McAfee EETech for Mac 6.2 User Guide
COPYRIGHT
Copyright 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Contents

Introducing McAfee EETech for Mac 6.2
    Audience
    Using this guide
    Understanding the daily authorization code
EETech for Mac 6.2
    Installing EETech on USB disk
    Booting from the EETech USB disk
    Authorizing with daily authorization code
    Authenticating with token
    Exporting the recovery information file from McAfee ePO
    Authenticating with recovery file
    Performing self-recovery with token authentication
    Performing emergency boot
    Removing encryption and boot sector with token authentication
    Removing encryption and boot sector with file authentication
    Viewing the workspace
    Encrypting or Decrypting sectors
    Repairing preboot
Glossary
Introducing McAfee EETech for Mac 6.2

With data breaches on the rise, it is important to protect information assets and comply with privacy regulations. McAfee Endpoint Encryption for Mac delivers powerful encryption that protects data from unauthorized access, loss, and exposure.

EETech for Mac is McAfee's disaster recovery tool, used in conjunction with Endpoint Encryption for Mac (EEMac). It allows you to recover a non-booting Endpoint Encryption installation. The software presents a user interface with a number of options that are used to fix or recover the data on encrypted hard disks.

NOTE: EETech for Mac 6.2 is to be used with EEMac 6.2 only. EETech for Mac 1.0 or 1.1 will not work with EEMac 6.2.

- Audience
- Using this guide
- Understanding the daily authorization code

Audience

This guide is mainly intended for qualified system administrators and security managers. Knowledge of basic networking and routing concepts, and a general understanding of the aims of centrally managed security, is required.

Using this guide

This guide helps corporate security administrators to understand the disaster recovery tool McAfee EETech for Mac. This document includes procedures to recover data from systems that are unrecoverable.

Understanding the daily authorization code

Some recovery operations in EETech require administrative access. The user can get this access by typing a four-digit code into the authorization screen. This code changes every day and can only be retrieved by contacting McAfee support (mysupport.mcafee.com).

NOTE: All EETech operations require authentication. However, only the administrative operations require authorization with the four-digit daily authorization code.

The following operations do not require the daily authorization code:
- Using the workspace utility to view sectors on the disk
- Using the disk information utility to identify encrypted regions on the disk
- Setting the encryption algorithm used by EETech
- Setting the boot disk on which EETech will perform its operations

The following operations do require the daily authorization code:
- Removing Endpoint Encryption (this includes decrypting the disk as well)
- Repairing disk information
- Using the crypt sectors and force crypt sectors utilities to manually encrypt or decrypt specific sectors
- Editing the disk crypt state
EETech for Mac 6.2

This chapter explains some of the common tasks that can be undertaken using McAfee's disaster recovery tool, McAfee EETech for Mac. Make sure that you exercise caution for all EETech procedures.

Contents
- Installing EETech on USB disk
- Booting from the EETech USB disk
- Authorizing with daily authorization code
- Authenticating with token
- Exporting the recovery information file from McAfee ePO
- Authenticating with recovery file
- Performing self-recovery with token authentication
- Performing emergency boot
- Removing encryption and boot sector with token authentication
- Removing encryption and boot sector with file authentication
- Viewing the workspace
- Encrypting or Decrypting sectors
- Repairing preboot

Installing EETech on USB disk

To use the EETech recovery tool on EEMac installed clients, the user must install the EETech software on a dedicated USB disk.

NOTE: Any existing data on the USB disk will be deleted on installing the EETech software.

Before proceeding with this task, make sure you have these prerequisites ready.
- Blank USB disk
- EpeTechEfi.efi

1 Insert a blank USB disk into a Mac system to install the EETech software.
2 From Finder, open Applications | Utilities | Disk Utility.
3 Select the inserted USB disk from the list at the left, and click the Partition tab.
4 Select the existing 1 Partition in the Volume Scheme list and type the name EETech for the partition.
5 Select how to format the partition that will be erased or created.
6 Click Apply. This initializes the inserted USB disk.
7 When the USB initialization is complete, copy the EpeTechEfi.efi file to the USB disk.
8 Open a terminal prompt and type the following command:
    sudo bless --folder "/Volumes/EETech/" --file "/Volumes/EETech/EpeTechEfi.efi" --label "McAfee EETech"
9 Enter the password if prompted.
10 Disconnect (unmount) and remove the USB disk.

Booting from the EETech USB disk

EETech is accessed through the EETech USB disk. When the user boots the unrecoverable system with the EETech installed USB disk, the first page that appears is the McAfee EETech interface.

1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot

Authorizing with daily authorization code

You need to gain administrative access to EETech using the daily authorization code. This code is only required for certain tasks in EETech, so retrieve the code when the recovery procedure in this document states that it is required.

Make sure that the system's main power supply is plugged in for this task. Do not attempt to perform this task on battery only.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB disk.
- The daily Authorization/Access code.
  NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.

1 Boot the unrecoverable system with the EETech USB boot disk while holding down the Option (or alt) key. The Boot
2 Select McAfee EETech from the Boot Menu. The McAfee EETech interface appears.
3 Click Authorize under Authorization. The Authorize dialog box appears.
4 Type the daily Authorization/Access Code and click OK. On typing the correct authorization code for the day, the Authorization status changes to Authorized.

Authenticating with token

You need to authenticate the recovery tasks using the Endpoint Encryption user credentials for the system.

Make sure that the system's main power supply is plugged in for this task. Do not attempt to perform this task on battery only.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB disk.

1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Click Token under Authentication. The Endpoint Encryption Logon window appears and prompts for the Endpoint Encryption user credentials of the system.
5 Type the Username and Password for the client system, then click Logon. On typing the correct credentials, the Authentication status changes to Authenticated with Token.

Exporting the recovery information file from McAfee ePO

You need to export the recovery information file (.xml) for the required system from ePolicy Orchestrator to perform the recovery tasks. Every EEMac installed system that is managed through the ePolicy Orchestrator server has a recovery information file on the server. Any user trying to authenticate the recovery procedures on the client systems should get the recovery file from the McAfee ePO administrator for EEMac. You must have appropriate permissions to perform this task.

Before proceeding with this task, make sure you have these prerequisites ready.
- FAT-32 formatted USB disk.

1 Insert the FAT-32 formatted USB disk into the system where ePolicy Orchestrator is present.
2 Log on to ePolicy Orchestrator as an administrator.
3 Click Menu | Systems | System Tree. The Systems page appears. Select the required group under the System Tree pane on the left.
4 Select the required System, then click Actions | Endpoint Encryption | Export Recovery Information. The Export Recovery Information confirmation page appears.
5 Click Yes to export the recovery information file. The Export Recovery Information page appears with the Export information (.xml) file.
6 Right-click the .xml file and save it to the inserted USB disk.
NOTE: The Recovery Information File has a general format of <client system name>.xml.

Authenticating with recovery file

You need to authenticate the recovery tasks using the Recovery Information File (.xml). The administrator needs to export the Recovery Information File for the required system from ePolicy Orchestrator.

NOTE: Using the wrong recovery key file might damage an encrypted drive. Make sure that you are using an appropriate recovery file for the system.

Make sure that the system's main power supply is plugged in for this task. Do not attempt to perform this task on battery only.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB disk.
- The Recovery Information File (.xml).

1 Insert the EETech USB boot disk containing the Recovery Information File (.xml) into the unrecoverable system.
NOTE: It is the same EETech USB boot disk that will have the Recovery Information File (.xml) as well.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Click File under Authentication, then browse and select the Recovery Information File (.xml) from the USB disk.
5 Click OK. On selecting the right file, the Authentication status changes to Authenticated with File.

Performing self-recovery with token authentication

You might need to perform self-recovery on the client computer to recover the user if the user's password or the logon token has been lost.
The user must have successfully enrolled for self-recovery on the client system to perform this task. This task should be performed by the client user on the client computer.

Make sure that the system's main power supply is plugged in for this task. Do not attempt to perform this task on battery only.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB boot disk.

1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Click Token under Authentication. The Endpoint Encryption Logon window appears and prompts for the Endpoint Encryption credentials of the user.
5 Click Options | Recovery. The Recovery dialog box appears with Self-Recovery as the default option.
6 Type the Username and click OK. The Recovery dialog box appears with the questions that the user answered while enrolling for the self-recovery.
7 Type the answers for the prompted questions and click Finish. The Change Password dialog box appears.
8 Type and confirm the New Password and click OK. The Logon window appears and prompts for the Endpoint Encryption credentials of the user. The user can now type the newly set password and authenticate.

Performing emergency boot

You can perform the emergency boot when an EEMac installed system fails to boot or when the Endpoint Encryption logon is corrupt.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB boot disk.
- The Recovery Information File (.xml).
- The daily Authorization/Access code.
  NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.

1 Insert the EETech USB boot disk containing the Recovery Information File (.xml) into the unrecoverable system.
NOTE: It is the same EETech USB boot disk that will have the Recovery Information File (.xml) as well.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Authorize with daily Authorization code and confirm the authorization status.
5 Click File under Authentication, then browse and select the Recovery Information File (.xml) from the USB disk, then click OK. On selecting the right file, the Authentication status changes to Authenticated with File.
NOTE: The authentication can also be achieved using the token authentication.
6 Click Emergency Boot under Actions. The confirmation message "EETech will now emergency boot into the operating system" appears.
7 Click OK to confirm the emergency boot.
NOTE: This may modify the GPT partition.

When the client system boots into Mac OS X, if it is connected to the ePolicy Orchestrator server, then the system synchronizes with the server and fully repairs itself. The Endpoint Encryption System Status will now appear as Recovery. You can confirm the Endpoint Encryption System Status by clicking the Encryption (lock) icon | McAfee Endpoint Encryption System Status option on the menu bar that is present on the desktop of the client. The Endpoint Encryption System Status changes from Recovery to Active after the first successful communication of the client with the McAfee ePO server.

NOTE: If the McAfee Agent is unable to establish a connection with ePolicy Orchestrator, continue to use the EETech Emergency Boot option to boot the system until a connection to the server is established.

Removing encryption and boot sector with token authentication

The Remove EE function can be used to completely decrypt the system and remove the Pre-Boot portion of the Endpoint Encryption software. Use this task when:
- Mac OS X becomes corrupt
- You cannot access the data of an encrypted system
- Encryption or decryption fails due to an operating system error

Make sure that the system's main power supply is plugged in for this task. Do not attempt to perform this task on battery only.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB boot disk.
- The daily Authorization/Access code.
  NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Token and confirm the authentication status.
6 Click Remove EE under Actions. The Remove EE window appears.
7 Click Remove to begin the removal. This removes the encryption and boot sector from the client system; however, it does not remove the Endpoint Encryption client files. It might take a few hours depending on the system performance and the storage capacity of the drive or partition.

Removing encryption and boot sector with file authentication

When the Endpoint Encryption software does not work, you might have to remove the encryption and boot sector from the client system.

CAUTION: This procedure should only be attempted under the guidance of McAfee Support.

For this method, the system's recovery information file should be exported from the ePO server.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB boot disk.
- The USB disk containing the Recovery Information File (.xml).
- The daily Authorization/Access code.
  NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.

1 Insert the EETech USB boot disk containing the Recovery Information File (.xml) into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Recovery Information File (.xml) and confirm the authentication status.
6 Click Remove EE under Actions. The Remove EE window appears.
7 Click Remove to begin the removal. This removes the encryption and boot sector from the client system; however, it does not remove the Endpoint Encryption client files. It might take a few hours depending on the system performance and the storage capacity of the drive or partition.
Viewing the workspace

The workspace contains the bytes loaded from the sectors on the disk or from a file. This option opens the Workspace window, which allows users to read sector ranges from the disk and to view the contents. It can also be used to inspect, encrypt, and decrypt sectors of the disk.

By default, there is nothing loaded into the workspace. The workspace is not a view of the disk; it is only a view of what the user loads into it. The user can choose to load the contents of sectors or the contents of a file. Once the user loads any of these, it is displayed in the workspace.

CAUTION: It is entirely the responsibility of the qualified system administrators and security managers to take appropriate precautions before performing this task. The user needs to take maximum care while performing this task; otherwise, it may cause the system to become corrupt, which might result in the loss of data. Contact McAfee support for assistance on how to use the EETech workspace.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB boot disk.
- The daily Authorization/Access code.
  NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
- Recovery Information File (.xml) or Authentication Token

1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Token or Recovery Information File (.xml) and confirm the authentication status.
6 Click Workspace under Actions. The Workspace window appears with these options:
   - Load From File: Loads a previously saved workspace that was not encrypted and replaces the current contents of the workspace. It just loads the bytes and displays them.
   - Save To File: Saves the current content (bytes) of the workspace in a file.
   - Load From Disk: Loads the bytes from the sectors on the disk.
   - Save To Disk: Saves the current content (bytes) of the workspace on the specified sectors of the disk.
   - Zero Workspace: Fills the current content of the workspace with zeros.
   - Encrypt Workspace: Encrypts the entire contents of the workspace.
   - Decrypt Workspace: Decrypts the entire contents of the workspace.
7 Click First Sector to view the first sector from the sectors loaded on the workspace.
8 Click Previous Sector to view the previous sector of the current sector loaded on the workspace.
9 Click Next Sector to view the next sector of the current sector loaded on the workspace.
10 Click Last Sector to view the last sector from the sectors loaded on the workspace.

Encrypting or Decrypting sectors

This option allows you to safely verify which sectors are encrypted on the disk. It follows the crypt list to validate the ranges you submit, so it does not encrypt sectors which are currently encrypted, and will not decrypt sectors which are currently not encrypted. This option supports power fail protection.

The Crypt Sectors option cannot be used if Endpoint Encryption has become corrupt on the disk, or if the crypt state has been corrupted; however, the Force Crypt Sectors option can be used in such cases.

When you change the encryption state with this option, it makes the appropriate modifications to the disk Crypt List. For example, when you encrypt a new range, it creates a new Region definition. When you decrypt within an existing Region, the existing Region is split into two. If you completely decrypt a Region, it removes the Region from the crypt list.

CAUTION: It is entirely the system administrator's responsibility to take appropriate precautions before performing this task. The user needs to take maximum care while performing this task; otherwise, it may cause the system to become corrupt, which might result in the loss of data.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB boot disk.
- The daily Authorization/Access code.
  NOTE: Users with a valid support contract with McAfee can only obtain the daily Authorization code from McAfee Support.
- Recovery Information File (.xml) or Authentication Token

1 Insert the EETech USB boot disk into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Token or Recovery Information File (.xml) and confirm the authentication status.
6 Click Crypt Sectors and select the disk from the Select Disk list, then type the Start Sector and the Number of Sectors.
7 Click Encrypt/Decrypt to encrypt or decrypt a range of sectors.
NOTE: Follow the same procedure for Force Crypt Sectors.
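
The crypt list bookkeeping described for Crypt Sectors (skip sectors already in the requested state, create a Region on encrypt, split or remove a Region on decrypt) can be modelled as interval arithmetic. The Python below is an added example, not McAfee code and not the EETech on-disk format; the names Region, CryptList and total_sectors are hypothetical, the sample disk is constructed, and it assumes that adjacent Regions are not merged.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    start: int  # Start Sector: first physical sector of the region
    end: int    # End Sector: last physical sector included in the region

    @property
    def sector_count(self) -> int:
        return self.end - self.start + 1


class CryptList:
    """Toy crypt list: sorted, non-overlapping encrypted regions of one disk."""

    def __init__(self, total_sectors, regions=()):
        self.total_sectors = total_sectors
        self.regions = sorted(regions, key=lambda r: r.start)

    def _last_sector(self, start, count):
        # Parameter validation: the range must be non-empty and lie on the disk.
        if start < 0 or count <= 0 or start + count > self.total_sectors:
            raise ValueError(f"invalid range: start={start} count={count}")
        return start + count - 1

    def encrypt(self, start, count):
        """Encrypt only the not-yet-encrypted parts; return the ranges touched."""
        end = self._last_sector(start, count)
        todo, cursor = [], start
        for r in self.regions:
            if r.end < start or r.start > end:
                continue  # region does not intersect the request
            if cursor < r.start:
                todo.append((cursor, r.start - 1))  # plaintext gap before r
            cursor = max(cursor, r.end + 1)  # skip what is already encrypted
        if cursor <= end:
            todo.append((cursor, end))
        # Assumption: every newly encrypted range becomes its own Region.
        new = [Region(s, e) for s, e in todo]
        self.regions = sorted(self.regions + new, key=lambda r: r.start)
        return todo

    def decrypt(self, start, count):
        """Decrypt only the encrypted parts; return the ranges touched."""
        end = self._last_sector(start, count)
        done, kept = [], []
        for r in self.regions:
            if r.end < start or r.start > end:
                kept.append(r)
                continue
            done.append((max(r.start, start), min(r.end, end)))
            if r.start < start:  # left remainder stays encrypted
                kept.append(Region(r.start, start - 1))
            if r.end > end:      # right remainder stays encrypted
                kept.append(Region(end + 1, r.end))
        self.regions = kept  # both remainders kept means the region was split
        return done

    def spans(self):
        return [(r.start, r.end) for r in self.regions]


def demo():
    # Constructed sample: a 1000-sector disk with two encrypted regions.
    cl = CryptList(1000, [Region(100, 199), Region(400, 599)])
    return [
        ("encrypt 150+100", cl.encrypt(150, 100), cl.spans()),
        ("decrypt 450+50", cl.decrypt(450, 50), cl.spans()),
        ("decrypt 200+50", cl.decrypt(200, 50), cl.spans()),
        ("encrypt 100+100", cl.encrypt(100, 100), cl.spans()),
    ]


if __name__ == "__main__":
    for label, touched, regions in demo():
        print(f"{label}: touched={touched} regions={regions}")
```

An empty "touched" list is the validated no-op: the request covered only sectors that were already in the target state, so no sector is transformed a second time.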
Repairing preboot

The EETech for Mac tool provides this operation to verify and rebuild the contents of the NVRAM variables that are used to load the EE Pre-Boot drivers and start the Pre-Boot Authentication.

Before proceeding with this task, make sure you have these prerequisites ready.
- The EETech USB boot disk.
- The USB disk containing the recovery information file (.xml).

1 Insert the EETech USB boot disk containing the Recovery Information File (.xml) into the unrecoverable system.
2 Boot the unrecoverable system while holding down the Option (or alt) key. The Boot
4 Authorize with daily Authorization code and confirm the authorization status.
5 Authenticate with Token or Recovery Information File (.xml) and confirm the authentication status.
6 Click Repair preboot under Actions. The Warning window appears.
7 Click OK in the Warning window to confirm that you want to rebuild the contents of the NVRAM variables.

NOTE: After you authenticate through file or token and use the Repair preboot option, it replaces the code portion of the NVRAM variables with the one that was present after installing and activating Endpoint Encryption for Mac.

CAUTION: Repair preboot should be performed on a system where the boot disk is not encrypted; otherwise, the error message "Missing Operating System" is displayed.
Glossary

There are a number of options that an administrator needs to be aware of while using EETech for Mac. Those options and their functionalities are listed in the table below.

Topic: Description

Disk Information
    Disk Power Fail Status: Endpoint Encryption for Mac tracks the progress of encryption on the drive to make sure that if power is lost during encryption, the process is recoverable.
        Status: Determines whether the drive is currently in powerfail state. A status of Inactive indicates that the current encryption process has finished.
    Disk Crypt List
        Crypt List Region Count: The number of defined crypted areas of this logical disk. This usually corresponds to the number of partitions on the drive.
        Region: Each region is defined as follows:
            Start Sector: The physical start sector of the region.
            End Sector: The last physical sector included in the region.
            Sector Count: The number of sectors included in this region.
    Disk Partitions: A section per logical partition on this physical drive, as follows:
        Partition Count: The unique partition number.
        Partition Type: The file system detected on this partition.
        Partition Bootable: Whether the partition is bootable or not.
        Partition Recognized: Whether the partition is recognized as viable.
        Partition Drive Letter: The detected drive letter of this partition.
        Partition Start Sector: The physical start sector of the partition.
        Partition End Sector: The physical end sector of the partition.
        Partition Sector Count: The number of sectors in the partition.
        Partition Bus Type: Bus type used in particular partition.

Repair preboot: The EETech for Mac tool provides an operation that can be used to verify and rebuild the contents of the NVRAM variables that are used to load the EE Pre-Boot drivers and start the Pre-Boot Authentication.

NVRAM info: This is a diagnostic feature which is part of the EETech Mac tool. It displays the contents of the NVRAM variables. Before using this option, call McAfee Technical support for assistance.

Force Crypt Sectors: Unlike the Crypt Sectors Encrypt/Decrypt option, the Force Crypt Sectors option does not consider the disk crypt state. It simply performs the operation blindly according to user input. Force Crypt does not support power fail, nor does it apply any logic or parameter validation on the input. You should use the Force Crypt Sectors option only when everything else fails, for example, when the on-disk structures are completely corrupted.
    CAUTION: This option will cause irretrievable data loss if used incorrectly. If you are forced to use this option, you should make a recording of each operation you apply to support in data recovery.
    CAUTION: Make sure that there is no possibility of losing power while using this option, as this option does not support power fail protection.

Edit Disk Crypt State: The disk crypt state contains information about which ranges of sectors are encrypted. This option allows you to change the ranges.
    CAUTION: Call McAfee Technical support for assistance before using this option, because using this option inappropriately will cause irretrievable data loss.
    CAUTION: Make sure that there is no possibility of losing power while using this option, as this option does not support power fail protection.