchestrator database and generate
a graphical output. You can create, edit and manage queries through ePolicy Orchestrator 4.0
and 4.5.
You can query the following default Encrypted USB reports and run them to see a graphical
display:
• All Encrypted USB devices sorted by their state of management (such as managed native,
managed imported, foreign unmanaged and so on).
• All Encrypted USB devices sorted by the type of the devices.
• All blocked devices to which you cannot log on using password and/or swiping finger(s).
• All devices that are not initialized.
• All devices that are not personalized.
• All devices that are revoked from the ePolicy Orchestrator server.
NOTE: For instructions on creating, editing or deleting queries, see ePolicy Orchestrator 4.0
Product Guide and ePolicy Orchestrator 4.5 Product Guide.
Tasks
Setting up the Encrypted USB - powered by SanDisk device
Setting up other supported Encrypted USB device
Tasks
1 Insert the new Encrypted USB device to the USB port. The End User License Agreement
window appears.
2 Accept the license agreement, then click Next. The installer detects the connected USB
devices. Once the device is detected, the Format Warning window appears.
3 Click Format. When the device is formatted, the update successful window appears.
4 Select Launch, then click Next to personalize the USB device.
5 On the Select Language window, select the appropriate language, then click Next.
6 On the License Agreement window, accept the license agreement, then click Next.
7 On the Password window, type and verify the password for accessing the private partition
of the USB device, then click Next.
In Hint enter a reminder that will help you to recover your password.
8 On the Contact Information window, enter your contact details, then click Finish.
NOTE: The personalized device appears on the ePolicy Orchestrator server in Systems |
Encrypted USB Devices along with its serial number, name, user ID, status, and the
client to which it is/was connected at a particular time. Click Options | Choose Columns,
then click the desired options in Available Columns to add to the existing columns.
Task
1 Insert the new Encrypted USB device to the USB port. A dialog box appears stating that
your device is being initialized.
Once the initialization process completes, the following dialog box appears prompting you
to continue with personalizing the device.
NOTE: Reinsert the device if personalization does not start.
2 Click Next. One of the following screens appears depending on the Device Type and the
Authentication Mode set in the Device Authentication policy.
• In case of non-biometric device (or a biometric device where the policy allows you to
authenticate to the device using only a password), the Set Password screen appears.
Type and verify the password.
3 Click Next. In case of biometric device, the Biometric Enrollment screen appears.
4 Select a finger to enroll by clicking on the image, then click Next. The Enroll Biometric
screen appears.
5 Swipe your finger across the device sensor three times, then click Next. The Self
Personalization dialog box appears.
6 Click Next. The Biometric Authentication screen appears.
You can either swipe your finger across the device sensor or click Authenticate using
Password.
NOTE: This screen varies if the device authentication policy is set to Biometric only or
CAC/PIV+PIN and Biometric.
Tasks
Logging on to the device
Disconnecting the device
Managing McAfee anti-virus scanner
McAfee Encrypted USB settings
Formatting McAfee Encrypted USB
Restoring data
Rescuing the device through Help Desk
McAfee Encrypted USB Antivirus scanner updates the detection definition (DAT) files from the
configured update site. The default update site is http://update.nai.com. You can also initiate
scans to inspect the drive with newly updated virus signatures.
Click icon on your taskbar, then select Scanner | Console. The McAfee Encrypted USB anti-virus
Scanner appears.
Option: Definition
Statistics: Displays the anti-virus scan statistics, which include the last scan date and time, number of files and processes scanned, and files deleted to avoid infection.
Log — Opens the anti-virus scanner log file.
Version: Displays the last update date and time, scan engine, DAT, and scanner versions.
Actions:
• Check Updates — Checks for detection definition updates from the McAfee download website.
• Start Drive Scan — Starts an on-demand scan of the USB device for potential threats.
Settings:
• Scan host memory on log in — Scans the processes running on the host system automatically for threats when the device is inserted.
• Scan file when saved or copied to Drive — Scans the file and intercepts or cleans the infected file each time a file is copied to the device.
• Show messages — Shows scan details in a pop-up window.
Task
1 Click on the system tray, then select McAfee Encrypted USB Settings. The McAfee
Encrypted USB Settings page appears.
Task
1 Click on the system tray, then select Format McAfee Encrypted USB. The Format
McAfee Encrypted USB window appears with a warning.
2 Click OK.
Restoring data
Use this task to restore a user's backed-up device content from the managed system.
Task
1 Click on the system tray, then select Restore | Launch.
2 Browse to select the data to be restored, then click Next. A pop-up window appears asking
you to shut down and re-insert the device.
3 Click OK, then remove and re-insert the device. A warning message is displayed asking
you to back up any important device content before restoring.
4 Click OK. The selected backup data is scanned and restored to the device.
The device user will now be able to log on to the device using the new password.
Tasks
LED states
Security options in the device
Logging on to the device
Viewing hardware and software information
Managing authentication methods
Managing backup
Managing the Antivirus Scanner
Self rescuing the device
Rescuing the device through Help Desk
LED states
All McAfee Encrypted USB 1.2 devices use one or more Light Emitting Diodes (LEDs) that
indicate the state of the device.
