Whole Disk Encryption Documentation

UBC ePolicy Orchestrator: https://encrypt.it.ubc.ca:8443

• Login with ead admin account

Official Documentation from UBC IT:

• McAfee Administrative Recovery
• McAfee Agent Migration Process v2
• McAfee Agent 480 Product Guide
• McAfee Endpoint Encryption - Edge Admin Guide v3
• McAfee Install Guide Mac OSX v1
• McAfee Install Guide Windows v1
• McAfee MNE Recovery and Manual Key Import
• McAfee USB Administrative Recovery
• McAfee User Documentation - First Use
• McAfee User Experience - First Boot

Encryption, Recovery, and Decryption

• Windows Encryption
• Windows Recovery
• Windows Decryption
• Mac Encryption
• Mac Recovery
• Mac Decryption

Steps to Encrypt Windows

Pre Install Steps:

1. Run scandisk and defrag the hard disk to make sure there are no bad sectors or general hard drive issues.
2. Change the computer hostname to meet with naming convention: PHAS-somename
   • PHAS is our department code
   • somename is alphanumeric and a maximum of ten (10) characters long.
3. Update the DNS if required with the new hostname.

Install McAfee Agent:

1. Logon the ePolicy Orchestrator https://encrypt.it.ubc.ca:8443
2. Select System Tree
3. In the pane to the left select the Staging Area group
4. Click on System Tree Actions button at the bottome of left pane, select New Systems
5. On the New Systems page, select as follow:
   • How to add systems: Create url for client-side agent download
   • Url Name: leave it as default
   • Agent version: Windows: McAfee Agent for Windows 4.8.0 (Previous)
   • Assign to Agent Handlers: All Agent Handlers
6. Click on OK, Agent Deployment URL will be generated
7. Click on the URL to download the agent
   **the agent installer is currently saved under \\batta\software\McAfee Encryption Documentation\McAfeeSmartInstall_Win.exe
8. Install the McAfee Agent

Post Install Steps:

1. Add users who can access the computer
2. Move the computer from PHAS - WDE Staging Area group to PHAS - WDE Install & Encrypt - Windows - Non EAD group
3. On client computer, open McAfee Agent Monitor, click on Collect and Send Props
4. McAfee will prompt for restart twice
5. After reboot, open McAfee Agent Status Monitor and Show Endpoint Encryption Status (under Quick Settings)
6. Select Collect and Send Props and Send Events
7. When the Volume Status updates with Encrypting %, have the computer restart
8. The user will be prompted to login with their CWL user ID and password, then select 3 questions and enter 3 answers
   **NOTE: CWL passwords are not sync'd

Windows Recovery

Self-Recovery

When user selects Self-Recovery, it will ask the user to answer three questions, which are configured when the user first login.
If the user answers all three questions correct, the system will prompt to enter a new password.
If the user forgot the answers to these questions, use the Administrator Recovery.

Administrator Recovery

See document from UBC IT: McAfee Administrative Recovery

Steps to Decrypt Windows

On server side:

move the computer from PHAS - WDE Insall & Encrypt - Windows - Non EAD group to PHAS - WDE Decrypt - Windows group

On client side:

1. Open McAfee Agent Monitor, click on Collect and Send Props
2. Open McAfee Endpoint Encryption System Status (under Quick Settings), monitor until Decryption is finished
3. Reboot the computer

On server side:

1. Move the computer from PHAS - WDE Decrypt - Windows group to PHAS - WDE Uninstall - Windows group
2. Select the computer, then click on Delete button

On client side:

Open McAfee Agent Monitor, click on Collect and Send Props, McAfee Agent will be removed from the computer

Steps to Encrypt Mac

Pre Install Steps:

1. Launch Disk Utility
2. Verify Disk Permissions
3. Repair Disk Permissions
4. Verify Disk
5. Repair Disk
6. Change Host Name to meet with naming convention
   • Open Terminal Window
   • Run sudo scutil --set HostName phas-clm-xxxx
   • Enter admin password
   • Type hostname to verify host name change is successful

Install McAfee Agent:

