8/18/2019 0.9 Point Prod VSE Deployment Policy Config
ePolicy Orchestrator 5.1 Esse013 McAfee, Inc. All Rights Reserved. 1
This module reviews client task configuration and functionality. Students will be shown the process
of deploying point products from ePO, along with information on troubleshooting product deployment.
This module also covers the steps involved in configuring a Point Product’s available policy settings
and then validating and troubleshooting the enforcement on the managed endpoint(s).
In addition to managing security products, ePolicy Orchestrator can deploy products, components,
and updates to the desired managed systems. You can perform these actions as needed, or you can schedule them using client and server tasks.
Client Tasks
Client tasks help automate how you manage systems in the network. They are commonly used for the following activities.
• Product deployment
• Product functionality; for example, the VirusScan Enterprise (VSE) On-Demand Scan task.
• Upgrades and updates
The extension files installed on the ePO server determine which client tasks are available.
Server Tasks
Server tasks are configurable actions that run on your ePO server on a schedule. You can leverage server tasks to help automate repetitive tasks that need to be performed on your server. McAfee ePO software includes preconfigured server tasks and actions by default. Most of the additional software products you manage with your ePO server also add preconfigured server tasks. Some example server tasks are:
• Disaster Recovery Snapshot Server: Create a Disaster Recovery Snapshot on a daily basis.
• Purge Threat and Client Events Older than 90 Days.
• Duplicate Agent GUID: clear error count: Clear Sequence Error Count for systems that have not recently reported duplicate activities.
• Duplicate Agent GUID - remove systems with potentially duplicated GUIDs: Delete systems whose sequence error count has exceeded the threshold and add Agent GUID to duplicate list.
• Query: run a query on a regular basis.
Client Tasks
You manage client tasks from the Client Task Catalog page. Go to: Menu > Policy > Client Task Catalog. The Client Task Catalog page opens.
Server Tasks
You manage server tasks from the Server Tasks page. Go to: Menu > Automation > Server Tasks. The
Server Tasks page opens.
Client and server tasks help automate the process of managing the security software deployed to the
systems on the network.
Client and Server Task Workflow
Follow these high-level steps when creating client and server tasks for the first time.
1. Plan the client tasks you want to automate; for example, deploy product software, perform
product updates, and more.
2. Create and assign client tasks to specific groups and systems.
3. Create server tasks to keep the repositories up-to-date and to automate server maintenance
tasks.
4. Schedule tasks to run automatically.
The Client Task Catalog Actions menu specifies actions you can perform for the selected object,
including:
• Import: Opens the Import page, where you can import Client Task objects from an XML file.
When importing a file containing multiple Client Task objects, you can choose which tasks to
import. NOTE: If you choose to import a Client Task object that is identical to an existing Client
Task, the existing object is overwritten.
• Export All: Opens the Export page, where you can export an XML file containing all client task
objects for the products listed in the Task Type pane. Use this action when you want to create an
XML file that you can import into this or other ePO servers. NOTE: Performing this action does
not delete the client task objects from the server.
In each row containing a client task, you can perform these actions for the selected task:
Click the name of the client task to modify the details of this object. Changing a client task object affects all instances where this object is assigned.
• Name column: Name of the client task.
• Owners column: Displays the Task Ownership page, where you can view and change the client
task's owner.
• Assignments: Opens the Task Assignments page, where you can view the current client task
assignments.
Actions column: Contains several options:
• Delete: Deletes the selected object from the Client Task Catalog.
• Duplicate: Creates a copy of the selected client task object.
• Assign: Opens the Select a group to assign the task page, where you can identify a group in your
System Tree to assign this task. Selecting a group and clicking OK opens the Client Task
Assignment Builder, where you can complete the assignment process.
• Share/Unshare: Shares or unshares the selected client task object. To share a client task object
with other ePO servers in your environment, you must have another ePO server registered with
this ePO. In addition, a Share Client Tasks server task must be created and enabled.
The New Task button is used to create a new client task object.
You can use client tasks to automatically deploy product software, perform product updates, and
more. The process is similar for all client tasks. In some cases you must create a new client task assignment to associate a client task to a System Tree group.
Complete these steps from the ePO console. For option definitions, click ? in the interface.
1. Go to the Client Task Catalog page (Menu > Policy > Client Task Catalog).
2. Select a Client Task Type in the left pane; for example, McAfee Agent > Product Update.
3. Click Actions > New Task (or click the New Task button).
4. Select a task type from the list, then click OK. The Client Task Builder wizard opens.
5. Type a name for the task you are creating, add a description (optional), then configure the
settings specific to the task type you are creating. The configuration options change depending
on the task type selected.
6. Review the task settings, then click Save. The task is added to the list of client tasks for the
selected client task type.
Complete these steps from the Client Task Catalog page to edit a client task:
1. Select a Client Task Type in the left pane; for example, McAfee Agent > Product Update.
2. Select a client task in the right pane.
3. Click the client task name in the Name column.
4. Edit the settings, as needed, then click Save.
Complete these steps from the Client Task Catalog page to delete a client task:
1. Select a Client Task Type in the left pane; for example, McAfee Agent > Product Update.
2. Select a client task in the right pane.
3. Click the Delete link for the selected task.
4. When prompted, click OK.
Complete these steps from the Client Task Catalog page:
1. Select a Client Task Type in the left pane; for example, McAfee Agent > Product Update.
2. Select a client task in the right pane.
3. Click the Duplicate link for the selected task.
4. Enter a task name, then click OK.
5. Use the Client Task Builder wizard to finish the setup. The steps are similar to those for creating
a new task.
Client tasks in the Client Task Catalog must be assigned to the managed systems to take effect. When
you click the Assign link, you are prompted to specify the System Tree group where you want to assign the client task object, then the Client Task Assignment Builder opens. Client tasks are inherited
by any managed system in or below the group you specify.
Task to Schedule
Use the options in this section to specify settings, including:
• Product: Select the managed product from this list that provides the Client Task object you want
to assign. For example, select the McAfee Agent product category to display McAfee Agent Client
Task objects. Choices in this list are dependent on the managed product extensions checked into
your ePO server.
• Task Type: Specify which task type you want to assign. Each managed product has a predefined
set of task types you can employ.
• Task Name: Choices in this list are dependent on the Client Task objects you create. You can
create Client Task objects using the Client Task Catalog, or create one now by clicking Create New
Task. When you create a new Client Task object, it is stored in the Client Task Catalog.
Created at
This field identifies the System Tree location where this Client Task Assignment is enforced. By
default, all groups and systems below this location inherit this assignment unless you break
inheritance manually.
Lock Task Inheritance
Specify whether task inheritance is:
• Locked: Managed systems below this location cannot have inheritance broken.
• Unlocked: Managed systems below this location can have inheritance broken.
NOTE: When inheritance is locked, only the Client Task owner, Global Administrators, or users with specific
permissions can unlock inheritance. The owner is the user who created the Client Task object.
Tags
Use this setting to use Tags to include or exclude tagged managed systems from this assignment. For example, if you assign a Client Task at the My Organization level in the System Tree, and choose to
send this assignment only to systems with the Server tag, any system in the My Organization group
that does not have the Server tag will not receive this task.
NOTE: You cannot create and apply tags to your managed systems while creating or managing Client
Task Assignments. The tags must already be created and assigned. For more information on creating
and applying tags, see Tags and how they work in the ePolicy Orchestrator Product Guide.
Client tasks run on the clients and are typically scheduled to run at a specific time. They are different
from policies because they are an action that the client must perform at a predetermined time.
In this next step, enter the scheduling parameters, then click the Next button in the bottom right
corner. See the next page for information about the fields.
Schedule status
Specifies whether the task runs according to its schedule. If the schedule is disabled, the task can
be run only from the System Tree > Systems page by clicking Actions > Agent > Run Client Task Now,
or as a Server Task action.
Schedule type
Specifies the time interval for running the client task. Options include:
• Daily: Specifies that the task runs every day, at a specific time, on a recurring basis between two
times of the day, or a combination of both.
• Weekly: Specifies that the task runs on a weekly basis. Such a task can be scheduled to run on a
specific weekday, all weekdays, weekends, or a combination of them. You can schedule such a
task to run at a specific time of the selected days, or on a recurring basis between two times of
the selected days.
• Monthly: Specifies that the task runs on a monthly basis. Such a task can be scheduled to run on
one or more specific days of each month at a specific time.
• Once: Starts the task on the time and date you specify.
• At System Startup: Starts the task the next time you start the server.
• At logon: Starts the task the next time you log on to the server.
• When idle: Starts the task the next time the client goes idle. Once initiated, the task continues to
run until it is complete, even if the system does not stay idle. Note: After the task is run the first
time, it is not run again.
• Run immediately: Starts the task immediately.
• Run on dialup: Starts the task the next time that the managed system establishes a dialup
connection to the network.
Effective period
Specify the following:
• End date: The date on which the client task stops being available to run at the scheduled intervals.
• Start date: The date on which the client task is available to begin running at the scheduled
intervals.
Start time
Specify the time at which this task should begin, as well as whether to run the task only once at the
Start time, or to continue running until a later time. You can also specify the interval at which the task
runs during this period.
Task runs according to
Specifies whether the task schedule runs according to the local time on the managed system or
Coordinated Universal Time (UTC).
Options
Specifies how the task behaves and the actions that can be taken if the task runs too long, or whether the task should run if it was missed. Options include:
• Enable randomization X hours Y minutes: Specifies that this task runs randomly within the time
you specify. Otherwise, this task starts at the scheduled time regardless of whether other client tasks are
scheduled to run at the same time.
• Run missed task X minute delay: Runs the task after a user-configured number of minutes once
the managed system is restarted.
• Stop the task if it runs for X hours Y minutes: Stops the task when it has run for a user-configured
amount of time.
Consider the following when creating and scheduling client update tasks:
• Create a task to update DAT and engine files daily at the highest level of the Directory that is inherited by all systems. If your organization is large, you can use randomization intervals to
mitigate the bandwidth impact of all systems updating at the same time. Also, for large networks
with offices in different time zones, running the task at the local system time on the managed
system, rather than at the same time for all systems, helps balance network load.
• Schedule the update task at least an hour after the scheduled replication task, if you are using
scheduled replication tasks.
• Run update tasks for DAT and engine files at least once a day. Managed systems can be logged off
from the network and miss the scheduled task; running the task frequently ensures these
systems receive the update.
• Maximize bandwidth efficiency and create several scheduled client update tasks that update separate components and run at different times. For example, you can create one update task to
update only DAT files, then create another to update both DAT and engine files weekly or
monthly — engine packages are released less frequently.
• Create and schedule additional update tasks for products that do not use the agent for Windows.
• Use the Run missed task option. This can be useful if systems are logged off from the network at
the scheduled update time, ensuring they update after logging onto the network.
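The scheduling guidance above can be checked numerically. The following is an added example, not part of the original course material, that compares peak update starts per minute for a UTC schedule, a local-time schedule, and a local-time schedule with a 60-minute randomization window, and flags time zones where a local-time schedule lands less than an hour after replication. The fleet, the 02:00 task time, the 01:00 UTC replication time, and the uniform-delay model of randomization are all assumptions made for illustration.

```python
"""Model of update-task start times across time zones (illustrative only).

Assumptions, none taken from ePO itself: every managed system starts its
update at the scheduled minute, randomization adds a uniform delay inside
the configured window, and the replication task starts at a fixed UTC time.
"""
import random
from collections import Counter

MINUTES_PER_DAY = 1440
SCHEDULED_MIN = 2 * 60  # update task scheduled for 02:00

# Constructed fleet: (UTC offset in hours, number of managed systems).
FLEET = [(-5, 1000), (0, 1500), (1, 500)]


def base_start(utc_offset, use_local_time):
    """UTC minute-of-day at which a zone's task is scheduled to start."""
    shift = utc_offset * 60 if use_local_time else 0
    return (SCHEDULED_MIN - shift) % MINUTES_PER_DAY


def start_minutes(fleet, use_local_time, randomization_min, seed=1):
    """Return one UTC start minute per managed system."""
    rng = random.Random(seed)
    starts = []
    for utc_offset, count in fleet:
        base = base_start(utc_offset, use_local_time)
        for _ in range(count):
            delay = rng.randrange(randomization_min) if randomization_min else 0
            starts.append((base + delay) % MINUTES_PER_DAY)
    return starts


def peak_per_minute(starts):
    """Largest number of systems that start updating in the same minute."""
    return max(Counter(starts).values())


def scenarios(fleet=FLEET, window=60):
    """Peak simultaneous starts for the three scheduling choices."""
    return {
        "utc_no_randomization": peak_per_minute(start_minutes(fleet, False, 0)),
        "local_no_randomization": peak_per_minute(start_minutes(fleet, True, 0)),
        "local_randomized": peak_per_minute(start_minutes(fleet, True, window)),
    }


def zones_too_close_to_replication(fleet, replication_utc_min,
                                   use_local_time, min_gap=60):
    """UTC offsets whose earliest update start is under min_gap minutes
    after the replication task starts. Randomization only adds delay, so
    the unrandomized start is the earliest case to check."""
    flagged = []
    for utc_offset, _count in fleet:
        base = base_start(utc_offset, use_local_time)
        gap = (base - replication_utc_min) % MINUTES_PER_DAY
        if gap < min_gap:
            flagged.append(utc_offset)
    return flagged


if __name__ == "__main__":
    for name, peak in scenarios().items():
        print(f"{name}: peak {peak} systems/minute")
    print("zones under 1h after 01:00 UTC replication (local time):",
          zones_too_close_to_replication(FLEET, 60, use_local_time=True))
```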
After completing the steps using the Client Task Assignment Builder, verify the configuration. If
necessary, use the Back button to return to a previous step to make changes. When you are satisfied with the settings, click Save.
Client tasks can be set at a group or machine level and are always inherited by the groups or machines below
them. Customers should always try to set their client tasks at the highest point of their directory tree, like the My Organization level. This reduces the number of tasks they will have to manage and keeps
administration overhead to a minimum.
You can see when systems or groups are not inheriting a task. You can select the blue hyperlink,
select the systems or groups, and reset the inheritance on the desired nodes.
Use this task to edit a client task’s settings or schedule information for any existing task.
1. Go to System Tree > Actions > Agent > Modify Tasks on a Single System.
2. Click the task name to edit the task, or click on the blue Edit Assignment hyperlink to modify
which systems it is assigned to.
3. Edit the task settings as needed, then click Save.
The managed systems receive these changes the next time the agents communicate with the server.
Note that saving an inherited task at the subgroup level breaks the task’s inheritance.
Some commonly-used client tasks are described below. We will take a closer look at these tasks in the
following sections.
McAfee Agent:
• McAfee Agent Statistics: Collect network bandwidth saved by RelayServer and SuperAgent
hierarchical feature.
• McAfee Agent Wakeup: Triggers an immediate Agent-Server Communication. This applies to
Windows operating systems only.
• Mirror Repositories: Specifies a location on the managed system to replicate contents from the
repository. This applies to Windows operating systems only.
• Product Deployment: Install a product on managed systems.
• Product Update: Update a product on managed systems.
VirusScan Enterprise: Perform On-Demand Scan and Restore From Quarantine.
NOTE: Client tasks in the Client Task Catalog must be assigned to the managed systems to take effect.
You can configure the McAfee Agent Statistics task to collect network bandwidth saved by
RelayServer and SuperAgent hierarchical feature.
Creating a New Task
The steps are:
1. Provide a name for the task.
2. Optionally, provide a description of the task's purpose.
3. Select from the Statistics Options.
• RelayServer Statistics: Collects these statistics from the client systems:
o Number of failed connections to the RelayServers
o Number of attempts made to connect to the RelayServer after the maximum allowed connections
• SuperAgent Hierarchical Update Statistics: Collects the network bandwidth saved by use of SuperAgent hierarchy.
Agent Relay Capability
If your network configuration blocks communication between the McAfee Agent and the McAfee ePO server, the agent can't receive content updates, policies, or send events. Relay capability can be enabled on agents that have direct connectivity to the ePO server or Agent Handlers to bridge communication between the client systems and the McAfee ePO server. You can configure more than one agent as a RelayServer to maintain network load balance.
SuperAgent Hierarchical Capability
You can create a hierarchy to avoid repetitive download of the content update from the ePO server or distributed repository. It is recommended to have a three-level hierarchy of SuperAgents in your
network.
The Mirror Repositories page specifies a location on the managed system to replicate contents from
the repository. The repository this task uses is selected based on policy selections on the Repositories tab of the agent policy pages.
Creating a New Mirror Repositories (Windows only) Task
The steps are:
1. Provide a name for the task.
2. Optionally, provide a description of the task's purpose.
3. Specify the path and folder where the repository contents are copied. The repository selected
is based on policy selections on the Repositories tab of the agent policy pages.
Fields and Descriptions
• Task Name: Provide a name for the task.
• Description: An optional description of the task's purpose.
• Target platforms: Specifies all platforms where these packages are deployed.
• Products and components: Select the products and components to deploy when this task runs.
If you do not see the product you want to deploy listed here, you must first check in that
product’s software package.
Select Add (+) or Delete (-) to add or delete products from the list. For each product:
o Specify the Action, Language, and Branch.
o Optionally, specify command-line update options by typing the desired command.
• Options: Select Run at every policy enforcement (Windows only) to ensure the deployment occurs again at the policy enforcement interval if a user has removed the product or component.
• Postpone Deployment dialog box (Windows systems only): Select Allow end users to postpone
this update to give the user the option to postpone the update; for example, if users are in the
middle of an important task, they can postpone the update to finish the task, or at least close
any open applications.
• Maximum number of postpones allowed: Specifies the number of times a user can postpone
the update. Defaults to 1.
• Option to postpone expires after (seconds): Specifies how long the option to postpone exists.
Once this threshold is passed, the update begins. Defaults to 20 seconds.
• Display this text: Specifies a message displayed in the Postpone Update dialog box.
Use this task to deploy products to a single system using the Product Deployment task.
Create a Product Deployment client task for a single system when that system requires:
• A product installed which other systems within the same group do not require.
• A different schedule than other systems in the group. For example, if a system is located in a
different time zone than its peers.
Steps
1. Go to System Tree > Systems, then select the group in the System Tree which contains the
desired system.
2. Select the checkbox next to the desired system.
3. Click Actions > Agent > Modify Tasks on a Single System. The list of tasks assigned to this system appears.
4. Click Actions > New Client Task Assignment. The Description page of the Client Task
Assignment Builder appears.
5. Select McAfee Agent > Product Deployment from the Task information screens.
6. Click Create New Task.
7. Add any descriptive information to the Notes field.
The information you add here is only visible when you open the task at the system for which you are
configuring the task.
8. Select the desired platforms to which you are deploying the packages.
9. Next to Products to deploy, select the desired product from the first drop-down list. The
products listed are those for which you have already checked in a package file to the master
repository. If you do not see the product you want to deploy listed here, you must first check in
that product’s package file.
10. Set the Action to Install, then select the language version of the package.
11. To specify command-line install options, type the desired command-line options in the Command line text field. See the product documentation for information on command-line
options of the product you are installing.
12. Click Save.
13. Select your newly created task and click Next. The Schedule page appears.
14. Schedule the task as needed, then click Next. The Summary page appears.
15. Review and verify the details of the Product Deployment task, then click Save.
Product Update page (Client Task Configuration)
The Product Update page is where you configure how the McAfee Agent updates packages, signatures, and engines on managed systems.
When you are configuring the options for updating signatures, engines, patches, service packs, and
any other update types, it is important to keep in mind that the McAfee Agent policy is where you configure the location and the desired repositories that you want the system to access for updates.
The product update task lists the package types that you can update. If, for example, the customer
wants to control the update for a new engine version then they will need to configure both the policy
location along with the task.
After you have client tasks defined in the Client Task Catalog, you can select systems in the System Tree and
select the McAfee Agent action Run Client Task Now.
You can then select the task you wish to run. Once you click the Run Task Now button, a
status bar shows the status of the task on each system you selected.
The administrator will need to check product installation software in to the ePO 5.1 Master
Repository for deployment to systems. This can be done manually through the Master Repository or automatically through the Software Manager.
Customers can download their licensed software from the McAfee downloads site or through the
Software Manager.
To manually download McAfee products, updates, and documentation, visit the Downloads page at
http://www.mcafee.com/us/downloads/downloads.aspx .
To download through the Software Manager:
1. Log on to the ePO console.
2. Click Menu.
3. Click Software, Software Manager.
4. Under Software Not Checked In, select the product you wish to download or check in from the
Product list in the detail pane.
5. Under the details, select to check in all components or select them individually. You can select
to check in, download, remove, or update components.
Checked in packages are displayed on the Master Repository page. Successfully checked in products
will display:
• Install listed in the Type column
• OK listed in the Status column
You can check in deployment packages manually to the Master Repository so that the ePO server can
deploy them. The Check In Package button launches the Check in Package wizard. Use this to browse to a new package to be checked in to the server.
A product’s extension must be installed before ePolicy Orchestrator can manage the product.
The Extension page is used to upload the files needed by point products to be managed through ePO.
For example, Vulnerability Manager has an extension that ensures among other things that the
proper menus are added to ePO for administration.
To bring products under management:
1. From the ePO console, click Menu > Software > Extensions > Install Extension.
2. Browse to and select the extension file, then click OK.
3. Verify that the product name appears in the Extensions list.
Deploying security products to managed systems using a deployment project allows the customer to
easily select products to deploy, the target systems, and schedule the deployment.
Customers can use the Product Deployment page to display the configuration and status of currently
configured deployment projects. Plus, you can edit, delete, duplicate, start, stop and uninstall
deployment projects using this page.
To create a new deployment project:
1. Click Menu > Software > Product Deployment.
2. Click New Deployment to open the New Deployment page to start a new project.
3. Type a Name and Description for this deployment. This name appears on the Deployment page
after the deployment is saved.
4. Choose the type of deployment:
• Continuous – Uses your System Tree groups or tags to configure the systems receiving the
deployment. This allows these systems to change over time as they are added or removed from
the groups or tags.
• Fixed – Uses a fixed, or defined, set of systems to receive the deployment. System selection is
done using your System Tree or Managed System Queries table output.
5. To specify which software to deploy, select a product from the Package list. Click + and – to add or
remove packages.
6. In the Command line text field, specify any command-line installation options.
NOTE: After choosing the type of deployment, either Fixed or Continuous, the menu options change
in the Select the systems area (in the ‘Select Systems’ window).
7. In the Select the systems section, click Select Systems to open the System Selection dialog box.
The System Selection dialog box is a filter that allows you to select groups in your System Tree,
Tags, or a subset of grouped and/or tagged systems. The selections you make in each tab within
this dialog box are concatenated to filter the complete set of target systems for your deployment.
For example, if your System Tree contains, “Group A,” which includes both Servers and
Workstations, you can target the entire group, just the Servers or Workstations (if they are tagged
accordingly), or a subset of either system type in group A.
8. Pick a start time or schedule for your deployment:
• Run Immediately – Starts the deployment task during the next ASCI.
• Once – Opens the scheduler so you can configure the start date, time, and randomization.
9. When finished, click Save at the top of the page.
After saving the task, the Product Deployment page opens with your new project added to the list of
deployments.
After you create a deployment project, a client task is automatically created with the deployment
settings.
You can click the System Actions button to display the list of systems in a new page where you can
perform system-specific actions on the systems you select.
Troubleshooting Product Deployment Issues
1. Validate that the agent(s) received the task.
a. Validate that the task is present on the client.
• Check for its presence in the Datastore.bin file.
• Check for the corresponding task ini file in the agent’s task folder.
b. If the task was not received, validate that the agent is communicating with ePO. If it is failing to
communicate, investigate as an agent-to-server communication problem (check the
Agent_.log file).
2. On the ePO Server side, review the server.log file to validate that the task was provided without
errors.
3. Validate that the agents executed the task at the scheduled time. Check the
Agent_.log, and McScript.log files.
4. Is the task being written to the registry?
a. Use PROCMON to capture whether an attempt is made to write the task (policy) to the registry. If it
is and access was denied, then we know it to be a permissions-related issue.
It’s this type of troubleshooting methodology that will help you identify where the failure is occurring
and why.
NOTE: When ePO deploys a product, it only pushes out the files to the client and starts the
installation. Any problems with providing the files or starting the installation are generally the
deployment task’s fault. Any problems after that lie with the application/point product.
Managing products from a single location is a central feature of ePolicy Orchestrator. This is
accomplished through application and enforcement of product policies. Policies ensure a product’s
features are configured correctly, while client tasks are the scheduled actions that run on the
managed systems hosting any client-side software.
A policy is a collection of settings that you create and configure, then enforce. Policies make sure that
the managed security software products are configured and perform accordingly. Some policy
settings are the same as the settings you configure in the interface of the product installed on the
managed system. Other policy settings are the primary interface for configuring the product or
component. The ePolicy Orchestrator console allows you to configure policy settings for all products
and systems from a central location.
Each McAfee product Extension file within the ePO repository is represented in the Policy Catalog list.
Generally, by default, only two named policy objects exist for each product policy. One is named
McAfee Default, and cannot be renamed, edited, or deleted (but can be duplicated). The other policy
is named My Default and this policy can be edited, renamed, duplicated, deleted, or exported.
Policy objects are managed from within the Policy Catalog. From here policies can be viewed,
duplicated, copied, enforced, and policy assignments can be viewed. However, policies cannot be
assigned to System Tree nodes from within the catalog. In order to assign a policy to a System Tree
node the node itself must be selected.
Policy categories
Policy settings for most products are grouped by category. Each policy category refers to a specific
subset of policy settings. Policies are created by category. In the Policy Catalog page, policies are
displayed by product and category. When you open an existing policy or create a policy, the policy
settings are organized across tabs.
The product configuration options on the managed system are almost identical to those specified
through the product policies in ePO, as shown here. The left graphic shows Access Protection
configured locally on a system running VirusScan Enterprise. The right graphic shows how this same
configuration can be enforced using ePO product policies.
It is likely that most systems within any environment will require identical or very similar
configurations. A small minority of systems may require radically different settings from the majority.
The purpose of policy objects and inheritance is to allow the described scenario (or any given
scenario) to be implemented with as little effort as possible.
Policy inheritance is the concept of a higher-level policy assignment being applied to a lower-level
node.
Policy assignment is the allocation of a specific named policy object at a specific node within the ePO
System Tree.
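The inheritance and assignment definitions above can be modelled as a walk up the System Tree from a node to the nearest node that carries an assignment. This is an added example, not McAfee code or part of the original course material; the tree layout, the system names, the "Access Protection" category label and the "Server Lockdown" policy are constructed, and the model covers only the inheritance rule described here.

```python
# Added example: simplified model of System Tree policy inheritance.
# All node names, system names and "Server Lockdown" are constructed sample data.
ROOT = "My Organization"

# child -> parent; the root has no parent.
PARENT = {
    ROOT: None,
    "Group A": ROOT,
    "Servers": "Group A",
    "Workstations": "Group A",
    "SRV-DB01": "Servers",
    "WKS-0042": "Workstations",
}

# Explicit policy assignments: (node, category) -> named policy object.
ASSIGNED = {
    (ROOT, "Access Protection"): "My Default",
    ("Servers", "Access Protection"): "Server Lockdown",
}


def effective_policy(node, category):
    """Return (policy, source_node): the nearest assignment at or above node."""
    if node not in PARENT:
        raise KeyError(f"unknown System Tree node: {node}")
    current = node
    while current is not None:
        policy = ASSIGNED.get((current, category))
        if policy is not None:
            return policy, current      # assigned here, inherited by everything below
        current = PARENT[current]       # nothing assigned: inherit from the parent
    return None, None                   # no assignment anywhere on the path


def overrides(category):
    """Nodes whose effective policy differs from what the root resolves to."""
    baseline, _ = effective_policy(ROOT, category)
    return sorted(n for n in PARENT
                  if effective_policy(n, category)[0] != baseline)


if __name__ == "__main__":
    for name in PARENT:
        policy, source = effective_policy(name, "Access Protection")
        print(f"{name:16} -> {policy} (assigned at {source})")
    print("Deviating from root policy:", overrides("Access Protection"))
```

Listing the nodes that deviate from the root assignment is a quick way to review which groups and systems run with settings that differ from the majority.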
You can create a new policy from the Policy Catalog by clicking the button at the top left-hand side of
the Policy Catalog page labeled New Policy. This allows you to base the new policy on a duplicate of
an existing policy object. Policies created here are by default not assigned to any groups or systems.
When you create a policy here, you are adding a custom policy to the Policy Catalog. You can create
policies before or after a product is deployed.
In addition to specifying how the policy obtains its initial configuration, you must specify the name.
After the policy is created, you can change inheritance and any configuration contained within the
policy.
To create a new policy:
1. Click Menu on the navigation bar. Select Policy Catalog within the Policy section.
2. Select the Product and Category from the drop-down lists. All created policies for the selected
category appear in the details pane.
3. Click the New Policy button. The Create new policy dialog appears.
4. Select the policy you want to duplicate from the Create a policy based on this existing policy
drop-down list. Type a name for the new policy and click OK.
When policies are enforced
When you reconfigure policy settings, the new settings are delivered to, and enforced on, the
managed systems at the next agent-to-server communication.
Once the policy settings are in effect on the managed system, the agent continues to enforce policy
settings locally at the regular interval. This enforcement interval is determined by the Policy
enforcement interval setting on the General tab of the McAfee Agent policy pages.
Policy settings for McAfee products are enforced immediately at the policy enforcement interval, and
at each agent-to-server communication if policy settings have changed.
Troubleshooting Point Product Policy Enforcement
1. Is the policy set up correctly?
a. VSE splits policies between workstation and server OSes.
2. Has an agent wakeup occurred since saving the policy?
3. Are the target client(s) receiving the policy?
a. Check the Agent_.log and Datastore.bin files.
4. Use PROCMON to capture whether an attempt is made to write the policy to the registry. If it is and
access was denied, then we know it to be a permissions-related issue.