NOTE: The USB LED flashes approximately every second.
State: Description
Green (flashing): Device is ON, waiting to verify fingerprint (if the device requires biometric authentication) and the user to log on.
Green (delayed flash): Device is ON and idle, waiting to verify fingerprint (if the device requires biometric authentication) and the user to log on.
Red and Green (alternating flash): Final attempt for fingerprint authentication. Failing the attempt will block the device.
Red (flashing): Device is either powering up or blocked. When blocked, no authentication methods are available to log on to the device. Contact your device administrator to unblock the device.
Red: Device is blocked. This is due to unauthorized or failed device access attempts. Contact your device administrator to unlock the device.
2 Type your PIN, password, or swipe your finger depending on the authentication
mechanism(s) you have set. Select Use malware-proof mode (read only) if you want
to use the device in read-only mode, then click Next. The icon appears on the taskbar.
NOTE:
• McAfee Encrypted USB Antivirus and Backup Manager are not supported in malware-proof
mode.
• No events are generated in ePolicy Orchestrator in malware-proof mode.
3 Click icon on your taskbar, then select Managed Device. The Encrypted USB Client
page appears.
NOTE:
• Click Logout on the Encrypted USB Client page to log off from the Encrypted USB Client.
The device state will be changed to locked after the user logs off from the device.
• Encrypted USB devices use ActivIdentity third-party software to authenticate the
device in CAC/PIV authentication mode. ePolicy Orchestrator does not generate any
event for device authentication done by ActivIdentity.
NOTE: This page varies depending on the type of the device you use.
Manage Your Password — Click this option and follow the on-screen instructions to reset
your password.
Manage Your Finger Enrollments — Click this option and follow the on-screen instructions
to update your fingerprints.
Managing backup
McAfee Encrypted USB 1.2 allows you to back up the user's device content on the client computer
when required.
Click icon on your taskbar, then select Backup Manager. On the McAfee Encrypted USB
Client dialog box click Next to back up device content.
NOTE: The Backup Manager option is available on the system tray if you selected Backup Type
as User On-demand in the Device Backup policy.
Specify the path or click , browse for the path to store the device content, then click OK.
NOTE: We recommend that you do not save backups on a shared network because backups are
not encrypted.
Click icon on your taskbar, then select Manage Antivirus Scanner. The McAfee Encrypted
USB Antivirus screen appears.
NOTE: McAfee Encrypted USB Antivirus can be managed after the DAT file is updated. Remove
and reinsert the device after updating the DAT file.
Option: Definition
Private Partition:
• On-access scan — Scans for threats as files are read from or written to the device.
• Scan — Select this option to start an on-demand scan on the private partition of the device.
Host System:
• Scan host system on startup — Select this option to scan the system folders and the processes running on the host system automatically for threats when the device is inserted.
• Scan — Select this option to start an on-demand scan on the host system for potential threats.
Intrusion log:
• Enabled — Enables activity logging. All intrusions detected will be logged.
• View — Select this option to view the log details.
• Clear — Clears the log details.
2 Click Next and type a new password or update your fingerprint depending on the policy
you set. The Device Self Rescue screen appears stating that your device has been
successfully rescued.
3 Click Next and log on to the device using your updated credentials.
2 Contact Help Desk and provide your identity, device serial number, and user name. The Help
Desk operator gives you an authorization code.
3 Type this code on the Help Desk Device Rescue page, then click Next. The Help Desk
Device Rescue Complete page appears with a confirmation code and a new password.
4 Click Next. The Device Reset Warning page appears asking you to note the confirmation
code and new password.
5 Click Next to personalize your device.
Troubleshooting
This section provides troubleshooting information for Encrypted USB 1.2. For further technical
assistance, visit http://www.mcafee.com/us/support/index.html.
Assumptions
User group 1:
User group 1 accesses client systems in the finance network managed by ePolicy Orchestrator server 1.
User group 2:
User group 2 accesses client systems in the executive network managed by ePolicy Orchestrator server 2.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server 1 as an administrator.
2 Create a new Foreign device policy.
NOTE: Refer to the Foreign device policy section for instructions.
3 On the Foreign Device policy page, select Restrict device use to managed systems,
then click Save.
4 Send an agent wake-up call to enforce the policy.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server 2 as an administrator.
3 On the Foreign Device policy page, select Restrict device use to managed systems.
4 Click Add, then add the corporate identifier of the ePolicy Orchestrator server 1.
5 Click Save, then send an agent wake-up call.
Managed Native: Device is initialized and managed by the same ePolicy Orchestrator server the managed client computer belongs to.
Managed Imported: Device was initialized and managed by Encrypted USB Manager. Migrated to Encrypted USB 1.2
Foreign Managed: Device was initialized and managed by a different ePolicy Orchestrator server.
Foreign Unmanaged: Device is not managed by any ePolicy Orchestrator, but the usage is allowed by the Foreign Device Policy.