1. Logon the ePolicy Orchestrator https://encrypt.it.ubc.ca:8443
2. Select System Tree
3. In the pane to the left select the Staging Area group
4. Click on System Tree Actions button at the bottome of left pane, select New Systems
5. On the New Systems page, select as follow:
   • How to add systems: Create url for client-side agent download
   • Url Name: leave it as default
   • Agent version: Non-Windows: McAfee Agent for Mac OS X 4.8.0 (Current)
   • Assign to Agent Handlers: All Agent Handlers
6. Click on OK, Agent Deployment URL will be generated
7. Click on the URL to download the agent
   **the agent installer is currently saved under \\batta\software\McAfee Encryption Documentation\McAfeeSmartInstall_Mac.app
8. Install the McAfee Agent

Post Install Steps:

1. Move the computer from Staging Area group to PHAS - WDE Install & Encrypt - Mac OS X group
2. To monitor the McAfee Agent logs, run command sudo tail -fF /Library/McAfee/cma/scratch/etc/log and provide the administrator when prompted
3. To force sending and collection of properties and policies run the following command in terminal sudo /Library/McAfee/cma/bin/cmdagent -p -c -f (run each switch separately
4. Enable FileVault

Mac Recovery

On Mac:

If the User forgot their login password, they need to find the serial number of the Mac

On ePo Server:

Go to FileVault recovery -> Enter Seiral number -> Next to see the Recovery key

On Mac again:

The user use the recovery key to logon Mac, then it will ask the user to change password

Mac Decryption

On server side:

1. Move the computer from PHAS - WDE Insall & Encrypt - Mac OS X group to PHAS - WDE Uninstall & Decrypt - Mac OS X group
2. Select the computer, then click on Delete button

On client side:

Remove the agent using terminal:

1. Open Terminal
2. Change to McAfee directory cd /Library/McAfee/cma
3. Type sudo sh uninstall.sh
4. Wait for the script to display Agent uninstalled

Turn off FileVault:

1. Choose Apple menu > System Preferences, click Security & Privacy, and then click FileVault.
2. Click the lock to unlock the preferences pane, and then enter an administrator name and password.
3. Click Turn Off FileVault.
4. Click Turn Off Encryption.

How to Check Your Hard Disk for Errors

1. Open Computer by clicking the Start button Picture of the Start button, and then clicking Computer.
2. Right-click the hard disk drive that you want to check, and then click Properties.
3. Click the Tools tab, and then, under Error-checking, click Check Now. Administrator permission required If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
   • To automatically repair problems with files and folders that the scan detects, select Automatically fix file system errors. Otherwise, the disk check will simply report problems but not fix them.
   • To perform a thorough disk check, select Scan for and attempt recovery of bad sectors. This scan attempts to find and repair physical errors on the hard disk itself, and it can take much longer to complete.
   • To check for both file errors and physical errors, select both Automatically fix file system errors and Scan for and attempt recovery of bad sectors.
4. Click Start.

Depending upon the size of your hard disk, this may take several minutes. For best results, don't use your computer for any other tasks while it's checking for errors.

If you select Automatically fix file system errors for a disk that is in use (for example, the partition that contains Windows), you'll be prompted to reschedule the disk check for the next time you restart your computer.

How to Defragment Your Hard Disk

1. Open Disk Defragmenter by clicking the Start button Picture of the Start button. In the search box, type Disk Defragmenter, and then, in the list of results, click Disk Defragmenter.
2. Under Current status, select the disk you want to defragment.
3. To determine if the disk needs to be defragmented or not, click Analyze disk. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
4. Once Windows is finished analyzing the disk, you can check the percentage of fragmentation on the disk in the Last Run column. If the number is above 10%, you should defragment the disk.
5. Click Defragment disk. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Disk Defragmenter might take from several minutes to a few hours to finish, depending on the size and degree of fragmentation of your hard disk. You can still use your computer during the defragmentation process.

• If the disk is already in exclusive use by another program or is formatted using a file system other than NTFS file system, FAT, or FAT32, it can't be defragmented.
• Network locations can't be defragmented.
• If a disk that you're expecting to see under Current status is not showing up there, it might be because it contains an error. Try to repair the disk first, then return to Disk Defragmenter to try again. See Check a drive for errors for more information.