Jamf Nation Community

It's a tool to manage FileVault and Windows Bitlocker, and then report on who's out of compliance. I'd invite your team to use the JSS to manage FileVault, you can get all your Macs encrypted while they are still setting up the McAfee server. Unless you have a high number of computers and it's easier to manage it all on one system.

I'd encourage you to show the FV2 disk encryption deployment and key management in the JSS. No need in using the McAfee product. McAfee's Mac products are a bit "touchy" and, incorrectly configured (sometimes by default) they can cause all sorts of issues on the Mac clients. If you have the JSS infrastructure set up, may as well use it for encryption, key escrow/management, and compliance reporting.

Don't use McAfee.

Use the JSS.

Done.

And, if all of the above doesn't make you run for the hills, the McAfee encryption thing uses it's own agent software you'll have to deploy and update and will probably suck as bad as the AV agent.

I've poked the head of the info sec team with some of these concerns and he agreed to talk more in depth next week. if there's anybody with more specific info that can add to this, I'd appreciate any assistance in building a defense or at least enough that they just don't steamroll into the environment.

Well, I've done large-scale FileVault 2 deployments at insurance companies, a large food company, and a very large financial services company (chances are you have something with their corporate logo on it in your wallet). All of them came into the Mac integration project hell-bent to use an encryption or key management console from one of their enterprise vendors. All of them ended up using the Casper Suite after I demonstrated the flexibility and security of the approach.

Good luck.

We've been using this for the last 18 months and have had nothing but headaches so far. It mainly just does key escrow anyway, and nothing else particularly useful.

@mattbomarc1 do you have an specific examples off the top of your head you could share?

It caused nothing but problems for us ... I don't think I've ever read of a McAfee product not causing headaches.

We currently use Endpoint Encryption for Our PCs. For a short time McAfee did have their own Encryption agent for Macs but they moved away from that to just utilize FV2 in the new Management of Native Encryption product. This offers the same functionality as offered by the Casper Suite. I did run a short test with MNE and was not particularly pleased with the configuration in EPO. IF you have Casper, just use it. You're doing the same thing either way, escrowing recovery keys/using an institutional key/combination of both, and you'll have a better time of it with the Casper suite.

I don't think I've ever read of a McAfee product not causing headaches

Truer words have never been spoken.

It isn't even particularly good or stable on the Windows side. Its much better than on the Mac, but its still not great and causes headaches there as well.

@jwojda Sure thing.

Most recently, we had issues with machines not encrypting. They sat on the bench for nearly two weeks while McAfee investigated. They finally determined that the ePO had some queue issue that filled up and would not take any more client requests.

No errors, no idea of what has happening, nothing. And you can't enable FV2 manually and move on, because MNE cannot escrow the keys unless it enabled FV2.

Granted, the new 2.1 version of MNE supports re-escrowing the keys, but it will be a few months before we go to that version. We're on 2.0.1.

It's just these unknown issues that show up randomly with no warning.

@mattbomarc1 Only 2 weeks, that's short for a lot of McAfee issues on OS X. There is a serious lack of resource available at McAfee that is able to support their Macintosh clients. Arguably these products are a very very small percentage of their customer base. I recently had a multi-week spat with support about the firewall in EPM not applying a trusted network rule that got passed from support tech to support tech for over two weeks before I even got to a person that would discuss the issue. By that time I had already tracked down what I thought the issue was and primarily used them for validation of my proposed fix, but I'm not entirely convinced this person was any more knowledgable about the inner workings of EPM than I was.

Not that it's much better on the windows side. We have a false positive submitted to support that is going on 48 hours without an update right now. This is why we don't follow your recommended auto-remediation settings in ePO guys, yea it's resource heavy on our part to look at those reports daily but we simply could not be sitting 2 days for an updated DAT if they broke something.