
ePO Guide for Institutions

ePolicy Orchestrator Hosted Service Guide for Institutions:

Domain Preparation:

Typically we talk about Domains in the context of a Microsoft Active Directory Domain but the principles can be applied to any managed environment.

Firewall Exceptions:

You need to prepare your systems to allow ePO to connect and configure your computers and to allow traffic to return through any institutional border firewall or port blocking that you may have in place.

Ports Used:

Agent-to-server communication uses port 443 by default, so it should not typically be impeded.  For Admin access you will need to be able to reach the following URL: https://epo.csx.cam.ac.uk:8443

Service Ports table:

| Service | Port | TCP/UDP |
|---|---|---|
| Bi-directional Agent to Server communication | 80 | TCP |
| Bi-directional Agent to Server secure communication | 443 | TCP |
| Agent Wake-up communication port opened by agents to receive agent wake-up requests from the ePO server | 8081 | TCP |
| Inbound Agent broadcast communication | 8082 | UDP |
| Console-to-application server communication port. Inbound connection to the ePO server from ePO Console | 8443 | TCP |
| Bi-directional Client to server authenticated communication | 8444 | TCP |
| Security threats communication port | 8801 | TCP |

These ports from the table above are required to allow functionality. Traffic to and from epo.csx.cam.ac.uk should be allowed into your network on these ports.
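
A reachability check for the ports in the table, as an added example that is not part of the original guide: it attempts an outbound TCP connection to epo.csx.cam.ac.uk on each server-side port and lists the ones that fail. It assumes an nc that supports -z and -w; the function names are chosen for this example, and treating 8444 and 8801 as client-initiated is an assumption the table does not state.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Checks outbound TCP reachability to the hosted ePO server on the table's ports.
EPO_HOST="${EPO_HOST:-epo.csx.cam.ac.uk}"

# TCP ports a client or admin workstation reaches by connecting to the server.
# Assumption: 8444 and 8801 are client-initiated (the table gives no direction
# for 8801). 8081/TCP and 8082/UDP are inbound to the agent and are skipped.
CLIENT_TO_SERVER="80 443 8443 8444 8801"

# probe_tcp HOST PORT: exit 0 if a TCP handshake completes within 5 seconds.
# Assumes an nc that supports -z (connect only) and -w (timeout).
probe_tcp() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# blocked_ports: print the unreachable ports, space separated (empty if none).
blocked_ports() {
    blocked=""
    for port in $CLIENT_TO_SERVER; do
        probe_tcp "$EPO_HOST" "$port" || blocked="${blocked:+$blocked }$port"
    done
    echo "$blocked"
}

# check_epo_ports: per-port report; exit status 1 if any port is unreachable.
check_epo_ports() {
    bad=$(blocked_ports)
    for port in $CLIENT_TO_SERVER; do
        case " $bad " in
            *" $port "*) echo "FAILED   tcp/$port -> $EPO_HOST" ;;
            *)           echo "open     tcp/$port -> $EPO_HOST" ;;
        esac
    done
    echo "untested tcp/8081 udp/8082 (inbound to agents; verify from the server side)"
    [ -z "$bad" ]
}

# Run the report only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_epo_ports
fi
```

Run it with the --run argument from a machine inside the institutional network; a FAILED line points at a border or host firewall rule to review for that port.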

Client Configuration

Depending on your deployment method for the Agent you may need to enable certain features to allow the ePO server to remotely install an Agent and products onto your systems.

Windows Example:

Using Group Policy add the following exceptions to your client firewalls.
Computer Configuration - Policies - Administrative Templates - Network/NetworkConnections/Windows Firewall/Domain Profile

  • Windows Firewall:  Define inbound program exceptions
    • FramePkg.exe

NOTE:  By installing the Agent (by whatever means) the Framework Service will be added as an exception to the firewall.

Windows User Account Control (UAC) Group Policy Setting:

If you have UAC enabled on your Windows desktops you will need to enable the policy outlined below.  This allows the Agent and McAfee products to be installed on client systems with UAC enabled, without the installation being blocked by a prompt that needs a local administrator to respond.
Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Security Options/ User Account Control
User Account Control:  Behaviour of the elevation prompt for administrators in Admin approval mode - Elevate without prompting

The ePO Server:

The ePolicy Orchestrator server is epo.csx.cam.ac.uk (131.111.8.125).  You can connect to the ePO console with the login provided at https://epo.csx.cam.ac.uk:8443/

Browser Support:

To connect to the ePO via the web you need to use a supported browser.  ePO 5.X currently only supports web access using IE 8+, Firefox 10+, Chrome 17+ and Safari 6+. Other browsers/versions will receive some warning text at log-in.

Opera:

To use Opera, enter "about:config" into Opera's address bar. The resulting screen is the background settings section of Opera. Type "Spoof UserAgent ID" into the search text area to locate the correct setting.
There are only five values you can enter:

  1. Opera (this is the default user agent string used by Opera)
  2. Mozilla
  3. Internet Explorer
  4. Mozilla, without mentioning Opera (in other words, without saying that this is actually Opera but being spoofed as Mozilla)
  5. Internet Explorer, without mentioning Opera (in other words, without saying that this is actually Opera but being spoofed as IE)

Enter 2, 3, 4 or 5 and click Save.

System Tree Access:

You have been given access to a portion of the System Tree based on the name of your institution. Systems will be tagged and sorted into your areas based on agreed criteria (See the Service Outline and Configuration section for details). You can add systems to the system tree using one or more of the methods outlined below. Please make sure that you use the McAfee Agent for the hosted ePO service which is available from http://ftp.csx.cam.ac.uk/cam_only/HostedEPO/ when not deploying directly from the ePO console.

Adding Systems to the System Tree & the Agent:

The McAfee Agent provides three levels of functionality in an ePO environment:

  • Communication to the ePO server
  • Application of Policies to a workstation
  • Cleaning instructions

So to manage your systems you need to install the Agent from an ePO onto your workstations.  This Agent will have the IP address and host name of the ePO server to define communication paths. It uses the IP address first, then the FQDN and then the NetBIOS name.

A Note on IPv6:

ePO 5.1.1 (the current version) is IPv6 aware and capable. The current ePO server is using a mixed mode method of IP which means it will use IPv4 first and by preference but systems which are IPv6 capable can communicate with ePO.

Deploying the Agent:

There are several ways you can deploy the Agent to systems. We will outline the most common methods of deployment and advise each institution on the best way to proceed.  Please make sure that you have prepared your systems (if necessary) as per the Domain Preparation section.
It is possible to create an Agent installer package with embedded credentials if required.

The ePO agents are available to download from ftp://ftp.csx.cam.ac.uk/cam_only/HostedEPO/

Agent Deployment URL:

An Agent Deployment URL can be made for each branch (or sub-branch) that can then be used on any machine to download and install the agent. This automatically puts the machine into the branch the Agent Deployment URL was created in.

Deploying the Agent using ePO:

ePO can push the Agent to systems provided you have Administrative access to the systems.
To do this you add systems to the System Tree. You should do this by IP address.

  • Click the System Tree tab
  • Make sure My Organisation is open and your institution is selected
  • Click on System Tree Actions - New Systems
  • Select the top option – Push agents and add systems to the current group
  • Enter your systems' IP addresses in the Target Systems box.
  • Un-tick “Disable system tree sorting on these systems”
    NOTE:  This is very important.  In order to minimise manual management of systems we are using tags to identify and sort systems in the system tree automatically.
  • Enter in your Domain/Administrative credentials.
  • Click OK to add the systems.

Deploying the Agent using Scripts:

The FramePkg.exe file can be installed via a start-up script or similar if desired.  Typically a Computer start up script is the best way to do this as it ensures that the next time the system is booted the Agent will be installed.

Deploying the Agent using Group Policy:

You can deploy the Agent via Group Policy using an MSI.  This requires you to create an MSI/MST from the .exe file.  Instructions for this are available at: https://kc.mcafee.com/corporate/index?page=content&id=KB67796

Deploying the Agent to OSX:

The agent install package (install.sh) needs to be run on all OSX systems that you wish to install the ePO Agent to.

The package installer will write out a log file (/Library/Logs/ePO_install). You can check the Activity Monitor from /Applications/Utilities and search for the cma process to check that the agent process is running.

Uninstall any existing agent first:

  1. Log on as an administrator or with root account permissions.
  2. Open the Terminal window.
  3. Type sudo /Library/McAfee/cma/uninstall.sh and press Enter.
  4. Type the logged on administrator or root account password and press Enter to uninstall the agent. (This ensures any existing agent is fully removed. If no agent is present, the cma folder will not exist.)

During the removal, you see the messages: stopping McAfee agent and McAfee agent stopped.

After uninstalling, restart your computer.

Then install the latest ePO agent:

  1. Log on as an administrator or with root account privileges.
  2. Copy the install.sh file to the desktop of the Macintosh
  3. Open the Terminal.
  4. Navigate to the desktop.
  5. Type sudo chmod +x install.sh and press Enter.
  6. Type the password when prompted.
  7. To begin the installation, type sudo ./install.sh -i and press Enter.
  8. Type the password when prompted.
    You are notified in the terminal window when the installation is complete.
  9. Reboot the Mac.

    This should give you a clean install which should then (after a period of time) get the Mac AV client.
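
The uninstall, install and verification steps above as one helper script. This is an added example, not part of the original guide; the function names and the ROOT prefix are hypothetical. It skips the uninstall when the cma folder is absent, refuses to run an installer under sudo that is a symlink or writable by other accounts, and checks the install log and the cma process afterwards.

```sh
#!/bin/sh
# Added example, not part of the original guide. ROOT is a hypothetical prefix
# (empty on a real Mac) so the checks can be pointed at a test directory tree.
ROOT="${ROOT:-}"

agent_present() {    # the cma folder exists only when an agent is installed
    [ -d "$ROOT/Library/McAfee/cma" ]
}

installer_safe() {   # installer_safe FILE: is FILE fit to run under sudo?
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # A group- or world-writable script could be altered by another account
    # between the download and the sudo run.
    [ -z "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \))" ]
}

install_logged() {   # the package installer writes this log file
    [ -s "$ROOT/Library/Logs/ePO_install" ]
}

agent_running() {    # equivalent of searching Activity Monitor for cma
    pgrep -x cma >/dev/null 2>&1
}

pkg="${2:-./install.sh}"
case "${1:-}" in
    remove)
        if agent_present; then
            sudo "$ROOT/Library/McAfee/cma/uninstall.sh" && echo "Removed. Restart before installing."
        else
            echo "No cma folder, so no existing agent to remove."
        fi ;;
    install)
        if installer_safe "$pkg"; then
            sudo chmod +x "$pkg" && sudo "$pkg" -i && echo "Installed. Reboot the Mac."
        else
            echo "Not running $pkg: missing, a symlink, or writable by others." >&2
        fi ;;
    verify)
        install_logged && echo "install log present" || echo "install log missing or empty"
        agent_running && echo "cma is running" || echo "cma is not running" ;;
    "") ;;  # no argument: define the functions only
    *)  echo "usage: $0 remove | install [FILE] | verify" >&2 ;;
esac
```

Run it as remove, restart, then install, reboot, then verify, matching the order of the steps above.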

Policies:

Every product has a number of settings which can be set using policies in ePO.  We have set up a basic set of policies and settings (See Default Policy Settings).  You can have these applied to your systems or you can customize the settings yourself for one or more of the available policies.

Customizing Policies:

To configure policies click the Assigned Policies tab in System Tree.

  • Select a product from the drop-down list and click on Edit Assignment for the category you want to configure.
  • Select “Break inheritance and assign the policy and settings below” and click on “New Policy”. Select My Default from the “Create a policy based on the existing policy” drop-down.
  • Enter a name for the new policy (it’s best to enter a name based on your organisation name and the category name e.g. “Maths On-Access General Policies”) and click OK twice.
  • Edit the policy to your requirements and click Save twice.
  • Repeat for all the other categories you wish to edit.

Automatic Responses:

You can create your own automatic responses to send emails to individuals or groups whenever an event occurs.
All automatic responses can be viewed but users only have permission to edit ones they have created.

  • Go to Menu > Automation > Automatic Responses > New Response button
  • Enter a name (preferably with your domain name included), select an event group and event type and set the status to “Enabled”.
  • To set up a response for “Malware detected but not handled” set Event group to “EPO Notification Events” and Event type to “Threat”.
  • Click “Next”
  • Select required properties from the list on the left hand side.
  • To set up a response for “Malware detected but not handled”, select “Threat category”, leave “Belongs to” set and select “Malware detected” from the drop-down list; then select “Threat handled”, leave “equals” set and select “False”.
  • Click “Next”
  • Choose required aggregation options. Decide if you want to be notified for every event or if multiple events occur within a set period of time. Decide if you want to group events on criteria such as Agent GUID or Threat category and set throttling to prevent multiple emails.
  • Click “Next”
  • Select “Send Email” from the drop down (at the top left of the screen that currently says “Run System Command”)
  • Enter an email address to send the response to.
  • Leave Importance set to “High”
  • Enter a subject and body text along with any variables selected from the drop down lists e.g.:
  • Value “Threat Category”, “Source Host Name”
  • Click “Next”
  • Review all settings and click “Save”

The Dashboard:

Dashboards are graphical information displays which can be customised by users of the ePO service.   You will have had a basic new Dashboard for your institution created for you and you can add new private (or public) dashboards for yourself which can contain various graphs and charts of information.

Default Dashboard:

Each institution has a dashboard created for it which contains the following charts:

  • McAfee Labs Threat Advisory which displays the status of the repository and versions available in the ePO
  • Basic systems total for your Group
  • Systems Compliance chart (systems up to date and with the latest product installed)
  • Malware detection History

Creating your own Dashboard:

You may want to create your own Dashboards.  You can create custom queries on which the dashboard can be based.

To create a new Dashboard use the following basic guide:

  • Log in to the ePO server
  • Your default Dashboard will be displayed by default.
  • In the Dashboard Actions drop down select New.
  • Name your new dashboard and click OK
  • Click Add Monitor and drag required monitors to the dashboard area
  • Click Save then Close

An example to add a Dashboard based on a new query:

Create a New Query:

  • Log in to the ePO server
  • Click on the Queries & Reports tab
  • Ensure the Query tab is selected and click ‘New’
  • Select required Feature Group & Result Type
  • For this example use Events and Threat Events and click ‘Next’
  • Select required display and configure appropriately
  • For this example use Pie Chart and configure the slice values as Number of Threat Events, the labels as Threat Name and Sort by Value, click ‘Next’
  • Choose required columns (Unless you selected "Table" on the previous screen, this is a table accessed by clicking on the summary chart).
  • For this example leave the defaults and click ‘Next’
  • Select the criteria you want to use to narrow down the results
  • For this example select  Event Generated Time and choose ‘Is within the last’ ‘2’ and ‘Weeks’
  • Click ‘Save’
  • Enter a query name
  • For this example use ‘Threats in last 2 weeks’
  • Enter a group name if required
  • Click ‘Save’

Create the Dashboard based on the query:

  • Click on the Dashboards tab
  • Select ‘New’ from the Dashboard Actions drop-down menu
  • Enter a name for the dashboard and click ‘OK’
  • Click ‘Add Monitor’
  • Drag ‘Queries’ into the dashboard area (if queries is not visible, click the right pointing arrow)
  • Select the required Monitor Content (your new query is usually selected by default but if not, select it from the drop-down list)
  • Set the Refresh Interval and click ‘OK’
  • Add additional monitors as required then click ‘Save’
  • Click ‘Close’
  • Your new dashboard is now available from the Dashboards drop-down menu

ePO – Default Policy Settings

Product Removal:

OS X

ePO doesn't properly manage the removal of the Agent or product automatically.
To manually remove the McAfee agent from a Mac open Terminal and type: 
sudo /Library/McAfee/cma/uninstall.sh
To remove AntiVirus for Mac open Terminal and type:
sudo /usr/local/McAfee/uninstall EPM


NOTE: You may have to set the eXecute bit on the file before you can run the scripts.

Windows

ePO will usually manage the removal of the Agent and product. However in cases where it doesn't or where a system was in ePO but the ePO server no longer exists you may need to do a manual removal. 
To manually remove the agent from a managed PC open a command line and enter:
"C:\Program Files\McAfee\Common Framework\frminst.exe" /forceuninstall
To manually remove Enterprise 8.8 use:
C:\Windows\System32\msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q
See https://kc.mcafee.com/corporate/index?page=content&id=KB71179 and https://kc.mcafee.com/corporate/index?page=content&id=KB52648