Configuring McAfee Disk Encryption
This topic describes how to configure McAfee® Endpoint Encryption for PC (McAfee EEPC) with Imprivata Enterprise Access Management (formerly Imprivata OneSign).
NOTE: McAfee renamed McAfee EEPC to McAfee Drive Encryption (MDE). These instructions are valid for both versions.
Before You Begin
Review the following before you begin:

See Imprivata Supported Components to identify the supported versions of McAfee EEPC and McAfee Drive Encryption.
- Imprivata OneSign desktop authentication supports a McAfee deployment in which either:
- Pre-boot authentication is enabled, or
- Automatic booting is enabled (pre-boot authentication is disabled).
- Password synchronization between Imprivata Enterprise Access Management and McAfee is supported.
NOTE: Password synchronization is not supported if users change their password during pre-boot authentication. A password changed at the McAfee pre-boot prompt is never seen by Imprivata Enterprise Access Management, so the two passwords diverge until the user changes the password again from Windows.

Several McAfee policy configurations can affect the integration with Imprivata Enterprise Access Management:
- From the McAfee ePolicy Orchestrator Console, go to the Policy Catalog.
- For the Product Settings category, click My Default.
- Click Logon and go to the Enable SSO section. Review the following:
- Polling interval (minutes) – This interval sets the maximum delay before an Imprivata Enterprise Access Management–initiated password change is synchronized with McAfee. Balance how quickly passwords must be synchronized against the load that polling places on the domain controller.
- Allow user to cancel SSO – Imprivata recommends disabling this setting. If a user cancels SSO during pre-boot authentication, the credentials entered at pre-boot are not passed through, and Imprivata Enterprise Access Management prompts the user for credentials again after pre-boot authentication.
- Click Policy Catalog.
- For the User Based Policies category, click My Default.
- Click Password and go to the Password change section.
- Verify that Prevent change is selected. Enabling Prevent change stops users from changing their password during pre-boot authentication. A password that is changed during pre-boot authentication is not synchronized with Imprivata Enterprise Access Management.
Streamlining Authentication Workflows
The steps required to streamline the authentication workflows depend on how the McAfee environment is configured:
- If McAfee pre-boot authentication is enabled, streamlining the authentication workflows requires that you:
- Configure the McAfee Credential Provider filter.
- Enable the Imprivata agent for McAfee pre-boot authentication.
- If McAfee automatic booting is enabled (pre-boot authentication is disabled), streamlining the authentication workflows requires that you configure the McAfee Credential Provider filter only.

Configuring the McAfee Credential Provider filter allows the Imprivata agent and McAfee to run concurrently on the endpoint computer.
- On all endpoint computers, locate and open EpePcCP.ini. The location of the file depends on the McAfee version; for McAfee Drive Encryption 7, for example, it is C:\Program Files\McAfee\Endpoint Encryption.
- Locate the [CredentialProvider.Filter.Providers] section and enter the following lines:
- {11660363-781C-617B-0100-128274950001}=Enable
- {11660363-781C-617B-0100-128274950011}=Enable
NOTE:
The first entry identifies the Imprivata OneSign Password Credential Provider Wrapper.
The second entry identifies the Imprivata OneSign Credential Provider.
- Save the file and restart the computer.

This step is only required if the McAfee deployment is configured for pre-boot authentication.
- On all endpoint computers, create the ThirdPartyCPs registry key with a subkey named {31348146-f794-4beb-9d39-e411bff979ee} in the following location:
64-bit - HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\CredentialProvider\ThirdPartyCPs{FDEF1242-8B8B-4D0E-AE73-257CEB8776A5}
- Configure the {31348146-f794-4beb-9d39-e411bff979ee} subkey as follows:
- Set the Default value to MfeEpeCredentialProvider.
- Add a SupportsPrebootAuth value with a Data Type of REG_DWORD and set it to 1.
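The following PowerShell script is an added example, not code from Imprivata or McAfee. It applies both endpoint-side steps above (the EpePcCP.ini filter entries, and, when -PrebootAuth is given, the ThirdPartyCPs subkey) idempotently, backs up the INI file first, honours -WhatIf, and reads the settings back so the result can be checked before the restart. The parameter names and defaults are assumptions: the INI path is the McAfee Drive Encryption 7 folder named above, and the registry location is copied exactly as printed on this page (with no separator before the trailing GUID), so confirm it against the Imprivata documentation for your release before running it on production endpoints.

```powershell
<#
  Added example (not Imprivata or McAfee code). Run from 64-bit PowerShell as an
  administrator so HKLM:\SOFTWARE resolves to the 64-bit registry view named on
  the page rather than being redirected to Wow6432Node.
  Parameter names and defaults below are assumptions, not from the page.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # EpePcCP.ini location; the page gives this folder for McAfee Drive Encryption 7.
    [string]$IniPath = 'C:\Program Files\McAfee\Endpoint Encryption\EpePcCP.ini',

    # Registry location copied as printed on the page; verify it against your
    # Imprivata documentation before use (note the missing separator before the GUID).
    [string]$ThirdPartyCPsPath = 'HKLM:\SOFTWARE\SSOProvider\CredentialProvider\ThirdPartyCPs{FDEF1242-8B8B-4D0E-AE73-257CEB8776A5}',

    # Only set the registry subkey when McAfee pre-boot authentication is enabled.
    [switch]$PrebootAuth
)

$FilterSection = '[CredentialProvider.Filter.Providers]'
$FilterEntries = @(
    '{11660363-781C-617B-0100-128274950001}=Enable',  # Imprivata OneSign Password Credential Provider Wrapper
    '{11660363-781C-617B-0100-128274950011}=Enable'   # Imprivata OneSign Credential Provider
)
$McAfeeCPSubKey = '{31348146-f794-4beb-9d39-e411bff979ee}'

# Returns the INI content with any missing entries appended to the section.
# Idempotent: entries already present (case-insensitive, whitespace ignored) are not duplicated.
function Add-IniSectionEntries {
    param([string[]]$Content, [string]$Section, [string[]]$Entries)
    $lines = [System.Collections.Generic.List[string]]::new()
    if ($Content) { $lines.AddRange([string[]]$Content) }

    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -ieq $Section) { $start = $i; break }
    }
    if ($start -lt 0) {                      # section absent: append it at the end
        $lines.Add($Section)
        $start = $lines.Count - 1
    }
    $end = $lines.Count                      # section ends at the next [header] or EOF
    for ($i = $start + 1; $i -lt $lines.Count; $i++) {
        if ($lines[$i].TrimStart().StartsWith('[')) { $end = $i; break }
    }

    $present = $lines.GetRange($start + 1, $end - $start - 1) |
        ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() }
    foreach ($entry in $Entries) {
        if ($present -notcontains $entry.ToLowerInvariant()) {
            $lines.Insert($end, $entry)
            $end++
        }
    }
    return ,$lines.ToArray()
}

# Reads everything back; $true only when both INI entries (and, for pre-boot
# deployments, the registry subkey with both values) are in place.
function Test-McAfeeImprivataIntegration {
    param([string]$IniPath, [string]$Key, [switch]$PrebootAuth)
    $ini   = @(Get-Content -LiteralPath $IniPath)
    $after = Add-IniSectionEntries -Content $ini -Section $FilterSection -Entries $FilterEntries
    $ok = ($after.Count -eq $ini.Count)      # nothing would be added, so entries are present
    if ($PrebootAuth) {
        $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
        $ok = $ok -and $props -and
              ($props.'(default)' -eq 'MfeEpeCredentialProvider') -and
              ($props.SupportsPrebootAuth -eq 1)
    }
    return $ok
}

# Step 1: credential provider filter in EpePcCP.ini (required for both deployment types).
if (-not (Test-Path -LiteralPath $IniPath)) { throw "EpePcCP.ini not found at $IniPath" }
$original = @(Get-Content -LiteralPath $IniPath)
$updated  = Add-IniSectionEntries -Content $original -Section $FilterSection -Entries $FilterEntries
if (($updated -join "`n") -ne ($original -join "`n")) {
    if ($PSCmdlet.ShouldProcess($IniPath, 'Add Imprivata credential provider filter entries')) {
        Copy-Item -LiteralPath $IniPath -Destination "$IniPath.bak" -Force   # keep a rollback copy
        Set-Content -LiteralPath $IniPath -Value $updated
    }
}

# Step 2: register the McAfee credential provider with Imprivata (pre-boot deployments only).
$key = Join-Path -Path $ThirdPartyCPsPath -ChildPath $McAfeeCPSubKey
if ($PrebootAuth -and $PSCmdlet.ShouldProcess($key, 'Create McAfee ThirdPartyCPs subkey')) {
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $key -Name '(Default)' -Value 'MfeEpeCredentialProvider'
    New-ItemProperty -LiteralPath $key -Name 'SupportsPrebootAuth' -PropertyType DWord -Value 1 -Force | Out-Null
}

$verified = Test-McAfeeImprivataIntegration -IniPath $IniPath -Key $key -PrebootAuth:$PrebootAuth
Write-Output "Imprivata/McAfee integration settings present: $verified"
```

Run it once with -WhatIf to see what would change, then without; a restart is still required afterwards, as the steps above say, and the script deliberately does not trigger one. The read-back at the end is what you would also run as a compliance check across a fleet, since a missing INI entry or a wrong SupportsPrebootAuth value produces the double-logon behaviour the filter is meant to remove.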
Windows Desktop Authentication Workflows
The following workflows apply to:
- Microsoft Windows 8.1 endpoint computers.
- The Imprivata single–user computer agent (type 1).
- A McAfee deployment that is synchronized with the same user directory domain controller as the appliance.
McAfee Pre-boot Authentication Enabled

When McAfee pre-boot authentication is enabled, the user logs in to the Windows computer once:
- The Windows endpoint computer starts.
- The user enters their McAfee credentials in the McAfee logon dialog.
- McAfee authenticates the user.
- If the Imprivata Enterprise Access Management user policy is configured for a password only, the Windows desktop opens.
- If the Imprivata Enterprise Access Management user policy is configured for a second factor, Imprivata Enterprise Access Management prompts the user for the second factor, and the Windows desktop opens.
After the desktop opens, Imprivata Enterprise Access Management continues to manage the desktop lock and unlock functionality.
McAfee Automatic Booting Enabled

When McAfee automatic booting is enabled, the user logs in to the Windows computer once:
- The Windows endpoint computer starts.
- The user enters their Imprivata credentials in the Imprivata OneSign login dialog.
- Imprivata Enterprise Access Management authenticates the user and the Windows desktop opens.
After the desktop opens, Imprivata Enterprise Access Management continues to manage the desktop lock and unlock functionality.