FAQs for Management of Native Encryption for use with MVISION ePO
Technical Articles ID:
KB91968
Last Modified: 2022-04-25 05:05:22 Etc/GMT
Environment
Management of Native Encryption (MNE) for MVISION ePO
Summary
This article provides a consolidated list of common questions and answers. It's intended for users who are new to the product, and can also be of use to all users.
Recent updates to this article
April 25, 2022 - Minor formatting changes; no content changes.
Contents:
What's the primary purpose of MNE?
MNE gives you the ability to report and manage Windows BitLocker and the macOS FileVault feature directly from MVISION ePolicy Orchestrator (ePO).
What is new in MNE?
MNE for MVISION ePO version 1910 is the first release of MNE to manage and deploy MNE to all client systems from MVISION ePO. You can use your own Customer Master Key (CMK) created on AWS to protect your data using the Tenant Key Service on MVISION ePO.
How can I obtain MNE?
MNE for use with MVISION ePO is available only on a trial basis and no license is needed. To access the trial version, perform the steps below:
Register for MVISION ePO at the MVISION Signup page. After you register with a username and password, you'll be sent an email link directed to the MVISION ePO logon page.
Log on to MVISION ePO.
Go to the Master Repository. You can then see the MVISION MNE trial.
Why's the version numbering different for MNE managed by MVISION ePO from the version numbering for ePO on-premises?
Products managed by MVISION ePO have a different numbering convention. This release of MNE for the MVISION ePO platform is identified as version 1910, where the version identifier follows a yymm convention. For more information about using MNE managed from MVISION ePO, see the MNE Product Guide for use with MVISION ePO.
The documentation and product version of MNE on ePO is identified as version 5.0.x.
The endpoint (client) version of MNE remains as 5.0.x regardless of the management platform in use. Both ePO and MVISION ePO use the same client package. This eases the migration process from ePO to MVISION ePO management of endpoints with MNE already installed.
Are there any differences in the feature set between MNE managed by MVISION ePO and ePO on-premises?
The following features, which are available with MNE 5.0.x managed by ePO on-premises, are not supported in the MNE for MVISION ePO 1910 release:
Migrate the clients to be managed with MVISION ePO
Key recovery using the Data Protection Self-Service Portal (DPSSP) isn't supported with MNE for MVISION ePO.
Can MVISION ePO manage other encryption products, like Drive Encryption (DE) and File and Removable Media Protection?
We plan to provide MVISION ePO management for all Endpoint Encryption products in the future. These products and services are in development. All information provided is subject to change without notice at our sole discretion.
Why add management of Windows BitLocker with MNE when we already have DE or Endpoint Protection for PC (EEPC)?
MNE for BitLocker is a secondary option for our existing DE customers and new prospects. One of the goals is to provide customers an option if they want only basic encryption, especially for customers who are already using BitLocker on all or a group of endpoints. One application of MNE for a Windows system is to enable management through ePO for small clusters of systems. For example, systems that customers can't currently manage with DE today, such as Windows to Go devices or Surface Pro tablets.
For 'bring your own device' (BYOD) type assets, there's also a 'Report Only' mode. This mode is similar to what's offered in MNE 1.0 for FileVault management. In this case, ePO can report that encryption is enabled for that endpoint, but doesn't manage the endpoint.
Will DE and MNE both continue to be developed in the future?
Yes. DE is a Gartner-MQ winning Enterprise solution and offers many more features than Microsoft BitLocker.
These features include, but aren't limited to, the following:
User-based preboot
Smart card
Biometric authentication
Self-recovery
Complex user-based policies
Endpoint Assistant
Support for Intel AMT and ePO Deep Command.
MNE is designed to provide a simple and easier-to-manage encryption solution that manages the built-in operating system encryption of Apple and Microsoft Windows operating systems.
What's FileVault?
FileVault is the native operating system encryption product from Apple. It encrypts the entire operating system startup volume, typically including the home directory, but not non-operating system volumes. It supports a user-based preboot.
What's BitLocker?
BitLocker is the native operating system encryption product from Microsoft. It's available on certain editions of the operating system. It can encrypt the entire operating system volume and any other volumes on the system. It doesn't support a user-based preboot, meaning that all users that share a system need to know the same password. Support for management of Windows BitLocker is added in MNE 2.0.
Compatibility - Mac (FileVault) specific
What versions of operating system does MNE Support?
MNE 4.1 provides full support of macOS 10.10.x (Yosemite) and macOS 10.11.x (El Capitan).
NOTE: For the latest information about the operating systems supported by earlier versions of MNE, see KB79614 - FAQs for Management of Native Encryption.
Compatibility - Windows (BitLocker) specific
Is Windows 10 Enterprise Long-Term Servicing Branch (LTSB) supported with MNE?
No. MNE currently only offers support for official Windows 10 builds, which include Current Branch (CB) and Current Branch for Business (CBB).
NOTE: LTSB is Microsoft terminology for a Sustaining build that doesn't receive feature updates and is limited to security updates in general.
Does MNE support XP or Vista?
No. BitLocker support was added with the introduction of MNE on Windows 7 and later.
Can I simply move from Microsoft BitLocker Administration and Monitoring (MBAM) client to MNE?
Yes. You need to push the MNE client software to the endpoints and enable MNE reporting policy in the first instance. After you see your systems reporting BitLocker status, you can then start removing MBAM from the endpoint and enabling the MNE management policy. For example, set the BitLocker product policy to Turn-on (enable) BitLocker with appropriate options. If you fail to remove MBAM from the endpoint, there's going to be a conflict between the two management solutions as they compete to manage BitLocker.
Can MNE manage Trusted Platform Module (TPM)?
No. MNE doesn't manage TPM. On Windows 7 systems, you need to manage TPM yourself. On Windows 8 and above, the operating system can manage TPM for you if you've not already managed it.
Does MNE support Opal drives on supported operating systems?
Yes. Support for Opal drives is included with MNE 4.1 and later.
Install or Upgrade - General:
Can I migrate MNE clients that are managed via ePO on-premises to MVISION ePO?
Yes. You can migrate MNE 4.x and later from ePO to MVISION ePO.
To migrate MNE clients that are managed via ePO on-premises to MVISION ePO, follow the steps in the "Migrating MNE to MVISION ePO" section in the MNE Encryption Product Guide for use with MVISION ePO.
When migrating to MVISION ePO, do I have to migrate all MNE installed endpoints at the same time or can I migrate over time?
An ePO administrator can select a group at a time from the System Tree and migrate this group only.
Installation or Upgrade - Mac (FileVault) specific:
What is the quickest way to go to compliant mode with MNE 4.0 macOS?
MNE 4.0 and later provide a standalone installer for macOS systems, which installs McAfee Agent and the MNE (FileVault) product. For more information about installing MNE, see the relevant Management of Native Encryption Product Guide.
What is the best practice recommended in deploying MNE and Endpoint Security for Mac (ENSM), formerly Endpoint Protection for Mac (ENPM), together?
Generally, MNE, ENSM, or ENPM can be deployed on macOS systems in any order. For large-scale enterprise deployments, we recommend deploying ENSM or ENPM first, followed by MNE.
Configuration - General:
Why must I enable key-rotation in the server settings page?
Unlike DE, BitLocker recovery keys have no random element. This means that until the recovery key is changed, a recovery key that has been viewed can continue to be used. If the recovery key falls into the wrong hands, an attacker can gain access to the system.
Outcome of enabling the key-rotation setting in the server settings: This option makes sure that if anyone views the recovery key in ePO, the server instructs the endpoint to change the recovery keys at the next opportunity, thus closing this security hole.
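The article describes key rotation as a server-driven action. As an added example (not code from the article or from MNE), the following PowerShell shows the equivalent local operation on one volume with the built-in BitLocker module (Windows 8 and later, administrator rights): add a fresh recovery password protector, remove the exposed ones, and re-escrow the new one. The function name is an assumption for this example.

```powershell
# Added example, not part of the KB article: rotate the BitLocker recovery password on a
# volume after the old one has been read out (for example during a help-desk recovery call).
# MNE performs this from the server when key rotation is enabled; this is the local equivalent.
function Update-BitLockerRecoveryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. 'C:'

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Add the replacement first so the volume is never left without a recovery protector.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newId = ($after.KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword' |
              Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId }).KeyProtectorId

    # Now retire every recovery password that existed before the rotation.
    foreach ($p in $old) {
        if ($PSCmdlet.ShouldProcess($MountPoint, "remove recovery protector $($p.KeyProtectorId)")) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    # Escrow the new protector to AD DS where Group Policy permits it (MNE escrows to ePO instead;
    # the backup cmdlet fails harmlessly when no AD escrow policy applies).
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId -ErrorAction SilentlyContinue | Out-Null

    # Return the id of the protector now in force so the caller can record the rotation.
    return $newId
}

Update-BitLockerRecoveryPassword -MountPoint 'C:' -WhatIf   # dry run; drop -WhatIf to rotate
```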
Configuration - Mac (FileVault) specific:
A macOS system is joined to an Active Directory (AD) server, and AD users are also enabled for FileVault preboot logon. What are the recommended MNE policy settings?
Issues have been seen on macOS systems in this configuration. When an AD user changes their password on a periodic basis on the macOS system, the new password set by the user fails to sync with the FileVault preboot. The issue happens when the MNE policy Destroy FileVault key in standby mode is enabled. We recommend disabling this policy option if macOS systems have AD users on the system. For more information, see KB81289 - User who changed their password can't authenticate at the FileVault preboot screen.
Is it possible to configure MNE for FileVault to only allow for one user at preboot?
No. After MNE enables FileVault, macOS adds the currently logged in user to the FileVault preboot. After FileVault is enabled on the system, when a new user is created on the system, macOS adds that user to FileVault preboot logon automatically. MNE does not support restricting logon for a single user on the system because FileVault user management isn't controlled with MNE.
Configuration - Windows (BitLocker) specific:
Where's the User Interface to manage FileVault users in MNE?
MNE doesn't provide support for FileVault user management. To manage Mac users, you must use the standard Apple user-management features (in System Preferences, Users & Groups), which require administrator rights. For more details, see KB79648 - How to add an Active Directory user to FileVault.
What authentication types are supported with BitLocker?
MNE supports TPM, TPM+PIN, and Password authentication. Password authentication is only available with Windows 8 and later.
Why's there no policy option for USB authentication with BitLocker MNE?
USB authentication is not supported with MNE for security reasons.
Why does MNE encrypt all volumes on a Windows system, and use the same PIN or password to unlock them all?
MNE is configured to use auto-unlock for all non-OS volumes in this release. The aim is to simplify the user experience; a user has only one password or PIN to remember. This configuration reduces the likelihood that users opt to write down their passwords.
What permissions are needed to provision McAfee Agent (MA) running in unmanaged mode when using the MNE standalone installer?
The ePO Remote Provisioning tool requires the ePO address, username, and password of the user to be entered. The user can be limited to an executive reviewer role, who has limited permissions on the ePO server. For information about how to use the Remote Provisioning tool bundled with MNE, see KB82640 - How to use the Remote Provisioning tool bundled with Management of Native Encryption.
General Functionality:
Do I have to use MVISION ePO to store my encryption keys?
MVISION ePO doesn't store the encryption keys. MNE supports data protection through a hierarchical key structure. Encryption keys are protected at the root level by a primary key. The customer's credentials control the primary key. MNE works with several services to create a primary key to protect your data:
Tenant Key Service (TKS) - An encryption key service on MVISION ePO. The service provides a key to encrypt or decrypt data that can be protected using the Customer Master Key (CMK).
Amazon Web Services (AWS) - A cloud computing service from Amazon that provides on-demand computing platforms for individuals and organizations.
AWS Key Management Service (KMS) - An AWS-managed service that allows you to create customer primary keys that can be used to protect your data.
AWS Customer Master Key (CMK) - An encryption key created by AWS Key Management Service (KMS).
MNE on MVISION ePO is preconfigured with a default primary key for encryption and decryption services to work with zero setup.
We own the AWS KMS, where the default primary key is provisioned. The same primary key is shared among all customers.
We recommend that you configure TKS with your own primary key to enforce strict cryptographic separation between your data and the data of our other customers. Using your own primary key allows you to retain full control of your data with the ability to revoke access at a moment's notice.
For information about creating your own primary key, see the AWS documentation.
When a system is deleted from ePO, is it still possible to use the serial number to obtain the recovery key?
Yes. The serial number and recovery key aren't deleted when a system is removed from ePO.
Is a new drive automatically encrypted when a computer has two drives that are both BitLocker protected, where the secondary drive fails and a new one is installed?
The new drive is automatically managed with MNE on the next policy enforcement. When a normal encryption policy is enforced, MNE generates the following:
Auto Unlock Key
Recovery Key for that drive, which is escrowed to ePO before encryption begins
NOTES:
The user doesn't need to take any manual steps during the above actions.
An Auto Unlock key is the standard unlock mechanism for data volumes.
Does MNE support BitLocker To Go (BitLocker encryption for USB drives)?
No. We recommend that you use File and Removable Media Protection (FRP) to encrypt USB drives.
What's the maximum number of times a user can postpone activation (MNE 4.1 and later)?
The user can postpone the activation up to 10 times. This option is located under the Authentication policy section.
NOTES:
This feature restricts the number of postponements on activation to reduce the amount of time that a client system isn't encrypted.
Systems that are already encrypted have already been activated. So, any policy change that requires different credentials to be entered allows the user to postpone the credentials dialog any number of times. This action occurs because the system is already in an encrypted state.
When might I want to use the Postpone Activation option?
Sometimes it isn't convenient for a product to be installed or updated in busy periods or perhaps during a customer meeting. Thus, having the flexibility to defer this action can improve the user experience during a deployment phase.
Why would I want to use the MNE Control Panel Applet?
Credential management is the key to maintaining an effective security posture and usability within a managed estate.
Key points:
Administrators might want to more securely lock down the user's ability to change the configuration of BitLocker. This action is achieved by removing the BitLocker Control Panel, and replacing it with the MNE user-interface that's also accessed through the Control Panel.
Disabling the BitLocker Control Panel removes the ability for a user to do the following, which might fall outside of a company's security best practices:
Disable BitLocker protection
Manage TPM
Save or print the recovery password
When the BitLocker Control Panel item is removed, the MNE interface still allows non-administrator users the ability to change their password if needed. This capability helps reduce the need to raise a help desk ticket. This design allows a more efficient working practice, while maintaining an effective security posture.
Note that users with administrator rights can manage BitLocker through the BitLocker command-line tool manage-bde.
How do I Hide Default BitLocker Encryption in the Windows Control Panel?
See this Microsoft TechNet article.
Where do I find the Find MNE systems by username dashboard?
You can view the Find MNE systems by username dashboard on the Dashboards page.
Why would I typically use Find System by username?
This new feature is useful in the scenario wherein the owner of a system meets either of the criteria below:
Calls in and reports their system lost or stolen
Doesn't have the system details at hand
How can I disable protection while I modify the operating system?
The endpoint tool MaintenanceMode.exe can be used to disable protection for a set period or number of reboots. You must use this tool instead of disabling protection yourself through non-MNE tools. Otherwise, MNE policy enforcement simply re-enables the protection when it next enforces the policy. You can build this tool into your endpoint scripts during operating system refreshes and upgrades.
Why does a system with no data drives report "Pass" against Security Posture tests?
The Security Posture Reporting tests return Fail only if there's something that fails the specific test. If there are no data drives, there's nothing to make the tests fail, and as a result, they pass. In other words, the report finds systems that are noncompliant; a system with no fixed drives can't be noncompliant to a fixed drive policy.
For reporting methods, is there a way to see what key protectors are in use for a system and its volumes, and the algorithm in use?
No. There are no ePO reports to show this information. You can only use the manage-bde command to obtain this information.
For more details about how to use the tool manage-bde, see this Microsoft article.
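As an added example (not from the article or from MNE), the following PowerShell collects what the article says ePO reports don't show: the key protectors and encryption algorithm per volume. It uses the built-in BitLocker module (Windows 8 and later, administrator rights); on Windows 7, manage-bde -status and manage-bde -protectors -get <drive> give the same data. The function name and the flag column names are assumptions for this example.

```powershell
# Added example, not part of the KB article: per-volume inventory of BitLocker protectors
# and algorithms, with two flags a reviewer would want when checking MNE compliance.
function Get-BitLockerProtectorReport {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume | ForEach-Object {
        $vol   = $_
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Flags derived from the article: MNE does not support USB (startup key) authentication,
        # and it expects a recovery password to exist and be escrowed for every managed volume.
        $usbKeyOnOs  = ($vol.VolumeType -eq 'OperatingSystem') -and ($types -contains 'ExternalKey')
        $noRecovery  = -not ($types -contains 'RecoveryPassword')

        [pscustomobject]@{
            Volume             = $vol.MountPoint
            VolumeType         = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus   = $vol.ProtectionStatus    # On / Off
            EncryptionMethod   = $vol.EncryptionMethod    # e.g. XtsAes128, XtsAes256, Aes256
            Protectors         = ($types -join ', ')      # e.g. Tpm, RecoveryPassword / TpmPin, RecoveryPassword
            AutoUnlock         = $vol.AutoUnlockEnabled   # expected on data volumes under MNE (see above)
            UsbStartupKeyOnOs  = $usbKeyOnOs
            NoRecoveryPassword = $noRecovery
        }
    }
}

# Table for a quick look; pipe to Export-Csv to feed a report.
Get-BitLockerProtectorReport | Format-Table -AutoSize
```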
Does MNE support the use of Boot Camp?
MNE doesn't specifically support Boot Camp. Mac FileVault itself supports Boot Camp. But, FileVault only encrypts the operating system volume on the disk. A Windows partition created using Boot Camp remains unencrypted on the disk; this is purely FileVault behavior, not an MNE function.
What's the recommended method to enable FileVault after it's turned on by the ePO administrator through policy enforcement?
When the ePO administrator enables FileVault on the system, FileVault gets enabled in a deferred enablement mode. This means that the currently logged in user is authorized to enable FileVault using the password. When the ePO administrator enables FileVault, the user on the macOS system sees a notification to restart the system to enable encryption on the Mac system. The user needs to restart and type the password at the password prompt screen to authorize FileVault. This action enables FileVault encryption when the system boots again.
MNE enables FileVault for a currently logged on user, but the system has multiple users. How can the logged on user enable FileVault preboot logon for the other users?
MNE doesn't play any role in adding FileVault logon for the users. The macOS FileVault handles this operation. If a system has more than one user at the time of enabling FileVault, the currently logged on user is authorized to log on at preboot. If you want to allow other users on the system to log on at the FileVault preboot, the administrator user on the macOS system can enable these users as follows:
Open Applications, System Preferences, Security & Privacy.
Click the lock and type the administrator's user credentials.
Click Enable Users.
Select the users and click Enable User to enable the selected users as FileVault users.
Functionality - Windows (BitLocker) specific:
Why does BitLocker not activate?
For BitLocker to activate, the system needs a system partition. Depending on how your Windows image is created, a system partition might not be available. In this case, you need to create the system partition before BitLocker can activate. In general, if you can activate BitLocker manually, MNE might activate it as well.
Can specific Active Directory (AD) groups be delegated the rights to recover the encryption keys?
No. Rights to encryption key recovery are defined via ePO permission sets assigned to ePO users, not via AD. The DPSSP can be used to allow users to recover systems that they have previously logged on to.
NOTE: Users can't recover systems that they haven't previously logged on to.
How does MNE handle BitLocker recovery keys stored in AD; is it done automatically?
MNE backs up any recovery keys that exist on the computer to ePO, on systems where BitLocker is already running. It does so by simply pulling them from the client using the BitLocker API (no round trip is needed to AD). MNE then adds our own recovery key as well. So, a system where MNE takes over BitLocker will have multiple recovery keys, and all are safely stored in ePO. This occurs at the first policy enforcement as MNE tries to pull BitLocker into compliance with the MNE policy.