Mcafee EPO vs Casper FV management

swapple
Contributor III

Our jump start date is quickly approaching and we are trying to work out our strategy for managing FileVault. Currently, EPO is managing FV on our Macs and holds the keys (no enterprise key). We think that to get Casper to take this over, we will have to decrypt and then re-encrypt with Casper.
Then a Dell salesman comes in pitching their management tool, saying it has a way to just take over the FV key for Macs and you don't have to decrypt/re-encrypt. I am skeptical about that.
Is there a way that Casper would be able to do that? Do any of the McAfee/Casper shops out there let McAfee do it rather than Casper? We will still be putting McAfee endpoint on our Macs, managed and tied back to EPO.
We are also "enjoying" the FV password getting out of sync once our AD users (mobile acct, mac bound to AD) change their password, but that is probably a different discussion thread.

5 REPLIES

djrich29
New Contributor III

My company implemented FileVault last year and our Windows security team wanted/suggested to use McAfee to manage FileVault. Since my team has total control of the Macs, we 100% objected to that idea because we had so many issues with McAfee and our Macs in the past; we did not want to deal with one more. We knew managing FileVault with Casper was the most logical thing to do. We use McAfee with our Macs simply because our senior management like the product and "felt" they had a good experience with the Windows clients. Since you are only using "individual" keys for your Macs, I believe you don't have to decrypt/re-encrypt; you can use JAMF's re-issue key script, which will allow a new recovery key to be issued, and then you can re-direct the keys to your JSS via a configuration profile. See this post for more info on this: https://jamfnation.jamfsoftware.com/discussion.html?id=14280

adamcodega
Valued Contributor

As djrich29 said, what Dell is trying to sell you is built in to FileVault 2: there is an fdesetup command to redirect the encryption key without the labor of decrypting and re-encrypting the volume. When you have the configuration profile in place to redirect keys to the JSS, the reissued key will be redirected to the JSS.

Check out the link djrich29 posted. Elliot Jordan also did a presentation on how it all comes together here.

jason_bracy
Contributor III

We are in a similar situation and are actually moving away from having Casper manage the keys to letting McAfee manage them. We have tested the migration on a few machines and it is relatively painless. Once you install the MNE client (McAfee Management of Native Encryption) and enforce it from ePO, a dialog pops up asking the user to enter their current FV password. That's it; the key is then redirected to the ePO server and there is a single pane of glass for encryption management.

As far as the password sync issue, I created a script to enforce the Keychain Access Preferences option "SyncLoginPassword". Now, if the login password is different from the Keychain password, the user is prompted at login to sync them. This also resets the encryption password.

#!/bin/bash
# Turn on the Keychain Access preference that syncs the login keychain password
# with the account password (run in the user's context so the user domain is written)
defaults write com.apple.keychainaccess SyncLoginPassword -bool true
# Restart the preferences daemon so the new value takes effect immediately
killall cfprefsd

5kinner
New Contributor III

I'll be surprised if you speak to anyone who has McAfee in their Mac environment that hasn't had problems. We have had the same discussion; Casper all the way for us!

donmontalvo
Esteemed Contributor III

While I agree that the out-of-box settings for McAfee ePO are incredibly disruptive/ineffective on the OS X platform, we found the product to work quite well once settings/exclusions are configured and managed correctly. This requires collaboration between the team responsible for McAfee ePO and the team responsible for managing the Mac environment.

With that said, I've heard good stuff about McAfee ePO being used to manage native FileVault 2 recovery keys. I don't see a lot of discussion about it on this forum, for obvious reasons. :)

Don

--
https://donmontalvo.com