Posted on 04-10-2015 08:05 AM
Is there anybody that's had experience with encryption with McAffee and macs/jamf? Our info sec team said they are planning to switch over to it and was hoping to be aware of any gotchas.
Posted on 04-10-2015 08:15 AM
Erhm, McAfee Encryption just uses the built-in FileVault enablement process, same as JAMF does, more or less. They used to have their own encryption product, which we used (and still do on the few systems still on 10.6 and 10.7), but it was so horribly terrible that they abandoned it, claiming it didn't make sense for them to have a custom FDE when Apple was already doing it. Thank goodness.
I can't speak to how their "use FileVault and capture the Recovery keys" process works now because we managed to stave it off since we'd already deployed FV2 through Casper by then. I don't know what the hell it is about security people and their constantly pushing to use their own systems instead of Casper, but we had to keep pushing that off until they finally gave up. They are just such dang control freaks they can't handle the idea of not managing encryption through their own console I guess.
Anyway, as I said, I can't talk to how it works now, but I can tell you that anything with the name McAfee generally works pretty poorly on Macs. We use their Endpoint Protection (A/V, Anti-Malware, Firewall) and have near-constant issues with performance on it. I wish almost every day we were using a different AV product. I hear Sophos works pretty well on Macs.
Posted on 04-10-2015 08:16 AM
It's a tool to manage FileVault and Windows BitLocker, and then report on who's out of compliance. I'd invite your team to use the JSS to manage FileVault; you can get all your Macs encrypted while they are still setting up the McAfee server. Unless you have a high number of computers and it's easier to manage it all on one system.
Posted on 04-10-2015 10:35 AM
I'd encourage you to show the FV2 disk encryption deployment and key management in the JSS. No need to use the McAfee product. McAfee's Mac products are a bit "touchy" and, incorrectly configured (sometimes by default), they can cause all sorts of issues on the Mac clients. If you have the JSS infrastructure set up, you may as well use it for encryption, key escrow/management, and compliance reporting.
Posted on 04-10-2015 10:42 AM
Don't use McAfee.
Use the JSS.
Done.
Posted on 04-10-2015 12:58 PM
And, if all of the above doesn't make you run for the hills, the McAfee encryption thing uses its own agent software you'll have to deploy and update, and it will probably suck as bad as the AV agent.
Posted on 04-10-2015 01:24 PM
I've poked the head of the info sec team with some of these concerns and he agreed to talk more in depth next week. If there's anybody with more specific info that can add to this, I'd appreciate any assistance in building a defense, or at least enough that they just don't steamroll into the environment.
Posted on 04-10-2015 06:32 PM
Well, I've done large-scale FileVault 2 deployments at insurance companies, a large food company, and a very large financial services company (chances are you have something with their corporate logo on it in your wallet). All of them came into the Mac integration project hell-bent to use an encryption or key management console from one of their enterprise vendors. All of them ended up using the Casper Suite after I demonstrated the flexibility and security of the approach.
Good luck.
Posted on 04-13-2015 06:30 PM
We've been using this for the last 18 months and have had nothing but headaches so far. It mainly just does key escrow anyway, and nothing else particularly useful.
Posted on 04-14-2015 05:26 AM
@mattbomarc1 do you have any specific examples off the top of your head you could share?
Posted on 04-14-2015 06:58 AM
It caused nothing but problems for us ... I don't think I've ever read of a McAfee product not causing headaches.
Posted on 04-14-2015 07:09 AM
We currently use Endpoint Encryption for our PCs. For a short time McAfee did have their own encryption agent for Macs, but they moved away from that to just utilize FV2 in the new Management of Native Encryption product. This offers the same functionality as offered by the Casper Suite. I did run a short test with MNE and was not particularly pleased with the configuration in ePO. If you have Casper, just use it. You're doing the same thing either way, escrowing recovery keys/using an institutional key/a combination of both, and you'll have a better time of it with the Casper Suite.
Posted on 04-14-2015 08:31 AM
I don't think I've ever read of a McAfee product not causing headaches
Truer words have never been spoken.
It isn't even particularly good or stable on the Windows side. It's much better than on the Mac, but it's still not great and causes headaches there as well.
Posted on 04-14-2015 08:14 PM
@jwojda Sure thing.
Most recently, we had issues with machines not encrypting. They sat on the bench for nearly two weeks while McAfee investigated. They finally determined that the ePO had some queue issue that filled up and would not take any more client requests.
No errors, no idea of what was happening, nothing. And you can't enable FV2 manually and move on, because MNE cannot escrow the keys unless it enabled FV2.
Granted, the new 2.1 version of MNE supports re-escrowing the keys, but it will be a few months before we go to that version. We're on 2.0.1.
It's just these unknown issues that show up randomly with no warning.
Posted on 04-15-2015 06:54 AM
@mattbomarc1 Only 2 weeks? That's short for a lot of McAfee issues on OS X. There is a serious lack of resources available at McAfee that are able to support their Macintosh clients. Arguably these products are a very, very small percentage of their customer base. I recently had a multi-week spat with support about the firewall in EPM not applying a trusted network rule that got passed from support tech to support tech for over two weeks before I even got to a person who would discuss the issue. By that time I had already tracked down what I thought the issue was and primarily used them for validation of my proposed fix, but I'm not entirely convinced this person was any more knowledgeable about the inner workings of EPM than I was.
Not that it's much better on the Windows side. We have a false positive submitted to support that is going on 48 hours without an update right now. This is why we don't follow your recommended auto-remediation settings in ePO, guys; yeah, it's resource-heavy on our part to look at those reports daily, but we simply could not be sitting 2 days for an updated DAT if they broke something.