McAfee Encrypted USB 1.2
User Guide
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.

2 McAfee Encrypted USB 1.2 User Guide


Contents
Introducing Encrypted USB
  How Encrypted USB works?
  Encrypted USB features
  System requirements
  Supported McAfee devices
  About this guide
    Target audience
Encrypted USB Administration
  Installing the Encrypted USB software using ePolicy Orchestrator
    Checking in portable content packages in ePolicy Orchestrator
    Installing Encrypted USB 1.2 extension
    Configuring Server Settings
    Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes
    Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes
  Administering McAfee Encrypted USB - powered by SanDisk
    Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator
    Recycling a device
    Revoking a device
  Administering other supported Encrypted USB devices
    Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator
    Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1
    Upgrading Encrypted USB client with anti-virus portable content packages
    Revoking a device
    Recycling a device
    Recovering data from the device
  Assigning multiple policies to a managed node
  Reporting
Using the Encrypted USB device
  Lifecycle of the device
    Setting up the Encrypted USB - powered by SanDisk device
    Setting up other supported Encrypted USB device
  Using the Encrypted USB - powered by SanDisk Portable Client
    Logging on to the device
    Disconnecting the device
    Managing McAfee anti-virus scanner
    McAfee Encrypted USB settings
    Formatting McAfee Encrypted USB
    Restoring data
    Rescuing the device through Help Desk
  Using other supported Encrypted USB Portable Client
    LED states
    Security options in the device
    Logging on to the device
    Disconnecting the device
    Viewing hardware and software information
    Managing authentication methods
    Managing backup
    Managing the Antivirus Scanner
    Self rescuing the device
    Rescuing the device through Help Desk
  Troubleshooting
Appendix A — Restricting the device use
  Restricting the device use to home network
  Restricting the device use to specified network(s)
Appendix B — Device management states


Introducing Encrypted USB
Encrypted Universal Serial Bus (USB) devices use the Universal Serial Bus standard to interface
to a host computer through a standardized USB interface socket. McAfee Encrypted USB version
1.2 is a scalable software solution for managing large and small deployments of McAfee's USB
storage devices.
McAfee Encrypted USB 1.2 supports Encrypted USB devices powered by SanDisk along with
Encrypted USB 1.1 and 1.0 devices. An Encrypted USB administrator can select the device type
to manage in the network before deploying it on the managed systems.
McAfee Encrypted USB 1.2 includes a management console, a client component, an anti-virus
scanner, and an administration utility (optional). It controls the USB device lifecycle including
initialization, personalization, usage, rescue, recovery, and recycling.

Contents
How Encrypted USB works?
Encrypted USB features
System requirements
Supported McAfee devices
About this guide

How Encrypted USB works?


McAfee Encrypted USB 1.2 offers data protection in the form of powerful encryption technology
combined with strong authentication controls, so that only authorized users can access
information.
It helps you maintain a virus-free environment by scanning the private partition of the USB
device and system folders and processes running on the client system on startup. Each time a
file is copied to the device, it scans the file comparing it with a list of known viruses and
intercepts/cleans the infected file. It updates the virus definition from a configurable signature
update site every time the user logs on to the device.
NOTE: The Encrypted USB Antivirus feature only scans the system folders and the processes
running on the client system. It does not completely protect the client system from malware.
McAfee Encrypted USB 1.2 integrates with McAfee ePolicy Orchestrator version 4.0 (patch 5
minimum) or version 4.5.
NOTE: McAfee Encrypted USB 1.2 does not support downgrade to Encrypted USB version 1.0.

Protecting the device from malware


McAfee Encrypted USB 1.2 includes an anti-virus scanner that prevents malware from being
copied to the device. McAfee Encrypted USB Antivirus Scanner constantly monitors file transfers
to the device, automatically detecting and cleaning/deleting any malware. It also supports
an on-demand scan that enables the device user to initiate a scan when required.
Refer to the Managing the Antivirus Scanner section for more details.

Restricting devices to trusted network for some users


McAfee Encrypted USB 1.2 allows you to restrict the use of the device to trusted networks. You
can create and configure different Foreign Device policies for each group of managed systems,
restricting them to specified networks.
NOTE: This feature is not available for all device types.
Refer to the Appendix A — Restricting device use section for more details.

Revoking a device in emergency


Revoking a device blocks the usage of a device. McAfee Encrypted USB 1.2 allows the
administrator to revoke the device when it is lost, when the password is disclosed, or during
an audit. Encrypted USB administrators can revoke, or revoke and wipe, the device as required
from ePolicy Orchestrator. The device can be reused after it is reinstated.
Refer to the Revoking a device section for more details.

Encrypted USB features


• Centralized management — Provides support for deploying and managing McAfee
Encrypted USB devices using ePolicy Orchestrator version 4.0 (patch 5 minimum) or version
4.5.
• Data protection with powerful encryption — Offers data protection through powerful
encryption technology along with strong access controls, so that only authenticated users
can access data stored on the USB device.
• Two-factor authentication — Allows you to use one of these authentication modes to
unlock the USB device:
    • Password and/or biometric
    • Common Access Card (CAC) or Personal Identity Verification (PIV) card with security PIN
      and/or biometric
NOTE: The authentication modes available depend on the device type.

• Protection from malware — Offers protection from malware by scanning files copied to
the device, detecting threats and taking action as required.
• Device type selection — Provides an option for selecting the device type to be managed
in the network before deploying the Encrypted USB client on the managed systems.

System requirements
Operating systems:
• Microsoft Windows XP Professional SP2 and SP3
• Windows Vista Business SP1 or later and Enterprise SP1 or later
• Windows XP Home SP3

• Windows Vista Ultimate


McAfee Encrypted USB 1.2 prerequisites:
• Microsoft .NET Framework 2.0
• Windows Installer 3.1
• McAfee Agent 3.6 (patch 3) or above

Supported McAfee devices


Device / Description

Device: McAfee Encrypted USB - powered by SanDisk
• Supports password authentication mode.
• Can have private and read-only disk partitions.

Device: McAfee Encrypted USB Standard version 2
• Supports password and CAC/PIV card authentication mode.
• Can have private and read-only disk partitions.

Device: McAfee Zero Footprint Biometric Encrypted USB
• Supports biometric and/or password authentication mode.
• Supports biometric and/or CAC/PIV card authentication mode.
• Can have public, private, and read-only disk partitions.

Device: McAfee Zero Footprint Non-Biometric Encrypted USB
• Supports password and CAC/PIV card authentication mode.
• Can have public, private, and read-only disk partitions.

Device: McAfee Encrypted USB Hard Disk
• Supports biometric and/or password authentication mode.
• Supports biometric and/or CAC/PIV card authentication mode.
• Can have public, private, and read-only disk partitions. Available in various hard drive sizes.

Device: McAfee Encrypted USB Standard Driverless
• Supports password and CAC/PIV card authentication mode.
• Can have private and read-only disk partitions.

About this guide


This guide provides detailed instructions for installing and managing Encrypted USB 1.2 using
ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5.

Target audience
This guide is intended for McAfee Encrypted USB device users and administrators.



Encrypted USB Administration
This chapter provides information on:
Installing the Encrypted USB software using ePolicy Orchestrator
Administering McAfee Encrypted USB - powered by SanDisk
Administering other supported Encrypted USB devices
Assigning multiple policies to a managed node
Reporting

Installing the Encrypted USB software using ePolicy Orchestrator
ePolicy Orchestrator provides a scalable platform for centralized policy management and
enforcement on your security products and systems on which they reside. It also allows you to
deploy and manage Encrypted USB storage devices.
NOTE: The instructions refer to ePolicy Orchestrator 4.0 by default. To use this chapter
effectively, you must be familiar with using ePolicy Orchestrator version 4.0 and 4.5.

Tasks
Checking in portable content packages in ePolicy Orchestrator
Configuring Server Settings
Installing Encrypted USB 1.2 extension
Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes
Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes

Checking in portable content packages in ePolicy Orchestrator


Use this task to check in the Encrypted USB 1.2 portable content package to the master
repository.

Before you begin


Copy the DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip archives
to a temporary folder of your ePolicy Orchestrator computer.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Software | Master Repository | Check In Package. The Check In Package
wizard appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Software | Master
Repository, then click Actions | Check In Package.

3 In the Package page, select the Package type as Product or Update (.ZIP) and browse
in File path to locate DPEUPM501100.zip.
4 Click Next. The Package Options page appears with the package information.
5 Select Branch as Current, then click Save.
NOTE: Check in DPEUPS221100.zip and DPEUPM211100.zip by repeating the same
steps. However, in step 3, browse for DPEUPS221100.zip or DPEUPM211100.zip as
required.

Installing Encrypted USB 1.2 extension


You can install the Encrypted USB extension on the ePolicy Orchestrator 4.0 (patch 5 minimum)
server using the Configuration tab.

Task
For option definitions, click ? in the interface.
1 Copy the EUC120LEN_IPEX.ZIP file to a temporary folder of your ePolicy Orchestrator
computer.
2 Log on to the ePolicy Orchestrator server as an administrator.
3 Click Configuration | Extensions | Install Extension. The Install Extension dialog
box appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Software | Extensions |
Install Extension.

4 Click Browse to select the extension file EUC120LEN_IPEX.ZIP. Click Open, then click
OK. The Install Extension page appears with the extension name and version details.
5 Click OK.

Configuring Server Settings


Various settings control how the ePolicy Orchestrator server behaves. You can change most
settings at any time. But, only global administrators can access the server settings.
Use this task to configure Server Settings for McAfee Encrypted USB.

Task
For option definitions, click ? in the interface.
1 Log on to ePolicy Orchestrator as an administrator.
2 Click Configuration | Server Settings, then select Encrypted USB Settings. The
Server Settings for Encrypted USB is displayed on the right pane of the page.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Configuration | Server
Settings.

3 Click Edit. The Edit Encrypted USB Settings page appears.
4 Select the device types you want to manage, then click Save.

Deploying Encrypted USB Client and Encrypted USB Administrator on managed nodes
Use this task to deploy Encrypted USB Client on managed nodes.
NOTE: The Encrypted USB Administrator package should be installed on client computers used
only for administrator tasks along with physical access to the USB ports, because the
administrator tasks often require the device to be physically present.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Client Tasks. Select the required system(s) on which you want to install
Encrypted USB.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree
| Client Tasks.

3 Click New Task. The Client Task Builder page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Task.

4 In Description, type a Name for the task, Notes (optional), select the Type as Product
Deployment (McAfee Agent), then click Next.
5 In Configuration, select Windows as Target Platforms, Encrypted USB Client 1.2.0
as Products and components, Install as Action. Select the appropriate Language,
then click Next.
6 Schedule the task to run immediately or as required, then click Next to view a summary
of the task.
7 Click Save.
8 Send an agent wake-up call.
NOTE: To deploy Encrypted USB Administrator 1.2, repeat the same steps; however, in step
5, select Encrypted USB Administrator 1.2.0 as Products and components.

Uninstalling Encrypted USB Client and Encrypted USB Administrator from managed nodes
Use this task to uninstall Encrypted USB Client and Encrypted USB Administrator from managed
nodes.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Client Tasks. Select the required system(s) from which you want to
uninstall Encrypted USB Client.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree
| Client Tasks.

3 Click New Task. The Client Task Builder page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Task.

4 In Description, type a Name for the task, Notes (optional), select the Type as Product
Deployment (McAfee Agent), then click Next.
5 In Configuration, select Windows as Target Platforms, Encrypted USB Client 1.2.0
as Products and components, Remove as Action. Select the appropriate Language,
then click Next.
6 Schedule the task to run immediately or as required, then click Next to view a summary
of the task.
7 Click Save.
8 Send an agent wake-up call.
NOTE: To uninstall Encrypted USB Administrator 1.2, repeat the same steps; however, in
step 5, select Encrypted USB Administrator 1.2.0 as Products and components.

Administering McAfee Encrypted USB - powered by SanDisk
Use these tasks to administer McAfee Encrypted USB - powered by SanDisk using ePolicy
Orchestrator.
Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator
Revoking a device

Setting up policies for McAfee Encrypted USB - powered by SanDisk using ePolicy Orchestrator
The ePolicy Orchestrator console allows the administrator to configure policies for the Encrypted
USB devices from a central location. These policies vary based on the type of the device being
used.
Encrypted USB supports five policy categories:
Device Initialization Policy
Device Authentication policy
Device Backup Policy
Device Revocation List
Foreign Device Policy


Device Initialization Policy


Device Initialization Policy enables you to specify a public partition on the device, its size (in
MB), read-only partition size (in MB), and a device management code.
NOTE: The Device Initialization Policy for McAfee Encrypted USB - powered by SanDisk is set
by default and cannot be modified. The default size of read-only partition is set to 38.1 MB. A
device is initialized when it is updated.

Device Authentication policy


Device Authentication Policy allows you to set the password policy for accessing the private
partition of the USB device.
NOTE: Both initialization and authentication policies must be set for a device to be initialized.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Authentication
Policy.
4 Click New Policy. In Create a new policy dialog box, select the device from the
drop-down, type a name for the policy, then click OK. The following screen appears.

NOTE: This screen varies depending on the Server Settings configured.

5 Select the device type as McAfee Encrypted USB - Powered by SanDisk.


6 By default, authentication mode is set as Password only. This enables you to authenticate
to a device using a password only.
7 In Password Policy, set the following parameters:

Parameter                 Description

Password Retry Limit      Type the maximum number of times you can try authenticating to the
                          device using a wrong password, after which the device will be
                          blocked. Select Infinite for a maximum number of 10 password retries.
                          This parameter is set to 10 by default.

Minimum Password Length   Type the minimum number of characters the password must have
                          (between 4 and 16 characters).

Maximum Lifetime (Days)   Type the maximum number of days to define the validity of a
                          password. Select Infinite for the password to remain valid for 65535
                          days.
                          This parameter is set to 65535 by default.
                          NOTE: Regular password updates decrease the risk of the correct
                          password being stolen or guessed.

8 Recovery Policy is set to Help Desk / Challenge Response by default.
Help desk operators can assist the device user by securely resetting the authentication
mechanism of their device. This can be done over the phone or through email, and does
not require access to the device or even network connectivity.
9 Click Save.
10 Send an agent wakeup call.
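
An added example, not part of the McAfee guide or product: a Python helper that checks proposed Password Policy values against the ranges in the table above and estimates how likely a uniformly random minimum-length password is to be guessed before the retry limit blocks the device. The review thresholds, the alphabet size, and the lower bound of 1 for the retry limit and lifetime are assumptions of this example.

```python
from dataclasses import dataclass

# Ranges taken from the Password Policy table in this guide.
RETRY_LIMIT_MAX = 10         # "Infinite" means a maximum of 10 retries
MIN_LENGTH_BOUNDS = (4, 16)  # Minimum Password Length: 4 to 16 characters
LIFETIME_INFINITE = 65535    # "Infinite" keeps a password valid for 65535 days

# Assumptions of this example (the guide gives no such values):
LOWER_BOUND = 1                 # smallest retry limit / lifetime accepted here
REVIEW_MIN_LENGTH = 8           # flag shorter minimum lengths
REVIEW_MAX_LIFETIME_DAYS = 365  # flag longer finite lifetimes
REVIEW_MAX_GUESS_PROB = 1e-6    # flag higher guess probabilities
DEFAULT_ALPHABET = 62           # letters and digits; allowed characters are not documented


@dataclass(frozen=True)
class PasswordPolicy:
    retry_limit: int
    min_length: int
    max_lifetime_days: int


def validate(policy):
    """Return range errors; an empty list means the documented ranges are met."""
    errors = []
    if not LOWER_BOUND <= policy.retry_limit <= RETRY_LIMIT_MAX:
        errors.append("retry_limit must be 1..10")
    lo, hi = MIN_LENGTH_BOUNDS
    if not lo <= policy.min_length <= hi:
        errors.append("min_length must be 4..16")
    if not LOWER_BOUND <= policy.max_lifetime_days <= LIFETIME_INFINITE:
        errors.append("max_lifetime_days must be 1..65535")
    return errors


def guess_probability(policy, alphabet_size=DEFAULT_ALPHABET):
    """Chance that a uniformly random minimum-length password is guessed
    before the retry limit blocks the device. Passwords people actually
    choose are less random, so the real exposure is higher."""
    keyspace = alphabet_size ** policy.min_length
    return min(1.0, policy.retry_limit / keyspace)


def review(policy, alphabet_size=DEFAULT_ALPHABET):
    """Return finding codes for values that are in range but weak."""
    errors = validate(policy)
    if errors:
        raise ValueError("; ".join(errors))
    findings = []
    if policy.min_length < REVIEW_MIN_LENGTH:
        findings.append("MIN_LENGTH_SHORT")
    if policy.max_lifetime_days == LIFETIME_INFINITE:
        findings.append("LIFETIME_INFINITE")
    elif policy.max_lifetime_days > REVIEW_MAX_LIFETIME_DAYS:
        findings.append("LIFETIME_LONG")
    if guess_probability(policy, alphabet_size) > REVIEW_MAX_GUESS_PROB:
        findings.append("GUESS_PROBABILITY_HIGH")
    return findings


if __name__ == "__main__":
    # Constructed sample policies, not exported from a real server.
    samples = {
        "default retries and lifetime, length 4, digits only": (PasswordPolicy(10, 4, 65535), 10),
        "tightened": (PasswordPolicy(5, 12, 90), DEFAULT_ALPHABET),
    }
    for name, (policy, alphabet) in samples.items():
        print(name, review(policy, alphabet), guess_probability(policy, alphabet))
```
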

Device Backup Policy


Device Backup Policy allows you to create automatic backups of the device content on the client
computer or shared location. Automatic backups are created only if the device is unlocked and
if the user logged on is the device owner. The backup feature provides protection against data
loss.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Backup
Policy.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
• The McAfee Default policy is read-only and cannot be edited, renamed, or deleted.

5 Type a new policy name, then click OK. The following page appears.

NOTE: This screen varies depending on the Server Settings configured.

6 Select one of the following Backup Type options:
• None if you do not want to create a backup of the device content on your client
computer.
• Always on if you want the software to create a backup on your client computer
automatically on authenticating the device.
NOTE: Automatic backup is supported only on the system on which the device was initialized
and personalized.

7 In Backup Path, specify the path of your client computer where you want the backup file
to be stored, then click Save.
8 Send an agent wakeup call.

Device Revocation List


Device revocation allows an administrator to block the usage of a device in case of a security
emergency. Later, the device can be reinstated, if required.
NOTE: A device can be revoked only when the device is inserted in a managed node.
Device Revocation List allows you to revoke devices from the ePolicy Orchestrator server based
on the device serial number. It applies to groups or a single computer in ePolicy Orchestrator.
A device revoked event is sent if a device is revoked successfully.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Revocation
List.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Type a new policy name, then click OK. The Device Revocation List page appears.

6 Click Revoke new Device, select the serial number of the device(s) to be revoked, then
click OK.
7 Send an agent wakeup call.
NOTE:
To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices
to be reinstated, click Reinstate, then click OK.

Foreign Device Policy


An unmanaged USB device or a USB device managed by a different ePolicy Orchestrator server
is referred to as a foreign device.
Foreign Device Policy allows you to grant and restrict access to foreign devices.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Foreign Device
Policy.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Type a new policy name, then click OK.

NOTE: This screen varies depending on the Server Settings configured.

6 Select whether to allow or block managed foreign devices, then click Save.
7 Send an agent wakeup call.

Recycling a device
Recycling formats a device and returns it to a default state by deleting the user accounts and
all user data on that device. To reuse the recycled device, the administrator must re-personalize
it.

Before you begin


Download the Device Recycle Utility along with the product from the McAfee download site.


Task
1 Run recycle.exe. The Device Recycling Utility window appears.
2 Click Recycle. A warning pop-up appears asking you to confirm device recycle.
3 Click Yes. The Admin Authentication window appears.
4 Type the IP address or name of the ePolicy Orchestrator server by which the device is
managed, the user name, and the password, then click Login.
After the device is recycled, a recycle successful pop-up appears.
5 Re-insert the device and personalize it to use the device.

Revoking a device
To revoke a device, click Systems | Encrypted USB Devices, select the devices to be revoked,
then click Revoke | OK.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• The device cannot be used until it is reinstated.
To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices
to be reinstated, click Reinstate, then click OK. Once the device is reinstated, it can be used
normally.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB
Devices.

Administering other supported Encrypted USB devices
Use these tasks to administer McAfee Encrypted USB devices using ePolicy Orchestrator.
Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator
Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1
Upgrading Encrypted USB client with anti-virus portable content packages
Revoking a device
Recycling a device
Recovering data from the device

Setting up policies for other supported Encrypted USB devices using ePolicy Orchestrator
The ePolicy Orchestrator console allows the administrator to configure policies for the Encrypted
USB devices from a central location. These policies vary based on the type of the device being
used.
Encrypted USB has six policy categories:
Device Initialization Policy
Device Authentication policy
Device Backup Policy
Device Revocation List
Foreign Device Policy
General Settings Policy

Device Initialization Policy


Device Initialization Policy enables you to specify a public partition on the device, its size (in
MB), read-only partition size (in MB), and a device management code. Based on these
parameters, you can initialize your device depending on the device capability. The read-only
partition of the device contains the portable client software and antivirus scanner.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Initialization
Policy.
4 Click New Policy. In Create a new policy dialog box, select the device from the
drop-down list, type a name for the policy, then click OK. The following page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Select the device type from the drop-down list.


6 Select the option Allow Public Partition (optional). If you select this option, specify a
size for the public partition (in MB). Default value is 32 MB.
NOTE: The public partition of the device can allow unencrypted data storage. Any user will be
able to read and write data in this partition.
We recommend that you disable the public partition and use the private partition (encrypted
and authenticated), which automatically uses all remaining space on the device.

7 Specify the Read-only partition size. Default value is 200 MB, default volume name is
READONLY.
NOTE:
• The read-only partition size reflects the data size (which includes the portable client
software and antivirus scanner) and not the size of the total space available.
• If the size of the read-only partition is less than the minimum size required, the size of
the read-only partition is set to a value higher than default size (200 MB).

8 Type the device management code, then click Save.


NOTE: The device management code is used to erase the device content and its user accounts
when it cannot be accessed by the device user or the administrator. The device management
code should not be shared with the device users.

9 Send an agent wake-up call.


NOTE: McAfee Standard Driverless Encrypted USB initialization policies cannot be edited.

Device Authentication policy


Authentication is the process of unlocking an Encrypted USB device. Encrypted USB supports
different forms of authentication, including password, biometric, and CAC or PIV card with
different strengths. These authentication methods can be combined to offer higher security.
Device Authentication Policy allows you to set the authentication mode and recovery policy for
a device. You can assign multiple policies to managed nodes in the network for a single device
type.
NOTE: Both initialization and authentication policies must be set for a device to be initialized.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Authentication
Policy.
4 Click New Policy. In Create a new policy dialog box, select the device from the
drop-down list, type a name for the policy, then click OK. The following page appears.


NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Select the device type from the drop-down list.


6 Select the appropriate mode of authentication from the following options:
• Password or Biometric — Default option for all biometric devices. It allows you to
authenticate the device using a password or biometric (finger enrollment).
• Password and Biometric — A two-factor security option that allows you to authenticate
the device using both the password and biometric.
• Password only — Default option for all non-biometric devices, which allows you to
authenticate the device using a password only.
• Biometric only — An option that allows you to authenticate the device using biometric
only.
• CAC/PIV+PIN only — An option that allows you to authenticate the device using a
CAC or a PIV card and a security PIN.
• CAC/PIV+PIN and Biometric — An option that allows you to authenticate the device
using both a PIN enabled card (CAC or PIV) and Biometric.


7 In Password Policy, set the following parameters:

• Password Retry Limit (default value: 256): Type the maximum number of times you can try
authenticating the device using a wrong password, after which the device will be blocked.
Select Infinite for a maximum number of 256 password retries.
NOTE: If failed attempts exceed the maximum password retries, the device will be blocked.
The device will be in Data Recovery or Data Destruction state.
• Minimum Password Length (default value: 6): Type the minimum number of characters the
password must have (between 4 and 40 characters).
• Minimum Special Characters (default value: 0): Type the minimum number of special
characters the password must have for a stronger password. This includes
~ ' ! @ # $ % ^ * ( ) _ - + = { } [ ] | \ : ' " , . / ? & ; < >
• Minimum Numeric Characters (default value: 0): Type the minimum number of numerals (0-9)
the password must have for a stronger password.
• Minimum Alphabetical Characters (default value: 0): Type the minimum number of alphabetic
characters (a-z, A-Z) the password must have for a stronger password.
• Minimum Uppercase Characters (default value: 0): Type the minimum number of uppercase
letters (A-Z) the password must have for a stronger password.
• Minimum Lowercase Characters (default value: 0): Type the minimum number of lowercase
letters (a-z) the password must have.
• Password Re-use Threshold (default value: 0): This option prevents users from reusing old
passwords too often at password change intervals, thus increasing the security of the device.
Type the minimum number of unique passwords that must be set before a password can be reused.
• Minimum Lifetime (Minutes) (default value: 0): Type the minimum number of minutes you must
wait before modifying a recently changed password. This prevents users from changing
passwords quickly.
• Maximum Lifetime (Days) (default value: 65535): Type the maximum number of days to define
the validity of a password. Select Infinite for the password to remain valid for 65535 days.
NOTE: Regular password updates decrease the risk of the correct password being stolen or
guessed.

8 In Biometric Policy, select the following:


• Number of Fingers — Select the number of fingers you want to register (maximum
up to 6 fingers) during personalization. You can log on to the device using any of the
registered fingers.
• Biometric Security Level — Select the desired level from the drop-down list. Biometric
Security Level is expressed as a False Match Rate (FMR) probability (such as "1 in
4,500"). FMR is the probability that two different fingers are incorrectly matched. A
higher level means higher security because the device requires a closer match between two
fingerprints. Therefore, "1 in 4,500" is more secure than "1 in 2,700". However, a
small number of users may find it difficult to verify their fingerprint at higher levels.


• Biometric Retry limit — Type the maximum number of mismatched finger swipes
allowed, after which the device will be blocked. The device will be in Data Recovery or
Data Destruction state. Select Infinite for a maximum number of 256 retries.
NOTE: A larger number of retries is required for biometric authentication because an
improper swipe is registered as a failed attempt. The device user may therefore have
to attempt verification two or more times before access is granted.

9 In Recovery Policy you can specify what happens when a user reaches an authentication
failure limit (that is, password retry limit or biometric retry limit) and when a device is
blocked. Select either of these:
• Recovery — Select these options as required to recover the data on the device after
the user has been locked out:
• User Self-Rescue — Allows device user to rescue data by re-personalizing a device
with new credentials. The device user will be prompted to type a new password,
enroll biometric, or bind with their CAC/PIV card, as appropriate.
• Help Desk/Challenge Response — Help desk operators can assist the device
user by securely resetting the authentication mechanism of their device. This can
be done over the phone or through email, and does not require access to the device
or even network connectivity.
• Data Recovery — Encrypted data can be recovered without user intervention (in
cases where there may be security audits or when a user has left the organization).
This task can be initiated only by an administrator.
• Data Destruction — If you select this option, it is not possible to rescue the device
or recover data from the device. All logged on user data is immediately destroyed when
the device is locked.
NOTE: This option offers high security, but may be inconvenient if particular users
regularly have trouble authenticating the device.

10 Click Save.
11 Send an agent wake-up call.
NOTE: The device must be re-personalized whenever the Device Authentication policy is changed.
Refer to the Setting up the Encrypted USB device section for instructions on personalizing
the device.
Refer to the Assigning multiple policies to a managed node section for assigning multiple
initialization and authentication policies for different device types to a single managed node.
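
The following added example (not part of the McAfee guide or the product) estimates how the Password Retry Limit, Biometric Retry Limit, Biometric Security Level, number of enrolled fingers and authentication mode from the steps above combine into a chance of an unauthorized unlock before the device blocks. The class and function names, the digits-only password alphabet, separate retry counters per factor, and the independence of attempts are assumptions of the example.

```python
"""Added example: how the retry limits and biometric level bound guessing risk.

Class/function names and the probability model are assumptions of this example,
not behaviour documented for the product.
"""
from dataclasses import dataclass

# Modes from step 6 that this sketch models; the CAC/PIV modes are left out.
MODELLED_MODES = (
    "Password or Biometric",
    "Password and Biometric",
    "Password only",
    "Biometric only",
)


@dataclass(frozen=True)
class AuthPolicy:
    mode: str = "Password or Biometric"
    password_retry_limit: int = 256   # guide default; "Infinite" also means 256
    min_password_length: int = 6      # guide default; allowed range is 4 to 40
    alphabet_size: int = 10           # assumption: a digits-only password
    fmr_denominator: int = 4500       # Biometric Security Level "1 in 4,500"
    biometric_retry_limit: int = 256  # "Infinite" means 256
    enrolled_fingers: int = 1         # guide allows up to 6

    def __post_init__(self):
        if self.mode not in MODELLED_MODES:
            raise ValueError(f"mode not modelled: {self.mode!r}")
        if not 4 <= self.min_password_length <= 40:
            raise ValueError("minimum password length must be 4 to 40")
        if not 1 <= self.enrolled_fingers <= 6:
            raise ValueError("enrolled fingers must be 1 to 6")
        for limit in (self.password_retry_limit, self.biometric_retry_limit):
            if not 1 <= limit <= 256:
                raise ValueError("retry limits must be 1 to 256")


def password_guess_probability(policy: AuthPolicy) -> float:
    """Chance of hitting the password before the retry limit blocks the device.

    Assumes a uniformly random password of the minimum length; passwords
    chosen by people are usually easier to guess than this.
    """
    keyspace = policy.alphabet_size ** policy.min_password_length
    return min(1.0, policy.password_retry_limit / keyspace)


def biometric_false_accept_probability(policy: AuthPolicy) -> float:
    """Chance a non-enrolled finger is accepted at least once before blocking.

    Assumes independent swipes, each compared with every enrolled finger.
    """
    fmr = 1.0 / policy.fmr_denominator
    comparisons = policy.biometric_retry_limit * policy.enrolled_fingers
    return 1.0 - (1.0 - fmr) ** comparisons


def unauthorized_unlock_probability(policy: AuthPolicy) -> float:
    """Combine both factors according to the authentication mode."""
    pw = password_guess_probability(policy)
    bio = biometric_false_accept_probability(policy)
    if policy.mode == "Password only":
        return pw
    if policy.mode == "Biometric only":
        return bio
    if policy.mode == "Password and Biometric":
        return pw * bio                      # both factors must be defeated
    return 1.0 - (1.0 - pw) * (1.0 - bio)    # "or": either factor is enough


if __name__ == "__main__":
    # Constructed policies for comparison; none is taken from a real deployment.
    candidates = {
        "defaults, Password or Biometric": AuthPolicy(),
        "defaults, 1 in 2,700": AuthPolicy(fmr_denominator=2700),
        "defaults, six fingers": AuthPolicy(enrolled_fingers=6),
        "Password and Biometric": AuthPolicy(mode="Password and Biometric"),
        "and-mode, 10 retries each": AuthPolicy(
            mode="Password and Biometric",
            password_retry_limit=10,
            biometric_retry_limit=10,
        ),
    }
    for name, policy in candidates.items():
        print(f"{name:<34} {unauthorized_unlock_probability(policy):.6f}")
```

Under these assumptions the biometric retry limit dominates the "or" mode: the Infinite setting of 256 swipes turns a per-swipe rate of 1 in 4,500 into roughly a 5.5% cumulative chance of a false match.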

Device Backup Policy


Device Backup Policy allows you to create backups of a user's device content on the client
computer or shared location. Automatic backups are created only if the device is unlocked and
if the user logged on is the device owner. The backup feature provides protection against data
loss.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.


2 Click Systems | Policy Catalog. The Policy Catalog page appears.


NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Backup
Policy.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.
• The McAfee Default policy is read-only and cannot be edited, renamed, or deleted.

5 Type a new policy name, then click OK. The following page appears.

6 Select one of the following Backup Type options:


• None if you do not want to back up the device content on your client computer.


• Always on if you want to create a backup on your client computer automatically on
authenticating the device.
NOTE: Automatic backup is supported only on the system on which the device was initialized
and personalized.

• User On-demand if you want the user to initiate the backup process when required.
7 In Backup Path, specify the path to store the device content when taking a scheduled
backup, then click Save.
NOTE: We recommend that you do not save backups on a shared network location because
backups are not encrypted.

8 Send an agent wake-up call.

Device Revocation List


Device revocation allows an administrator to block the usage of a device in case of a security
emergency. Later, the device can be reinstated, if required. The device can also be revoked
and wiped, automatically erasing all logged on user data.
NOTE: A device can be revoked only when the device is inserted in a managed node.
Device Revocation List allows you to revoke devices from the ePolicy Orchestrator server based
on the device serial number. It applies to groups or a single computer in ePolicy Orchestrator.
A device revoked event is sent if a device is revoked successfully.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Device Revocation
List.
4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Type a new policy name, then click OK. The Device Revocation List page appears.


6 Click Revoke new Device, then select the serial number of the device(s) to be revoked.
NOTE: The device cannot be revoked in malware-proof mode.

7 Select Revoke & Wipe if you want to erase the contents of the device and revoke it, then
click OK.
8 Send an agent wake-up call.
NOTE: To reinstate a revoked device, click Systems | Encrypted USB Devices, select
the devices to be reinstated, click Reinstate, then click OK.

Foreign Device Policy


An unmanaged USB device or a USB device managed by a different ePolicy Orchestrator server
is referred to as a foreign device.
Foreign Device Policy allows you to grant and restrict access to foreign devices.
Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as Foreign Device
Policy.


4 Click New Policy. In Create a new policy dialog box, select McAfee Default or My
Default as the policy type.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Type a new policy name, then click OK. The following page appears.

6 On the Foreign Device policy page, select these options as required:


• Allow Managed Foreign Devices — Allows the use of devices managed by a different
ePolicy Orchestrator server.
• Allow Other (Unmanaged) Foreign Devices — Allows the use of standalone or
unmanaged foreign devices.
NOTE: This generates events in ePolicy Orchestrator when the device is used in the
managed network.

• Restrict device use to managed systems — Restricts the use of USB devices to
the network managed by the specified ePolicy Orchestrator server(s).
• Add — Adds ePolicy Orchestrator server(s) which are allowed to manage the device
other than the ePolicy Orchestrator server network on which it was initialized.
• Remove - Removes ePolicy Orchestrator server(s) to restrict the use of device on the
nodes managed by the selected ePolicy Orchestrator server.
NOTE:
• The ePolicy Orchestrator server added should have Encrypted USB client installed
with Device Initialization and Device Authentication policies enforced on the managed
nodes.
• If no ePolicy Orchestrator servers are added, the device can be used only in the
network in which it was initialized.

7 Click Save.
8 Send an agent wake-up call.


General Settings Policy


Use this task to configure anti-virus settings on managed Encrypted USB clients.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Click Systems | Policy Catalog. The Policy Catalog page appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Policy | Policy Catalog.

3 Select Product as Encrypted USB Client 1.2.0 and Category as General Settings
Policy.
4 Click New Policy. In Create a new policy dialog box, select the device from the
drop-down, type a name for the policy, then click OK. The following page appears.

NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | New Policy.

5 Select Enable AntiVirus where available to enable the anti-virus scanner on devices
which have Encrypted USB Antivirus installed.
6 Add or remove addresses of signature update sites for the anti-virus scanner as required,
then click Save. The default update site is http://update.nai.com. McAfee Encrypted USB
Antivirus uses these sites to update its virus definitions.
NOTE:
• Enable the use of proxy server on Control Panel | Internet Options | Connections
| LAN Settings to connect to the update sites.
• If update fails using any of the added sites, the DAT files are updated from the default
update site.

7 Send an agent wake-up call.


Upgrading from Encrypted USB 1.0 or Encrypted USB 1.1


Use this task to upgrade from Encrypted USB 1.0 or Encrypted USB 1.1. It is recommended to
upgrade only the Encrypted USB client package, as there are no changes to the Encrypted USB
Administrator package after Encrypted USB 1.0.

Before you begin


• Back up any important data in the device to a temporary location to avoid data loss, then
recycle the device. Refer to McAfee Encrypted USB 1.0 User Guide for instructions.
• Export the Encrypted USB policies to a temporary location in the required format. Refer to
ePolicy Orchestrator product documentation for instructions.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server as an administrator.
2 Copy the EUC120LEN_IPEX.ZIP file to a temporary folder of your ePolicy Orchestrator
computer, then install the extension. This upgrades the ePolicy Orchestrator extension to
1.2.
Refer to the Installing Encrypted USB 1.2 extension section for instructions.
3 Copy the DPEUPM501100.zip, DPEUPS221100.zip, and DPEUPM211100.zip archives
to a temporary folder of your ePolicy Orchestrator computer, then check in the portable
content packages to the software repository.
Refer to the Checking in portable content packages in ePolicy Orchestrator section for
instructions.
4 Deploy Encrypted USB Client or Administrator as required on the managed nodes.
Refer to the Deploying Encrypted USB Client and Encrypted USB Administrator on managed
nodes section for instructions.
5 Configure the Encrypted USB 1.2 policies, initialize and personalize the device, then restore
the data.
NOTE: The device can be initialized and personalized after the policies have been enforced
on the managed node.
Refer to Setting up policies using ePolicy Orchestrator and Setting up the Encrypted USB
device sections for instructions.

Upgrading Encrypted USB client with anti-virus portable content packages
Use this task to upgrade the Encrypted USB client with the anti-virus portable content packages.

Task
For option definitions, click ? in the interface.
1 Back up the device content to a temporary location and recycle the device.
Refer to Managing backup and Recycling a device sections for instructions.
2 Log on to the ePolicy Orchestrator server as an administrator.


3 Copy the portable content packages with anti-virus (DPEUPM501100.zip,
DPEUPS221100.zip, and DPEUPM211100.zip) to a temporary folder of your ePolicy
Orchestrator computer.
4 Check in the portable content packages to ePolicy Orchestrator software repository.
NOTE: Refer to the Checking in portable content packages in ePolicy Orchestrator section
for instructions on checking in the portable content packages to ePolicy Orchestrator
software repository.

5 Configure and enforce the Device Initialization and Device Authentication policies on the
required managed systems in the network.
Refer to Device Initialization policy and Device Authentication policy for instructions on
configuring the Device Initialization and Device Authentication policies.
6 Initialize and personalize the device on the managed system.
7 Click , then select Manage Antivirus Scanner to manage McAfee Encrypted USB
Antivirus.

Revoking a device
To revoke a device, click Systems | Encrypted USB Devices, select the devices to be revoked,
then click Revoke | OK.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• The device cannot be used until it is reinstated.
Alternatively, to revoke a device and erase its contents, click Systems | Encrypted USB
Devices, select the devices to be revoked, click Revoke & Wipe, then click OK.
NOTE:
• If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB Devices.
• This option deletes all logged on user data permanently.
To reinstate a revoked device, click Systems | Encrypted USB Devices, select the devices
to be reinstated, click Reinstate, then click OK. Once the device is reinstated, it can be used
normally.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | Encrypted USB
Devices.

Recycling a device
Recycling formats a device and returns it to a default state by deleting the user accounts and
all user data on that device. To reuse the recycled device, the administrator must re-personalize
it.

PREREQUISITE
To recycle a device, the Encrypted USB Administrator package must be installed on the client
computer.

Task
1 Insert the Encrypted USB device into the USB interface socket.


2 Click Start | Programs | McAfee | Encrypted USB Administrator | Data Recovery.


The McAfee Encrypted USB Administrator dialog box appears.

3 Click Recycle. A warning dialog box appears.

4 Click Yes. The McAfee ePO Server - Login dialog box appears.

5 Enter the user and server information, then click OK. The McAfee Encrypted USB
Administrator dialog box appears.
NOTE:
• If Device State is Open, the device is recycled.
• You can recycle a driverless device on Encrypted USB Client by clicking Recycle Device.


Recovering data from the device


Encrypted data may need to be recovered for security audits or due to employee contract
termination. You can recover data on a device that belongs to a device user without the user
being present. Once data is recovered from a device, the device has to be personalized again.
The private partition becomes accessible and a password is generated.

Prerequisite
To recover data from a device, the ePolicy Orchestrator administrators must install the Encrypted
USB Administrator package.
Additionally, the Encrypted USB client must be installed on the computer where you insert the
device to recover data. The device policy must be configured to allow data recovery, or the
following warning appears.

To recover data
1 Click Start | Programs | McAfee | Encrypted USB Administrator | Data Recovery.
The McAfee Encrypted USB Administrator dialog box appears.
2 Click Recover. The following warning appears.

3 Click Yes. The McAfee ePO Server - Login dialog box appears.
4 Enter the user and server information, then click OK. The device state is unlocked and a
new password is provided.
5 Log on to the device using the new password.
NOTE: The new password generated will be used as default authentication on any system
in the managed network. This password cannot be used as default authentication on the
system on which device was initialized.


Assigning multiple policies to a managed node


Use this task to assign multiple initialization and authentication policies for different device types
to a single managed node.

Task
For option definitions, click ? in the interface.
1 Click Systems | System Tree | Systems, then select the desired group under System
Tree. All the systems within this group (but not its subgroups) appear in the details pane.
NOTE: If you are using ePolicy Orchestrator 4.5, click Menu | Systems | System Tree
| Systems.

2 Select the desired system, then click Modify Policies on a Single System. The Policy
Assignment page for that system appears.
NOTE: If you are using ePolicy Orchestrator 4.5, click Actions | Agent | Modify Policies
on a Single System.

3 Select Product as Encrypted USB Client 1.2.0. The categories of Encrypted USB Client
1.2.0 are listed with the system’s assigned policy.
4 Locate the desired Initialization or Authentication policy, then click Edit Assignments.
5 Click New Policy Instance, then edit the policy settings as required.
6 Click Save.
7 Send an agent wake-up call.

Reporting
Reports are pre-defined queries which query the ePolicy Orchestrator database and generate
a graphical output. You can create, edit and manage queries through ePolicy Orchestrator 4.0
and 4.5.
You can query the following default Encrypted USB reports and run them to see a graphical
display:
• All Encrypted USB devices sorted by their state of management (such as managed native,
managed imported, foreign unmanaged and so on).
• All Encrypted USB devices sorted by the type of the devices.
• All blocked devices to which you cannot log on using password and/or swiping finger(s).
• All devices that are not initialized.
• All devices that are not personalized.
• All devices that are revoked from the ePolicy Orchestrator server.
NOTE: For instructions on creating, editing or deleting queries, see ePolicy Orchestrator 4.0
Product Guide and ePolicy Orchestrator 4.5 Product Guide.



Using the Encrypted USB device
This chapter provides information on:
Lifecycle of the device
Using the Encrypted USB - powered by SanDisk Portable Client
Using other supported Encrypted USB Portable Client
Troubleshooting

Lifecycle of the device


Device initialization is the first phase of deploying McAfee Encrypted USB. During this process,
the portable software package is installed on the read-only partition and the private and public
partitions are created.
Personalization is the next phase that includes setting a new password, enrolling fingers or
both, depending on the type of the USB device, or using a CAC or PIV authentication card (for
all devices).
Usage is the next phase where the device is in use for various functions, such as unlocking the
device, updating finger enrollments or passwords, and so on.

Tasks
Setting up the Encrypted USB - powered by SanDisk device
Setting up other supported Encrypted USB device

Setting up the Encrypted USB - powered by SanDisk device


Use these tasks to initialize and personalize the Encrypted USB device.

Tasks
1 Insert the new Encrypted USB device into the USB port. The End User License Agreement
window appears.
2 Accept the license agreement, then click Next. The installer detects the connected USB
devices. Once the device is detected, the Format Warning window appears.


3 Click Format. When the device is formatted, the update successful window appears.
4 Select Launch, then click Next to personalize the USB device.
5 On the Select Language window, select the appropriate language, then click Next.
6 On the License Agreement window, accept the license agreement, then click Next.
7 On the Password window, type and verify the password for accessing the private partition
of the USB device, then click Next.

In Hint enter a reminder that will help you to recover your password.

8 On the Contact Information window, enter your contact details, then click Finish.
NOTE: The personalized device appears on the ePolicy Orchestrator server in Systems |
Encrypted USB Devices along with its serial number, name, user ID, status, and the
client to which it is/was connected at a particular time. Click Options | Choose Columns,
then click the desired options in Available Columns to add to the existing columns.

Setting up other supported Encrypted USB device


Before you begin
Install the Encrypted USB client and enforce the Device Initialization and Device Authentication
policies on the client system before initializing and personalizing the device.

Task
1 Insert the new Encrypted USB device into the USB port. A dialog box appears stating that
your device is being initialized.

Once the initialization process completes, the following dialog box appears prompting you
to continue with personalizing the device.
NOTE: Reinsert the device if personalization does not start.

2 Click Next. One of the following screens appears depending on the Device Type and the
Authentication Mode set in the Device Authentication policy.
• In case of non-biometric device (or a biometric device where the policy allows you to
authenticate to the device using only a password), the Set Password screen appears.
Type and verify the password.


• In case you selected CAC/PIV+PIN only or CAC/PIV+PIN and Biometric as
Authentication Mode in the Device Authentication policy, the CAC Authentication
screen appears. Type the security PIN for your CAC card. Select Use malware-proof
mode (read-only) to use the device in read-only mode.

3 Click Next. In case of biometric device, the Biometric Enrollment screen appears.


4 Select a finger to enroll by clicking on the image, then click Next. The Enroll Biometric
screen appears.

5 Swipe your finger across the device sensor three times, then click Next. The Self
Personalization dialog box appears.
6 Click Next. The Biometric Authentication screen appears.

You can either swipe your finger across the device sensor or click Authenticate using
Password.
NOTE: This screen varies if the device authentication policy is set to Biometric only or
CAC/PIV+PIN and Biometric.

7 Swipe your finger across the sensor to log on to the device.


8 If you click Authenticate using Password, the Password Authentication screen
appears.

9 Type your password, then click Next to log on to the device.


NOTE: The personalized device appears on the ePolicy Orchestrator server in Systems |
Encrypted USB Devices along with its serial number, name, user ID, status, and the
client to which it is/was connected at a particular time. Click Options | Choose Columns,
then click the desired options in Available Columns to add to the existing columns.

Using the Encrypted USB - powered by SanDisk Portable Client
Encrypted USB Client provides a high-level interface that allows Encrypted USB to integrate
with the ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5 and McAfee Agent
3.6 (patch 3 minimum) or above.
Encrypted USB Client prompts you to initialize and personalize a device each time you plug in
a new device to the USB interface socket. It also checks for changes in Device Authentication
policy each time the device is inserted and updates the device accordingly. Any change in the
Device Authentication policy requires the device to be re-personalized.

Tasks
Logging on to the device
Disconnecting the device
Managing McAfee anti-virus scanner
McAfee Encrypted USB settings
Formatting McAfee Encrypted USB
Restoring data
Rescuing the device through Help Desk

Logging on to the device


Once the device is initialized and personalized, you can use the McAfee Encrypted USB device
any time. You are prompted to type your password to access the private partition of the USB
device.
1 Insert the USB device into an available USB port. The login window appears.

2 Type your password, then click Login.


3 Click the icon, then select the required option to use the device.

Disconnecting the device


1 Click on the system tray, then select Shut down McAfee Encrypted USB. A
confirmation dialog box appears.

2 Click OK and disconnect the device from the USB port.

Managing McAfee anti-virus scanner


McAfee Encrypted USB Antivirus protects the private partition of the device from malware. It
detects and deletes viruses or other harmful or unwanted code in the private partition of the
device. Each time a file is copied to the device, it scans the file and intercepts or cleans the
infected file. It supports both on-access and on-demand scans. In addition it scans the host for
active malware when you log in and shuts down the drive to prevent infection.
Antivirus scanner depends on the information in the detection definition (DAT) files to identify
and take action on threats. New threats appear on a regular basis. To meet this challenge,
McAfee releases new DAT files every day, incorporating the results of its ongoing research.

McAfee Encrypted USB Antivirus scanner updates the detection definition (DAT) files from the
configured update site. The default update site is http://update.nai.com. You can also initiate
scans to inspect the drive with newly updated virus signatures.
Click the icon on your taskbar, then select Scanner | Console. The McAfee Encrypted USB anti-virus
Scanner appears.

Option: Definition

Statistics: Displays the anti-virus scan statistics, which include the last scan date and
time, number of files and processes scanned, and files deleted to avoid infection.
• Log — Opens the anti-virus scanner log file.

Version: Displays the last update date and time, scan engine, DAT, and scanner versions.

Actions:
• Check Updates — Checks for detection definition updates from the
McAfee download website.
• Start Drive Scan — Starts an on-demand scan of the USB device for
potential threats.

Settings:
• Scan host memory on log in — Scans the processes running on the
host system automatically for threats when the device is inserted.
• Scan file when saved or copied to Drive — Scans the file and
intercepts or cleans the infected file each time a file is copied to the device.
• Show messages — Shows scan details in a pop-up window.

McAfee Encrypted USB settings


Use this task to modify McAfee Encrypted USB password, contact information, or language.

Task
1 Click on the system tray, then select McAfee Encrypted USB Settings. The McAfee
Encrypted USB Settings page appears.

2 Select the settings tab you want to modify.


3 Enter appropriate information, then click OK.

Formatting McAfee Encrypted USB


Use this task to format the USB device. Formatting erases all data on the device. Back up your
files before formatting the device.

Task
1 Click on the system tray, then select Format McAfee Encrypted USB. The Format
McAfee Encrypted USB window appears with a warning.

2 Click OK.

Restoring data
Use this task to restore a user's backed-up device content from the managed system.

Before you begin


Back up the device content by shutting down and re-inserting the device in the managed system.

Task
1 Click on the system tray, then select Restore | Launch.
2 Browse to select the data to be restored, then click Next. A pop-up window appears asking
you to shut down and re-insert the device.
3 Click OK, then remove and re-insert the device. A warning message is displayed asking
you to back up any important device content before restoring.
4 Click OK. The selected backup data is scanned and restored to the device.

Rescuing the device through Help Desk


The Help Desk Device Rescue option allows you to rescue your blocked device with the
assistance of an ePO administrator.
1 On the Login screen, click Forgot Password. The new password page appears.
2 Type and verify the new password and click Administrator Login.
The ePO administrator searches for the device serial number in the device list. Once the device
is found, the ePO administrator selects the desired recovery action, which generates a One-Time
Password. This One-Time Password is given to the user.
3 Type the One-Time Password without spaces on the Administrator Login page, then click
Next. A pop-up window appears with a response code.
NOTE:
• Typing a wrong authorization code twice will deactivate the device.
• Provide the response code to the ePO administrator.

The device user will now be able to log on to the device using the new password.

Using other supported Encrypted USB Portable Client
Encrypted USB Client provides a high-level interface that allows Encrypted USB to integrate
with the ePolicy Orchestrator version 4.0 (patch 5 minimum) or version 4.5 and McAfee Agent
3.6 (patch 3 minimum) or above.
Encrypted USB Client prompts you to initialize and personalize a device each time you plug in
a new device to the USB interface socket. It also checks for changes in Device Authentication
policy each time the device is inserted and updates the device accordingly. Any change in the
Device Authentication policy requires the device to be re-personalized.

Tasks
LED states
Security options in the device
Logging on to the device
Viewing hardware and software information
Managing authentication methods
Managing backup
Managing the Antivirus Scanner
Self rescuing the device
Rescuing the device through Help Desk

LED states
All McAfee Encrypted USB 1.2 devices use one or more Light Emitting Diodes (LEDs) that
indicate the state of the device.
NOTE: The USB LED flashes approximately every second.

State: Description

Green: Device is ON for use with or without authentication.

Green (flashing): Device is ON, waiting to verify fingerprint (if the device requires biometric
authentication) and the user to log on.

Green (delayed flash): Device is ON and idle, waiting to verify fingerprint (if the device requires
biometric authentication) and the user to log on.

Red (flashes once): Failed fingerprint authentication attempt.

Red and Green (alternating flash): Final attempt for fingerprint authentication. Failing the attempt
will block the device.

Red (flashing): Device is either powering up or blocked. When blocked, no authentication methods
are available to log on to the device. Contact your device administrator to unblock the device.

Red: Device is blocked. This is due to unauthorized or failed device access attempts. Contact your
device administrator to unlock the device.

Blue: Data transfer activity.

Red and Blue (alternating flash): Device has invalid firmware.

Security options in the device


Security options vary based on the Encrypted USB device that you use. The security options
available in a device are:
• Access to the device — Uses authentication mechanisms to unlock the device, which include:
  • Password only
  • Biometric and password
  • Biometric or password
  • Biometric only
  • Card with security PIN
  • Card with security PIN and biometric
• Private data protection — Data related to the user is encrypted in private stores and
partitions.

Logging on to the device


1 Once the device is initialized and personalized, the Password Authentication screen appears.
NOTE: If Autoplay is disabled on your system, double-click the Read-Only partition of the
device, then click Start.exe.

2 Type your PIN, password, or swipe your finger depending on the authentication
mechanism(s) you have set. Select Use malware-proof mode (read only) if you want
to use the device in read-only mode, then click Next. The icon appears on the taskbar.
NOTE:
• McAfee Encrypted USB Antivirus and Backup Manager are not supported in malware-proof
mode.
• No events are generated in ePolicy Orchestrator in malware-proof mode.

3 Click icon on your taskbar, then select Managed Device. The Encrypted USB Client
page appears.

NOTE:
• Click Logout on the Encrypted USB Client page to log off from the Encrypted USB Client.
The device state will be changed to locked after the user logs off from the device.
• Encrypted USB devices use ActivIdentity third-party software to authenticate the
device in CAC/PIV authentication mode. ePolicy Orchestrator does not generate any
event for device authentication done by ActivIdentity.

Disconnecting the device


1 Click icon from your task bar, then click Eject Device.
2 Disconnect the device from the USB port once you see the “Safe To Remove Hardware”
message.

Viewing hardware and software information


Click Hardware and Software Information on the Encrypted USB Client page to view
information about the users, device settings, partition details, and product versions.
• Device Settings — Displays general device information such as private and public partition
storage capacities and serial number of the device.
• Disk Partitions — Displays information about the allocation of disk space on the device.
• Product Versions — Provides hardware and software versions of the product.

Managing authentication methods


Click Manage Authentication Methods on the Encrypted USB Client page to update your
password or finger enrollments. The Manage Authentication Methods page appears.

NOTE: This page varies depending on the type of the device you use.
Manage Your Password — Click this option and follow the on-screen instructions to reset
your password.
Manage Your Finger Enrollments — Click this option and follow the on-screen instructions
to update your fingerprints.

Managing backup
McAfee Encrypted USB 1.2 allows you to back up the user's device content on the client computer
when required.

Click icon on your taskbar, then select Backup Manager. On the McAfee Encrypted USB
Client dialog box click Next to back up device content.
NOTE: Backup Manager option is available on the system tray if you selected Backup Type
as User On-demand in Device Backup policy.

Specify the path, or click the icon and browse for the path to store the device content, then click OK.

NOTE: We recommend that you do not save backups on a shared network because backups are
not encrypted.

Managing the Antivirus Scanner


McAfee Encrypted USB Antivirus protects the private partition of the device from malware. It
detects and deletes viruses or other harmful or unwanted code in the private partition of the
device. Each time a file is copied to the device, it scans the file and intercepts or cleans the
infected file. It supports both on-access and on-demand scans. It also allows the device user
to scan the system folders and processes running on the host system on startup.
Antivirus scanner depends on the information in the detection definition (DAT) files to identify
and take action on threats. New threats appear on a regular basis. To meet this challenge,
McAfee releases new DAT files every day, incorporating the results of its ongoing research.
McAfee Encrypted USB Antivirus scanner updates the detection definition (DAT) files from the
configured update site. The default update site is http://update.nai.com.
NOTE: If update fails using any of the added sites, the DAT files are updated from the default
update site.

Click icon on your taskbar, then select Manage Antivirus Scanner. The McAfee Encrypted
USB Antivirus screen appears.

NOTE: McAfee Encrypted USB Antivirus can be managed after the DAT file is updated. Remove
and reinsert the device after updating the DAT file.

Option: Definition

Private Partition:
• On-access scan — Scans for threats as files are read from or written to the
device.
• Scan — Select this option to start an on-demand scan on the private partition of
the device.

Host System:
• Scan host system on startup — Select this option to scan the system folders
and the processes running on the host system automatically for threats when the
device is inserted.
• Scan — Select this option to start an on-demand scan on the host system for
potential threats.

Virus Database:
• Automatic updates — Downloads updates of detection definitions automatically
from the McAfee download website.
• Update — Select this option to download the latest detection definitions manually
from the McAfee download website.
NOTE: Enable your browser proxy server settings to update your computer with the
latest detection definitions from the McAfee download website.

Intrusion log:
• Enabled — Enables activity logging. All intrusions detected will be logged.
• View — Select this option to view the log details.
• Clear — Clears the log details.

Self rescuing the device


The Self Rescue option allows you to reset your password and/or update your finger
enrollments.
NOTE: This option is available only if you insert the Encrypted USB device on the same computer
where you initialized the device.
1 Click Self Rescue on the Encrypted USB Client page. The Device Self Rescue screen
appears.

2 Click Next and type a new password or update your fingerprint depending on the policy
you set. The Device Self Rescue screen appears stating that your device has been
successfully rescued.
3 Click Next and log on to the device using your updated credentials.

Rescuing the device through Help Desk


The Help Desk Device Rescue option allows you to rescue your blocked device with the
assistance of a Help Desk operator over telephone.
NOTE: We recommend that device users use self rescue if they have access to the managed
node.
1 On the Encrypted USB Client page, click Help Desk Device Rescue. The Help Desk
Device Rescue page appears prompting you to type the authorization code.

2 Contact Help Desk and provide your identity, device serial number, and user name. The Help
Desk operator gives you an authorization code.
3 Type this code on the Help Desk Device Rescue page, then click Next. The Help Desk
Device Rescue Complete page appears with a confirmation code and a new password.

NOTE: Provide the confirmation code to the help desk operator.

4 Click Next. The Device Reset Warning page appears asking you to note the confirmation
code and new password.
5 Click Next to personalize your device.

Troubleshooting
This section provides troubleshooting information for Encrypted USB 1.2. For further technical
assistance, visit http://www.mcafee.com/us/support/index.html.

I cannot eject my USB device


Error message:
"Cannot Unmount Volume-An error was encountered trying to unmount 'Removable Disk (F:)'
Check to ensure there are no open files or windows from that volume."
This message appears and prevents you from ejecting the drive if you are not an administrator
on the computer. Refer to the Microsoft article at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;192785
WORKAROUND: Log off from the device using Encrypted USB Client or safely remove the
device using the taskbar icon.

Password or biometric access to my device is blocked


The device gets locked when you exceed the password/biometric retry limit. Contact your device
administrator to unlock the device.

Data saved to the read-only partition is not available


You cannot save data to the read-only partition of the device. Data saved here is stored in the
cache of the Windows filesystem. It is deleted when you remove the device. Hence, save data
only on your private partition or the public partition (if applicable).

Client system is not reporting to ePolicy Orchestrator server


Check if other client systems in the network are reporting to the ePO server. If yes, then reinstall
the Encrypted USB client on the system which was not reporting to the ePO server. If none of
the systems in the network are reporting to the ePO server, then restart the ePO server.

Appendix A — Restricting the device use
Use these tasks to restrict devices to their home network or specified ePolicy Orchestrator server
network.

Assumptions
User group 1:
User group 1 accesses client systems in finance network managed by ePolicy Orchestrator server
1.
User group 2:
User group 2 accesses client systems in executive network managed by ePolicy Orchestrator
server 2.

Restricting the device use to home network


Use this task to restrict the use of device to the network managed by ePolicy Orchestrator server
on which it was initialized (ePolicy Orchestrator server 1 network).

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server 1 as an administrator.
2 Create a new Foreign device policy.
NOTE: Refer to Foreign device policy section for instructions.

3 On the Foreign Device policy page, select Restrict device use to managed systems,
then click Save.
4 Send an agent wake-up call to enforce the policy.

Restricting the device use to specified network(s)


Use this task to restrict the device use to other specified ePolicy Orchestrator networks including
the ePolicy Orchestrator server network on which it was initialized.

Task
For option definitions, click ? in the interface.
1 Log on to the ePolicy Orchestrator server 2 as an administrator.

2 Create a new Foreign device policy.


NOTE: Refer to Foreign device policy section for instructions.

3 On the Foreign Device policy page, select Restrict device use to managed systems.
4 Click Add, then add the corporate identifier of the ePolicy Orchestrator server 1.
5 Click Save, then send an agent wake-up call.

Appendix B — Device management states
This section lists and describes the device management states.

Management State: Description

Unsupported: Device is not supported.

Blank: New device which is not initialized.

Managed Native: Device is initialized and managed by the same ePolicy Orchestrator
server the managed client computer belongs to.

Managed Imported: Device was initialized and managed by Encrypted USB Manager.
Migrated to Encrypted USB 1.2.

Foreign Managed: Device was initialized and managed by a different ePolicy Orchestrator
server.

Foreign Unmanaged: Device is not managed by any ePolicy Orchestrator, but the usage
is allowed by the Foreign Device Policy.

Unmanaged: Device is either managed by an ePolicy Orchestrator server, but the
usage is prohibited by the Foreign Device Policy, or the device is
unmanaged (stand-alone) and the usage of those devices is
prohibited by the Foreign Device Policy.

Unmanageable: Device is managed by an ePolicy Orchestrator server, but cannot be
recycled.
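
The two Appendix A policies combined with the Appendix B states, as an added example that is not McAfee's code: a simplified model of how a client could classify an inserted device. The class and function names, the corporate identifier strings, and the rule for stand-alone devices are assumptions; the Managed Imported and Unmanageable states are left out because the guide gives no rule for them.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# State names as listed in the Appendix B table.
UNSUPPORTED = "Unsupported"
BLANK = "Blank"
MANAGED_NATIVE = "Managed Native"
FOREIGN_MANAGED = "Foreign Managed"
FOREIGN_UNMANAGED = "Foreign Unmanaged"
UNMANAGED = "Unmanaged"


@dataclass(frozen=True)
class Device:
    supported: bool = True
    initialized: bool = False
    # Corporate identifier of the ePO server that initialized the device.
    # None models a stand-alone device that no ePO server manages.
    owner_id: Optional[str] = None


@dataclass(frozen=True)
class ForeignDevicePolicy:
    # Models the "Restrict device use to managed systems" checkbox.
    restrict_to_managed: bool = False
    # Models the corporate identifiers added with "Add" (Appendix A, step 4).
    allowed_ids: FrozenSet[str] = frozenset()


def management_state(device: Device, client_server_id: str,
                     policy: ForeignDevicePolicy) -> str:
    """Classify a device as seen by a client managed by client_server_id."""
    if not device.supported:
        return UNSUPPORTED
    if not device.initialized:
        return BLANK
    if device.owner_id == client_server_id:
        return MANAGED_NATIVE
    if device.owner_id is None:
        # Assumption: stand-alone devices are allowed only while the
        # restriction is off; the guide does not name the exact setting.
        return UNMANAGED if policy.restrict_to_managed else FOREIGN_UNMANAGED
    if policy.restrict_to_managed and device.owner_id not in policy.allowed_ids:
        return UNMANAGED  # managed by another server, usage prohibited here
    return FOREIGN_MANAGED


# Constructed placeholders for the two servers in the Appendix A assumptions.
SERVER_1 = "corp-id-finance-example"
SERVER_2 = "corp-id-executive-example"

# Server 1 restricts use to its own network; server 2 also admits server 1.
POLICY_SERVER_1 = ForeignDevicePolicy(restrict_to_managed=True)
POLICY_SERVER_2 = ForeignDevicePolicy(restrict_to_managed=True,
                                      allowed_ids=frozenset({SERVER_1}))


def appendix_a_matrix() -> dict:
    """State of each group's device on each network under both policies."""
    finance = Device(initialized=True, owner_id=SERVER_1)
    executive = Device(initialized=True, owner_id=SERVER_2)
    policies = {SERVER_1: POLICY_SERVER_1, SERVER_2: POLICY_SERVER_2}
    return {
        (name, server): management_state(dev, server, policies[server])
        for name, dev in (("finance", finance), ("executive", executive))
        for server in (SERVER_1, SERVER_2)
    }


if __name__ == "__main__":
    for (name, server), state in appendix_a_matrix().items():
        print(f"{name} device on {server}: {state}")
```

The result is asymmetric: a finance device is usable on the executive network, while an executive device is refused on the finance network.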
