Epo 590 PG 0-00 En-Us - PDF Gda 1490161200 &ext
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Preface
  About this guide
    Audience
    Conventions
  Find product documentation
1 Product overview
  What is McAfee ePO?
  Key features
  How McAfee ePO works
Initial configuration
3 Planning your McAfee ePO configuration
  Considerations for scalability
    Example organization size and network components
    What affects McAfee ePO performance
  Internet protocols in a managed environment
Advanced configuration
5 Dashboards and monitors
  Using dashboards and monitors
  Manage dashboards
  Export and import dashboards
  Specify first-time dashboards
  Manage dashboard monitors
  Move and resize dashboard monitors
  Set default monitor refresh intervals
18 Repositories
  What repositories do
  Repository types and what they do
  Repository branches and their purposes
  Using repositories
    Distributed repository types
    Repository list files
    Best practice: Where to place repositories
20 Maintaining your McAfee ePO server, SQL databases, and bandwidth
  Maintaining your McAfee ePO server
    Best practices: Monitoring server performance
    Maintaining your SQL database
    Best practices: Recommended tasks
  Managing SQL databases
    Best practice: Maintaining SQL databases
    Use a remote command to determine the Microsoft SQL database server and name
    Configure a Snapshot and restore the SQL database
    Use Microsoft SQL Server Management Studio to find McAfee ePO server information
    The Threat Event Log
  Bandwidth usage
    Best practice: Agent deployment and bandwidth
    Best practices: Bandwidth recommendations for repository distribution
Index
This guide provides the information you need to work with your McAfee product.
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators: People who implement and enforce the company's security program.
Users: People who use the computer where the software is running and can access some or all of its features.
Conventions
This guide uses these typographical conventions and icons.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
McAfee ePolicy Orchestrator (McAfee ePO) is an extensible platform that enables centralized policy
management and enforcement of your security policies.
McAfee ePO Cloud is a cloud-based instance of McAfee ePO. With McAfee ePO Cloud, you don't need to
configure and maintain the servers where your security management software runs. Software
management and other maintenance are taken care of by our administrators.
Contents
What is McAfee ePO?
Key features
How McAfee ePO works
Update the detection DAT (signature) files, antivirus engines, and other security content required
by your security software to keep your managed systems secure.
Create reports using the query system builder, which displays configurable charts and tables of
your network security data.
With McAfee ePO automation features and end-to-end network visibility, you can:
Reduce response times.
Strengthen protection.
Key features
From the single view of McAfee ePO, you can access many features, such as managed clients,
networks, data, and compliance solutions, to protect your network.
Whether your network has a hundred clients or 300,000 clients, McAfee ePO can manage the security
of your network using these features.
Feature: Description
Fast deployment time: When the preconfigured security and risk management solutions are working together, you can reduce security gaps and complexity. Single agent deployment and customizable policy enforcement also secure your environment quickly.
Drag-and-drop dashboards: These dashboards provide a unified view of your security posture and security intelligence across managed systems, data centers, mobile devices, and networks.
Reduce complexity and streamline processes: Using Guided Configuration, automated work streams, and predefined dashboards you can quickly start protecting your network clients.
Future-proof your security infrastructure: Protect your organization from current and future threats. Real-time threat intelligence proactively guards your infrastructure. The open platform facilitates rapid adoption of security innovations as new threat categories emerge.
Advanced network configuration features: Your IT administrators can unify security management across endpoints, networks, data, and compliance solutions from Intel Security and third-party solutions.
Comprehensive Endpoint Detection and Response (EDR): McAfee Active Response uses predefined and customizable collectors to search deeply across all systems. It finds indicators of attack (IoAs) that are present in running processes, lying dormant, or have been deleted.
Scale for enterprise deployments: Use additional servers, such as Agent Handlers and distributed repositories, to quickly connect to remote sites with limited bandwidth and provide systems with the latest protection software.
Enhanced disaster recovery: Protecting your network security, history, and McAfee ePO configuration is automatic and can be quickly rebuilt if a catastrophic hardware disaster occurs.
Multiple users: You can create many McAfee ePO users to simplify security management and create reports. You can add users limited to specific groups of systems, plus additional administrators with full control as backups.
Issue management: Automated issue responses can send alerts and events to predefined users.
Automatic Responses: You define how McAfee ePO software directs alerts and security responses based on the type and criticality of security events in your environment. You can also create automated workflows between your security and IT operations systems to quickly remediate outstanding issues.
Native 64-bit support McAfee ePO takes advantage of the latest native 64-bit operating system
with reporting orientation features for increased processing speed.
Policy comparison, With multiple McAfee ePO users, you might have similar policies and
common task orientation tasks. Now, you can compare them side by side to manage them.
Single page deployment: Product Deployment is one page where you can deploy, track, and even delete software on your managed systems.
URL installation of endpoint products: McAfee Smart Installer URL lets you install the McAfee Agent using a browser and your Internet-connected McAfee ePO server.
HTML5 UI support: McAfee ePO now supports the latest browsers, including Internet Explorer 11, Edge, Chrome, Firefox, and Safari.
McAfee product software, for example McAfee Endpoint Security, cleans or deletes the malware
file.
McAfee Agent notifies McAfee ePO of the attack.
McAfee ePO displays the notification of the attack on the Number of Threat Events dashboard
and saves the history of the attack in the Threat Event Log.
Collects events, product properties, and system properties from the managed endpoints and sends
them back to McAfee ePO
McAfee ePO server: Connects to the McAfee ePO update server to download the latest security content
Microsoft SQL database: Stores all data about your network managed systems, McAfee ePO, Agent Handlers, and repositories
McAfee Agent installed on clients: Provides these features:
  Policy enforcement
  Product deployments and updates
  Connections to send events, product, and system properties to the McAfee ePO server
Agent Handlers are most effective when on the same network segment as the McAfee ePO
database.
LDAP or Ticketing system: Connects your McAfee ePO server to your LDAP server or SNMP ticketing server
Automatic Responses: Notifies administrators and task automation when an event occurs
Web Console connection: Provides HTTPS connection between the McAfee ePO server and the web browser using default port 8443.
Distributed Repository connections: Repository connections depend on the type of repository. For example, HTTP, FTP, or UDP connections.
Agent Handler in DMZ: Agent Handlers installed in the DMZ require specific port connections.
Round-trip latency between the Agent Handler and the McAfee ePO database must be less than
about 10 ms.
Log on to the console to configure McAfee ePO to manage and monitor your network security.
Contents
Log on and log off
Navigating the interface
Working with lists and tables
When you connect to McAfee ePO, the first screen you see is the McAfee ePO logon screen.
Task
1 Type your user name, password, and click Log On.
Once you log off, your session is closed and cannot be opened by other users.
Main menu: Click to access menu items and functionality of McAfee ePO. Each section
contains a list of primary feature pages associated with a unique icon. Select a category in the
main menu to view and navigate to the primary pages that make up that feature.
Drag and drop menu items from the main menu into the shortcut bar for easy access in the future.
Drag the menu items off the shortcut bar to delete.
This down-arrow indicates that more features are available in the shortcut bar.
When you place more icons on the shortcut bar than can be viewed, an overflow menu is created on
the right side of the bar. Click the down-arrow to access the hidden menu items not displayed in the
shortcut bar.
The icons displayed in the shortcut bar are stored as user preferences. Each user's customized
shortcut bar is displayed regardless of which console they use to log on to the server.
For descriptions of the categories in a managed product, see your managed product documentation.
Category: Description
Password: Changes your McAfee ePO logon password.
Queries and Reports Warning: Determines whether a warning message appears when you try to drag a query from one query group to another.
System Tree Warning: Determines whether a warning message appears when you try to drag systems or groups from one System Tree group to another.
Tables: Specifies how often auto-refreshed tables are refreshed during your session.
User Session: Controls the length of time that your user session remains open after you stop interacting with the user interface.
Server settings
Adjust server settings to fine-tune McAfee ePO for the needs of your organization. Your customizations
affect all your McAfee ePO users.
For descriptions of the categories provided by managed products, see your managed product
documentation.
Agent Deployment Credentials: Specifies whether users are allowed to cache agent deployment credentials.
Certificate Based Authentication: Specifies whether Certificate Based Authentication is enabled, and the settings and configurations required for the Certificate Authority (CA) certificate being used.
Dashboards: Specifies the default active dashboard that is assigned to new user accounts at the time of account creation, and the default refresh rate (5 minutes) for dashboard monitors.
Disaster Recovery: Enables and sets the keystore encryption passphrase for Disaster Recovery.
Email Server: Specifies the email server that McAfee ePO uses to send email messages.
Event Filtering: Specifies which events the agent forwards.
Event Notifications: Specifies how often McAfee ePO checks your notifications to see if any trigger Automatic Responses.
Global Updating: Specifies whether and how global updating is enabled.
License Key: Specifies the license key used to register this McAfee ePO software.
Logon Message: Specifies whether a custom message is displayed when users log on to the McAfee ePO console, and the message content.
Policy and Task Retention: Specifies whether the policies and client task data are removed when you delete the product extension.
Ports: Specifies the ports used by the server when it communicates with agents and the database.
Printing and Exporting: Specifies how information is exported to other formats, and the template for PDF exports. It also specifies the default location where the exported files are stored.
Product Compatibility List: Specifies whether the Product Compatibility List is automatically downloaded and whether it displays any incompatible product extensions.
Product Improvement Program: Specifies whether McAfee ePO can collect data proactively and periodically from the managed client systems.
Proxy Settings: Specifies the type of proxy settings configured for your McAfee ePO server.
Scheduler Tasks: Specifies the number of server tasks that run at the same time.
Security Keys: Specifies and manages the agent-server secure communication keys and repository keys.
Server Certificate: Specifies the server certificate that your McAfee ePO server uses for HTTPS communication with browsers.
Server Information: Specifies Java, OpenSSL, and Apache server information, such as name, IP address, and version information.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select User Session from the Setting Categories, then click
Edit.
This screenshot shows the Quick Find search filter for queries.
Filter a list
Use filters to select specific rows in the lists of data in the McAfee ePO interface.
Task
For details about product features, usage, and best practices, click ? or Help.
1 From the bar at the top of a list, select the filter that you want to use to filter the list.
2 Select the checkboxes next to the list items that you want to focus on, then select Show selected rows.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Available Properties list, click the properties you want to include in your filter.
4 Once all the properties that you selected are populated with valid and complete values, click Update
Filter.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click Apply.
Only items that contain the terms that you entered in the Quick Find field are displayed.
Click Clear to remove the filter and display all list items.
2 Limit the list to specific queries, for example, "detection." In the Quick Find field, type
detection, then click Apply.
Some lists contain items translated for your location. When communicating with users in other
locales, remember that query names can differ.
This table row selection action does not work in the Audit Log table.
This table lists the actions used to select table row checkboxes.
All rows: Click the top checkbox in table headings. Selects every row in the table.
To use your McAfee ePO server effectively, you must create a comprehensive plan specific to your
environment.
Your McAfee ePO server infrastructure and configuration needs depend on the unique needs of your
network environment. Considering these areas in advance can reduce the time it takes to get started.
Do you have any specific security needs, such as firewalls, or do you use Network Address
Translation (NAT) in an external network?
Will you have multiple McAfee ePO users with different permission sets?
Contents
Considerations for scalability
Internet protocols in a managed environment
Vertical scalability: Adding and upgrading to bigger, faster hardware to manage larger and
larger deployments. Scaling vertically is accomplished by upgrading your server hardware, and
using multiple McAfee ePO servers throughout your network, each with its own database.
Horizontal scalability: Increasing the deployment size that one McAfee ePO server can
manage. Scaling horizontally is accomplished by installing multiple remote Agent Handlers, each
reporting to one database.
This table lists the number of managed systems and the suggested server hardware needed to
manage these systems.
See also
Example organization size and network components on page 32
This figure shows an organization with fewer than 10,000 managed systems.
Figure 3-1 Fewer than 10,000 managed systems McAfee ePO network components
You can use the Microsoft SQL Express database for a small number of managed systems. But,
Microsoft does not allow the SQL Express database to exceed 10 GB, and the memory available for
the SQL Express Database Engine is limited to 1 GB.
Best practice: As your managed systems count approaches 10,000 managed systems, we recommend
that you separate the McAfee ePO server and SQL servers onto their own physical servers.
This diagram shows an organization configured for 25,000 managed systems with the servers on
different hardware.
Figure 3-2 McAfee ePO network components for 10,000–25,000 managed systems
If you have the budget for additional hardware resources, exceed this recommendation for
improved performance.
This diagram shows an organization configured for 25,000–75,000 managed systems with the servers
on different hardware and a distributed repository.
Figure 3-3 McAfee ePO network components for 25,000–75,000 managed systems
Separate Distributed Repositories to store and distribute important security content for your
managed systems
Separate McAfee ePO Agent Handlers to coordinate McAfee Agent requests between themselves
and the McAfee ePO server. Agent Handlers require constant communication back to the SQL
database. They check the McAfee ePO server database work queue about every ten seconds to
find which tasks to perform. Agent Handlers need a relatively high speed, low latency connection
to the database. Agent Handlers reduce the workload on the McAfee ePO server by about 50
percent. We recommend one Agent Handler for each 50,000 managed systems.
Best Practice: For organizations with 75,000 to 150,000+ managed systems, install an Agent
Handler on the same network subnet with the McAfee ePO server, for redundancy. This leaves the
McAfee ePO server to manage agent-server communications if the connection to the Agent
Handler fails.
Separate McAfee ePO Distributed Repositories to store and distribute important security content
for your managed client systems.
See also
How Agent Handlers work on page 295
Each of these factors affects your McAfee ePO server performance and must be considered as your
managed network grows and your security needs change.
SQL Server: This server is the main workhorse behind the McAfee ePO server and affects the
performance of the McAfee ePO server.
Number of software products installed: Each software product you install adds processing
load on the McAfee ePO server and the SQL database.
Number of managed clients and their Agent Handlers: These numbers are proportional to
the McAfee ePO server and database performance. Each Agent Handler places these fixed loads on
the database server:
  Heartbeat updates (every minute)
  Pool of database connections held open to the database (two connections per CPU to the Event
  Parser service and four connections per CPU to the Apache service)
The mode in which your McAfee ePO server works depends on your network configuration. For
example, if your network is configured to use only IPv4 addresses, your server works in Only IPv4
mode. Similarly, if your network is configured to use both IPv4 and IPv6 addresses, your server works
in Mixed mode.
Until IPv6 is installed and enabled, your McAfee ePO server listens only to IPv4 addresses. When IPv6
is enabled, it works in the mode in which it is configured.
When the McAfee ePO server communicates with an Agent Handler on IPv6, address-related
properties such as IP address, subnet address, and subnet mask are reported in IPv6 format. When
transmitted between client and McAfee ePO server, or when displayed in the user interface or log file,
IPv6-related properties are displayed in the expanded form and are enclosed in brackets.
When setting an IPv6 address for FTP or HTTP sources, no changes to the address are needed. But,
when setting a Literal IPv6 address for a UNC source, you must use the Microsoft Literal IPv6 format.
See Microsoft documentation for more information.
Get up-and-running quickly by configuring the essential features of your McAfee ePO server.
Contents
Server configuration overview
Use automatic Product Installation Status
Use Guided Configuration
Use a proxy server
Enter your license key
Adding an SSL certificate to trusted collection
Adding systems to manage
Installing the McAfee Agent and licensed software
What the System Tree does
Default configuration and common tasks
Confirming system protection and seeing threats
What to do next
Use a Product Deployment to install the product software on your managed systems.
Use the Update Master Repository Server Task to install the latest product software and DAT file.
Create a Product deployment Client task and assign it to a group of systems in the System Tree.
To learn about the default Policies, Client Tasks, and other features, use the default configuration
and common tasks.
To confirm the initial configuration, run the test virus to confirm system protection.
This table lists the configuration steps to install your licensed product software automatically or
manually.
The Product Installation Status page starts only if you selected Enable Automatic Product Installation option
during the McAfee ePO installation. Use Automatic Product Installation in the first 24 hours after initial
logon. After the initial 24 hours, Automatic Product Installation is no longer available and you must use
one of the other methods.
4 If the failed product installation continues to fail:
  Try using the manual product download method.
  Call McAfee support.
  Continue with the McAfee ePO configuration and try to install the product later.
5 Complete these tasks as needed for your environment:
  Add systems to your System Tree.
  Configure general server settings.
  Create user accounts.
  Configure permission sets.
  Configure policies.
  Configure advanced server settings and features.
  Set up additional components.

Schedule a client update task.
Deploy your security products to your managed systems.
4 Complete these tasks as needed for your environment:
  Configure general server settings.
  Create user accounts.
  Configure permission sets.
  Configure policies.
  Configure advanced server settings and features.
  Set up additional components.
Configuration checklist
Use this checklist to make sure that you have completed the configuration steps to configure your
McAfee ePO server.
Download and install the McAfee product software using one of these methods:
Use Automatic Product Installation in the first 24 hours after initial logon. After the initial 24 hours,
Automatic Product Installation is no longer available and you must use one of the other methods.
The Product Installation Status page starts only if you selected Enable Automatic Product Installation
option during the McAfee ePO installation.
Use System Tree and manually add the systems from their domains.
Confirm that the default product deployment task keeps your system updated with the latest
software.
Confirm that the default Policies for your McAfee product software include the correct
configurations.
Confirm that the default client tasks send and gather the correct information from your managed
systems.
Confirm the default McAfee ePO server tasks are scheduled and perform the correct tasks on your
server.
Confirm the default dashboards display the best information to help you monitor your managed
environment.
Confirm that a few systems are protected and are returning threat information using the
eicar.com anti-malware test file.
If you have a large or complex network, you might need to configure these additional
features:
Add additional McAfee ePO users.
Reorganize your System Tree into groups and use tags to organize systems.
Add custom policies to ensure that your product features are configured correctly on managed
systems.
Add Agent Handlers or distributed repositories to update software on remote systems.
Create processes to monitor and maintain your McAfee ePO server and SQL database.
Create additional automatic queries and reports to monitor your managed systems.
See also
What's in the Software Manager on page 157
What the System Tree does on page 57
Use automatic Product Installation Status on page 42
The Product Installation Status page is available only for the first 24 hours after you initially log on to
McAfee ePO. After 24 hours, the default dashboard page appears for all subsequent user logons, and
Product Installation Status disappears from the Menu | Automation list.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click the Launch ePolicy Orchestrator icon on your McAfee ePO server desktop, to open the Log On
screen.
The Product Installation Status software automatically starts downloading and installing the
licensed software available to your organization. You can monitor the process using:
Products: Displays all licensed software and the latest available version.
You can click Menu | Software | Software Manager at any time to see details of the software installation
process.
You can also use the McAfee ePO user interface to configure other elements while the automatic
software installation process is running.
3 Complete the software installation process using the automatic or manual method.
Create user accounts and configure permission sets: User accounts allow users to
access the server, and permission sets grant rights and access to McAfee ePO features.
Configure advanced server settings and features: Advanced features and functionality
help you automate the management of your network security.
See also
Server settings on page 23
What's in the Software Manager on page 157
Users on page 141
Permission sets on page 152
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click the Launch icon on your McAfee ePO server desktop, to see the Log On screen.
2 Type your user name, password, and select a language, if needed, then click Log On. McAfee ePO
starts and displays the Dashboard dialog box.
3 Use either automatic Product Installation Status or Software Manager to install your product
software.
4 Select Menu | Reporting | Dashboards, select Guided Configuration from the Dashboard drop-down, then click
Start.
5 Review the Guided Configuration overview and instructions, then click Start.
b In the Software table, select the product that you want to check in. The product description and
all available components are displayed in the table.
c Click Check In All to check in product extensions to your McAfee ePO server, and product packages
to your Master Repository.
d Click Next at the top of the screen when you're finished checking in software.
b Specify your settings for the McAfee Agent deployment, then click Deploy.
Click Skip Agent Deployment to wait until later to perform this action. But you must deploy agents
before you can deploy your other security software.
c Select the software packages that you want to deploy to your managed systems, then click
Deploy.
11 On the Configuration Summary page, click Finish to close the Guided Configuration.
Create user accounts and configure permission sets: User accounts provide a means for
users to access the server, and permission sets grant rights and access to McAfee ePO features.
Configure advanced server settings and features: Your McAfee ePO server provides
advanced features and functionality to help you automate the management of your network
security.
See also
What's in the Software Manager on page 157
Use automatic Product Installation Status on page 42
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Proxy Settings from the Setting Categories, then click Edit.
2 Select Configure the proxy settings manually, provide the specific configuration information your proxy
server uses for each set of options, then click Save.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Select Menu | Configuration | Server Settings, select License Key from the Setting Categories, then click Edit.
Add the McAfee ePO server certificate to the browser's collection of trusted certificates.
Add the certificate for every browser that interacts with McAfee ePO. If the browser certificate
changes, add the server certificate again.
(Recommended) Replace the default McAfee ePO server certificate with a valid certificate signed by
a certificate authority (CA) that the browser trusts. You only need to add the certificate once for
web browsers in your environment.
If the server host name changes, replace the server certificate with a new trusted CA certificate.
To replace the McAfee ePO server certificate, you must first obtain the certificate signed by a trusted
CA. You must also obtain the certificate's private key and its password (if it has one). Then you can
use all these files to replace the server's certificate.
The McAfee ePO browser expects the linked files to use the following format:
Server certificate: P7B or PEM
If the server certificate or private key is not in these formats, convert to one of the supported formats
before replacing the default certificate.
If your organization requires a higher standard of encryption, replace the default SHA-256 certificate
with one that uses SHA-384 or higher.
Task
For details about product features, usage, and best practices, click ? or Help.
b From the Setting Categories list, select Server Certificate, then click Edit.
You can create your own self-signed certificate with OpenSSL.
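An added example, not taken from the McAfee guide: one way to create a self-signed SHA-384 certificate in PEM format with OpenSSL, confirm that the certificate, private key and host name agree, and produce a P7B copy. It assumes OpenSSL 1.1.1 or later is on the PATH; the host name, file names, key size and 365-day lifetime are placeholders chosen for this example.

```powershell
# Added example, not McAfee's procedure. Requires OpenSSL 1.1.1 or later on PATH.
# The host name and file names are placeholders chosen for this example.
$HostName = 'epo01.example.test'
$KeyFile  = 'epo-server.key.pem'
$CertFile = 'epo-server.cert.pem'
$P7bFile  = 'epo-server.cert.p7b'

function Assert-OpenSslOk([string]$Step) {
    # openssl reports failure through its exit code, not a PowerShell error.
    if ($LASTEXITCODE -ne 0) { throw "openssl failed during: $Step" }
}

# 1. Create a 3072-bit RSA key and a self-signed certificate signed with SHA-384.
#    -nodes writes the key without a password, so restrict access to the key file;
#    omit -nodes to be prompted for a password instead.
& openssl req -x509 -newkey rsa:3072 -sha384 -nodes -days 365 `
    -subj "/CN=$HostName" -addext "subjectAltName=DNS:$HostName" `
    -keyout $KeyFile -out $CertFile
Assert-OpenSslOk 'certificate creation'

# 2. Read back the signature algorithm and require SHA-384 or SHA-512.
$sigLine = & openssl x509 -in $CertFile -noout -text |
    Select-String -Pattern 'Signature Algorithm:\s*(\S+)' |
    Select-Object -First 1
Assert-OpenSslOk 'certificate dump'
$sigAlg = $sigLine.Matches[0].Groups[1].Value
if ($sigAlg -notmatch 'sha(384|512)') {
    throw "Certificate is signed with $sigAlg, expected SHA-384 or higher"
}

# 3. Confirm the private key belongs to the certificate by comparing public keys.
$certPub = (& openssl x509 -in $CertFile -noout -pubkey) -join "`n"
Assert-OpenSslOk 'public key extraction from certificate'
$keyPub = (& openssl pkey -in $KeyFile -pubout) -join "`n"
Assert-OpenSslOk 'public key extraction from private key'
if ($certPub -ne $keyPub) {
    throw 'The private key does not belong to this certificate'
}

# 4. Confirm the certificate covers the server host name. A renamed server
#    needs a new certificate, and this check fails for the old one.
$hostCheck = & openssl x509 -in $CertFile -noout -checkhost $HostName
if ("$hostCheck" -notmatch 'does match') {
    throw "Certificate does not cover host name $HostName"
}

# 5. Optional: wrap the PEM certificate in a P7B (PKCS #7) container.
& openssl crl2pkcs7 -nocrl -certfile $CertFile -out $P7bFile
Assert-OpenSslOk 'P7B conversion'

[pscustomobject]@{
    HostName           = $HostName
    SignatureAlgorithm = $sigAlg
    KeyMatchesCert     = $true
    PemCertificate     = $CertFile
    P7bCertificate     = $P7bFile
}
```

Steps 2 to 4 work unchanged on a CA-signed certificate and its key, so the same checks can be run before uploading either kind.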
Task
For details about product features, usage, and best practices, click ? or Help.
1 From your browser, open McAfee ePO. The Certificate Error: Navigation Blocked page appears.
2 Click Continue to this website (not recommended) to open the logon page. The address bar is red, indicating
the browser cannot verify the security certificate.
3 To the right of the address bar, click Certificate Error to display the Certificate Invalid warning.
4 At the bottom of the warning, click View certificates to open the Certificate dialog box.
Do not click Install Certificate on the General tab. If you do, the process fails.
5 Select the Certification Path tab, then select Orion_CA_<servername>, and click View Certificate. Another dialog
box opens to the General tab, displaying the certificate information.
b Select Place all certificates in the following store, then click Browse to select a location.
c Select the Trusted Root Certificate Authorities folder from the list, click OK, then click Next.
8 Change the target of the McAfee ePO desktop shortcut to use the NetBIOS name of the McAfee ePO
server instead of "localhost."
Now when you log on to McAfee ePO, you are no longer prompted to accept the certificate.
Task
For details about product features, usage, and best practices, click ? or Help.
1 From your browser, open McAfee ePO. The This Connection is Untrusted page appears.
4 Click Get Certificate. The Certification Status information is populated and the Confirm Security
Exception button is enabled.
5 Make sure that Permanently store this exception is selected, then click Confirm Security Exception.
Now when you log on to McAfee ePO, you are no longer prompted to accept the certificate.
The Smart Installer URL is created by default. The URL method is the easiest method to install
the McAfee Agent. However, the system users must have administrator rights to install software,
and until users run the Smart installer, the system is unprotected.
Deploying FramePkg.exe using a logon script works well, but you must know how to create the
script and make it run when the user logs on. Also, until the user logs on, the system is
unprotected.
Adding systems manually from the domain requires organized networks and domains.
Adding systems using Active Directory is the best method for large networks but requires a well
organized Active Directory configuration.
For large networks, you might choose to use one of these methods to add an initial group of systems,
confirm the configuration, then use other methods to add additional systems.
See also
Deploying the McAfee Agent using third-party tools on page 53
Best practice: Using Active Directory to synchronize McAfee Agent deployment on page 55
Best practice: Adding the McAfee Agent to your image on page 55
Create and install the McAfee Agent URL or package on page 52
Add systems to the System Tree manually on page 54
The McAfee Agent establishes a secure connection between the client and McAfee ePO.
McAfee ePO downloads the product software to the client over the secure connection.
The McAfee Agent sends client events and other information back to McAfee ePO.
See also
Adding systems to manage on page 49
Pulling all client tasks from the McAfee ePO server and passing them to the appropriate products
Once a McAfee Agent is installed on a system, you can use it to update most products on that client.
You can use the same McAfee Agent for partner products, reducing overhead.
By default, you can find the McAfee Agent executable file here on your McAfee ePO server:
Your custom McAfee Agent executable file has the communication keys for your specific McAfee ePO
server and a Sitelist.xml file. Without these keys the agents cannot talk to your specific McAfee ePO
server. The Sitelist.xml file tells all your agents how to find the McAfee ePO server using the IP
address and DNS name. This file becomes outdated if you rename your McAfee ePO server or give it a
new IP address.
If you have multiple McAfee ePO servers, you will have multiple unique McAfee Agent files designed to
communicate with the server where the McAfee Agent was created.
If you gave this custom McAfee Agent to your desktop team a year ago, it is probably outdated. It
becomes outdated if you have made changes to your McAfee ePO server such as rebuilding it with a
new IP address, or checked in a newer version of the McAfee Agent to your server.
Deploying agents
The McAfee Agent is a 5-MB executable file that you can execute manually per client or deploy on a
larger scale to hundreds or thousands of nodes.
The McAfee Agent can be deployed to your client systems using any of these methods:
An Agent Deployment URL or McAfee Smart installer
A logon script
Manual execution
Third-party tools
See the McAfee Agent Product Guide for details about these deployment methods.
You can install the McAfee Agent on the systems that you want to manage in multiple ways. Following
are the most popular methods:
McAfee Agent URL installer
These steps are only an overview of the McAfee Agent installation process. See the McAfee Agent
Product Guide for details.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Depending on the method you used to create the installed file, install the URL installer or package
file.
McAfee Agent URL installer: Email the URL to the system users. When the user opens the URL,
they are prompted to download or run the McAfee Agent installer.
McAfee Agent package file: Install the package file using one of these methods:
Manual installation on Windows
Command-line options
Once the agents are installed, it takes multiple agent-server communication intervals before the
managed systems appear in the System Tree as Managed.
3 Select Menu | System | System Tree to confirm that the managed systems have successfully installed the
McAfee Agent and reported back to the McAfee ePO server.
Your McAfee ePO server is now providing protection and managing your clients.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems Section | System Tree, then click the Agent Deployment tab.
3 Specify the URL name, the agent version, and whether the URL applies to all Agent Handlers, or
only specific Agent Handlers.
When a user opens the URL, they are prompted to download or run the McAfee Agent installer. The
installation executable can also be saved and then included in a log-on script.
See also
Create and install the McAfee Agent URL or package on page 52
Microsoft SCCM (formerly known as SMS)
BMC Client Automation (formerly Marimba)
Novell Zenworks
The process used to deploy the McAfee Agent for the first time using these third-party tools is
straightforward. See the McAfee Agent Product Guide for details.
The McAfee Agent file, named FramePkg.exe, has several installation switches. Configure the McAfee
Agent to install itself, at a minimum. Optionally, you can use the /s switch to hide the installation
graphical user interface from the user. Here is an example of this command:
FramePkg.exe /install=agent /s
Make sure that the client systems are reachable from the McAfee ePO server.
Perform these steps to confirm that a few target systems are accessible from the McAfee ePO server:
Use ping commands to test the ability to successfully connect from the McAfee ePO server to
managed systems.
To confirm the Admin$ share folder on Windows target systems is accessible from the McAfee ePO
server, click Windows Start | Run, then type the path to the target system's Admin$ share, specifying
system name or IP address. For example, type:
\\<System Name>\Admin$
If the systems are properly connected over the network, if your credentials have sufficient rights,
and if the Admin$ share folder is present, a Windows Explorer dialog box appears.
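The two checks above, scripted for a short list of targets as an added example that is not part of the McAfee guide. Run it on the McAfee ePO server under the account you plan to use for the agent push; the target names are placeholders, and the TCP 445 test is an extra check added here to tell a blocked port apart from a credential or share problem.

```powershell
# Added example, not part of the McAfee guide. Run on the McAfee ePO server
# as the account you plan to use for the agent push.
# Target names are placeholders; list a few real target systems instead.
$Targets = @('WKSTN-001', 'WKSTN-002', '192.0.2.15')

$report = foreach ($target in $Targets) {
    # Check 1: the ping test from the guide (two ICMP echo requests).
    $ping = Test-Connection -ComputerName $target -Count 2 -Quiet

    # Extra check (not in the guide): is the SMB port reachable at all?
    $smb = (Test-NetConnection -ComputerName $target -Port 445 `
                -WarningAction SilentlyContinue).TcpTestSucceeded

    # Check 2: the Admin$ test from the guide, equivalent to typing
    # \\<System Name>\Admin$ in Start | Run with the current credentials.
    # Test-Path returns $false if the share is missing or access is denied.
    $share = Test-Path -LiteralPath "\\$target\Admin`$" -ErrorAction SilentlyContinue

    # Turn the three results into the most likely next step.
    $diagnosis = if ($share) {
        'Ready for push deployment'
    } elseif ($smb) {
        'SMB reachable but Admin$ not accessible: check credentials and the share'
    } elseif ($ping) {
        'Answers ping but TCP 445 is blocked: check the local firewall'
    } else {
        'No response: system may be turned off or unreachable'
    }

    [pscustomobject]@{
        System     = $target
        Ping       = $ping
        Tcp445     = $smb
        AdminShare = $share
        Diagnosis  = $diagnosis
    }
}

$report | Format-Table -AutoSize
```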
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, then click New Systems on the System Tree page.
2 From the New Systems page, click Push agents and add systems to the current group and Browse.
3 From the NT Domain Credentials dialog box, type this information and click OK.
Domain: Type the domain name with your target systems.
4 On the Browse for Systems page, select the domain server from the Domain list.
The Systems in Selected Domain table lists the systems installed on that domain server.
5 Select the systems or groups of systems to add to the System Tree, then click OK.
The systems you selected appear in the Target Systems field, separated by commas.
6 In Agent Version, select Windows or Non-Windows and the version from the list.
8 Use the defaults for the final settings and click OK.
The systems you selected are added to the System Tree and appear as Unmanaged in the Managed
State column. After multiple agent-server communications to install the product software and update
tasks and policies, the Managed State changes to Managed. This process can take several hours to
complete.
You must have the proper credentials, admin$ share enabled, and no local firewall blocking the
NetBIOS ports on the destination client.
The target system must be turned on. Just because the system exists in AD does not mean that it
is turned on and active on your network.
Agent deployment from the McAfee ePO server works as long as you have a well-maintained AD
structure. If not, you end up with excessive shell systems, or placeholders, in your System Tree. These
shells are systems that have been imported from your AD server but have never received a McAfee
Agent. Shell systems appear in the Managed State column as Unmanaged.
Make sure that your environment is properly covered with agents to avoid these shell systems. These
shell systems cause the following problems:
They leave your System Tree cluttered and unorganized.
They skew your reports and queries because they are only placeholders for systems, not systems
that are actively talking to the McAfee ePO server.
You can filter out these shell systems in your reports, but it is much better to make sure that your
environment is properly covered with a McAfee Agent.
Delete these shell systems using a McAfee ePO server task regularly.
Any required McAfee product and associated policy is pulled from the McAfee ePO server by the
McAfee Agent on your systems.
You have maximum security coverage for all systems in your environment.
You have two options to make the McAfee Agent part of your build process and install it on your
managed systems:
Option 1: Include the McAfee Agent in your Windows image before freezing or finalizing the
image. Make sure that you delete the McAfee Agent GUID before freezing the image.
Option 2: Run the McAfee Agent executable after your image is created using a repeatable
script.
You can install all client products on your managed systems by:
Letting the McAfee Agent automatically call into the McAfee ePO server in 10 minutes and receive
whatever policy and products McAfee ePO dictates.
(Recommended) Making the endpoint products part of your build process and including them in the
original image. See the McAfee Agent Product Guide to install the McAfee Agent on a non-persistent
virtual image, or in Virtual Desktop Infrastructure (VDI) mode.
Here are some pointers to help you decide which option to use:
Advantage or disadvantage: Description
Disadvantage: If you let the McAfee Agent pull multiple endpoint products, it can use too much
bandwidth. If you have bandwidth constraints, make the products part of your
original image.
Advantage: If the endpoint products are part of your imaging process, your build process
can occur on a network where your imaged systems don't have connectivity to
the McAfee ePO server.
Disadvantage: Once you install the McAfee Agent on a client it takes several more minutes to
download, install, and update the products using a client task. This lag occurs
even though the first agent-server communication occurs almost immediately.
Advantage: If timing is a concern, make the McAfee products part of your image. This
avoids the 15-20 minute wait for the products to install, when your systems
might be vulnerable to threats.
Confirm that you deleted the McAfee Agent GUID before freezing the image
Make sure that you delete the McAfee Agent GUID before freezing the image when you make the
McAfee Agent part of your image.
If this registry key is not deleted, all systems with this same image use the same GUID, which causes
problems in your environment. See the McAfee Agent Product Guide for details.
Failure to delete the McAfee Agent GUID from the registry before finalizing your image can make it
hard to manage the images in larger environments. You might have several imaging teams involved or
an outsourcing organization might be building the images. Make sure that your imaging teams
understand how to reset the GUIDs if the computers are not displayed in the McAfee ePO directory.
See KnowledgeBase article How to reset the agent GUID if computers are not displayed in the McAfee
ePO directory, KB56086 for details.
Which permissions your administrators have to access to change the groups in the System Tree
If you are creating your System Tree for the first time, these are the primary options available for
organizing your systems dynamically:
Using Active Directory (AD) synchronization
Best practice: Although you can use AD synchronization with dynamic System Tree sorting, pick one or
the other to avoid confusion and conflicts.
See also
Considerations when planning your System Tree on page 111
My Group: The default subgroup added during the Getting Started initial software installation.
This group name might have been changed during the initial software installation.
Lost and Found: The catch-all subgroup for any systems that have not been or could not be
added to other groups in your System Tree.
See also
Considerations when planning your System Tree on page 111
My Organization group
The My Organization group, the root of your System Tree, contains all systems added to or detected
on your network (manually or automatically).
Until you create your own structure, all systems are added by default to My Group. This group name
might have been changed during the initial software installation.
It can't be deleted.
It can't be renamed.
My Group subgroup
My Group is a subgroup of the My Organization group and is added by default during the Getting
Started initial software installation.
This group name might have been changed during the initial software installation.
When your network computers run the installation URL, they are grouped by default in My Group.
To rename the group, select Menu | Systems | System Tree, in the System Tree groups list click My Group,
then click System Tree Actions | Rename Group.
It can't be deleted.
It can't be renamed.
Its sorting criteria can't be changed from being a catch-all group, although you can provide sorting
criteria for the subgroups that you create within it.
It always appears last in the System Tree list and is not alphabetized among its peers.
Users must be granted permissions to the Lost and Found group to see its contents.
When a system is sorted into Lost and Found, it is placed in a subgroup named for the system's
domain. If no such group exists, one is created.
If you delete systems from the System Tree, make sure that you select Remove McAfee Agent on next
agent-server communication from all systems. If the McAfee Agent is not removed, deleted systems reappear in
the Lost and Found group because the McAfee Agent still communicates with McAfee ePO.
Grouping systems with similar properties or requirements into these units allows you to manage
policies for systems in one place, rather than setting policies for each system individually.
As part of the planning process, consider the best way to organize systems into groups before building
the System Tree.
Inheritance
Inheritance is a property that simplifies policy and task administration. Because of inheritance, child
subgroups in the System Tree hierarchy inherit policies set at their parent groups.
For example:
Policies set at the My Organization level of the System Tree are inherited by all groups below it.
In this example, all policies assigned to the Los Angeles | Server group are inherited by the Windows,
SQL, and Linux child subgroups.
Inheritance is enabled by default for all groups and individual systems that you add to the System
Tree. Default inheritance allows you to set policies and schedule client tasks in fewer places.
To allow for customization, inheritance can be broken by applying a new policy at any location of the
System Tree. You can lock policy assignments to preserve inheritance.
BU: Business unit
After you decide on the basic building blocks for groups in the System Tree, you must determine which
building blocks to use and in which order based on these factors:
Policy assignment: Will you have many custom product policies to assign to groups based on
chassis or function? Will certain business units require their own custom product policy?
Network topology: Do you have sensitive WANs in your organization that can never risk being
saturated by a content update? If you have only major locations, this is not a concern for your
environment.
Client task assignment: When you create a client task, such as an on-demand scan, will you
need to do it at a group level, like a business unit, or system type, like a web server?
Content distribution: Will you have an agent policy that specifies that certain groups must get
their content from a specific repository?
Operational controls: Will you need specific rights delegated to your McAfee ePO administrators
that will allow them to administer specific locations in the tree?
Queries: Will you need many options when filtering your queries to return results from a specific
group in the System Tree?
After you choose the basics for your tree structure, create a few sample System Tree models and look
at the pros and cons of each design. There is no right way or wrong way to build your System Tree,
just pluses and minuses depending on what you choose.
Here are a few of the most commonly used System Tree designs:
GEO -> CHS -> FUNC
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, then click the Systems tab to show a list of managed systems.
If no systems appear, click This Group and All Subgroups in the Preset list.
2 In the Managed State column for each row of systems, confirm that Managed appears.
If Unmanaged appears in the Managed State column, the system was added to the System Tree but
the McAfee Agent and product software are not installed on the system.
3 To display details about a system on the Systems Information page, double-click the system row.
Policies
Dashboards
Becoming familiar with these features and how they are configured provides an understanding about
how McAfee ePO protects your managed systems.
See also
Benefits of product deployment projects on page 177
Choosing a product deployment method on page 176
Command or action: Description
New Systems: Opens the New Systems page where you can add systems to the System Tree.
New Subgroups: Creates a subgroup in the System Tree.
System Tree Action
  New Subgroups: Creates a subgroup in the System Tree.
  Rename Group: Renames the selected group.
  Delete Group: Deletes the selected group or groups.
  Export Systems: Exports a list of systems from the System Tree to a .txt file for later use.
  Sort Now: Sorts selected systems into groups with criteria-based sorting enabled.
Table Actions
  Choose Columns: Opens the Choose Columns page, where you can select the columns to display
  on the System Tree page.
  Export Table: Allows you to export this table.
  Tag: Allows you to change the tags in the Tags column.
  Agent: Specifies the actions that can be taken on agents on the selected systems.
  Directory Management: Specifies the actions that you can use to manage systems in your directory.
See also
Organizing systems with the System Tree on page 111
For example, from the Product list, select McAfee Agent and the Category All.
Policy actions
This table lists the policy changes available on the Policy Catalog page.
Import or Export: Imports or exports all policies and categories selected for the product.
New Policy: Opens the Create a New Policy dialog box, where you can create a policy of
the selected product and category type.
See also
Assigning policies on page 6
Automatically add and update software as it is added or new versions are installed.
For example, from the Client Task Types list, expand McAfee Agent, select McAfee Agent Statistics, and click
Collect All in the Name column.
Command or action: Description
New Task: Opens the Create a New Policy dialog box, where you can create a client task for
the selected product.
Task Catalog actions
  Import: Opens the Import page, where you can import Client Task objects from an XML file.
  Export All: Opens the Export page, where you can export an XML file with all
  client task objects for the products listed in the Task Type pane.
Client task row actions
  View: Double-click the client task name to view the configuration.
  Delete: Deletes the client task.
  Duplicate: Duplicates the client task so that you can change it.
  Assign: Opens the Select a group task page, where you can identify a group in
  your System Tree to assign this task.
  Share or Unshare: Click to share or unshare the client task with other McAfee ePO servers.
See also
Client tasks on page 216
For example, to familiarize yourself with server task configuration, in the Name column, find Download
Software Product List and click View in the Actions column.
Command or action: Description
New Task: Starts the Server Task Builder, where you can create and schedule a server task.
Import Tasks: Opens the Import Scheduled Task page, where you can select the file to be imported.
Table Actions after you select a server task
  Choose Columns: Opens a dialog box that allows you to select which columns to display.
  Delete: Deletes the server task.
  Duplicate: Duplicates the server task so that you can change it.
  Edit: Opens the Server Task Builder page with the settings of the selected
  server task loaded, so that you can edit and save the settings.
  Enable or Disable: Enables or disables the selected tasks. When a task is
  disabled, it does not run, even if scheduled.
  Export Table: Opens the Export page. Use this option to specify the format and
  the package of files to be exported. You can save or email the exported file.
  Export Tasks: Opens the Export page. Use this option to specify the format and
  the package of files to be exported. You can save or email the exported file.
  Run: Immediately runs the server task.
  View: Allows you to view the server task configuration.
Server task row Actions
  View: Allows you to view the server task configuration.
  Edit: Opens the Server Task Builder page with the settings of the selected
  server task loaded, so that you can edit and save the settings.
  Run: Immediately runs the server task.
See also
Server tasks on page 213
Dashboard example
McAfee created several default dashboards and monitors for McAfee ePO systems in an average
environment. To see the default dashboards and monitors and their configuration, select Menu |
Reporting | Dashboards.
The initial dashboard that appears depends on which phase of initial configuration you are in. For the
first 24 hours, after you log on to McAfee ePO, the Getting Started with McAfee ePolicy Orchestrator
dashboard appears. After that time the ePO Summary dashboard is the default.
To familiarize yourself with dashboard configuration, in the Dashboards list, click Executive Dashboard,
Guided Configuration, or any of the dashboards added for your product software.
Dashboard actions
This table lists the actions available on the Dashboards page.
See also
Dashboards and monitors on page 4
To familiarize yourself with queries and how they work, select the Queries tab in the Queries and
Reports page. In the Groups list, click All to expand the list. You can now view queries in the Queries
tab. For example, Agent Communication Summary. In the Agent Communication Summary row Actions column, click
Run.
A pie chart displays the number of managed systems and how many are compliant with the default
McAfee ePO policy.
Command or action: Description
New Query or New Report: Opens the Query Builder page or reports toolbox so that you can start
creating your own query or report.
Import Query or Import Report: Imports a previously saved XML file to the selected group.
Group Actions
  New Group: Opens the Edit Group page where you can edit the name and
  visibility of the selected group.
  Delete Group: Deletes all queries or reports in the selected group.
  Edit Group: Opens the New Group dialog box where you can create a query group.
See also
Generating queries and reports on page 4
Learn how to trace an event from your managed systems to McAfee ePO.
See how and where the threat events appear in the McAfee ePO user interface.
Tasks
Run a sample threat on a managed system on page 73
You physically log on to a managed system or remotely log on to that system to run an
anti-malware test file.
Choose a system that's not running critical processes. For example, don't run the anti-malware test
file on a server.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, then click the Systems tab to show a list of managed systems.
If no systems appear, click This Group and All Subgroups in the Preset list.
2 Click a system in the System Name column to open the System Information page.
3 Scroll down the list to find the information you need to remotely log on to the test system. For
example, you can use this information:
DNS Name
IP Address
System Description
4 Click the Products tab to see a list of products and versions installed on the test system.
5 Confirm that Endpoint Security Threat Prevention is installed on the test system.
You now have the information to remotely log on to the test system and run the anti-malware test file.
See also
Confirm system management from the System Tree on page 61
Task
For details about product features, usage, and best practices, click ? or Help.
Using a remote connection process, for example Windows Remote Desktop Connection, to log
on.
2 Using a web browser, connect to the EICAR site to download the anti-malware test file from:
http://www.eicar.org/86-0-Intended-use.html
3 Follow the instructions to download and run the 68-Byte eicar.com anti-malware test file.
The anti-malware test file either runs and is deleted or the file is blocked before it can run.
4 In Windows, click Start | All Programs | McAfee | McAfee Endpoint Security, then click Status.
A threat Summary lists the type of threat and the number of threats received.
5 Click Event Log to display the threat events in the Event table.
The bottom pane of the table lists the threat event details.
Task
For details about product features, usage, and best practices, click ? or Help.
2 In the title bar of the Dashboards list, select one of the dashboards described in this table.
3 Click Menu | Reporting | Threat Event Log to see a description of the recent threat.
Event Category
4 Click the event in the table to see all details about the threat.
5 At the end of the threat details, click Go to related Systems to see the detailed information about the
affected system.
See also
Run a sample threat on a managed system on page 73
What to do next
After you have performed all initial configuration and made sure that your managed systems are
protected, you might want to consider other configuration steps, depending on your network security
needs.
Simple additional steps to help you manage McAfee ePO include:
Organize your System Tree to reflect the geographic, political, or functional borders.
Run maintenance tasks to optimize and protect your McAfee ePO server data.
Usually, related monitors are grouped on a specific dashboard. For example, the Threat Events
dashboard contains four monitors that display information about threats to your network.
You must have the right permissions to view or modify dashboards and monitors.
Contents
Using dashboards and monitors
Manage dashboards
Export and import dashboards
Specify first-time dashboards
Manage dashboard monitors
Move and resize dashboard monitors
Set default monitor refresh intervals
The McAfee ePO console has a default dashboard that appears the first time you log on. The next time
you log on, the Dashboards page displays the last dashboard you used.
If you have deleted all default dashboards, when you start McAfee ePO, this text appears in the middle
of the dashboards page: No dashboards are configured. Create a new dashboard or import an existing dashboard.
You can switch dashboards by selecting a different dashboard from the drop-down list. There are three
different kinds of dashboards you can choose from.
McAfee Dashboards: McAfee dashboards are not editable, and can be viewed by all users. You can
duplicate a McAfee Dashboard as a starting point for your own customized dashboards.
Public Dashboards: Public dashboards are user-created dashboards that are shared across users.
Private Dashboards: These are the dashboards you have created for your own use. Private
dashboards are not shared across users.
When you create a private or public dashboard, you can drag and drop the monitors you want from
the Monitor Gallery to the new dashboard.
See also
Manage dashboards on page 80
Manage dashboard monitors on page 83
Export and import dashboards on page 81
Manage dashboards
Create, edit, duplicate, delete, and assign permissions to dashboards.
The default dashboards and predefined queries, shipped with ePolicy Orchestrator, cannot be modified
or deleted. To change them, duplicate, rename, and modify the renamed dashboard or query.
Task
For details about product features, usage, and best practices, click ? or Help.
Action: Steps
Create a dashboard: To create a different view on your environment, create a new dashboard.
1 Click Dashboard Actions | New.
Edit and assign permissions to a dashboard: Dashboards are only visible to users with proper
permission. Dashboards are assigned permissions identically to queries or reports. They can either
be entirely private, entirely public, or shared with one or more permission sets.
1 Click Dashboard Actions | Edit.
2 Select a permission:
Private: Do not share this dashboard
Public: Share this dashboard with everyone
Shared: Share this dashboard with the following permission sets
With this option, you must also choose one or more permission sets.
3 Click OK to change the dashboard.
It is possible to create a dashboard with more expansive permissions than one or
more queries contained on the dashboard. If you do this, users that have access
to the underlying data will see the query when opening the dashboard. Users
that do not have access to the underlying data will receive a message telling
them they do not have permission for that query. If the query is private to the
dashboard creator, only the dashboard creator can modify the query or remove it
from the dashboard.
Action: Duplicate a dashboard
Sometimes the easiest way to create a new dashboard is to copy an existing one that's close to what you want.
1 Click Dashboard Actions | Duplicate.
2 ePolicy Orchestrator names the duplicate by appending " (copy)" to the existing
name. If you want to modify this name, do so now and click OK.
The duplicated dashboard now opens.
The duplicate is an exact copy of the original dashboard including all permissions.
Only the name is changed.
See also
Using dashboards and monitors on page 79
A dashboard exported as an XML file can be imported to the same or a different system.
Task
Action: Export dashboard
1 Click Dashboard Actions | Export.
Your browser attempts to download an XML file according to your browser
settings.
2 Save the exported XML file to an appropriate location.
3 Click Save.
The Import Dashboard confirmation dialog box appears. The name of the
dashboard in the file is displayed, as well as how it will be named in the system.
By default, this is the name of the dashboard as exported with (imported)
appended.
4 Click OK. If you do not want to import the dashboard, click Close.
The imported dashboard is displayed. Regardless of their permissions at the time
they were exported, imported dashboards are given private permissions. If you
want them to have different permissions, change them after you import the
dashboard.
See also
Using dashboards and monitors on page 79
Task
c Click Edit.
2 Next to Default dashboard for specific permission sets, specify the default dashboard that appears for each
permission set. Select a permission set and default dashboard from the menus.
Use the add and remove icons to add or remove permission set and dashboard pairs. You don't have to specify
a default dashboard for every permission set.
The order of the pairs determines which default dashboard appears to users with more than one
assigned permission set.
3 Click Save.
The first time a user logs on, the dashboard you specified for their permission set appears.
Subsequent logons return the user to the page they were on when they logged off.
If you do not have the necessary rights or product licenses to view a monitor, or if the underlying
query for the monitor is no longer available, a message displays in place of the monitor.
Task
1 Select Menu | Reporting | Dashboards. Select a dashboard from the Dashboard drop-down list.
Action: Add a monitor
1 Click Add Monitor.
The Monitor Gallery appears at the top of the screen.
2 Select a monitor category from the View drop-down list.
The available monitors in that category appear in the gallery.
3 Drag a monitor onto the dashboard. As you move the cursor around the dashboard,
the nearest available drop location is highlighted. Drop the monitor in the
location you want.
The New Monitor dialog appears.
4 Configure the monitor as needed (each monitor has its own set of configuration
options), then click OK.
5 After you have added monitors to this dashboard, click Save Changes to save the
newly configured dashboard.
6 When you have completed your changes, click Close.
If you add a Custom URL Viewer monitor that contains Adobe Flash content or ActiveX
controls to a dashboard, it is possible the content might obscure McAfee ePO menus,
making portions of the menu inaccessible.
Action: Edit a monitor
Every monitor type supports different configuration options. For example, a query monitor allows the query, database, and refresh interval to be changed.
1 Choose a monitor to manage, click the arrow in its top-left corner, and select Edit
Monitor.
The monitor's configuration dialog appears.
2 When you have completed modifying the monitor's settings, click OK. If you decide
to not make changes, click Cancel.
3 If you decide to save the resulting changes to the dashboard, click Save, otherwise
click Discard.
Action: Remove a monitor
1 Choose a monitor to remove, select the arrow in its top-left corner, and select Remove Monitor.
The monitor's configuration dialog appears.
2 When you are finished modifying the dashboard, click Save Changes. To revert the
dashboard to its prior state, click Discard Changes.
See also
Using dashboards and monitors on page 79
You can change the size of many dashboard monitors. If the monitor has small diagonal lines in its
bottom-right corner, you can resize it. Monitors are moved and resized through drag and drop within
the current dashboard.
Task
2 When the background outline has shifted to the location you want, drop the monitor.
If you attempt to drop the monitor in an invalid location, it returns to its prior location.
2 When the background outline has changed shape to a size you want, drop the monitor.
If you attempt to resize the monitor to a shape not supported in the monitor's current
location, it returns to its prior size.
2 Click Save Changes. To revert to the prior configuration, click Discard Changes.
Task
c Click Edit.
2 Next to Default refresh interval for new monitors, enter a value between one minute and 60 hours.
3 Click Save.
New monitors are refreshed according to the interval you specified. Existing monitors retain their
original refresh interval.
Users can always change the refresh interval of an individual monitor in the Edit Monitor window.
McAfee ePO comes with its own querying and reporting capabilities.
Included are the Query Builder and Report Builder, which create and run queries and reports that
result in user-configured data in user-configured charts and tables. The data for these queries and
reports can be obtained from any registered internal or external database in your ePolicy Orchestrator
system.
In addition to the querying and reporting systems, you can use these logs to gather information about
activities on your McAfee ePO server and your network:
Audit Log
Contents
Query and report permissions
About queries
Query Builder
Work with queries
About reports
Structure of a report
Create a report
Edit an existing report
Run a report on a schedule
View report output
Configure the template and location for exported reports
Group reports together
Groups and permission sets control access to queries and reports. All queries and reports must belong
to a group, and access to that query or report is controlled by the permission level of the group. Query
and report groups have one of the following permission levels:
Private: The group is only available to the user that created it.
By permission set: The group is only available to users assigned the selected permission sets.
Permission sets have four levels of access to queries or reports. These permissions include:
No permissions: The Query or Report tab is not available to users with no permissions.
Use public queries: Grants permission to use any queries or reports that have been placed in a Public group.
Use public queries; create and edit personal queries: Grants permission to use any queries or reports that have been placed in a Public group, as well as the ability to use the Query Builder to create and edit queries or reports in Private groups.
Edit public queries; create and edit personal queries; make personal queries public: Grants permission to use and edit any queries or reports placed in Public groups, create and edit queries or reports in Private groups, as well as the ability to move queries or reports from Private groups to Public or Shared groups.
About queries
Queries enable you to poll McAfee ePO data. Information gathered by queries is returned in the form
of charts and tables.
A query can be used to get an answer right now. Query results can be exported to several formats,
any of which can be downloaded or sent as an attachment to an email message. Most queries can also
be used as dashboard monitors, enabling near real-time system monitoring. Queries can also be
combined into reports, giving a broader and more systematic look at your McAfee ePO software system.
The default dashboards and predefined queries shipped with McAfee ePO cannot be modified or
deleted. But you can duplicate them, then rename and modify them as needed.
Exported results
Query results can be exported to four formats. Exported results are historical data and are not
refreshed like other monitors when used as dashboard monitors. Like query results and query-based
monitors displayed in the console, you can drill down into the HTML exports for more detailed
information.
Unlike query results in the console, data in exported reports is not actionable.
CSV: Use the data in a spreadsheet application (for example, Microsoft Excel).
Query Builder
McAfee ePO provides an easy, four-step wizard that is used to create and edit custom queries. With
the wizard, you can configure which data is retrieved and displayed, and how it is displayed.
Result types
The first selections you make in the Query Builder are the Schema and result type from a feature
group. This selection identifies from where and what type of data the query retrieves, and determines
the available selections in the rest of the wizard.
Chart types
McAfee ePO provides a number of charts and tables to display the data it retrieves. These charts and
their drill-down tables are highly configurable.
List Table
Table columns
Specify columns for the table. If you select Table as the primary display of the data, this configures that
table. If you select a type of chart as the primary display of data, it configures the drill-down table.
Query results displayed in a table are actionable. For example, if the table is populated with systems,
you can deploy or wake up agents on those systems directly from the table.
Filters
Specify criteria by selecting properties and operators to limit the data retrieved by the query.
Tasks
Manage custom queries on page 90
You can create, duplicate, edit, and delete queries as needed.
Run a query on a schedule on page 92
A server task is used to run a query regularly. Queries can have sub-actions that allow you
to perform various tasks, such as emailing the query results or working with tags.
Create a query group on page 92
Query groups allow you to save queries or reports without allowing other users access to
them.
Task
1 Open the Queries & Reports page: select Menu | Reporting | Queries & Reports.
Action: Create custom query
1 Click New Query, and the Query Builder appears.
2 On the Result Type page, select the Feature Group and Result Type for this query, then
click Next.
3 Select the type of chart or table to display the primary results of the query, then
click Next.
If you select Boolean Pie Chart, configure the criteria to include in the query before
proceeding.
4 Select the columns to be included in the query, then click Next.
If you selected Table on the Chart page, the columns you select here are the
columns of that table. Otherwise, these columns make up the query details table.
5 Select properties to narrow the search results, then click Run.
The Unsaved Query page displays the results of the query, which is actionable. You
can take any available action on items in any table or drill-down table.
Selected properties appear in the content pane with operators that can specify
criteria used to narrow the data that is returned for that property.
If the query didn't return the expected results, click Edit Query to go back to the
Query Builder and edit the details of this query.
If you don't want to save the query, click Close.
If you want to use this query again, click Save and continue to the next step.
6 The Save Query page appears. Type a name for the query, add any notes, and
select one of the following:
New Group: Type the new group name and select either:
Private group (My Groups)
Public group (Shared Groups)
Existing Group: Select the group from the list of Shared Groups.
7 Click Save.
The new query appears in the Queries list.
Action: Duplicate query
1 From the list, select a query to copy, then click Actions | Duplicate.
2 In the Duplicate dialog box, type a name for the duplicate and select a group to
receive a copy of the query, then click OK.
The duplicated query appears in the Queries list.
Action: Edit query
1 From the list, select a query to edit, then click Actions | Edit.
Action: Delete query
1 From the list, select a query to delete, then click Actions | Delete.
2 When the confirmation dialog box appears, click Yes.
The query no longer appears in the Queries list. If any reports or server tasks used
the query, they now appear as invalid until you remove the reference to the deleted
query.
Task
2 On the Description page, name and describe the task, then click Next.
4 In the Query field, browse to the query that you want to run.
6 From the Sub-Actions list, select an action to take based on the results. Available sub-actions depend
on the permissions of the user, and the products managed by your McAfee ePO server.
You are not limited to selecting one action for the query results. Click the + button to add actions to
take on the query results. Be careful to place the actions in the order you want them to be taken on
the query results.
7 Click Next.
The task is added to the list on the Server Tasks page. If the task is enabled (which it is by default), it
runs at the next scheduled time. If the task is disabled, it only runs when you click Run next to the
task on the Server Tasks page.
You can also create private query groups while saving a custom query.
Task
1 Select Menu | Reporting | Queries & Reports, then click Group Actions | New Group.
Public group: Adds the new group under Shared Groups. Any user with access to public queries and reports can view queries and reports in the group.
Shared by permission set: Adds the new group under Shared Groups. Only users assigned the selected permission sets can access reports or queries in this group.
Administrators have full access to all Shared by permission set and Public group queries.
4 Click Save.
About reports
Reports package query results into a PDF document, enabling offline analysis.
Generate reports to share information about your network environment with security administrators
and other stakeholders.
Reports are configurable documents that display data from one or more queries, drawing data from
one or more databases. The most recently run result for every report is stored in the system and is
readily available for viewing.
You can restrict access to reports by using groups and permission sets in the same way you restrict
access to queries. Reports and queries can use the same groups, and because reports primarily
consist of queries, this configuration allows for consistent access control.
Structure of a report
Reports contain a number of elements held within a basic format.
While reports are highly customizable, they have a basic structure that contains all varying elements.
Page sizes:
Orientation:
Landscape
Portrait
Page Number
Page elements
Page elements provide the content of the report. They can be combined in any order, and can be
duplicated as needed. Page elements provided with McAfee ePO are:
Page breaks
Create a report
You can create reports and store them in McAfee ePO.
Task
1 Select Menu | Reporting | Queries & Reports, then select the Report tab.
3 Click Name, Description and Group. Name the report, describe it, and select an appropriate group. Click
OK.
4 You can now add, remove, rearrange elements, customize the header and footer, and change the
page layout. At any point, click Run to check your progress.
Task
1 Select Menu | Reporting | Queries & Reports, then select the Report tab.
2 Select a report from the list by selecting the checkbox next to its name.
3 Click Edit.
Tasks
Add elements to a report on page 95
You can add new elements to an existing report.
Configure image report elements on page 95
Upload new images and modify the images used within a report.
Configure text report elements on page 96
You can insert static text within a report to explain its contents.
Configure query table report elements on page 96
Some queries are better displayed as a table when inside a report.
Configure query chart report elements on page 97
Some queries are better displayed as a chart when inside a report.
Customize a report on page 97
Customize a report layout to add, remove, or move the objects that you need.
Task
1 Select an element from the Toolbox and drag and drop it over the Report Layout.
Report elements other than Page Break require configuration. The configuration page for the
element appears.
Task
1 To configure an image already in a report, select the arrow at the top left corner of the image, then
click Configure.
This displays the Configure Image page. If you are adding an image to the report, the Configure
Image page appears immediately after you drag and drop the Image element onto the report.
3 To use a new image, click Browse and select the image from your computer, then click OK.
4 To specify an image width, enter the width in the Image Width field.
By default, the image is displayed in its existing width without resizing unless that width is wider
than the available width on the page. In that case, it is resized to the available width keeping
aspect ratio intact.
5 Select if you want the image aligned left, center, or right, then click OK.
Task
1 To configure text already in a report, click the arrow at the top left corner of the text element. Click
Configure.
This displays the Configure Text page. If you are adding new text to the report, the Configure Text
page appears immediately after you drop the Text element onto the report.
2 Edit the existing text in the Text edit box, or add new text.
5 Click OK.
The text you entered appears in the text element within the report layout.
Task
1 To configure a table already in a report, click the arrow at the top left corner of the table. Click
Configure.
This displays the Configure Query Table page. If you are adding a query table to the report, the
Configure Query Table page appears immediately after you drop the Query Table element onto the
report.
3 Select the database from the Database drop-down list to run the query against.
5 Click OK.
Task
1 To configure a chart already in a report, click the arrow at the top left corner of the chart. Click
Configure.
This displays the Configure Query Chart page. If you are adding a query chart to the report, the
Configure Query Chart page appears immediately after you drop the Query Table element onto the
report.
3 Select whether to display only the chart, only the legend, or a combination of the two.
4 If you have chosen to display both the chart and legend, select how the chart and legend are
placed relative to each other.
7 Click OK.
Customize a report
Customize a report layout to add, remove, or move the objects that you need.
Task
2 Select a report and click Actions | Edit, then perform the required actions.
Action: Customize report headers and footers
Headers and footers provide information about the report.
The 6 fixed locations in the header and footer contain different data fields:
Header fields: The header contains 3 fields. One left-aligned logo and 2
right-aligned fields, one above the other. These fields can contain one of the 4
values:
Nothing
Date/Time
Page Number
User name of the user running the report
Footer fields: The footer contains 3 fields. One left-aligned, one centered, and
one right-aligned. These 3 fields can also contain the listed values and custom
text.
To customize the headers and footers, perform these steps:
1 Click Header and Footer.
2 By default, reports use the system setting for headers and footers. If you do
not want this, deselect Use Default Server Setting.
To change the system settings for headers and footers, select Menu | Configuration
| Server Settings, then select Printing and Exporting and click Edit.
3 To change the logo, click Edit Logo.
a If you want the logo to be text, select Text and enter the text in the edit box.
b To upload a new logo, select Image then browse to and select the image on
your computer and click OK.
c To use a previously uploaded logo, select it.
d Click Save.
4 Change the header and footer fields to show the data you want, then click OK.
Action: Reorder elements in a report
You can change the order in which elements appear in a report.
1 To move an element, click the title bar of the element and drag it to a new position.
The element positioning under the dragged element shifts as you move the
cursor around the report. Red bars appear on either side of the report if the
cursor is over an illegal position.
2 When the element is positioned where you want it, drop the element.
3 Click Save.
Task
2 Name the task, describe it, and assign a schedule status, then click Next.
If you want the task to be run automatically, set the Schedule status to Enabled.
3 From the Actions drop-down list, select Run Report. Select the report to run and the target language,
then click Next.
4 Choose a schedule type (frequency), dates, and time to run the report, then click Next.
The schedule information is used only if you enable Schedule status.
Whenever a report runs, the prior results are erased and cannot be retrieved. If you are interested in
comparing different runs of the same report, archive the output elsewhere.
Task
In the report list, you see a Last Run Result column. Each entry in this column is a link to retrieve the
PDF that resulted from the last successful run of that report. Click a link from this column to
retrieve a report.
A PDF opens within your browser, and your browser behaves as you have configured it for that file
type.
Headers and footers, including a custom logo, name, and page numbering.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Server Settings, then select Printing and Exporting in the Settings list.
3 In the Headers and footers for exported documents section, click Edit Logo to open the Edit Logo page.
a Select Text and type the text you want included in the document header, or do one of the
following:
Select Image and browse to the image file, such as your company logo.
4 From the drop-down lists, select any metadata that you want displayed in the header and footer.
6 Type a new location or accept the default location to save exported documents.
7 Click Save.
Task
1 Select Menu | Reporting | Queries & Reports, then select the Report tab.
4 Select a group from the Report Group drop-down list and click OK.
When you select the chosen group from the Groups list in the left pane of the report window, the report
appears in the report list.
Disaster Recovery helps you quickly recover or reinstall your McAfee ePO software. Disaster Recovery
uses a Snapshot feature that periodically saves your McAfee ePO configuration, extensions, keys, and
more to Snapshot records in the McAfee ePO database.
Contents
What is Disaster Recovery?
Disaster Recovery components
How Disaster Recovery works
Create Snapshot
Configure Disaster Recovery server settings
New McAfee ePO server hardware with the original server name and IP address: Allows you to upgrade, or restore, your server hardware, and quickly resume managing your network systems.
New McAfee ePO server hardware with a new server name and IP address: Allows you to move your server from one domain to another.
This example can provide a temporary network management solution while you rebuild and reinstall your McAfee ePO server hardware and software back to its original domain.
Restored or new McAfee ePO server hardware with multiple network interface cards (NICs): You must confirm that the correct IP address is configured for the McAfee ePO server NIC.
The Snapshot is configured, depending on your SQL database version, to automatically run every day.
If you configure a script to automatically run the SQL Backup and to copy the SQL backup file to your
restore SQL database server, then you can more easily restore your McAfee ePO server. In addition,
you can manually take a Snapshot or run your scripts to quickly save and back up complex or
important McAfee ePO changes.
The Disaster Recovery Snapshot monitor, found on your McAfee ePO dashboard, allows you to manage
and monitor your Snapshots in one place.
Duplicate SQL Server hardware, referred to as your "restore" server, running Microsoft SQL that
matches your primary McAfee ePO server database. Keep the restore server up to date with the
latest primary McAfee ePolicy Orchestrator SQL database server configuration using Snapshot and
Microsoft SQL backup processes.
To avoid backup and restore problems, closely match your primary and restore server hardware and
SQL versions.
If the Snapshot monitor does not appear in your Dashboard, create a dashboard and add the Disaster
Recovery monitor.
Click See details of last run to open the Server Task Log Details page. This page displays information and log
messages about the most recent Snapshot saved.
Confirm the date and time the last Snapshot was saved to the SQL database, next to Last Run At.
Click the Disaster Recovery link to access additional Disaster Recovery information.
The color and title of the Snapshot monitor tells you the status of your latest Snapshot. For example:
Blue, Saving Snapshot to Database: Snapshot process is in progress.
Orange, Snapshot Out of Date: Changes to the configuration have occurred and a recent Snapshot has not been saved. Changes that trigger a Snapshot Out of Date status include:
Any extension changed. For example updated, removed, deleted, upgraded, or downgraded.
The Snapshot server task schedule is enabled, by default, for the Microsoft SQL Server database and
disabled, by default, for the Microsoft SQL Server Express database.
Requirement: Description

Hardware requirements
Primary McAfee ePO server hardware: The server hardware requirements determine the number of systems managed. You could have the McAfee ePO server and SQL Server database installed on the same or separate server hardware. See the McAfee ePolicy Orchestrator Installation Guide for detailed hardware requirements.
Restore McAfee ePO server hardware: For best results, closely mirror your primary McAfee ePO server hardware.
Primary McAfee ePO server: Run the primary server with a recent Snapshot saved in the SQL database.
Primary SQL database: The primary SQL database stores the McAfee ePO server configuration, client information, and Disaster Recovery Snapshot records.

Software requirements
Backup file of primary SQL database: Using either the Microsoft SQL Server Management Studio or the BACKUP (Transact-SQL) command line, you can create a backup file of the primary database including the Snapshot records.
Restore SQL database software: Using the Microsoft SQL Server Management Studio or the RESTORE (Transact-SQL) command line, you can restore the primary SQL database including the Snapshot records on the restore SQL database server.
McAfee ePO software: This software, downloaded from the McAfee website, is used to install and configure the restore McAfee ePO server.

Information requirements
Disaster Recovery Keystore encryption passphrase: This passphrase was added during the initial installation of the McAfee ePO software and decrypts sensitive information stored in the Disaster Recovery Snapshot.
Administrator rights: You must be able to access both the primary and restore servers and the SQL database as, for example, DBOwner and DBCreator.
Last known IP address, DNS name, or NetBIOS name of the primary McAfee ePO server: If you change any one of these items during the McAfee ePO server restore, ensure that the agents have a way to locate the server. The easiest method is to create a Canonical Name (CNAME) record in DNS that points requests from the old IP address, DNS name, or NetBIOS name of the primary McAfee ePO server to the restore McAfee ePO server information.
This is an overview of the Disaster Recovery Snapshot, SQL database backup, and copying processes.
The following diagram is an overview of the McAfee ePO software Disaster Recovery process and the
hardware involved.
In this diagram, the SQL database is installed on the same server hardware as the McAfee ePO server.
The McAfee ePO server and SQL database can be installed on different server hardware.
Figure 7-1 McAfee ePO server Disaster Recovery Snapshot and backup
The Disaster Recovery configuration includes these general steps performed on the primary McAfee
ePO server:
Take a Snapshot of the McAfee ePO server configuration and save it to the primary SQL
database. This step can be done manually or via a default server task.
When the Snapshot is taken, these database files are saved:
Location: C:\Program Files\McAfee\ePolicy Orchestrator\Server\extensions
Description: The default path to McAfee ePO software extension information.
Location: C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf
Description: The default path to required files used by the McAfee ePO software extensions.
Location: C:\Program Files\McAfee\ePolicy Orchestrator\Server\keystore
Description: These keys are specifically for McAfee ePO agent-server communication and the repositories.
Location: C:\Program Files\McAfee\ePolicy Orchestrator\Server\DB\Keystore
Description: The default path to the McAfee product installation server certificates.
Location: C:\Program Files\McAfee\ePolicy Orchestrator\Server\DB\Software
Description: The default path to the McAfee product installation files.
The Disaster Recovery Snapshot records saved include the paths you have configured for your
registered executables. The registered executable files are not backed up and you must replace
those executable files when you restore the McAfee ePO server. After you restore the McAfee
ePO server, any registered executables with broken paths are red on the Registered Executables
page.
Test your registered executable paths after you restore your McAfee ePO server. Some registered
executable paths might not appear red, but still fail because of dependency issues related to the
registered executables.
Back up the SQL database using the Microsoft SQL Server Management Studio or the BACKUP
(Transact-SQL) command-line process.
Copy the SQL database backup file to the duplicate restore SQL Server.
The McAfee ePO server Disaster Recovery Snapshot and backup process is complete. You do not need
to continue with the McAfee ePO server recovery installation unless you are reinstalling the McAfee
ePO software.
This topic is an overview of reinstalling the McAfee ePO software on the restore McAfee ePO server. For
details, see the installation guide.
The following diagram is an overview of the McAfee ePO server reinstallation. In this diagram, the SQL
database is installed on the same server hardware as the McAfee ePO server. The McAfee ePO server
and SQL database can be installed on different server hardware.
The McAfee ePO software installation using the Disaster Recovery Snapshot file includes these general
steps performed on the McAfee ePO restore server:
Find the SQL database backup file of the previous section. Use the Microsoft SQL Server
Management Studio or the RESTORE (Transact-SQL) command-line process to restore the
primary SQL Server configuration to the restore SQL Server.
During the McAfee ePO database software installation:
1 On the Software Welcome dialog box, click restore from Snapshot.
2 Select Microsoft SQL Server to link the McAfee ePO software to the restore SQL database that had
the primary McAfee ePO server configuration.
After the McAfee ePO software installation is started, the database records saved during the
Snapshot process are used in the software configuration instead of creating records in the
database.
Ensure that the agents can reconnect to the restore McAfee ePO server by creating a CNAME
record in DNS. This record redirects requests from the old IP address, DNS name, or NetBIOS
name of the primary McAfee ePO server to the new information for the restore McAfee ePO
server.
Now the McAfee ePO restore server is running with the exact same configuration as the primary
server. The clients can connect to the restore server and you can manage them exactly as before the
primary McAfee ePO server was removed.
See also
What is Disaster Recovery?
Create Snapshot
Creating frequent Disaster Recovery Snapshots of your primary McAfee ePO server is the first step in
quickly restoring a McAfee ePO server.
After you make many configuration changes to McAfee ePO, create a Disaster Recovery Snapshot
manually using any of these tasks.
Best practice: Create a Disaster Recovery Snapshot Server task to automate server snapshots.
Tasks
Create a snapshot from the McAfee ePO
Use the ePolicy Orchestrator Dashboard to take Disaster Recovery Snapshots of your
primary McAfee ePO server and to monitor the Snapshot process as the Dashboard status
changes.
Create snapshot from Web API
Use the McAfee ePO Web API to take Disaster Recovery snapshots of your primary McAfee
ePO server. Doing so enables you to use one command string to complete the process.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Reporting | Dashboards to see the ePO Server Snapshot monitor.
If needed, click Add Monitor, select ePO Server Snapshot from the list, and drag it to the dashboard.
2 Click Take Snapshot to start saving the McAfee ePO server configuration.
During the Snapshot process, the Snapshot Monitor title bar changes to indicate the status of the
process.
The Snapshot process takes from 10 minutes to more than an hour to complete, depending on the
complexity and size of your network. This process does not affect your McAfee ePO server
performance.
3 If needed, click See details of current run to open the Server Task Log Details of the last saved Snapshot.
After the Snapshot process is complete, click See details of current run to open the Server Task Log
Details of the last saved Snapshot.
The latest Disaster Recovery Snapshot is saved to the McAfee ePO server primary SQL database. The
database is now ready to back up and copy to the restore SQL database server.
You are prompted for the administrator user name and password before the output is displayed.
See the McAfee ePolicy Orchestrator Web API Scripting Guide for detailed Web API use and examples.
Task
1 Use the following McAfee ePO Web API Help command to determine the parameters for running the
Snapshot:
https://localhost:8443/remote/core.help?command=scheduler.runServerTask
localhost: The name of your McAfee ePO server.
2 Use the following command to list all server tasks and determine the taskName parameter to run
the Snapshot server task:
https://localhost:8443/remote/scheduler.listAllServerTasks?:output=terse
The previous example command returns a list that looks similar to the following. The exact list
displayed depends on your permissions and the extensions installed.
3 Using the task name, Disaster Recovery Snapshot Server, run the Snapshot server task using
this command:
https://localhost:8443/remote/scheduler.runServerTask?taskName=Disaster%20Recovery%20Snapshot%20Server
102
The Snapshot process can take from 10 minutes to more than an hour to complete, depending on
the complexity and size of your network. This process normally does not affect your McAfee ePO
server performance.
4 Confirm that the Web API server task Snapshot ran successfully.
a Use this command to find the Disaster Recovery Snapshot Server task log ID:
https://localhost:8443/remote/tasklog.listTaskHistory?taskName=Disaster%20Recovery%20Snapshot%20Server
This command displays all Disaster Recovery Snapshot Server tasks. Find the most recent task
and note the ID number. For example, ID: 102 in the following:
ID: 102
Name: Disaster Recovery Snapshot Server
Start Date: [date]
End Date: [date]
User Name: admin
Status: Completed
Source: scheduler
Duration: Less than a minute
b Use this command with the task ID number, 102, to display all task log messages.
https://localhost:8443/remote/tasklog.listMessages?taskLogId=102
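The Web API steps above can be run from one script that builds the same URLs, starts the task, and reads the task log back to confirm the result. This is an added example, not code from the McAfee guide; the HTTP Basic authentication, the leading "OK:" line, increasing task log IDs, and the sample output values are assumptions.

```python
import base64
import getpass
import ssl
import time
import urllib.parse
import urllib.request

TASK_NAME = "Disaster Recovery Snapshot Server"  # task name from step 3

# Constructed sample of tasklog.listTaskHistory output, in the layout shown in step 4a.
# The leading "OK:" line and all dates and values are assumptions made for this example.
SAMPLE_HISTORY = """OK:
ID: 97
Name: Disaster Recovery Snapshot Server
Start Date: 3/20/17 1:00:00 AM
End Date: 3/20/17 1:00:41 AM
User Name: admin
Status: Failed
Source: scheduler
Duration: Less than a minute

ID: 102
Name: Disaster Recovery Snapshot Server
Start Date: 3/21/17 1:00:00 AM
End Date: 3/21/17 1:00:38 AM
User Name: admin
Status: Completed
Source: scheduler
Duration: Less than a minute
"""


def api_url(server, command, **params):
    """Build https://<server>:8443/remote/<command>, encoding spaces as %20."""
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"https://{server}:8443/remote/{command}" + ("?" + query if query else "")


def parse_task_history(text):
    """Turn the 'Key: Value' listing into one dict per task run."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or (key == "OK" and current is None):
            continue  # blank line, free text, or the assumed "OK:" prefix
        if key == "ID":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def latest_run(records, task_name=TASK_NAME):
    """Most recent run of the task; assumes task log IDs only ever increase."""
    runs = [r for r in records if r.get("Name") == task_name and r.get("ID", "").isdigit()]
    if not runs:
        raise LookupError(f"no task log entry for {task_name!r}")
    return max(runs, key=lambda r: int(r["ID"]))


def snapshot_confirmed(history_text, newer_than=0):
    """Return (task_log_id, ok); ok only if a run newer than newer_than is Completed."""
    run = latest_run(parse_task_history(history_text))
    task_id = int(run["ID"])
    return task_id, task_id > newer_than and run.get("Status") == "Completed"


def fetch(url, user, password, cafile=None):
    """GET with HTTP Basic credentials (assumed auth scheme); TLS checks stay enabled."""
    context = ssl.create_default_context(cafile=cafile)  # cafile: CA that signed the server cert
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(request, context=context, timeout=60) as response:
        return response.read().decode("utf-8", "replace")


def run_snapshot(server, user, password, cafile=None, poll_seconds=60, max_polls=90):
    """Steps 3 and 4: start the task, then poll the task log until it reports Completed."""
    def get(command, **params):
        return fetch(api_url(server, command, **params), user, password, cafile)
    try:
        before = snapshot_confirmed(get("tasklog.listTaskHistory", taskName=TASK_NAME))[0]
    except LookupError:
        before = 0  # the task has never run on this server
    get("scheduler.runServerTask", taskName=TASK_NAME)
    for _ in range(max_polls):
        time.sleep(poll_seconds)
        task_id, ok = snapshot_confirmed(get("tasklog.listTaskHistory", taskName=TASK_NAME), before)
        if ok:
            return task_id, get("tasklog.listMessages", taskLogId=task_id)
    raise TimeoutError("snapshot not reported as Completed; check the Server Task Log")


if __name__ == "__main__":
    log_id, messages = run_snapshot("localhost", "admin", getpass.getpass("ePO password: "))
    print(f"Snapshot task log {log_id} completed\n{messages}")
```

Pass the CA certificate that signed the McAfee ePO server certificate as cafile so that certificate verification stays on when the script is scheduled.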
Using Disaster Recovery to create a McAfee ePO server Snapshot provides you with a quick recovery
method for the McAfee ePO server.
As an administrator, this setting is helpful if you have lost, or forgotten, the Keystore encryption
passphrase configured during McAfee ePO installation. You can change the existing passphrase without
knowing the previously configured passphrase.
Task
1 Select Menu | Configuration | Server Settings, select Disaster Recovery from the Setting Categories, then click
Edit.
2 From Keystore encryption passphrase, click Change passphrase and type the new passphrase and confirm it.
The Keystore encryption passphrase is used to encrypt and decrypt the sensitive information stored
in the server Snapshot. This passphrase is required during the McAfee ePO server recovery
process. Make note of this passphrase.
The McAfee ePO database must be periodically copied to a restore Microsoft SQL Database server to
create an actual backup database.
You can organize, group, and tag your managed systems using the System Tree and Tags features.
Contents
Organizing systems with the System Tree
Tags
The System Tree is the graphical representation of this structure. You can organize your System Tree
using these methods:
Because every network is different and requires different policies, and possibly different management,
plan your System Tree before adding the systems.
Regardless of the methods you choose to create and populate the System Tree, consider your
environment while planning the System Tree.
Administrator access
When planning your System Tree organization, consider the access requirements of users who must
manage the systems.
For example, you might have decentralized network administration in your organization, where
different administrators have responsibilities over different parts of the network. For security reasons,
you might not have an administrator account that can access every part of your network. In this
scenario, you might not be able to set policies and deploy agents using a single administrator account.
Instead, you might need to organize the System Tree into groups based on these divisions and create
accounts and permission sets.
Who should not have access to the systems and the information about them?
These questions impact both the System Tree organization, and the permission sets you create and
apply to user accounts.
Topological borders
NT domains or Active Directory containers define your network. The better organized your network
environment, the easier it is to create and maintain the System Tree with the synchronization
features.
Geographic borders
Managing security is a constant balance between protection and performance. Organize your System
Tree to make the best use of limited network bandwidth. Consider how the server connects to all parts
of your network, especially remote locations that use slower WAN or VPN connections, instead of
faster LAN connections. You might want to configure updating and agent-server communication
policies differently for remote sites to minimize network traffic over slower connections.
Political borders
Many large networks are divided by individuals or groups responsible for managing different portions
of the network. Sometimes these borders do not coincide with topological or geographic borders. Who
accesses and manages the segments of the System Tree affects how you structure it.
Functional borders
Some networks are divided by the roles of those using the network; for example, Sales and
Engineering. Even if the network is not divided by functional borders, you might need to organize
segments of the System Tree by functionality if different groups require different policies.
A business group might run specific software that requires special security policies. For example,
arranging your email Exchange Servers into a group and setting specific exclusions for on-access
scanning.
Best practice: Consider using sorting criteria based on IP address information to automate System
Tree creation and maintenance. Set IP address subnet masks or IP address range criteria for applicable
groups within the System Tree. These filters automatically populate locations with the appropriate
systems.
If possible, use tag-based sorting criteria to automatically populate groups with the appropriate
systems. Plus, to help sort your systems, you can create tag groups nested up to four levels deep,
with up to 1,000 tag subgroups in each level. For example, if you can organize your systems using
geographic location, chassis type (server, workstation, or laptop), platform (Windows, Macintosh,
Linux, or SQL), and user, you might have the tag groups in this table.
Synchronize with your Active Directory structure, by importing systems, and the Active Directory
subcontainers (as System Tree groups), and keeping them up-to-date with Active Directory. At
each synchronization, both systems and the structure are updated in the System Tree to reflect the
systems and structure of Active Directory.
Import systems as a flat list from the Active Directory container (and its subcontainers) into the
synchronized group.
Use the system description, which is imported from Active Directory with the systems.
Use this process to integrate the System Tree with your Active Directory systems structure:
1 Configure the synchronization settings on each group that is a mapping point in the System Tree.
At the same location, configure whether to:
Deploy agents to discovered systems.
Delete systems from the System Tree when they are deleted from Active Directory.
Allow or disallow duplicate entries of systems that exist elsewhere in the System Tree.
2 Use the Synchronize Now action to import Active Directory systems (and possibly structure) into the
System Tree according to the synchronization settings.
Deploy agents automatically to systems new to ePolicy Orchestrator. You might not want to
configure this setting on the initial synchronization if you are importing many systems and have
limited bandwidth. The agent MSI is about 6 MB in size. However, you might want to deploy agents
automatically to any new systems that are discovered in Active Directory during subsequent
synchronization.
Delete systems from ePolicy Orchestrator (and remove their agents) when they are deleted from
Active Directory.
Prevent adding systems to the group if they exist elsewhere in the System Tree. This setting
ensures that you don't have duplicate systems if you manually move or sort the system to another
location.
Exclude certain Active Directory containers from the synchronization. These containers and their
systems are ignored during synchronization.
If the organization of Active Directory meets your security management needs and you want the
System Tree to continue to look like the mapped Active Directory structure, use this synchronization
type with subsequent synchronization.
Systems only
Use this synchronization type to import systems from an Active Directory container, including those in
non-excluded subcontainers, as a flat list to a mapped System Tree group. You can then move these to
appropriate locations in the System Tree by assigning sorting criteria to groups.
If you choose this synchronization type, make sure to select not to add systems again if they exist
elsewhere in the System Tree. This synchronization type prevents duplicate entries for systems in the
System Tree.
The organizational needs for security management do not coincide with the organization of
containers and systems in Active Directory.
NT domain synchronization
Use your NT domains as a source for populating your System Tree.
When you synchronize a group to an NT domain, all systems from the domain are put in the group as
a flat list. You can manage these systems in the single group, or you can create subgroups for more
granular organizational needs. Use a method, like automatic sorting, to populate these subgroups
automatically.
If you move systems to other groups or subgroups of the System Tree, make sure you select to not
add the systems when they exist elsewhere in the System Tree. This setting prevents duplicate entries
for systems in the System Tree.
Unlike Active Directory synchronization, only the system names are synchronized with NT domain
synchronization; the system description is not synchronized.
Criteria-based sorting
You can use IP address information to automatically sort managed systems into specific groups. You
can also create sorting criteria based on tags, which are like labels assigned to systems. You can use
either or both to ensure that systems are where you want them in the System Tree.
Systems must match only one criterion of a group's sorting criteria to be placed in the group.
After creating groups and setting your sorting criteria, perform a Test Sort action to confirm the
criteria and sorting order.
Once you have added sorting criteria to your groups, you can run the Sort Now action. The action
moves selected systems to the appropriate group automatically. Systems that do not match the
sorting criteria of any group are moved to Lost and Found.
New systems that call into the server for the first time are added automatically to the correct group.
However, if you define sorting criteria after the initial agent-server communication, you must run the
Sort Now action on those systems to move them immediately to the appropriate group, or wait until
the next agent-server communication.
Server settings
The server has three settings:
Disable System Tree sorting: Prevents other ePolicy Orchestrator users from mistakenly configuring
sorting criteria on groups and moving systems to undesirable locations in the System Tree.
Sort systems on each agent-server communication: Sorts systems again at each agent-server
communication. When you change sorting criteria on groups, systems move to the new group at
their next agent-server communication.
Sort systems once: Systems are sorted at the next agent-server communication and not sorted again
as long as this setting is selected. You can still sort a system, however, by selecting it and clicking
Sort Now.
System settings
You can disable or enable System Tree sorting on any system. If disabled on a system, that system
isn't sorted, regardless of how the sorting action is taken. However, performing the Test Sort action sorts
this system. If enabled, systems can be sorted using the manual Sort Now action, and can be sorted at
agent-server communication.
IP address sorting criteria must not overlap between different groups. Each IP address range or subnet
mask in a group's sorting criteria must cover a unique set of IP addresses. If criteria do overlap, the
group where those systems end up depends on the order of the subgroups on the System Tree Group
Details tab. You can check for IP address overlap using the Check IP Integrity action in the Group
Details tab.
Catch-all groups
Catch-all groups are groups whose sorting criteria is set to All others on the group's Sorting Criteria
page.
Only subgroups at the last position of the sort order can be catch-all groups. These groups receive all
systems that were sorted into the parent group, but were not sorted into any of the catch-all's peers.
If a matching system is not found, the server uses an algorithm to sort the systems into the
appropriate groups. Systems can be sorted into any criteria-based group in the System Tree, as long
as each parent group in the path does not have non-matching criteria. Parent groups of a
criteria-based subgroup must have no criteria or matching criteria.
The sorting order assigned to each subgroup (defined in the Group Details tab) determines the order that
the server considers subgroups for sorting.
1 The server searches for a system without a McAfee Agent GUID (the McAfee Agent has never
before called in) with a matching name in a group with the same name as the domain. If found, the
system is placed in that group. This can happen after the first Active Directory or NT domain
synchronization, or when you have manually added systems to the System Tree.
2 If a matching system is still not found, the server searches for a group of the same name as the
domain where the system originates. If such a group is not found, one is created under the Lost
and Found group, and the system is placed there.
4 The server applies all criteria-based tags to the system if the server is configured to run sorting
criteria at each agent-server communication.
5 What happens next depends on whether System Tree sorting is enabled on both the server and the
system.
If System Tree sorting is disabled on either the server or the system, the system is left where it
is.
If System Tree sorting is enabled on the server and system, the system is moved based on the
sorting criteria in the System Tree groups.
Systems that were added using Active Directory or NT Domain synchronization have System Tree
sorting disabled by default. With System Tree sorting disabled, systems are not sorted on the
first agent-server communication.
6 The server considers the sorting criteria of all top-level groups according to the sorting order on the
My Organization group's Group Details tab. The system is placed in the first group with matching
criteria or a catch-all group it considers.
Once sorted into a group, each of its subgroups is considered for matching criteria according to
their sorting order on the Group Details tab.
Sorting continues until there is no subgroup with matching criteria for the system, and the system
is placed in the last group found with matching criteria.
7 If such a top-level group is not found, the subgroups of top-level groups (without sorting criteria)
are considered according to their sorting.
8 If such a second-level criteria-based group is not found, the criteria-based third-level groups of the
second-level unrestricted groups are considered.
Subgroups of groups with criteria that doesn't match are not considered. A group must have
matching criteria or have no criteria for its subgroups to be considered for a system.
9 This process continues down through the System Tree until a system is sorted into a group.
If the server setting for System Tree sorting is configured to sort only on the first agent-server
communication, a flag is set on the system. The flag means that the system can never be sorted
again at agent-server communication unless the server setting is changed to enable sorting on
every agent-server communication.
10 If the server cannot sort the system into any group, it is placed in the Lost and Found group within
a subgroup that is named after its domain.
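The IP overlap rule and the criteria-based sorting steps above can be modeled together to show why overlapping criteria make placement depend on subgroup order. This is an added example, not McAfee ePO code: the Group class, the sibling-only overlap check, the treatment of a catch-all as always matching, and the sample tree are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Group:
    """One System Tree group; list order of subgroups stands for the sorting order."""
    name: str
    ip_criteria: list = field(default_factory=list)  # "10.1.0.0/16" or "10.2.0.0-10.2.0.255"
    tags: set = field(default_factory=set)
    catch_all: bool = False                          # sorting criteria set to "All others"
    subgroups: list = field(default_factory=list)

    def has_criteria(self):
        return bool(self.ip_criteria or self.tags or self.catch_all)


def ip_span(criterion):
    """Return (first, last) address of a subnet or a start-end range, as integers."""
    if "-" in criterion:
        first, last = (ipaddress.ip_address(p.strip()) for p in criterion.split("-", 1))
    else:
        network = ipaddress.ip_network(criterion, strict=False)
        first, last = network.network_address, network.broadcast_address
    return int(first), int(last)


def matches(group, ip, tags):
    """A system needs to match only one criterion of the group."""
    if group.catch_all or group.tags & set(tags):
        return True
    address = int(ipaddress.ip_address(ip))
    return any(lo <= address <= hi for lo, hi in map(ip_span, group.ip_criteria))


def ip_overlaps(parent):
    """List IP criteria shared by two different subgroups of parent (siblings only)."""
    spans = sorted(ip_span(c) + (g.name, c) for g in parent.subgroups for c in g.ip_criteria)
    found = []
    for i, (_lo, hi, name, crit) in enumerate(spans):
        for lo2, _hi2, name2, crit2 in spans[i + 1:]:
            if lo2 > hi:
                break  # sorted by start address, so nothing later can overlap
            if name2 != name:
                found.append((name, crit, name2, crit2))
    return found


def first_match(node, ip, tags):
    """Search level by level below node, descending only through groups without criteria."""
    frontier = [([], node)]
    while frontier:
        next_level = []
        for prefix, parent in frontier:
            for group in parent.subgroups:  # considered in sorting order
                if not group.has_criteria():
                    next_level.append((prefix + [group.name], group))
                elif matches(group, ip, tags):
                    return prefix + [group.name], group
                # non-matching criteria: this group's subgroups are not considered
        frontier = next_level
    return None


def sort_system(root, ip, tags=(), domain="WORKGROUP"):
    """Return the path of group names where the system ends up."""
    path, node = [root.name], root
    while True:
        hit = first_match(node, ip, tags)
        if hit is None:
            break
        names, node = hit
        path += names
    return path if node is not root else [root.name, "Lost and Found", domain]


def sample_tree():
    """Constructed tree for illustration; every name and address here is made up."""
    london = Group("London", ip_criteria=["10.1.0.0/16"], subgroups=[
        Group("Laptops", tags={"Laptop"}), Group("Other", catch_all=True)])
    offices = Group("Offices", subgroups=[
        london,
        Group("Berlin", ip_criteria=["10.2.0.0-10.2.255.255"]),
        Group("Branch", ip_criteria=["10.2.128.0/17"])])  # overlaps Berlin
    servers = Group("Servers", tags={"Server"}, subgroups=[Group("Exchange", tags={"Exchange"})])
    return Group("My Organization", subgroups=[servers, offices])


if __name__ == "__main__":
    tree = sample_tree()
    print(ip_overlaps(tree.subgroups[1]))   # Berlin and Branch share addresses
    print(sort_system(tree, "10.2.200.5"))  # lands in Berlin because it sorts first
```

In the sample tree, Branch never receives 10.2.200.5 even though its subnet contains that address, which is the placement ambiguity the overlap check is meant to catch before systems inherit the wrong group's policies.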
Task
2 Click Customize to change the information displayed in the three system information monitors:
Summary: Displays the results of the McAfee Agent Communication Summary, by default.
Properties: Displays information about the system's location in your network and the agent
installed, by default.
Query monitor: Displays the system-specific results for the Threat Events in the Last 2 Weeks
query, by default.
3 Click one of these tabs, to view additional details about the selected system:
Option | Description
System Properties | Displays details about the system. For example, operating system, memory installed, and connection information.
Products | Lists one of these product states:
  Installed Product: The state of the installed product for which the McAfee Agent has communicated with the install event.
  Uninstalled Product: The state of the uninstalled product for which the McAfee Agent has communicated with the uninstall event.
  The status of the deployment task of the same version of the product or an older version of the same product is ignored.
Applied Policies | Displays the name of policies applied to this system and lists them alphabetically.
Applied Client Tasks | Displays the name of client tasks assigned to this system and lists them alphabetically.
Threat Events | Lists threat and other events, plus detailed information about those events,
McAfee Agent | Lists configuration information about the McAfee Agent installed on the system. Click More to display additional McAfee Agent configuration and status information.
Best practice: Drag selected systems to any group in the System Tree to populate groups. Drag and
drop to move groups and subgroups in the System Tree.
There is no single way to organize a System Tree. Because every network is different, your System
Tree organization can be as unique as your network layout. You can use more than one method of
organization.
For example, if you use Active Directory in your network, consider importing your Active Directory
containers rather than your NT domains. If your Active Directory or NT domain organization does not
make sense for security management, you can create your System Tree in a text file and import it. If
you have a smaller network, you can create your System Tree by hand and add each system manually.
Task
2 Select whether to deploy the McAfee Agent to the new systems, and whether the systems are
added to the selected group, or to a group according to sorting criteria.
3 Next to Target systems, type the NetBIOS name for each system in the text box, separated by
commas, spaces, or line breaks. Alternatively, click Browse to select the systems.
5 Click OK.
Task
3 Repeat as necessary until you are ready to populate the groups with systems. Use one of these
processes to add systems to your System Tree groups:
Typing system names manually.
Importing them from NT domains or Active Directory containers. You can regularly synchronize
a domain or a container to a group for ease of maintenance.
Setting up IP address-based or tag-based sorting criteria on the groups. When agents check in
from systems with matching IP address information or matching tags, they are automatically
placed in the appropriate group.
This task does not remove systems from your System Tree. It creates a .txt file that contains the names
and structure of systems.
Task
2 Select the group or subgroup containing the systems you want to export, then click System Tree
Actions | Export Systems.
All systems in this group and subgroups: Exports all systems at and below this level.
4 Click OK.
The Export page opens. You can click the systems link to view the system list, or right-click the link to
save a copy of the ExportSystems.txt file.
For large networks, use network utilities, such as the NETDOM.EXE utility available with the Microsoft
Windows Resource Kit, to generate text files with complete lists of the systems on your network. Once
you have the text file, edit it manually to create groups of systems, and import the whole structure
into the System Tree.
Regardless of how you generate the text file, you must use the correct syntax before importing it.
Task
1 List each system on its own line. To organize systems into groups, type the group name followed
by a backslash (\), then list the system belonging to that group, each on a separate line.
GroupA\system1
GroupA\system2
GroupA\GroupB\system3
GroupC\GroupD
2 Verify the names of groups and systems, and the syntax of the text file, then save the text file to a
temporary folder on your server.
Task
2 Select Import systems from a text file into the selected group, but do not push agents.
5 Select what to do with systems that already exist elsewhere in the System Tree.
6 Click OK.
The systems are imported to the selected group in the System Tree. If your text file organized the
systems into groups, the server creates the groups and imports the systems.
Tasks
Add sorting criteria to groups
Sorting criteria for System Tree groups can be based on IP address information or tags.
Enable System Tree sorting on the server
For systems to be sorted, System Tree sorting must be enabled on both the server and the
systems.
Enable or disable System Tree sorting on systems
The sorting status of a system determines whether it can be sorted into a criteria-based
group.
Sort systems manually
Sort selected systems into groups with criteria-based sorting enabled.
Task
1 Select Menu | Systems | System Tree, click the Group Details tab, then select the group in the System Tree.
2 Next to Sorting criteria click Edit. The Sorting Criteria page for the selected group appears.
3 Select Systems that match any of the criteria below, then the criteria selections appear.
Although you can configure multiple sorting criteria for the group, a system only has to match a
single criterion to be placed in this group.
Tags: Click Add Tags and perform these steps in the Add Tags dialog box.
1 Click the tag name, or names, to add and sort the systems in this parent group.
2 Click OK.
The tags selected appear in Tags on the Sorting Criteria page and next to Sorting Criteria on the
Group Details page.
5 Repeat as needed until sorting criteria is reconfigured for the group, then click Save.
If you sort on each agent-server communication, all enabled systems are sorted at each agent-server
communication as long as this option is selected.
Task
1 Select Menu | Configuration | Server Settings, then select System Tree Sorting in the Setting Categories list and
click Edit.
2 Select whether to sort systems only on the first agent-server communication or on each
agent-server communication.
Task
1 Select Menu | Systems | System Tree | Systems, then select the systems you want.
2 Select Actions | Directory Management | Change Sorting Status, then select whether to enable or disable
System Tree sorting on selected systems.
3 In the Change Sorting Status dialog box, select whether to disable or enable System Tree sorting
on the selected system.
Depending on the setting for System Tree sorting, these systems are sorted on the next
agent-server communication. Otherwise, they can only be sorted with the Sort Now action.
Task
1 Select Menu | Systems | System Tree | Systems, then select the group that contains the systems.
2 Select the systems then click Actions | Directory Management | Sort Now. The Sort Now dialog box
appears.
If you want to preview the results of the sort before sorting, click Test Sort instead. (However, if you
move systems from within the Test Sort page, all selected systems are sorted, even if they have
System Tree sorting disabled.)
Delete systems from the System Tree when they are deleted from Active Directory.
Prevent duplicate entries of systems in the System Tree when they exist in other groups.
Task
1 Select Menu | Systems | System Tree | Group Details, then select a group in the System Tree for mapping an
Active Directory container to.
You cannot synchronize the Lost and Found group of the System Tree.
2 Next to Synchronization type, click Edit. The Synchronization Settings page for the selected group
appears.
3 Next to Synchronization type, select Active Directory. The Active Directory synchronization options
appear.
4 Select the type of Active Directory synchronization you want to occur between this group and the
Active Directory container (and its subcontainers):
Systems and container structure: Select this option if you want this group to truly reflect the Active
Directory structure. When synchronized, the System Tree structure under this group is changed
to reflect the Active Directory container that it's mapped to. When containers are added or
removed in Active Directory, they are added or removed in the System Tree. When systems are
added, moved, or removed from Active Directory, they are added, moved, or removed from the
System Tree.
Systems only: Select this option if you only want the systems from the Active Directory container
(and non-excluded subcontainers) to populate this group, and this group only. No subgroups are
created when mirroring Active Directory.
5 Select whether to create a duplicate entry for systems that exist in another group of the System Tree.
If you are using Active Directory synchronization as a starting point for security management, and
plan to use System Tree management functionality after mapping your systems, do not select this
option.
7 Next to Container, click Add and select a source container in the Select Active Directory Container dialog box,
then click OK.
8 To exclude specific subcontainers, click Add next to Exceptions and select a subcontainer to exclude,
then click OK.
9 Select whether to deploy the McAfee Agent automatically to new systems. If you do, configure the
deployment settings.
Best practice: Because of its size, do not deploy the McAfee Agent during the initial import if the
container is large. Instead, import the container, then deploy the McAfee Agent to groups of systems
at a time, rather than all at once.
10 Select whether to delete systems from the System Tree when they are deleted from the Active
Directory domain. Optionally choose whether to remove agents from the deleted systems.
11 To synchronize the group with Active Directory immediately, click Synchronize Now.
Clicking Synchronize Now saves any changes to the synchronization settings before synchronizing the
group. If you have an Active Directory synchronization notification rule enabled, an event is
generated for each system that is added or removed. These events appear in the Audit Log, and are
queryable. If you deployed agents to added systems, the deployment is initiated to each added
system. When the synchronization completes, the Last Synchronization time is updated, displaying the
time and date when the synchronization finished, not when any agent deployments completed.
Best practice: Schedule an NT Domain/Active Directory synchronization server task for the first
synchronization. This server task is useful if you are deploying agents to new systems on the first
synchronization, when bandwidth is a larger concern.
12 When the synchronization is complete, view the results with the System Tree.
When the systems are imported, distribute agents to them if you did not select to do so automatically.
Best practice: Set up a recurring NT Domain/Active Directory synchronization server task to keep your
System Tree current with any changes to your Active Directory containers.
If the domain is large, you can create subgroups to assist with policy management or organization. To
do this, first import the domain into a group of your System Tree, then manually create logical
subgroups.
To manage the same policies across several domains, import each of the domains into a subgroup under
the same group. The subgroups will inherit the policies set for the top-level group.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree | Group Details and select or create a group in the System Tree.
2 Next to Synchronization type, click Edit. The Synchronization Settings page for the selected group appears.
3 Next to Synchronization type, select NT Domain. The domain synchronization settings appear.
4 Next to Systems that exist elsewhere in the System Tree, select what to do with systems that exist in another
group of the System Tree.
Best practice: Don't select Add systems to the synchronized group and leave them in their current System Tree location,
especially if you are using the NT domain synchronization only as a starting point for security
management.
5 Next to Domain, click Browse and select the NT domain to map to this group, then click OK.
Alternatively, you can type the name of the domain directly in the text box.
When typing the domain name, do not use the fully-qualified domain name.
6 Select whether to deploy the McAfee Agent automatically to new systems. If you do so, configure
the deployment settings.
Best practice: Because of its size, do not deploy the McAfee Agent during the initial import if the
container is large. Instead, import the container, then deploy the McAfee Agent to groups of systems
at a time, rather than all at once.
7 Select whether to delete systems from the System Tree when they are deleted from the NT domain.
You can optionally choose to remove agents from deleted systems.
8 To synchronize the group with the domain immediately, click Synchronize Now, then wait while the
systems in the domain are added to the group.
Clicking Synchronize Now saves changes to the synchronization settings before synchronizing the
group. If you have an NT domain synchronization notification rule enabled, an event is generated
for each system added or removed. These events appear in the Audit Log, and are queryable. If you
selected to deploy agents to added systems, the deployment is initiated to each added system.
When the synchronization is complete, the Last Synchronization time is updated. The time and date are
when the synchronization finished, not when any agent deployments completed.
9 To synchronize the group with the domain manually, click Compare and Update.
a If you are going to remove any systems from the group with this page, select whether to
remove their agents when the system is removed.
b Select the systems to add to and remove from the group as necessary, then click Update Group to
add the selected systems. The Synchronize Setting page appears.
10 Click Save, then view the results in the System Tree if you clicked Synchronize Now or Update Group.
Once the systems are added to the System Tree, distribute agents to them if you did not select to deploy
agents as part of the synchronization.
Consider setting up a recurring NT Domain/Active Directory synchronization server task to keep this
group current with new systems in the NT domain.
Adds new corresponding groups when new Active Directory containers are created.
Prevents or allows duplicate entries of systems that still exist in the System Tree after you moved
them to other locations.
The McAfee Agent can't be deployed to all operating systems in this manner. You might need to
distribute the McAfee Agent manually to some systems.
Task
2 On the Description page, name the task and choose whether it is enabled once it is created, then
click Next.
4 Select whether to synchronize all groups or selected groups. If you are synchronizing only some
groups, click Select Synchronized Groups and select specific ones.
In addition to running the task at the scheduled time, you can run this task immediately: on the
Server Tasks page next to the task, click Run.
Removes systems from your System Tree that are no longer in the domain.
Removes agents from all systems that no longer belong to the specified domain.
Task
1 Select Menu | Systems | System Tree | Group Details, then select the group that is mapped to the NT
domain.
3 Select NT Domain, then click Compare and Update near the bottom of the page.
4 If you are removing systems from the group, select whether to remove the agents from systems
that are removed.
5 Click Add All or Add to import systems from the network domain to the selected group.
Click Remove All or Remove to delete systems from the selected group.
In addition to the steps below, you can also drag and drop systems from the Systems table to any
group in the System Tree.
Even in a perfectly organized System Tree that's regularly synchronized, you might need to move
systems manually between groups. For example, you might need to periodically move systems from
the Lost and Found group.
Task
1 Select Menu | Systems | System Tree | Systems, then browse to and select the systems.
2 Click Actions | Directory Management | Move Systems to open the Select New Group page.
3 Select whether to enable or disable System Tree sorting on the selected systems when they are
moved.
4 Select the group to place the systems in, then click OK.
If you move systems between groups, the moved systems inherit the policies assigned to their new
group.
You're upgrading the server hardware and the McAfee ePO software version.
This graphic shows the major processes to transfer systems from one McAfee ePO server to another.
Confirm that you can view the systems in the new server's System Tree.
Confirm that the systems no longer appear in the old server's System Tree.
ERROR: Master agent-server keys must be imported into the remote server before importing the sitelist. Go to Server
Settings to export security keys from this server. Visiting this link now causes you to lose any unsaved changes to this
registered server.
Both keys (1024 and 2048) must be imported for successful registration so the Automatic Sitelist Import
can save without issue.
Tasks
Export security keys from the old server
Export the 2048-bit and 1024-bit security keys.
Import security keys to the new server
Import the 2048-bit and 1024-bit security keys from the old server on the new server.
Register the old server to the new server
Register the new server. For example, register a McAfee ePO 5.x server to a McAfee ePO 4.x server.
Transfer systems between servers
After you have imported the keys and registered the new server, you can use the old server to initiate the transfer process.
Check the status of transferred computers
Verify that your systems now appear on the new server.
Task
3 Click Security Keys under the Setting Categories column, then click Edit.
4 Save the 2048-bit keys listed under the Agent-server secure communication keys list.
a Click the 2048-bit key and click Export.
c Click Save.
d Type or browse to a path where you want to save the security key .zip file.
5 Save the 1024-bit keys listed under the Agent-server secure communication keys list.
a Click the 1024-bit key and click Export.
c Click Save.
d Type or browse to a path where you want to save the security key .zip file.
Task
3 Click Security Keys from the Setting Categories column, then click Edit.
4 Click Import.
b Click Open.
c Click Next.
d Confirm that you have selected the correct key on the Summary tab, and click Save.
b Click Open.
c Click Next.
d Confirm that you have selected the correct key on the Summary tab, and click Save.
Task
4 Select ePO from the Server type drop-down list, type a name for this server in the Name section, and
click Next.
5 Type the credentials to the new server and click Test Connection.
6 If the test is successful, select Enable for the Transfer systems entry.
The Manual sitelist import option is also available and can be used if you want to do a manual import by
selecting an existing SiteList.xml file.
You can obtain the SiteList.xml file to use for this process in the following folder on the server
where the agents are being transferred to: <ePO_Installation_Directory>\DB\SiteList.xml
On a McAfee ePO 4.6 server, you can select only version 4.6 or previous versions as the McAfee
ePO version. When you test the connection to the database of the registered server, you see the
following warning:
Database connection successful! Warning Versions mismatch!
You can safely ignore the warning. The McAfee ePO version selected (4.6) does not match the
database (5.x) you have tested.
Task
Ensure that the selected systems are communicating with the old server before you transfer them.
Two agent-server communication intervals must occur before the system appears in the System Tree
of the new server. The length of time required depends on your configuration. The default
agent-server communication interval is one hour.
Task
This feature does not follow the inheritance model used when enforcing policies.
Automatic Responses use events that occur on systems in your environment and configured response
rules. These rules are associated with the group that contains the affected systems and each parent
above it. When an event occurs, it is delivered to the server. If the conditions of a rule are met,
designated actions are taken.
This design allows you to configure independent rules at different levels of the System Tree. These
rules can have different:
Recipients for the notification message. An administrator for a particular group might want to
be notified only if a specified number of virus detection events occur in the group. Or, an
administrator wants each group administrator to be notified if a specified number of virus detection
events occur in the whole System Tree.
Tags
Use tags to identify and sort systems. Tags and tag groups allow you to select groups of systems and
simplify the creation of tasks and queries.
Manually on selected systems, regardless of criteria, with the Apply Tag action.
Task
2 On the Description page, enter a name and meaningful description, then click Next. The Criteria page
appears.
3 Select and configure the criteria, then click Next. The Evaluation page appears.
4 Select whether systems are evaluated against the tag's criteria only when the Run Tag Criteria action
is taken, or also at each agent-server communication, then click Next. The Preview page appears.
These options are unavailable if criteria were not configured. When systems are evaluated against a
tag's criteria, the tag is applied to systems that match the criteria and have not been excluded from
the tag.
If the tag has criteria, this page displays the number of systems that receive this tag when
evaluated against its criteria.
The tag is added under the selected tag group in the Tag Tree on the Tag Catalog page.
Manage tags
Once tags are created using the New Tag Builder, use the Actions list to edit, delete, and move the
tags.
Task
2 From the Tags list, select a tag or multiple tags, click Actions, then select an action.
Action Steps
Edit a tag
  The number of affected systems is listed at the top of the page.
  From the Edit Tag Builder:
  1 On the Description page, type a name and meaningful description, then click Next.
  2 Select and configure the criteria, then click Next.
  To apply the tag automatically, you must configure criteria for the tag.
  3 Select whether systems are evaluated against the tag's criteria only when the Run Tag Criteria
  action is taken, or also at each agent-server communication, then click Next.
  If the tag has criteria, this page displays the number of systems that receive this tag when
  evaluated against its criteria.
  The tag is updated on the Tag Catalog page under the selected tag group in the Tag Tree.
Export a tag
  Click Export Table.
Move tags
  From the Move Tags dialog box, select the tag group where you want the tags to appear, then
  click OK.
  You can also drag and drop the tags into the tag groups in the Tag Tree.
Task
Action Steps
Create a tag subgroup
  1 In the Tag Tree, select the tag group (or parent tag group) where you want to create the tag
  subgroup.
  My Tags is the default top-level tag group added during McAfee ePO installation.
  3 In the Name field, enter a descriptive name for the new tag subgroup.
Rename a tag subgroup
  1 In the Tag Tree, select the tag subgroup that you want to rename.
  2 Click Tag Tree Actions | Rename Group to open the Rename Subgroup dialog box.
  3 In the Name field, enter the new name for the tag subgroup.
Delete a tag subgroup
  1 In the Tag Tree, select the tag subgroup that you want to delete.
  2 Click Actions | Delete. An Action: Delete confirmation dialog box appears.
  3 If you are sure you want to delete the tag subgroup, click OK and the tag subgroup is removed.
You can also use a query to collect systems, then exclude the tags from those systems from the query
results.
Task
1 Select Menu | Systems | System Tree | Systems, then select the group that contains the systems in the
System Tree.
2 Select one or more systems in the Systems table, then click Actions | Tag | Exclude Tag.
3 In the Exclude Tag dialog box, select the tag group, select the tag to exclude, then click OK.
To limit the list to specific tags, type the tag name in the text box under Tags.
4 Verify that the systems have been excluded from the tag:
a Select Menu | Systems | Tag Catalog, then select the tag or tag group from the list of tags.
b Next to Systems with tag, click the link for the number of systems excluded from the criteria-based
tag application. The Systems Excluded from the Tag page appears.
Task
2 On the Description page, name and describe the task, then click Next.
4 In the Query field, select one of these queries from the McAfee Groups tab, then click OK.
Inactive Agents
Unmanaged Systems
6 From the Sub-Actions list, select one of these subactions to take based on the results.
Apply Tag: Applies a selected tag to the systems returned by the query.
Clear Tag: Removes a selected tag on the systems returned by the query. Select Clear All to
remove all tags from the systems in the query results.
Exclude Tag: Excludes systems from the query results if they have the selected tag applied to
them.
7 From the Select Tag window, select a tag group from the Tag Group Tree and optionally filter the list of
tags using the Tags text box.
You are not limited to selecting one action for the query results. Click the + button to add additional
actions. Be careful to place the actions in the order that you want them to occur. For example, you
can apply the Server tag, then remove the Workstation tag. You can also add other subactions, such
as assigning a policy to the systems.
8 Click Next.
The task is added to the list on the Server Tasks page. If the task is enabled (default), it runs at the
next scheduled occurrence. If the task is disabled, it only runs by clicking Run next to the task.
Task
1 Select Menu | Systems | System Tree | Systems, then select the group that contains the systems you
want.
3 In the Apply Tag dialog box, select the tag group, select the tag to apply, then click OK.
To limit the list to specific tags, type the tag name in the text box under Tags.
b Next to Systems with tag in the details pane, click the link for the number of systems tagged
manually. The Systems with Tag Applied Manually page appears.
Task
1 Select Menu | Systems | System Tree | Systems, then select the group that contains the systems you
want.
3 In the Clear Tag dialog box, perform one of these steps, then click OK.
Remove a specific tag: Select the tag group, then select the tag.
To limit the list to specific tags, type the tag name in the text box under Tags.
b Next to Systems with tag in the details pane, click the link for the number of systems tagged
manually. The Systems with Tag Applied Manually page appears.
Task
1 Select Menu | Systems | Tag Catalog, then select a tag or tag group from the Tags list.
3 On the Action pane, select whether to reset manually tagged and excluded systems.
Resetting manually tagged and excluded systems removes the tag from systems that don't match
the criteria, and applies the tag to systems that match criteria but were excluded from receiving the
tag.
4 Click OK.
b Next to Systems with tag in the details pane, click the link for the number of systems with the
tag applied by criteria. The Systems with Tag Applied by Criteria page appears.
Task
2 On the Description page, name and describe the task and select whether the task is enabled once it
is created, then click Next. The Actions page appears.
3 Select Run Tag Criteria from the drop-down list, then select a tag from the Tag drop-down list.
Applies the tag to systems that match the criteria but were excluded from receiving the tag
6 Schedule the task for the times you want, then click Next.
The server task is added to the list on the Server Tasks page. If you selected to enable the task in the
Server Task Builder, it runs at the next scheduled time.
Each user account is associated with one or more permission sets, which define what the user is
allowed to do with the software.
Contents
Users
Authenticating with certificates
Permission sets
Users
User accounts allow you to control how people access and use McAfee ePO.
You can create user accounts manually, then assign each account an appropriate permission set. You
can also configure your McAfee ePO server to allow users to log on using Windows authentication, but
this requires configuring and setting up multiple settings and components.
While user accounts and permission sets are closely related, they are created and configured using
separate steps.
Best practice: Disable the logon status of an account instead of deleting it. You can delete the logon
status when you are sure that all valuable information associated with the account has been moved to
other users.
Task
Task Steps
Create a user
  1 Click New User.
  2 Type a user name.
  3 Select whether to enable or disable the logon status of this account. If this account is for
  someone who is not yet a part of the organization, you might want to disable it.
  4 Select the authentication type that you want the new account to use, then provide the required
  credentials, or browse to and select the certificate.
  5 [Optional] Provide the user's full name, email address, phone number, and a description.
  6 Make the user an administrator, or select the appropriate permission sets for the user.
  7 Click Save to return to the Users tab.
  The new user appears in the Users list.
Edit a user
  1 From the Users list, select the user you want to edit, then click Action | Edit.
  3 Click Save.
  The user changes appear in the Users list.
Delete a user
  1 From the Users list, select the user you want to delete, then click Action | Delete.
  2 When prompted, click OK.
  The user disappears from the Users list.
User authentication
McAfee ePO users can be authenticated with McAfee ePO password authentication or Windows
authentication. If you use Windows authentication, you can specify whether users authenticate:
Against the domain that your McAfee ePO server is joined to (default).
If you use domain controllers, DNS-style domain names, or a WINS server, configure the Windows
authentication server setting.
The user account used to register the LDAP server with McAfee ePO is trusted through a bidirectional
transitive trust. Otherwise, it must physically exist on the domain that the LDAP server belongs to.
Windows authorization
The server setting for Windows authorization specifies which Active Directory (AD) server McAfee ePO
uses to gather user and group information for a particular domain. You can specify multiple domain
controllers and AD servers. This server setting supports the ability to dynamically assign permission
sets to users that supply Windows credentials at logon.
McAfee ePO can dynamically assign permission sets to Windows Authenticated users even if Active
Directory User Login is not enabled.
Assigning permissions
Assign at least one permission set to an AD group other than a user's Primary Group. Dynamically
assigning permission sets to a user's Primary Group is not supported, and results in application of only
those permissions manually assigned to the individual user. The default Primary Group is "Domain
Users."
An Active Directory server that contains information about this user has been registered with
McAfee ePO.
The user is a member of at least one Domain Local or Domain Global group that maps to a McAfee
ePO permission set.
It supports these features when retrieving group memberships for a Universal Group:
Direct membership lookup in a Universal Group
Indirect membership lookup through Global or Domain Local Groups, if that group resides in the
same domain as the Global Catalog being used to perform the lookup
Finally, it does not support indirect membership when that group resides on a different domain from
the Global Catalog being used to perform the lookup.
The software completes Authorization after you verify the user's credentials. You can apply permission
sets and determine what the user can do within the system. Windows authentication allows you to set
permission for users from different domains. Attach permission sets to groups contained within these
domains.
If the credentials for users are contained in a small set of domains or servers in a single domain
tree, register the root of the tree.
If your user accounts are more spread out, register a number of servers or domains. Determine the
minimum number of domain (or server) subtrees you need and register the roots of those trees.
Try to register them in the order of usage. Placing the most commonly used domains at the top of
the list improves average authentication performance.
Permission structure
For users to be able to log on to a McAfee ePO server using Windows authentication, attach a
permission set to the Active Directory group on the domain their account belongs to. When
determining how permission sets are assigned, consider the following capabilities:
Permission sets can be dynamically assigned only to an entire Active Directory group. They cannot
be assigned to just some users within a group.
If you want to assign special permissions to an individual user, you can do so by creating an Active
Directory group that contains only that user.
Task
1 From the server console, select Start | Settings | Control Panel | Administrative Tools.
2 Select Services.
3 In the Services window, right-click McAfee ePolicy Orchestrator Applications Server and select Stop.
When you next open the Server Settings page, a Windows Authentication option appears.
Do you want to use a WINS server to look up which domain your users are authenticating against?
Users can authenticate using Windows credentials for the domain that the McAfee ePO server is joined
to. They can also authenticate to any domain that has a two-way trust relationship with the McAfee
ePO server's domain. If you have users in domains that don't meet those criteria, configure Windows
authentication.
Task
1 Select Menu | Configuration | Server Settings, then select Windows Authentication from the Settings Categories list.
2 Click Edit.
3 Specify whether you want to use one or more domains, one or more domain controllers, or a WINS
server.
Domains must be provided in DNS format (for example, internaldomain.com). Domain controllers
and WINS servers must have fully-qualified domain names (for example, dc.internaldomain.com).
You can specify multiple domains or domain controllers, but only one WINS server. Click + to add
more domains or domain controllers to the list.
If you specify domains or domain controllers, the McAfee ePO server attempts to authenticate users
with servers in the order they are listed. It starts at the first server in the list and continues down the
list until the user authenticates successfully.
Task
2 Either choose an existing permission set from the Permission Sets list and click Edit in the Name and users
section, or click New Permission Set.
5 In the LDAP browser, navigate through the groups and select the groups to which this permission
set applies.
Selecting an item in the Browse pane displays the members of that item in the Groups pane. You can
select any number of those groups to receive the permission set dynamically. Only members from
one item at a time can be added. To add more, repeat steps 4 and 5 until you are finished.
6 Click Save.
The permission set is applied to all users from the groups you specified who log on to the server
using Windows authentication.
Task
1 Select Menu | Configuration | Server Settings, select Login Message from the Settings Categories, then click Edit.
2 Select Display custom login message, then type your message and click Save.
If your network requires more security, you can restrict user sessions to a single IP address. Doing so
forces users to resubmit their credentials every time their IP address changes, such as when they take
their laptop to a different location.
Task
1 Select Menu | Configuration | Server Settings, select User Session from the Settings Categories, then click Edit.
3 Click Save.
Any time a user changes IP addresses, they must re-enter their credentials to access the McAfee ePO
console.
Action: The name of the action the McAfee ePO user tried.
User Name: User name of the logged-on user account that was used to take the action.
Audit Log information appears in the language of the Enterprise Administrator locale.
Audit Log entries can be queried. You can create queries with the Query Builder that target
this data, or you can use the default queries that target this data. For example, the Failed Logon
Attempts query retrieves a table of all failed logon attempts.
Task
2 Click Purge.
3 In the Purge dialog box, enter a number, then select a time unit.
4 Click OK.
Any items of the specified age or older are deleted, including items not in the current view. The
number of removed items is displayed in the lower right corner of the page.
Certificates have predefined expiration dates, which force the review of user permissions.
For users configured with valid certificates, certificate-based authentication replaces password
authentication. All other users continue to use passwords to access McAfee ePO.
Before your organization can use certificate-based authentication, install the CA certificate on McAfee
ePO and a signed client certificate on your endpoints.
Task
b From the Setting Categories list, select Certificate-based Authentication, and click Edit.
3 Next to CA certificate for client certificate, click Browse, navigate to and select the certificate file, then click
OK.
When a file is applied, the prompt changes to Replace current CA certificate.
Replace the certificate when it expires, or if your organization's security requirements change. For
example, your organization might require SHA-256 certificates for authentication.
3 (Optional) Select Enable CRL Distribution Point checks when the McAfee ePO server receives no response from
OCSP.
If the connection to the default OCSP URL fails, McAfee ePO tries to connect to the
certification authority CRL mentioned within the certificate under CRL Distribution Point
Check instead.
4 (Optional) Select Make the default OCSP URL the primary OCSP URL.
If that connection fails, McAfee ePO falls back to the other OCSP responder, if mentioned in
the certificate under Authority Information Access.
To require certificate-based authentication for all remote users, click Remote users use the certificate to
sign in.
To make the user name the same as the subject Distinguished Name (DN) specified in the
certificate, click Default certificate user name is the subject DN.
For these settings to work, you must have Active Directory user logon enabled and the user
group added to a permission set.
To automatically assign Active Directory users to a permission set, select Automatically assign
permission for user logon with an Active Directory certificate.
To automatically create a McAfee ePO user account for anyone who accesses McAfee ePO
with the valid AD certificate, select Automatically create user for Active Directory certificate owners.
6 Click Save.
Task
b From the Setting Categories list, select Certificate-based Authentication, and click Edit.
Once you disable certificate-based authentication, your users can no longer access McAfee ePO with a
certificate, and must log on with their user name and password instead. Your previous configuration
settings are reset.
Restart the server to complete the configuration change.
Task
b From the Users list, select a user, then click Actions | Edit.
Upload the signed certificate file: click Browse to navigate to and select the certificate file, then
click OK.
This certificate file was uploaded in the procedure, Configure MFS certificate-based
authentication.
User certificates can be in PEM or DER format. The actual certificate format does not matter as long
as the format is X.509 or PKCS12 compliant.
The certificate information is verified. A warning appears if the certificate is invalid. If the certificate is
valid, the McAfee ePO logon page appears. The user can choose a language and click Log On without
entering a user name and password.
The CRL file is a list of revoked McAfee ePO users and their digital certificate status. The list includes
the revoked certificates, the reasons for revocation, dates of certificate issue, and the issuing entity.
When a user tries to access the McAfee ePO server, the CRL file is checked and access is allowed or
denied for that user.
Task
For details about product features, usage, and best practices, click ? or Help.
3 To update the CRL file, next to Certificate revocation list file, click Choose File, navigate to the CRL file, then
click OK.
Every time a user tries to access McAfee ePO, it checks the updated CRL file to confirm that the
client certificate has not been revoked.
You can also use the cURL command line to update the CRL file.
To run cURL commands from the command line, install cURL and grant remote access to the McAfee
ePO server. See the McAfee ePolicy Orchestrator Web API Scripting Guide for cURL download details and
other examples.
In this command:
<admin_cert>: Administrator client certificate .PEM file name
Verify that the certificate is signed with the correct certificate authority.
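An added example, not taken from the McAfee guide: before a CRL file or user certificate is uploaded, the OpenSSL command line can confirm that both come from the expected certificate authority and that a revoked certificate is in fact rejected. The two lab CAs, the users alice and bob, the serial numbers, and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed lab PKI: every name, serial and file here is made up for the demo.

# Build two unrelated CAs (ca, other), two user certificates issued by "ca",
# and a CRL from "ca" that revokes alice for key compromise.
make_lab_pki() {
    d=$1
    : > "$d/index.txt" || return 1
    cat > "$d/lab.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = lab
[ lab ]
database = $d/index.txt
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_crl_days = 7
EOF
    for ca in ca other; do
        openssl req -x509 -config "$d/lab.cnf" -newkey rsa:2048 -nodes -sha256 \
            -days 30 -subj "/CN=Lab $ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" \
            2>/dev/null || return 1
    done
    serial=4097                     # hex 1001 for alice, hex 1002 for bob
    for user in alice bob; do
        openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$user" -keyout "$d/$user.key" -out "$d/$user.csr" \
            2>/dev/null || return 1
        openssl x509 -req -in "$d/$user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -set_serial "$serial" -sha256 -days 30 -out "$d/$user.pem" \
            2>/dev/null || return 1
        serial=$((serial + 1))
    done
    openssl ca -config "$d/lab.cnf" -revoke "$d/alice.pem" \
        -crl_reason keyCompromise 2>/dev/null || return 1
    openssl ca -config "$d/lab.cnf" -gencrl -out "$d/lab.crl" 2>/dev/null
}

# Succeeds only if the CRL signature verifies against the given CA certificate.
# The output is parsed rather than trusting the exit code of "openssl crl".
crl_signed_by() {        # crl_signed_by <crl> <ca.pem>
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Succeeds only if the certificate chains to the CA, the CRL is valid and
# current, and the certificate's serial is not listed in it.
cert_accepted() {        # cert_accepted <cert> <ca.pem> <crl>
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
}

# Prints the certificate serial in hex, the form used in the CRL listing.
cert_serial() {          # cert_serial <cert>
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Prints the revocation reason recorded for a serial, or nothing if the
# serial is not on the list.
revocation_reason() {    # revocation_reason <crl> <serial_hex>
    openssl crl -in "$1" -noout -text | awk -v s="$2" '
        /Serial Number:/ { hit = ($3 == s) }
        hit && /X509v3 CRL Reason Code/ {
            getline; gsub(/^[ \t]+|[ \t]+$/, ""); print; exit
        }'
}

LAB=$(mktemp -d) || exit 1
trap 'rm -rf "$LAB"' EXIT
make_lab_pki "$LAB" || { echo "lab PKI setup failed (is openssl installed?)" >&2; exit 1; }

crl_signed_by "$LAB/lab.crl" "$LAB/ca.pem" && echo "CRL: signed by the expected CA"
crl_signed_by "$LAB/lab.crl" "$LAB/other.pem" || echo "CRL: does not verify against an unrelated CA"
for user in alice bob; do
    if cert_accepted "$LAB/$user.pem" "$LAB/ca.pem" "$LAB/lab.crl"; then
        echo "$user: accepted"
    else
        sn=$(cert_serial "$LAB/$user.pem")
        echo "$user: rejected, serial $sn, CRL reason: $(revocation_reason "$LAB/lab.crl" "$sn")"
    fi
done
```

Against real files, only `crl_signed_by`, `cert_accepted` and `revocation_reason` are needed, pointed at the CA certificate, CRL and user certificate you intend to upload.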
Permission sets
Permission sets control the level of access users have to the features available in the software.
To create a more secure environment, specify and control the access users have to different parts of
the system for even the smallest installations.
Contents
How users, groups, and permission sets fit together
Manage permission sets
A user account grants logon access to the McAfee ePO console and, when mapped to a permission
set, defines what the user is allowed to access. Administrators can create accounts for individual
users and assign permissions, or they can create a permission set that maps to users or groups in
your Active Directory/NT server.
McAfee ePO users fall into two general categories. Either they are administrators, having full rights
throughout the system, or they are regular users. Regular users can be assigned any number of
permission sets to define their access levels in McAfee ePO.
Administrators
Administrators have read and write permissions and rights to all operations. When you install the
server, an administrator account is created automatically. By default, the user name for this account is
admin. If the default value is changed during installation, this account is named accordingly.
You can create additional administrator accounts for people who require administrator rights.
Import events into McAfee ePO databases and limit events that are stored there.
Users
Users can be assigned any number of permission sets to define their access levels in McAfee ePO.
User accounts can be created and managed in several ways. You can:
Create user accounts manually, then assign each account an appropriate permission set.
Configure your McAfee ePO server to allow users to log on using Windows authentication.
Allowing users to log on using their Windows credentials is an advanced feature that requires
configuration and setup of multiple settings and components.
Groups
Queries and reports are assigned to groups. Each group can be private (to that user only), globally
public (or "shared"), or shared to one or more permission sets.
Permission sets
A particular access profile is defined in a permission set. This profile usually involves a combination of
access levels to various parts of McAfee ePO. For example, one permission set might grant the ability
to read the Audit Log, use public and shared dashboards, and create and edit public reports or
queries.
Permission sets can be assigned to individual users, or if you are using Active Directory, to all users
from specific Active Directory servers.
Executive Reviewer: Provides view permissions to dashboards, events, contacts, and can view
information that relates to the whole System Tree.
Global Reviewer: Provides view access globally across functionality, products, and the System
Tree, except for extensions, multi-server roll up data, registered servers, and software.
Global Admin: Provides view and change permissions across McAfee ePO features. Users that are
assigned this permission set each need at least one more permission set that grants access to the
needed products and groups of the System Tree.
Group Reviewer: Provides view permissions across McAfee ePO features. Users that are assigned
this permission set each need at least one more permission set that grants access to the needed
products and groups of the System Tree.
A user group administrator or the global administrator can edit the canned permission sets as
required.
An edited canned permission set for the product is retained with the default canned permission set.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open the Permission Sets page: select Menu | User Management | Permission Sets.
Action and steps

Add a permission set:
1 Click New Permission Set.
2 Type a unique name for the new permission set.
3 To immediately assign specific users to this permission set, select their user
names in the Users section.
4 To map any Active Directory groups to this permission set, select the server
from the Server Name list, then click Add.
5 If you added any Active Directory servers that you want to remove, select them
in the Active Directory list box, then click Remove.
6 Click Save to create the permission set.

Edit a permission set:
1 Select a permission set to change. Its details appear to the right.
If you created a permission set, it is already selected for you.
2 Select a category of permissions to change by clicking Edit in that category row.

Copy a permission set:
1 From the Permission Sets list, select a permission set to duplicate, then click
Actions | Duplicate.
2 Type a new name for the duplicate permission set. By default, the software
appends (copy) to the existing name.
3 Click OK.

Delete a permission set:
1 From the Permission Sets list, select the permission set that you want to delete.
Its details appear to the right.
2 Click Actions | Delete, then click OK.

Export permission sets:
Click Export All.
The McAfee ePO server sends an XML file to your browser. What happens next
depends on your browser settings. Most browsers ask you to save the file.
The XML file contains only roles with a defined level of permissions. If, for
example, a Permission Set has no permissions for queries and reports, no entry
appears in the file.
Use the Software Manager to review and acquire McAfee software and software components.
Contents
What's in the Software Manager
Check in, update, and remove software using the Software Manager
Checking product compatibility
Evaluation software is software for which your organization does not currently possess a license. You
can install evaluation software on your server, but functionality might be restricted until you
acquire a product license.
Software updates are new updates for the released software you are using. You can use the Software
Manager to check in new packages and extensions. Available software updates are listed in the
Updates Available category.
Product documentation is new and updated product documentation you can obtain from the Software
Manager. Help extensions can be installed automatically. PDF and HTML documentation such as
Product Guides and Release Notes can also be downloaded from the Software Manager.
DATs and Engines are not available from the Software Manager.
Option and definition

Product Categories: This is where you search for or select products to view or manipulate in the
selected product tables.

Selected product tables, separated into three parts:

List of products and their status: Select a product in this list and details and manipulation
features appear in the details and component rows.

Product details row: Lists a product description, its status, allows a language filter, and
provides these actions:
Check In All: Checks in all new versions and components of the selected product.
Update All: Updates all existing versions and components of the selected product to the latest
version.
Remove All: Removes all versions and components of the selected product.

Component rows: Displays all components of the selected product and, depending on the
component, allows you to check in, update, remove, or download the individual component.
Software availability, and whether it is in the Licensed or Evaluation category, depends on your license key.
For more information, contact your administrator.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Click Menu | Software | Software Manager.
2 In the Software Manager page Product Categories list, select one of the following categories, or use the
search box to find your software:
Updates Available: Lists any available updates to licensed software components already installed
or checked in to the McAfee ePO server.
Checked in Software: Displays all software (both Licensed and Evaluation) installed or checked in to
this server.
If you recently added the license for a product and it appears as Evaluation, click Refresh to update
the Licensed count and display the product as Licensed under Checked In Software.
Software Not Checked in: Displays any software that is available, but not installed on this server.
Software (by Label): Displays software by function as described by McAfee product suites.
3 When you have located the correct software, select an action that applies to all the components in
the software, or to individual components:
For all the components in the software, click:
Check In All to check in all components of the new product on this server.
Update All to update all components of the existing product on this server.
Remove All to remove all components of the existing product on this server.
4 In the Check In Software Summary page, review and accept the product details and End User License
Agreement (EULA), then click OK to complete the operation.
McAfee ePO performs this check any time the installation and startup of an extension might leave your
server in an undesirable state. The check occurs:
During an upgrade from a previous version of McAfee ePO
An initial list is included in the McAfee ePO software package from the McAfee website. When you run
setup during installation or upgrade, McAfee ePO automatically retrieves the most current list of
compatible extensions from a trusted McAfee source. If the Internet source is unavailable or if the list
can't be verified, McAfee ePO uses the latest version it has available.
The McAfee ePO server updates the Product Compatibility List in the background once per day.
Remediation
When you view the list of incompatible extensions through the installer or the Upgrade Compatibility
Utility, you are notified if a known replacement extension is available.
An extension is disabled, but you must update it after the McAfee ePO upgrade is complete.
When the Software Manager content is refreshed (helpful when your McAfee ePO server does not
have inbound Internet access).
When you re-enable the download setting for the Product Compatibility List (also re-enables
Software Manager automatic updates of the Product Compatibility List).
When using Server Settings | Product Compatibility List to manually upload a Product Compatibility List.
This list takes effect immediately after upload.
Best practice: Disable automatic updating of the list to prevent overwriting the manually
downloaded Product Compatibility List.
Command and description

setup.exe DISABLEPRODCOMPATUPDATE=1
Disables automatic downloading of the Product Compatibility List from the McAfee website.

setup.exe PRODCOMPATXML=<full_filename_including_path>
Specifies an alternate Product Compatibility List file.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Product Compatibility List from the Setting Categories, then
click Edit.
A list of disabled incompatible extensions appears.
2 Click Disabled to stop automatic and regular downloads of the Product Compatibility List from
McAfee.
3 Click Browse and navigate to the Upload Product Compatibility List, then click Save.
Automatic downloading of the Product Compatibility List is disabled. Your McAfee server uses the same
list until you upload a new list, or connect your server to the Internet and enable automatic
downloading.
When you want to roll out new products outside of your normally scheduled tasks, you can check them
in manually.
Contents
Bring products under management
Check in packages manually
Delete DAT or engine packages from the Master Repository
Move DAT and engine packages between branches
Check in Engine, DAT, and Extra.DAT update packages manually
Best practice: Automating DAT file testing
Task
For details about product features, usage, and best practices, click ? or Help.
1 From the McAfee ePO console, select Menu | Software | Extensions | Install Extension.
You can only have one task updating the Master Repository at once. If you try to install an
extension at the same time as a Master Repository update is running, the following error appears:
Wait until the Master Repository update is done and try to install your extension again.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select the package type, then browse to and select the package file.
3 Click Next.
Branch: Select the branch. If there are requirements in your environment to test new packages
before deploying them throughout the production environment, use the Evaluation branch
whenever checking in packages. Once you finish testing the packages, you can move them to
the Current branch by selecting Menu | Software | Master Repository.
5 Click Save to begin checking in the package, then wait while the package is checked in.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
If you have McAfee NetShield for NetWare in your network, select Support NetShield for NetWare.
5 Click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select the package type, browse to and select a package file, then click Next.
3 Select a branch:
Current: Use the packages without testing them first.
Once you finish testing the packages, you can move them to the Current branch by selecting Menu
| Software | Master Repository.
4 Next to Options, select Move the existing package to the Previous branch to archive the existing package.
5 Click Save to begin checking in the package. Wait while the package is checked in.
The compatibility validation processes vary by organization. The process in this section is meant to
automate much of the compatibility validation process and reduce the need for administrator
intervention.
Best practice: To confirm that only compatible DAT files are distributed in your environment, you might
choose to move the content manually from the Evaluation branch into the Current branch of the repository.
A server task pulls DAT updates from the McAfee public site to the Evaluation branch of the
Master Repository.
A McAfee Agent policy applies the DAT files from the Evaluation repository branch restricted to a
group of systems in a Test group.
A McAfee Agent update client task installs the DAT on the Test group systems.
If the DAT is not compatible with the test group, an Automatic Response email is sent to the
appropriate administrators. The email tells the administrators to stop distribution of the DAT files
from the Current repository.
Otherwise, after a specified time, a server task copies the files from the Evaluation branch to the
Current branch of the repository. Then those files are automatically sent to the rest of the
managed systems.
Evaluation branch: Used to test new DAT and engine updates before deploying to your whole
organization.
Previous branch: Used to save and store prior DAT and engine files before adding the new ones to
the Current branch.
You must create two server tasks to automate the DAT file testing.
One task pulls the DAT files hourly to the Evaluation branch to ensure that the latest DAT is in the
Evaluation branch shortly after McAfee releases it to the public.
Best practice: Run the task hourly to get an extra DAT file in case the initial file, released at 11:00
a.m., was replaced later in the day.
One server task waits until a few hours after the test group of systems is scanned. Then, unless
the administrator stops the server task, it automatically copies the DAT files from the Evaluation
branch to the Current branch.
Tasks
Best practices: Configure task to pull DAT to Evaluation branch
To automate your DAT file testing process, you must create a task to automatically pull DAT
files from the McAfee public site into the Evaluation repository branch.
Best practices: Configure server task to copy files from Evaluation to Current branch
To automate your DAT file testing process, create a task to automatically copy DAT files
from the Evaluation branch of the repository to the Current branch.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Automation | Server Tasks, then click Actions | New Task to display the Server Task Builder wizard.
2 In the Description tab, type a server task name, for example, DAT pull hourly to Evaluation
repository, and a description to appear on the Server Task page.
From the Source site list, select the McAfee public site you want to use, McAfeeFtp or McAfeeHttp.
5 From the Available Source Site Packages dialog box, select DAT and Engine, then click OK.
We recommend that, at minimum, you pull the DAT and engine files from the McAfee public
website.
If you have multiple distributed repositories, you can chain a replication task to the same pull task
to replicate your Evaluation branch to your distributed repositories.
From Schedule, configure the task to run every hour at 10 minutes past the hour.
7 Click Next, confirm that all settings are correct in the Summary tab, then click Save.
To confirm that the automatic DAT file pull is working, go to Menu | Software | Master Repository and use the
Check-In date information to confirm that the Evaluation branch DAT file was updated within the last
two hours.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Automation | Server Tasks, then click Actions | New Task.
2 In the Server Task Builder Descriptions tab, type a task name and notes, then in Schedule status, click
Enabled, then click Next.
Click + to create another action, and from the second Actions list, select Change the Branch for a
Package, select All packages of type 'Engine' in branch 'Evaluation' as the package to change, Copy as the
action, and Current as the target branch.
Change the Schedule settings to configure the task to run at 4:00 or 5:00 p.m.
Historically, McAfee releases DAT files only once a day, at about 3:00 p.m. Eastern Time (19:00
UTC or GMT). In the rare case that a second DAT file is released later in the day, it requires an
administrator to disable the copy task to your Current Branch.
Click Next, confirm that all settings are correct in the Summary tab, then click Save.
To confirm that the DAT file copy from the Evaluation branch to the Current branch is working, go to
Menu | Software | Master Repository and use the Check-In date information to confirm that the Evaluation
branch DAT file was copied to the Current branch at the time configured in the schedule.
See also
Best practices: Configure task to pull DAT to Evaluation branch
Use 20-30 systems for validation for organizations with less than 10,000 nodes. For larger
organizations, include at least 50 types of systems.
You can use VMware images that replicate your operating system builds. Make sure that these
systems are in a "clean" state to ensure that no malware has been introduced.
Use Tags to apply policies and tasks to individual systems that are scattered throughout your
System Tree. Tagging these systems has the same effect as creating an isolated test group, but
allows you to keep your systems in their current groups.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To create a System Tree group, select Menu | Systems Section | System Tree.
2 From the System Tree group list, select where you want to add your new group, then click System
Tree Actions | New Subgroups, and in the New Subgroups dialog box, type a name, for example DAT
Validation, then click OK.
3 To add systems to your test group, you can drag systems from other groups to your newly created
subgroup, add new systems, or add virtual machine systems.
You created a test group as an isolated group of systems. This test group allows you to test new DAT
and engine updates before you deploy the updates to all other systems in your organization.
Task
For details about product features, usage, and best practices, click ? or Help.
1 In the System Tree, select Menu | Systems Section | System Tree, then click the test group that you created.
2 To duplicate the existing policy, click the Assigned Policies tab, select McAfee Agent from the Product list,
then in the Category list in the General policy row, click My Default.
3 On the My Default page, click Duplicate, and in the Duplicate Existing Policy dialog box, type the name, for
example Update from Evaluation, add any notes, then click OK.
This step adds a policy, Update from Evaluation, to the Policy Catalog.
4 Click the Updates tab to change the repository used by this policy.
5 In the Repository branch to use for each update type, click the DAT and Engine list down-arrows,
then change the listed repositories to Evaluation.
6 Click Save.
Now you have created a McAfee Agent policy to use with an update task that automatically copies the
DAT and content files to the systems in your test group from the Evaluation repository.
This configuration assumes that you are not using user systems as your test systems. If you are using
actual user systems, you might need to change some of these scan configurations.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To create a new on-demand scan task, select Menu | Policy | Client Task Catalog, then from the Client Task
Catalog page in the Client Task Types list, expand VirusScan Enterprise and click On Demand Scan.
2 In the Client Task Catalog page, click New Task, and in the New Task dialog box, confirm that On
Demand Scan is selected and click OK.
3 On the Client Task Catalog: New Task page, type a name, for example, Evaluation test group ODS
task, and add a detailed description.
Running Processes
Windows folder
b For the Scan options, select Include subfolders and Scan boot sectors.
c For Heuristics, select Find unknown program threats and Find unknown macro threats.
b For When an unwanted program is found, configure Clean files, then Delete files.
7 Click the Performance tab and configure System utilization as Low and Artemis as Very Low.
b For User account to use when running task, set your credentials and select the test group domain.
9 Click Save.
Now the on-demand scan task is configured to scan for any problems that might occur in your test
group. Next configure a client task to schedule when to launch the task.
See also
Best practice: Create a test group of systems
Task
For details about product features, usage, and best practices, click ? or Help.
2 On the Client Task Catalog page, select VirusScan Enterprise and On Demand Scan in Client Task Types.
3 Find the on-demand scan you created, click Assign in the Actions column, select the test group of
systems that you created to assign the task, then click OK.
4 In the Client task Assignment Builder, configure these settings, then click Next:
a For Product list, select VirusScan Enterprise.
c For Task Name list, select the ODS task you created.
c For Effective period, select today's date as the Start date, then select No end date.
Click Run at that time, and then repeat until, then select 2:00 PM from the time lists.
For During repeat, start task every, select 5 minute(s) from the lists.
e For Task runs according to, click Local time on managed systems.
Your on-demand scan task is now scheduled to run every 5 minutes, from 9:05 a.m. until 2:00 p.m.,
after each agent policy update, from the Evaluation repository to the test group.
See also
Best practice: Create a test group of systems
Best practice: Configure an on-demand scan of the test group
Task
For details about product features, usage, and best practices, click ? or Help.
1 To display the Response Builder, select Menu | Automation | Automatic Responses, click New Response, then
configure these settings in the Descriptions tab, then click Next.
a Type a name, for example Malware found in test group, and a detailed description
c For Event Group, select ePO Notification Events from the list.
b In the Required Criteria column and the Defined at row, click ... to select the test group of systems
that you created in the Select System Tree Group dialog box, then click OK.
c In the Threat Category row, select Belongs to from the Comparison list and Malware from the Value
list. Click + to add another category.
d Select Belongs to from the Comparison list and Access Protection from the Value list.
d For Subject, type an email header, for example Malware found in the Test Group!
e For Body, type a message, for example Research this NOW and stop the server task that
pulls content into the Current branch!
f Following the message body, insert these variables to add to the message, and click Insert:
OS Platform
Threat Severity
Threat Type
5 Click Next, confirm that the configuration is correct in the Summary tab, then click Save.
Now you have an Automatic Response configured that sends an email to an administrator any time
malware is detected in the test group running the Evaluation DAT file.
McAfee ePO simplifies the process of deploying security products to the managed systems in your
network by providing a user interface to configure and schedule deployments.
There are two processes you can follow to deploy products using McAfee ePO:
Product Deployment projects, which streamline the deployment process and provide more
functionality.
Contents
Product deployment steps
Choosing a product deployment method
Benefits of product deployment projects
The Product Deployment page
Viewing Product Deployment audit logs
View product deployment
Deploy products using a deployment project
Monitor and edit deployment projects
Deploy new product example
Global updating
Deploy update packages automatically with global updating
Use the Software Manager to automatically review and update McAfee software and software
components.
From the Master Repository, you can manually check in deployment packages then use Product
Deployment or client tasks to deploy them to your managed systems.
The Product Deployment feature offers a simplified workflow and increased functionality to
deploy products to your McAfee ePO managed systems.
Create client tasks to manually assign and schedule product deployments to groups or individual
managed systems.
Product deployment is the output process that keeps your security software as current as
possible to protect your managed systems.
See also
Check in, update, and remove software using the Software Manager
Check in packages manually
Create client tasks
Deploy products using a deployment project
To maintain and use client tasks and objects created outside of a Product Deployment project, use the
client task object library and assignment interfaces. You can maintain existing tasks and objects while
using the Product Deployment project interface to create new deployments.
Run a deployment continuously: You can configure your deployment project so that when new
systems matching your criteria are added, products are deployed automatically.
Stop a running deployment: If you must stop a deployment once it's started, you can. Then
you can resume that deployment when you're ready.
Uninstall a previously deployed product: If a deployment project has been completed, and
you want to uninstall the associated product from the systems assigned to your project, select
Uninstall from the Action list.
The following table compares the two processes for deploying products: individual client task objects
and product deployment projects.
Deployment summary: Lists the product deployments and allows you to filter them by type
and status and quickly view their progress. If you click a deployment, details about the
deployment are displayed in the deployment details area.
Deployment details: Lists the details of the selected deployment and includes the following
areas.
Status monitor: Displays the progress and status depending on the type of deployment and its
status:
Continuous deployments display a calendar if the deployment is pending, or a bar chart during
the deployment.
Fixed deployments display a calendar if the deployment is pending, a bar chart if Current is
selected, or a histogram if Duration is selected.
You can use Action to change a deployment.
Details: Allows you to view deployment configuration details, status, and if needed, click View
Task Details to open the Edit Deployment page.
System name: Displays a filterable list of target systems receiving the deployment. The systems
are displayed according to the deployment type and whether the systems were selected
individually, as tags, as System Tree groups, or query output tables.
Clicking System Actions displays the filtered list of systems in a dialog box with more detail and
allows you to perform actions on the systems, such as update and wake-up.
Status: Displays a three-section bar indicating the progress of the deployment and its status.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Find the initially created product deployment: select Menu | Product Deployment.
The initially created product deployment uses the name of the System Tree group you configured in
the Getting Started dashboard process and appears in the Deployment summary list with the name
Initial Deployment My Group.
2 To view the product deployment details, select the name of the product deployment assigned to the
initial product deployment URL that you created. The page changes to display details of the product
deployment configuration.
Don't change this default product deployment. This deployment is running daily to update your
managed systems if any products or the McAfee Agent are updated.
Now you know the location and configuration of the initially created product deployment. You can
duplicate this product deployment, for example, to deploy the McAfee Agent to platforms using
different operating systems.
You can also change the initially created client task named, for example Initial Deployment My Group. To
find the client task, select Menu | Client Task Catalog; it is listed in the Client task Types under Product
Deployment.
Expired products appear in the Packages list. You can uninstall them from target systems in Actions.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Type a name and description for this deployment. This name appears on the Product Deployment
page after you save the deployment.
Fixed: Uses a fixed (defined) set of systems to receive the deployment. System selection is
done using your System Tree or the output of Managed Systems Queries.
5 To automatically update your products, make sure that the Auto Update checkbox is selected.
If the checkbox is deselected, products are still updated with the latest patches, hotfixes, and
content packages, but major and minor releases are ignored.
During a new deployment, the McAfee Agent checks for new updates, hotfixes, and content
packages of all installed products on the client. See the McAfee Agent documentation for details.
6 To specify which software to deploy or uninstall, select a product from the Package list. Click + or - to
add or remove packages.
Your software must be checked in to the Master Repository before it can be deployed. The Language
and Branch fields are populated automatically, as determined by the location and language specified
in the Master Repository.
8 In the Command line text field, specify any command-line installation options. For information about
command-line options, see the product documentation for the software you're deploying.
Tags: Select tag groups or tag subgroups and their associated systems.
Selected Systems: Displays the total selections you made in each tab, creating the target systems
for your deployment.
For example, if your System Tree contains Group A, which includes both servers and workstations,
you can target the entire group. You can also target only the servers or only the workstations (if
they are tagged correctly), or a subset of either system type in Group A.
For a fixed deployment, the maximum number of systems that can receive the deployment is 500.
Once or Daily: Opens the scheduler so you can configure the start date, time, and
randomization.
11 Click Save at the top of the page. The Product Deployment page opens with your new project added
to the list of deployments.
After you create a deployment project, a client task is automatically created with the deployment
settings.
Task
Status: Filters the deployments that appear by All, Finished, In Progress, Pending, Running, or
Stopped.
3 From the list on the left side of the page, click a deployment to display its details on the right side
of the page.
If a package in this deployment expires, the deployment is invalid. If you mouse-over the
deployment, you see this message: "Package(s) in this deployment have been moved, deleted, or
expired."
Histogram displaying systems and the time to completion for fixed deployments.
Under the status bar, Task Status lists Successful, Failed, and Pending for the number of target
systems in parentheses.
Delete
Duplicate
Mark Finished
Stop
Uninstall
6 In the details section, click View Task Details to view and modify the settings for the deployment.
7 In the Systems table, select an option in the Filter list to change which systems appear.
For the Uninstall action, the filters include All, Packages Removed, Pending, and Failed.
For all other actions, the filters include All, Install Successful, Pending, and Failed.
Check the tags associated with the target systems in the Tags column.
Click System Actions to perform system-specific actions on the systems you select.
Task
Option: Description
Name and Description: Type a name and description for this deployment.
  This name appears on the Deployment page after the deployment is saved.
Select a start time: Pick a start time or schedule for your deployment:
  Run Immediately: Starts the deployment task after the next ASCI.
  Once: Opens the scheduler so that you can configure the start date, time, and
  randomization.
Save: When finished, click Save at the top of the page. The Product Deployment page
  opens with your new project added to the list of deployments.
After you create a deployment project, a client task is automatically created with the deployment
settings.
3 On the Product Deployment page, confirm that the product deployment project is correctly working
by checking this information.
Option: Description
Deployment: Click the product deployment project that you created in the previous step. The
  summary details appear on the right side of the page.
Global updating
Global updating automates replication to your distributed repositories and keeps your managed
systems current.
Replication and update tasks are not required. Checking contents into your Master Repository initiates
a global update. The entire process finishes within an hour in most environments.
You can also specify which packages and updates initiate a global update. When you specify that
certain content initiates a global update, make sure to create a replication task to distribute content
that was not selected.
Best practice: When using global updating, schedule a regular pull task (to update the Master
Repository) at a time when network traffic is minimal. Although global updating is much faster than
other methods, it increases network traffic during the update.
3 The server issues a SuperAgent wake-up call to all SuperAgents in the environment.
4 The SuperAgent broadcasts a global update message to all agents within the SuperAgent subnet.
5 Upon receipt of the broadcast, the agent is supplied with a minimum catalog version needed for
updating.
6 The agent searches the distributed repositories for a site that has this minimum catalog version.
7 Once a suitable repository is found, the agent runs the update task.
If the agent does not receive the broadcast, the minimum catalog version is supplied at the next
agent-server communication.
If the agent receives notification from a SuperAgent, the agent is supplied with the list of updated
packages. If the agent finds the new catalog version at the next agent-server communication, it is not
supplied with the list of packages to update, and updates all packages available.
Requirements
These requirements must be met to implement global updating:
A SuperAgent must use the same agent-server secure communication (ASSC) key as the agents
that receive its wake-up call.
Distributed repositories are set up and configured throughout your environment. We recommend
SuperAgent repositories, but they are not required. Global updating functions with all types of
distributed repositories.
If using SuperAgent repositories, managed systems must be able to access the repository where their
updates come from. Although a SuperAgent is required on each broadcast segment for systems to
receive the wake-up call, SuperAgent repositories are not required on each broadcast segment.
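The agent-side flow and requirements above can be modelled to spot systems that miss the broadcast or cannot reach a current repository. This is an added example, not McAfee code: integer catalog versions, the key labels, subnets, names, the "first listed repository wins" order and the "at least the minimum version" comparison are all assumptions.

```python
"""Simplified model of how an agent reacts to a global update (added example).

Catalog versions are integers and ASSC keys are short labels here; both are
constructed stand-ins, not the product's real formats.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SuperAgent:
    subnet: str      # broadcast segment the SuperAgent sits on
    assc_key: str    # agent-server secure communication key it uses


@dataclass(frozen=True)
class Agent:
    name: str
    subnet: str
    assc_key: str


@dataclass(frozen=True)
class Repository:
    name: str
    catalog_version: int
    reachable_from: Tuple[str, ...]   # subnets that can access this repository


@dataclass(frozen=True)
class UpdatePlan:
    agent: str
    trigger: str                         # "broadcast" or "next-asc"
    repository: Optional[str]            # None: no reachable repository is current enough
    packages: Optional[Tuple[str, ...]]  # None: no list supplied, update all packages


def hears_broadcast(agent: Agent, superagents: Sequence[SuperAgent]) -> bool:
    """True if a SuperAgent on the agent's segment uses the same ASSC key."""
    return any(sa.subnet == agent.subnet and sa.assc_key == agent.assc_key
               for sa in superagents)


def pick_repository(agent: Agent, repos: Sequence[Repository],
                    min_catalog: int) -> Optional[str]:
    """First reachable repository holding at least the minimum catalog version."""
    for repo in repos:  # assumption: repositories are tried in listed order
        if agent.subnet in repo.reachable_from and repo.catalog_version >= min_catalog:
            return repo.name
    return None


def plan_update(agent: Agent, superagents: Sequence[SuperAgent],
                repos: Sequence[Repository], min_catalog: int,
                updated_packages: Sequence[str]) -> UpdatePlan:
    """Broadcast path carries the package list; the ASC fallback does not."""
    if hears_broadcast(agent, superagents):
        trigger, packages = "broadcast", tuple(updated_packages)
    else:
        trigger, packages = "next-asc", None
    return UpdatePlan(agent.name, trigger,
                      pick_repository(agent, repos, min_catalog), packages)


def run_demo() -> List[UpdatePlan]:
    """Constructed environment: one good segment, one key mismatch, one uncovered."""
    superagents = [SuperAgent("10.1.0.0/24", "key-A"),
                   SuperAgent("10.2.0.0/24", "key-B")]   # key differs from its agents
    agents = [Agent("ws-1", "10.1.0.0/24", "key-A"),
              Agent("ws-2", "10.2.0.0/24", "key-A"),
              Agent("ws-3", "10.3.0.0/24", "key-A")]     # no SuperAgent on segment
    repos = [Repository("sa-repo", 41, ("10.1.0.0/24",)),               # stale copy
             Repository("http-repo", 42, ("10.1.0.0/24", "10.2.0.0/24"))]
    return [plan_update(a, superagents, repos, 42, ["content-pkg"]) for a in agents]


if __name__ == "__main__":
    for plan in run_demo():
        print(plan)
```
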
Task
1 Click Menu | Configuration | Server Settings, select Global Updating, then click Edit at the bottom of the page.
Global updating initiates an update only if new packages for the components specified here are
checked in to the Master Repository or moved to another branch. Select these components
carefully.
Signatures and engines: Select Host Intrusion Prevention Content, if needed.
Selecting a package type determines what initiates a global update (not what is updated during the
global update process). Agents receive a list of updated packages during the global update process.
The agents use this list to install only updates that are needed. For example, agents update only
packages that have changed since the last update, not packages that have not changed.
When you are ready for the automatic updating to begin, make sure to run a Pull Now task and schedule a
recurring Repository Pull server task.
Policies ensure that product features are configured correctly on managed systems.
Contents
About policies
Policy assignment rules
Create and manage policies
Move and share policies between McAfee ePO servers
Create and manage policy assignment rules
Policy management users
Assign policies to managed systems
Copy and paste policy assignments
View policy information
About policies
A policy is a collection of settings that you create and configure, then enforce.
Policies are organized by product, then by categories within each product. For example, the McAfee
Agent product includes categories for General, Repository, and Troubleshooting.
To see policies in a specific policy category, select Menu | Policy | Policy Catalog, then select a product and
category from the drop-down lists. On the Policy Catalog page, users can see only policies for products
for which they have permissions.
Each category includes two default policies, McAfee Default and My Default. You can't delete, edit, export,
or rename these policies, but you can copy them and edit the copy.
After policy settings are in effect on the managed system, the McAfee Agent continues to enforce
policy settings according to the policy enforcement interval. By default, the policy enforcement occurs
every 60 minutes. You can adjust this interval on the General tab as well.
Inheritance determines whether the policy settings and client tasks for a group or system are taken
from its parent. By default, inheritance is enabled throughout the System Tree.
When you copy and paste policy assignments, only true assignments are pasted. If the source location
inherited a policy that you selected to copy, it is the inheritance characteristic that is pasted to the
target. The target then inherits the policy (for that particular policy category) from its parent.
The inherited policy might be a different policy than the source policy.
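The inheritance and copy/paste behavior described above can be checked with a small model that compares effective policies after a paste. This is an added example, not McAfee code: the tree, system names and policy names are constructed, and the model only covers what this section states (true assignments versus inherited ones).

```python
"""Simplified model of System Tree policy inheritance and Copy/Paste Assignments.

Added example; node names and policy names are constructed, not from the guide.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

INHERIT = "<inherit from parent>"   # clipboard marker for a non-true assignment


@dataclass
class Node:
    """A System Tree group or system."""
    name: str
    parent: Optional["Node"] = None
    # category -> policy name. Only *true* assignments are stored here; a
    # category missing from the dict is inherited from the parent.
    assigned: Dict[str, str] = field(default_factory=dict)

    def effective(self, category: str) -> Tuple[str, str]:
        """Return (policy, node it comes from) for one policy category."""
        node: Optional[Node] = self
        while node is not None:
            if category in node.assigned:
                return node.assigned[category], node.name
            node = node.parent
        raise LookupError(f"no assignment for {category!r} up to the tree root")


def copy_assignments(source: Node, categories: Iterable[str]) -> Dict[str, str]:
    """Copy: true assignments keep their policy, inherited ones become INHERIT."""
    return {c: source.assigned.get(c, INHERIT) for c in categories}


def paste_assignments(target: Node, clipboard: Dict[str, str]) -> None:
    """Paste: set true assignments; for INHERIT, make the target inherit too."""
    for category, policy in clipboard.items():
        if policy == INHERIT:
            target.assigned.pop(category, None)   # target now follows its own parent
        else:
            target.assigned[category] = policy


def drift(source: Node, target: Node,
          categories: Iterable[str]) -> List[Tuple[str, str, str]]:
    """List (category, source policy, target policy) where effective policies differ."""
    out = []
    for c in categories:
        s, t = source.effective(c)[0], target.effective(c)[0]
        if s != t:
            out.append((c, s, t))
    return out


def build_demo() -> Tuple[Node, Node]:
    """Constructed tree: a server that inherits General, a workstation that does not."""
    root = Node("My Organization",
                assigned={"General": "My Default", "Repository": "My Default"})
    servers = Node("Servers", root, {"General": "Agent-Servers-Hardened"})
    workstations = Node("Workstations", root)
    srv01 = Node("srv-01", servers, {"Repository": "Repo-Datacenter"})
    ws07 = Node("ws-07", workstations, {"General": "Agent-Kiosk"})
    return srv01, ws07


if __name__ == "__main__":
    CATEGORIES = ["General", "Repository"]
    src, dst = build_demo()
    paste_assignments(dst, copy_assignments(src, CATEGORIES))
    for category in CATEGORIES:
        print(category, "->", dst.effective(category))
    print("drift after paste:", drift(src, dst, CATEGORIES))
```

After the paste, the target's General policy comes from the tree root rather than from the source's parent group, which is the case the drift check reports.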
Assignment locking
You can lock the assignment of a policy on any group or system. Assignment locking prevents other
users from inadvertently replacing a policy. Assignment locking is inherited with the policy settings.
Assignment locking is valuable when you want to assign a certain policy at the top of the System Tree
and make sure that no other users move it.
Assignment locking does not prevent the policy owner from changing policy settings. Therefore, if you
intend to lock a policy assignment, make sure that you are the owner of the policy.
Policy ownership
Each policy is assigned an owner: the user who created it. You must have the correct permissions to
edit a policy you don't own.
If you want to use a policy owned by a different user, we recommend that you duplicate the policy,
then use the duplicate. Duplicating policies prevents unexpected policy changes from affecting your
network. If you assign a policy that you don't own, and the owner modifies the policy, all systems that
were assigned the policy receive the modifications.
User-based policies: Policies that include at least one user-specific criterion. For example, you can
create a policy assignment rule that is enforced for all users in your engineering group. You can
then create another policy assignment rule for members of your IT department. This rule allows
them to log on to any computer in the engineering network with the access rights to troubleshoot
problems on a specific system in that network. User-based policies can also include system-based
criteria.
System-based policies: Policies that include only system-based criteria. For example, you can
create a policy assignment rule that is enforced for all servers on your network based on the tags
you have applied, or all systems in a specific location in your System Tree. System-based policies
cannot include user-based criteria.
When multi-slot policies are aggregated, they are aggregated only with multi-slot policies of the same
type. However, multi-slot policies assigned using policy assignment rules are not aggregated with
multi-slot policies assigned in the System Tree. Multi-slot policies assigned using policy assignment
rules override policies assigned in the System Tree. Furthermore, user-based policies take priority over
system-based policies.
When a user logs on to a managed system for the first time, there can be a slight delay while the
McAfee Agent contacts its assigned server for the policy assignments specific to this user. During this
time, the user has access only to that functionality allowed by the default computer policy, which
typically is your most secure policy.
On a managed system, the agent keeps a record of the users who log on to the network. The policy
assignments you create for each user are pushed down to the system they log on to, and are cached
during each agent-server communication. The McAfee ePO server applies the policies that you
assigned to each user.
To use user-based policy assignments, register and configure a registered LDAP server for use with your
McAfee ePO server.
All policy assignment rules require that a System Tree location is specified. Tag-based policy
assignments are useful when you want all systems of a particular type to have the same security
policy, regardless of their System Tree location.
Once the tag is created, you can use the Run Tag Criteria action from the Tag Catalog page to assign the
new policy. As each system with the new tag calls in at its regular interval, it is assigned a new policy
based on your isSuperAgent Policy Assignment Rule.
Tasks
Create a policy from the Policy Catalog page
Custom policies created using the Policy Catalog are not assigned to any groups or
systems. You can create policies before or after a product is deployed.
Enforcing product policies
Policy enforcement is enabled by default, and is inherited in the System Tree, but you can
manually enable or disable enforcement on specified systems.
Enforce policies for a product in a System Tree group
Enable or disable policy enforcement in a group.
Enforce policies for a product on a system
Enable or disable policy enforcement on a managed system.
Manage policy history
You can view and compare policy history entries, or revert to a previous version of a policy.
Edit policy history permission sets
Configure the permission sets for your products so that users can revert policies to
previous versions using the Policy History page.
Compare policies
Policy Comparison can help you identify differences between similar policies.
Change the owners of a policy
By default, ownership is assigned to the user who creates the policy. If you have the
required permissions, you can change the ownership of a policy.
Task
All created policies for the selected category appear in the Details pane.
2 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down list.
6 Click Save.
Policy Catalog page: View policy assignments and enforcement. You can also lock policy
enforcement to prevent changes below the locked node.
If policy enforcement is turned off, systems in the specified group don't receive updated site lists during
an agent-server communication. As a result, managed systems in the group might not function as
expected.
For example, you might configure managed systems to communicate with Agent Handler A. If policy
enforcement is turned off, the managed systems do not receive the new site list with this information
and the systems report to a different Agent Handler listed in an expired site list.
Task
1 Select Menu | Systems | System Tree, click the Assigned Policies tab, then select a group in the System Tree.
2 Select the product you want, then click the link next to Enforcement Status.
3 To change the enforcement status, select Break inheritance and assign the policy and settings below.
6 Click Save.
Task
1 Select Menu | Systems | System Tree, click the Systems tab, then select the group under System Tree where the
system belongs.
The list of systems belonging to this group appears in the details pane.
4 If you want to change the enforcement status, you must first select Break inheritance and assign the policy
and settings below.
6 Click Save.
Only policies you create in the Policy Catalog have Policy History entries. Make sure that you leave a
comment when you revise a policy. Consistent commenting creates a strong history of your changes.
To record policy revisions, type a comment in the text field next to Duplicate, in the footer of the Policy
Catalog page.
If you have policy users configured to create and edit policies, the Status column options vary
depending on your permissions. For example:
McAfee ePO administrators have full control of all policy history functions.
Policy users can monitor the status of their policies. Status includes Pending Review, Approved, or
Declined.
Task
No Policy History entries appear for McAfee Default policies. You might need to use the page filter to
select a created or duplicated McAfee Default policy.
2 Use the Product, Category, and Name filters to select Policy History entries.
3 To manage a policy or Policy History entry, click Actions, then select an action.
Choose Columns: Opens a dialog box that allows you to select which columns to display.
Compare Policy: Opens the Policy Comparison page where you can compare two selected policies.
The current version of a policy has the latest date. To compare the current revision of a policy
and a previous policy revision, select the latest revision and a previous revision to compare.
Export Table: Opens the Export page where you can specify the package and format of Policy
History entry files to export, then email the file.
When you revert a policy, you are prompted to add a comment to the Policy History entry.
Task
2 In the right pane, click Edit in the Permission row for the product associated with the policy. For
example, select EEFF Policy Permission to change McAfee Endpoint Encryption for Files and Folders
policy permissions.
3 Click View and change policy and task settings, then click Save.
Now you can revert existing policies to Policy History entries from the Policy History page.
Compare policies
Policy Comparison can help you identify differences between similar policies.
Many of the values and variables included on the Policy Comparison page are specific to each product.
For option definitions not included in the table, see the documentation for the product that provides
the policy you want to compare.
Task
1 Select Menu | Policy Comparison, then select a product, category, and Show settings from the lists.
Best practice: Change the Show setting from All Policy Settings to Policy Differences or Policy Matches to
reduce the data displayed.
These settings populate the policies to compare in the Policy 1 and Policy 2 lists.
2 Select the policies to compare in the Compare policies row from the Policy 1 and Policy 2 column lists.
The top two rows of the table display the number of settings that are different and identical.
Task
1 Select Menu | Policy | Policy Catalog, then select the Product and Category.
All created policies for the selected category appear in the details pane.
2 Locate the policy you want, then click the owner of the policy.
The Policy Ownership page appears.
3 Select the owners of the policy from the list, then click OK.
Tasks
Register servers for policy sharing
Register servers to share a policy.
Designate policies for sharing
You can designate a policy for sharing among multiple McAfee ePO servers.
Schedule server tasks to share policies
The Share Policies server task ensures that any changes you make to shared policies are
pushed to sharing-enabled McAfee ePO servers.
See also
Working with policies
Task
1 Select Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder opens to
the Description page.
2 From the Server type menu, select ePO, specify a name and any notes, then click Next. The Details page
appears.
3 Specify any details for your server and click Enable in the Policy sharing field, then click Save.
Task
1 Select Menu | Policy | Policy Catalog, then click the Product menu and select the product whose policy you
want to share.
Shared policies are automatically pushed to McAfee ePO servers with policy sharing enabled. When
you click Share in step 2, the policy is immediately pushed to all registered McAfee ePO servers that
have policy sharing enabled. Changes to shared policies are similarly pushed.
Task
2 On the Description page, specify the name of the task and any notes, then click Next.
New server tasks are enabled by default. If you do not want this task to be enabled, in the
Schedule status field, select Disabled.
3 From the Actions drop-down menu, select Share Policies, then click Next.
Tasks
Create policy assignment rules
Creating policy assignment rules allows you to enforce policies for users or systems based
on configured rule criteria.
Manage policy assignment rules
Perform common management tasks when working with policy assignment rules.
Task
The rule type you specify determines which criteria are available on the Selection Criteria page.
By default, the priority for new policy assignment rules is assigned sequentially based on the
number of existing rules. After creating the rule, you can edit the priority by clicking Edit Priority on
the Policy Assignment Rules page.
3 Click Next.
4 Click Add Policy to select the policies that you want to enforce with this policy assignment rule.
5 Click Next.
6 Specify the criteria you want to use in this rule. Your criteria selection determines which systems or
users are assigned this policy.
Task
Action: Steps
Delete a policy assignment rule: Click Delete in the selected assignment row.
Edit a policy assignment rule: Click the selected assignment. The Policy Assignment Builder opens.
  Work through each page to modify this policy assignment rule.
Export policy assignment rules: Select Actions | Export. The Download Policy Assignment Rules page opens,
  where you can view or download the PolicyAssignmentRules.xml file.
Import policy assignment rules: Select Actions | Import. The Import Policy Assignment Rules dialog box
  opens, from which you can browse to a previously downloaded
  PolicyAssignmentRules.xml file. You are prompted to choose which
  rules included in the file to import. You can select which rules to import
  and, if any rules in the file have the same name as those already in your
  Policy Assignment Rules list, you can select which to retain.
Edit the priority of a policy assignment rule: Select Actions | Edit Priority. The Edit Priority page opens,
  where you change the priority of policy assignment rules using the drag and drop handle.
View the summary of a policy assignment rule: Click > in the selected assignment row.
The McAfee ePO administrator creates these other two user levels and permissions.
As the McAfee ePO administrator, you can create users with hierarchical levels of policy permissions.
For example, you can create these policy users:
Policy administrator: They can approve policies created and modified by other users.
Policy user: They can duplicate and create policies that they submit to the policy administrator for
approval before they are used.
2 In Permission Sets, create different permission sets for the policy administrator and policy user.
3 In User Management, create the policy administrator and policy user, then manually assign them the
different permission sets.
2 In the Policy History, the policy user can monitor the approval status set by the policy administrator.
The policy administrator can do everything the policy user can do plus, in the Policy History page,
approve or deny the policy changes submitted by policy users.
Task
1 To change the Policy Administration settings, select Menu | Configuration | Server Settings, then select
Policy Administration and click Edit.
2 From Edit Policy Administration, select one of the following options, and click Save:
Table 13-1 Option definitions
Option: Definition
Needs administrator approval: Forces the users to request approval from the administrator before
  they can save a new or changed policy.
Does not need administrator approval: Allows the user to save a new or changed policy without
  administrator approval.
3 (Optional) Create policy management permission sets to change policy management for individual
users.
See also
Create policy management permission sets
To help you manage policy creation, you can create permission sets for users who can create and
modify specific product policies. For example, you can create permission sets that allow one user to
change policies and another user permission to approve or decline those changes.
Policy Administrator (policyAdminPS) permission set: Allows the policy administrator
to create and modify specific product policies, plus approve or decline the changes created by
policy users.
Task
1 To create the two permission sets, select Menu | User Management | Permission Sets, then click New
Permission Sets.
2 To create the policy administrator permission set from the New Permission Set page, type the name, for
example policyAdminPS and click Save.
3 With the policyAdminPS permission set selected, scroll down to the Policy Management row and
click Edit.
4 From Edit Permission Sets policyAdminPS: Policy Management page, select Can save policy changes
directly and approve or decline the policy changes submitted by other users, and click Save.
This allows the policy administrator user to approve or decline policy changes for other users
without administrator approval.
5 With the policyAdminPS permission set still selected, scroll down to a setting row, for example the
Endpoint Security Common row, and click Edit.
6 From Edit Permission Sets policyAdminPS: Endpoint Security Common page, select View and change
policy and task settings and click Save.
This allows the policy administrator user to make policy changes to Endpoint Security Common
policies.
7 To duplicate the policy administrator permission set and create the policy user permission set, click
Actions | Duplicate.
8 In the Actions: Duplicate pop-up window, type the policy user permission set name, for example
policyUserPS and click OK.
These two steps create a duplicate of the policy administrator permission set. The following
change creates the policy user (policyUserPS) permission set.
9 From the Permission Sets list, click the policyUserPS permission set created in step 7.
11 From Edit Permission Sets policyUserPS: Policy Management page, select Policy Approval setting No
Permissions, and click Save:
This setting forces the users assigned this permission set to request approval from the
administrator before they can save a new or changed policy.
Now you have created the two permission sets to use when creating the policy user and policy
administrator users.
See also
Create policy management users
Policy User (policyUser): The policyUser can create and modify specific product policies, but the
policy changes must be approved by the policy administrator before the policy is saved.
Policy Administrator (policyAdmin): The policyAdmin can create and modify specific product
policies, plus approve or decline the changes created by policy users.
Task
1 Open the User Management page: click Menu | User Management | Users.
d Select whether the new account uses McAfee ePO authentication, Windows authentication, or Certificate
Based Authentication and provide the required credentials or browse and select the certificate.
e Optionally, provide the user's full name, email address, phone number, and a description in the
Notes text box.
f Select the policy user permission set you created in Administrator creates user policy
management permission sets. For example, select policyUserPS.
The new policy user appears in the Users list of the User Management page.
d Select whether the new account uses McAfee ePO authentication, Windows authentication, or Certificate
Based Authentication and provide the required credentials or browse and select the certificate.
e Optionally, provide the user's full name, email address, phone number, and a description in the
Notes text box.
f Select the policy user permission set you created in Create policy management permission sets.
For example, select policyAdminPS.
The new policy administrator appears in the Users list of the User Management page.
Now you have two policy users: a policy user who can change policies and a policy administrator user
who can approve or decline those changes.
Task
Policy users have access only to policies and settings configured by the administrator in their
assigned permission set.
2 When you get to the step in the policy process to save the policy, click Submit for Review.
3 To check the status of the policy acceptance, select Menu | Policy | Policy History.
4 Use the Product, Category, and Name filters to select Policy History entries to check.
5 In the Status column, one of these entries appears describing the administrator's action:
Pending review: Has not been reviewed.
See also
Create and manage policies
Create policy management permission sets
Task
1 To change the status of the policy submitted for review, select Menu | Policy | Policy History.
2 Use the Product, Category, and Name filters to select Policy History entries to check.
3 In the Policy Status column, select one of these links related to the submitted policy:
Accepted: The policy is saved and now ready to use.
Tasks
Assign a policy to a System Tree group
Assign a policy to a specific group of the System Tree.
Assign a policy to a managed system
Assign a policy to a specific managed system.
Assign a policy to systems in a System Tree group
Assign a policy to multiple managed systems within a group.
Task
1 Select Menu | Systems | System Tree, click the Assigned Policies tab, then select a product.
Each assigned policy per category appears in the details pane.
2 Locate the policy category you want, then click Edit Assignment.
3 If the policy is inherited, next to Inherited from, select Break inheritance and assign the policy and settings below.
From this location, you can also edit the selected policy's settings, or create a policy.
6 Click Save.
Task
1 Select Menu | Systems | System Tree, click the Systems tab, then select a group under System Tree.
All systems within this group (but not its subgroups) appear in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System.
The Policy Assignment page for that system appears.
3 Select a product.
The categories of the selected product are listed with the system's assigned policy.
4 Locate the policy category you want, then click Edit Assignments.
5 If the policy is inherited, next to Inherited from, select Break inheritance and assign the policy and settings below.
From this location, you can also edit settings of the selected policy, or create a policy.
8 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, click Systems tab, then select a group in the System Tree.
All systems in this group (but not its subgroups) appear in the details pane.
2 Select the systems you want, then click Actions | Agent | Set Policy & Inheritance.
The Assign Policy page appears.
3 Select the Product, Category, and Policy from the drop-down lists.
Tasks
Copy policy assignments from a group on page 206
You can use Copy Assignments to copy policy assignments from a group in the System
Tree.
Copy policy assignments from a system on page 207
You can use Copy Assignments to copy policy assignments from a specific system.
Paste policy assignments to a group on page 207
You can paste policy assignments to a group after you copy them from a group or system.
Paste policy assignments to a specific system on page 207
Paste policy assignments to a specific system after you copy the policy assignments from a
group or system.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, click Assigned Policies tab, then select a group in the System Tree.
3 Select the products or features where you want to copy policy assignments, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, click Systems tab, then select a group in the System Tree.
The systems belonging to the selected group appear in the details pane.
2 Select a system, then click Actions | Agent | Modify Policies on a Single System.
3 Click Actions | Copy Assignments, select the products or features where you want to copy policy
assignments, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, click Assigned Policies tab, then select the group you want in the
System Tree.
When pasting policy assignments, the Enforce Policies and Tasks policy appears in the list. This
policy controls the enforcement status of other policies.
3 Select the policy categories you want to replace with the copied policies, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, click Systems tab, then select a group in the System Tree.
All systems belonging to the selected group appear in the details pane.
2 Select the system where you want to paste policy assignments, then click Actions | Agent | Modify
Policies on a Single System.
When pasting policy assignments, the Enforce Policies and Tasks policy appears in the list. This policy
controls the enforcement status of other policies.
Tasks
View groups and systems where a policy is assigned on page 208
The Policy Catalog page lists only the policy assignments, not the groups or systems that
inherit the policy.
View policy settings on page 209
View details for a policy assigned to a product category or system.
View policy ownership on page 209
View the owners of a policy.
View assignments where policy enforcement is disabled on page 209
View assignments where policy enforcement, per policy category, is disabled.
View policies assigned to a group on page 209
View the policies assigned to a System Tree group, sorted by product.
View policies assigned to a specific system on page 210
View a list of all policies assigned to a system from one central location, the System Tree.
View policy inheritance for a group on page 210
View the policy inheritance of a specific group.
View and reset broken inheritance on page 210
Identify the groups and systems where policy inheritance is broken.
Create policy management queries on page 210
Retrieve the policies assigned to a managed system, or policies broken in the system
hierarchy.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Policy | Policy Catalog, then select a product and category.
All created policies for the selected category appear in the details pane.
2 Under Assignments on the row of the policy, click the link that indicates the number of groups or
systems the policy is assigned to (for example, 6 assignments).
On the Assignments page, each group or system where the policy is assigned appears with its node
name and node type.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Policy | Policy Catalog, then select a product and category.
All created policies for the selected category appear in the details pane.
You can also view this information when accessing the assigned policies of a specific group. To
access this information, select Menu | Systems | System Tree, click Assigned Policies tab, then click the link
for the selected policy in the Policy column.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Policy | Policy Catalog, then select a product and category.
All created policies for the selected category appear in the details pane.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Policy | Policy Catalog, then select a product and category.
All created policies for the selected category appear in the details pane.
2 Click the link next to Product enforcement status, which indicates the number of assignments where
enforcement is disabled, if any.
The Enforcement for <policy name> page appears.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, click Assigned Policies tab, then select a group in the System Tree.
All assigned policies, organized by product, appear in the details pane.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, click the Systems tab, then select a group in the System Tree.
All systems belonging to the group appear in the details pane.
2 Click the name of a system to drill into the System Information page, then click the Applied Policies
tab.
Task
For details about product features, usage, and best practices, click ? or Help.
The policy row, under Inherit from, displays the name of the group from which the policy is inherited.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, then click Assigned Policies tab.
All assigned policies, organized by product, appear in the details pane. The policy row, under Broken
Inheritance, displays the number of groups and systems where this policy's inheritance is broken.
This number is the number of groups or systems where the policy inheritance is broken, not the
number of systems that do not inherit the policy. For example, if only one group does not inherit the
policy, 1 doesn't inherit appears, regardless of the number of systems within the group.
2 Click the link indicating the number of child groups or systems that have broken inheritance.
The View broken inheritance page displays a list of the names of these groups and systems.
3 To reset the inheritance of any of these, select the checkbox next to the name, then click Actions
and select Reset Inheritance.
Broken Inheritance Retrieves information on policies that are broken in the system hierarchy.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Reporting | Queries & Reports, then click New Query.
The Query Builder opens.
2 On the Result Type page, select Policy Management from the Feature Group list.
3 Select a Result Type, then click Next to display the Chart page:
Applied Client Tasks
Applied Policies
4 Select the type of chart or table to display the primary results of the query, then click Next.
The Columns page appears.
If you select Boolean Pie Chart, configure the criteria that you want to include in the query.
Selected properties appear in the content pane with operators that can specify criteria, which
narrows the data that is returned for that property.
7 On the Unsaved Query page, take any available action on items in any table or drill-down table.
If the query didn't return the expected results, click Edit Query to go back to the Query Builder
and edit the details of this query.
To use this query again, click Save and continue to the next step.
8 In the Save Query page, enter a name for the query, add any notes, and select one of the
following:
New Group Enter the new group name and select either:
Private group (My Groups)
Existing Group Select the group from the list of Shared Groups.
9 Click Save.
Use server and client tasks to automate McAfee ePO and managed system processes.
McAfee ePO includes preconfigured server tasks and actions. Most of the additional software products
you manage with McAfee ePO also add preconfigured server and client tasks.
Contents
Server tasks
Client tasks
Server tasks
Server tasks are configurable actions that run on McAfee ePO at scheduled times or intervals.
Leverage server tasks to automate repetitive tasks.
McAfee ePO includes preconfigured server tasks and actions. Most of the additional software products
you manage with McAfee ePO also add preconfigured server tasks.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open the Server Task Log: select Menu | Automation | Server Task Log.
Status Definition
Waiting The server task is waiting for another task to finish.
In Progress The server task has started, but not finished.
Paused A user paused the server task.
Stopped A user stopped the server task.
Failed The server task started, but did not finish successfully.
Completed The server task finished successfully.
Pending Termination A user requested that the server task end.
Ended A user closed the server task manually before it finished.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Give the task an appropriate name, and decide whether the task has a Schedule status, then click
Next.
If you want the task to run automatically, set Schedule status to Enabled.
3 Select and configure the action for the task, then click Next.
4 Choose the schedule type (the frequency), start date, end date, and schedule time to run the task,
then click Next.
Remove outdated server tasks from the Server Task Log: best practice
Periodically remove old server task entries from the Server Task Log to improve database
performance.
Items removed from the Server Task Log are deleted permanently.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open the Server Task Log: select Menu | Automation | Server Task Log.
2 Click Purge.
3 In the Purge dialog box, enter a number, then select a time unit.
4 Click OK.
Any items of the specified age or older are deleted, including items not in the current view. The
number of removed items is displayed in the lower right corner of the page.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Enable or disable the schedule for the server task, then click Next.
The server task does not run until it is enabled.
4 From the drop-down list, select a purge action, such as Purge Server Task Log.
5 Next to Purge records older than, enter a number, then select a time unit, then click Next.
The new server task appears on the Server Tasks page. Outdated items are removed from the
specified table or log when the scheduled task runs.
Cron syntax is made up of six or seven fields, separated by a space. Accepted Cron syntax, by field in
descending order, is detailed in the following table. Most Cron syntax is acceptable, but a few cases
are not supported. For example, you cannot specify both the Day of Week and Day of Month values.
Asterisks (*) are used for "every." For example, "*" in the minutes field is "every minute".
Question marks (?) are allowed to specify no specific value in the Day of Week or Day of Month
fields.
The question mark must be used in one of these fields, but cannot be used in both.
Forward slashes (/) identify increments. For example, "5/15" in the minutes field means the task
runs at minutes 5, 20, 35 and 50.
The letter "L" means "last" in the Day of Week or Day of Month fields. For example,
"0 15 10 ? * 6L" means the last Friday of every month at 10:15 am.
The letter "W" means "weekday". So, if you created a Day of Month as "15W", this means the
weekday closest to the 15th of the month. Also, you can specify "LW", which means the last
weekday of the month.
The pound character "#" identifies the "Nth" day of the month. For example, using "6#3" in the Day
of Week field is the third Friday of every month, "2#1" is the first Monday, and "4#5" is the fifth
Wednesday.
If the month does not have a fifth Wednesday, the task does not run.
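The rules above can be checked mechanically. The following Python code is an added example, not McAfee ePO code: it validates the field count and the "?" rule, expands "/" increments, and resolves the "L", "W" and "#" forms to a day of a given month. The field order (seconds, minutes, hours, Day of Month, month, Day of Week, optional year) and keeping "W" inside the month are assumptions based on the Quartz-style syntax that the examples in this section match; all function names are hypothetical.

```python
import calendar
import datetime as dt

# Assumed field order (Quartz-style; it matches the page's "0 15 10 ? * 6L").
FIELDS = ["seconds", "minutes", "hours", "day_of_month", "month",
          "day_of_week", "year"]


def split_fields(expr):
    """Split an expression and enforce the structural rules in the text."""
    parts = expr.split()
    if len(parts) not in (6, 7):
        raise ValueError("expected six or seven space-separated fields")
    fields = dict(zip(FIELDS, parts))
    for name, value in fields.items():
        if "?" in value and name not in ("day_of_month", "day_of_week"):
            raise ValueError("'?' is only allowed in the day fields")
    # '?' must appear in exactly one of the two day fields.
    if (fields["day_of_month"] == "?") == (fields["day_of_week"] == "?"):
        raise ValueError("set exactly one of Day of Month / Day of Week to '?'")
    return fields


def expand_increment(token, low, high):
    """Expand '*', 'N' or 'start/step' into the values selected in [low, high]."""
    if token == "*":
        return list(range(low, high + 1))
    start, _, step = token.partition("/")
    first = low if start == "*" else int(start)
    if not low <= first <= high:
        raise ValueError(f"{first} is outside {low}-{high}")
    if not step:
        return [first]
    if int(step) < 1:
        raise ValueError("increment must be at least 1")
    return list(range(first, high + 1, int(step)))


def days_matching(year, month, cron_dow):
    """Days of the month that fall on cron weekday 1=Sunday ... 7=Saturday."""
    if not 1 <= cron_dow <= 7:
        raise ValueError("Day of Week must be 1-7")
    py_dow = (cron_dow + 5) % 7  # Python uses 0=Monday ... 6=Sunday
    last = calendar.monthrange(year, month)[1]
    return [d for d in range(1, last + 1)
            if dt.date(year, month, d).weekday() == py_dow]


def resolve_day_of_week(token, year, month):
    """Day selected by 'NL' (last) or 'N#K' (Kth); None if the month lacks it."""
    if token.endswith("L") and token[:-1].isdigit():
        return days_matching(year, month, int(token[:-1]))[-1]
    if "#" in token:
        dow, nth = (int(x) for x in token.split("#"))
        days = days_matching(year, month, dow)
        return days[nth - 1] if 1 <= nth <= len(days) else None
    raise ValueError(f"unsupported Day of Week token: {token}")


def resolve_day_of_month(token, year, month):
    """Day selected by 'LW' or 'NW' (nearest weekday, staying in the month)."""
    last = calendar.monthrange(year, month)[1]
    if token == "LW":
        day = last
        while dt.date(year, month, day).weekday() >= 5:
            day -= 1
        return day
    if token.endswith("W") and token[:-1].isdigit():
        day = int(token[:-1])
        if not 1 <= day <= last:
            return None
        weekday = dt.date(year, month, day).weekday()
        if weekday == 5:  # Saturday: Friday, unless that leaves the month
            return day - 1 if day > 1 else day + 2
        if weekday == 6:  # Sunday: Monday, unless that leaves the month
            return day + 1 if day < last else day - 2
        return day
    raise ValueError(f"unsupported Day of Month token: {token}")


if __name__ == "__main__":
    fields = split_fields("0 15 10 ? * 6L")
    print(fields["day_of_week"], "in March 2025 ->",
          resolve_day_of_week(fields["day_of_week"], 2025, 3))
    print("5/15 minutes ->", expand_increment("5/15", 0, 59))
```
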
Client tasks
Create and schedule client tasks to automate how you manage systems in your network.
Client tasks are commonly used for these activities.
Product deployment
Product functionality
For information about which client tasks are available and what they can help you do, see the
documentation for your managed products.
Client tasks can be assigned at any level in the System Tree. Groups and systems lower in the tree
inherit client tasks. As with policies and policy assignments, you can break the inheritance for an
assigned client task.
Client task objects can be shared across multiple registered McAfee ePO servers in your environment.
When client task objects are set to be shared, each registered server receives a copy after your Share
Client Task server task runs. Any changes made to the task are updated each time it runs. When a
client task object is shared, only the owner of the object can modify its settings.
Administrators on the target server that receives a shared task are not owners of that shared task.
None of the users on the target server is an owner of any shared task objects the target receives.
Deployment tasks
Deployment tasks are client tasks that are used to deploy managed security products to your
managed systems from the Master Repository.
You can create and manage individual deployment task objects using the Client Task Catalog, then
assign them to run on groups or individual systems. Alternatively, you can create Product Deployment
projects to deploy products to your systems. Product Deployment projects automate the process of
creating and scheduling client task objects individually. They also provide additional automated
management functionality.
Important considerations
When deciding how to stage your Product Deployment, consider:
Package size and available bandwidth between the Master Repository and managed systems. In
addition to potentially overwhelming the McAfee ePO server or your network, deploying products to
many systems can make troubleshooting problems more complicated.
A phased rollout to install products to groups of systems at a time. If your network links are fast,
try deploying to several hundred clients at a time. If you have slower or less reliable network
connections, try smaller groups. As you deploy to each group, monitor the deployment, run reports
to confirm successful installations, and troubleshoot any problems with individual systems.
The software uses these .zip files for both detection definition (DAT) and engine update packages.
You can configure product policy settings before or after deployment. We recommend configuring
policy settings before deploying the product to network systems. Configuring policy settings saves
time and ensures that your systems are protected as soon as possible.
These package types can be checked in to the Master Repository with pull tasks, or manually.
You are notified when you check in packages that McAfee has not signed. If you are confident of the
content and validity of the package, continue with the check-in process. These packages are secured
in the same manner previously described, but McAfee ePO signs them when they are checked in.
The McAfee Agent only trusts package files signed by McAfee ePO or McAfee. This feature protects
your network from receiving packages from unsigned or untrusted sources.
1 Check in the update package to the Master Repository with a pull task, or manually.
If you are not using global updating, perform the following tasks.
1 Use a replication task to copy the contents of the Master Repository.
2 Create and schedule an update task for agents to retrieve and install the update on managed
systems.
Deployment tags
When a deployment task is created, a tag with the task name is automatically created and applied to
the systems on which the task is enforced. These tags are created only for a fixed deployment; they
are not created for a continuous deployment.
These tags are added to the Deployment Tags group on the Tag Catalog page every time a deployment
task is created and enforced on systems. This group is read-only: tags in this group can't
be manually applied, changed, deleted, or used in a criteria configuration to filter systems.
Tasks
Configure a deployment task for groups of managed systems on page 220
Configure a product deployment task to deploy products to groups of managed systems in
the System Tree.
Configure a deployment task to install products on a managed system on page 221
Deploy products to a single system using a product deployment task.
Task
1 Open the New Task dialog box.
a Select Menu | Policy | Client Task Catalog.
b Under Client Task Types, select a product, then click New Task.
3 Type a name for the task you are creating and add any notes.
4 Next to Target platforms, select the types of platform to use the deployment.
Set the Action to Install, then select the Language of the package, and the Branch.
To specify command-line installation options, type the options in the Command line text field. See
the product documentation for information on command-line options of the product you are
installing.
You can click + or - to add or remove products and components from the list displayed.
6 If you want to automatically update your security products, select Auto Update.
This also deploys the hotfixes and patches for your product automatically.
If you set your security product to update automatically, you cannot set the Action to Remove.
7 (Windows only) Next to Options, select whether you want to run this task for every policy process,
then click Save.
8 Select Menu | Systems Section | System Tree | Assigned Client Tasks, then select the required group in the
System Tree.
Each assigned client task per selected category appears in the details pane.
11 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select
the task you created to deploy your product.
12 Next to Tags, select the platforms you are deploying the packages to, then click Next:
Send this task to all computers
Send this task to only computers that have the following criteria Click edit next to the criteria to configure,
select the tag group, select the tags to use in the criteria, then click OK.
To limit the list to specific tags, type the tag name in the text box under Tags.
13 On the Schedule page, select whether the schedule is enabled, and specify the schedule details,
then click Next.
At every scheduled run, the deployment task installs the latest sensor package to systems that meet
the specified criteria.
A different schedule than other systems in the group. For example, if a system is located in a
different time zone than its peers.
Task
For details about product features, usage, and best practices, click ? or Help.
b Under Client Task Types, select a product, then click New Task.
3 Type a name for the task you are creating and add any notes.
4 Next to Target platforms, select the types of platform to use the deployment.
Set the Action to Install, then select the Language and Branch of the package.
To specify command-line installation options, type the command-line options in the Command line
text field. See the product documentation for information on command-line options of the
product you are installing.
You can click + or - to add or remove products and components from the list displayed.
6 If you want to automatically update security products that are already deployed, including hotfixes
and patches, select Auto Update.
If you set your security product to update automatically, you cannot set the Action to Remove.
7 Next to Options, select if you want to run this task for every policy enforcement process (Windows
only), then click Save.
8 Select Menu | Systems | System Tree | Systems, select the system on which you want to deploy a
product, then click Actions | Agent | Modify Tasks on a single system.
10 On the Select Task page, select Product as McAfee Agent and Task Type as Product Deployment, then select the
task you created to deploy the product.
11 Next to Tags, select the platforms to which you are deploying the packages, then click Next:
Send this task to all computers
Send this task to only computers that have the following criteria Click edit, select the tag group and tags to
use in the criteria, then click OK.
To limit the list to specific tags, type the tag name in the text box under Tags.
12 On the Schedule page, select whether the schedule is enabled, and specify the schedule details,
then click Next.
Updating tasks
If you do not use global updating, determine when agents on managed systems go for updates.
You can create and update client tasks to control when and how managed systems receive update
packages.
If you use global updating, this task is not needed, although you can create a daily task for
redundancy.
Create a daily update client task at the highest level of the System Tree, so that all systems inherit
the task. If your organization is large, you can use randomization intervals to mitigate the
bandwidth impact. For networks with offices in different time zones, balance network load by
running the task at the local system time of the managed system, rather than at the same time for
all systems.
If you are using scheduled replication tasks, schedule the task at least an hour after the scheduled
replication task.
Run update tasks for DAT and Engine files at least once a day. Managed systems might be logged
off from the network and miss the scheduled task. Running the task frequently ensures that these
systems receive the update.
Maximize bandwidth efficiency and create several scheduled client update tasks that update
separate components and run at different times. For example, you can create one task to update
only DAT files, then create another to update both DAT and Engine files weekly or monthly (Engine
packages are released less frequently).
Create and schedule more tasks to update products that do not use the McAfee Agent for Windows.
Create a task to update your main workstation applications, to ensure that they all receive the
update files. Schedule it to run daily or several times a day.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To see the initial product deployment client task, select Menu | Client Task Catalog.
2 Find the initial product deployment client task: from the Client Task Types list, select McAfee Agent |
Product Deployment.
The initially created product deployment client task uses the name of the System Tree group that you
configured in the Agent Deployment URL as InitialDeployment_<groupName>. For example,
"InitialDeployment_AllWindowsSystems." This task appears in the Name column of the McAfee Agent |
Product Deployment table.
3 To open the client task and view its details, click the name of the task configured in the Agent
Deployment URL.
Now you know the location and configuration of the default product deployment client task. You can
duplicate this client task to, for example, deploy the McAfee Agent to platforms using different
operating systems.
Task
For details about product features, usage, and best practices, click ? or Help.
b Under Client Task Types, select a product, then click New Task.
3 Type a name for the task you are creating and add any notes.
4 Next to the Update in Progress dialog box, select if you want the users to be aware an update is in
process, and if you want to allow them to postpone the process.
When configuring individual signatures and engines, if you select Engine and deselect DAT, when the
new engine is updated a new DAT is automatically updated to ensure complete protection.
6 Select Menu | Systems | System Tree, click the Systems tab, then select the system where you want to
deploy the product update, then click Actions | Agent | Modify Tasks on a single system.
Then select the task you created to deploy the product update.
9 Next to Tags, select the platforms where you are deploying the packages, then click Next:
Send this task to all computers.
Send this task to only computers that have the following criteria Click edit next to the criteria to configure,
select the tag group, select the tags to use in the criteria, then click OK.
To limit the list to specific tags, type the tag name in the text box under Tags.
10 On the Schedule page, select whether the schedule is enabled, and specify the schedule details, then
click Next.
The task is added to the list of client tasks for the groups and systems where it is applied. Agents
receive the new update task information the next time they communicate with the server. If the task
is enabled, the update task runs at the next occurrence of the scheduled day and time.
Each system updates from the appropriate repository, depending on how the policies for that client's
agent are configured.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Create a scheduled Repository Pull task that copies update packages in the Evaluation branch of
your Master Repository. Schedule it to run after McAfee releases updated DAT files.
2 Create or select an evaluation group in the System Tree, then create a McAfee Agent policy for the
systems to use only the Evaluation branch.
a Select the Evaluation branch on the Updates tab in the Repository Branch Update Selection section.
The policies take effect the next time the McAfee Agent calls into the server. The next time the
agent updates, it retrieves them from the Evaluation branch.
3 Create a scheduled update client task for the evaluation systems that updates DAT and engine files
from the Evaluation branch of your repository. Schedule it to run one or two hours after your
Repository Pull task is scheduled to begin.
The evaluation update task created at the evaluation group level causes it to run only for that
group.
5 Move the packages from the Evaluation branch to the Current branch of your Master Repository.
Select Menu | Software | Master Repository to open the Master Repository page.
Adding them to the Current branch makes them available to your production environment. The
next time any client task retrieves packages from the Current branch, the new DAT and engine files
are distributed to systems that use the task.
Tasks
Create client tasks on page 225
Use client tasks to automatically perform product updates. The process is similar for all
client tasks.
Edit client tasks on page 225
You can edit any previously configured client task settings or schedule information.
Compare client tasks on page 226
The Client Task Comparison tool determines which client task settings are different and
which are the same.
View client tasks assigned to a specific system on page 226
View a list of all client tasks assigned to a system from one central location, the System
Tree.
Task
For details about product features, usage, and best practices, click ? or Help.
b Under Client Task Types, select a product, then click New Task.
2 Select a task type from the list, then click OK to open the Client Task Builder.
3 Enter a name for the task, add a description, then configure the settings specific to the task type
you are creating.
The task is added to the list of client tasks for the selected client task type.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select the Client Task Type from the navigation tree on the left.
3 Click the client task name to open the Client Task Catalog dialog box.
The managed systems receive the changes you configured the next time the agents communicate with
the server.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Client Task Comparison, then select a product, client task type, and show settings from the
lists.
These settings populate the client tasks to compare in the Client Task 1 and Client Task 2 lists.
2 Select the client tasks to compare in the Compare Client Tasks row from the Client Task 1 and the Client Task
2 column lists.
The top two rows of the table display the number of settings that are different and identical. To
reduce the amount of data, change the Show setting from All Client Task Settings to Client Task Differences or
Client Task Matches.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Systems | System Tree, click the Systems tab, then select a group in the System Tree.
All systems belonging to the group appear in the details pane.
2 Click the name of a system to drill into the System Information page, then click the Applied Client
Tasks tab.
Take immediate action against threats and outbreaks by automatically starting McAfee ePO processes
when events occur.
McAfee ePO responds when the conditions of an automatic response rule are met. You specify the
actions that make up the response, and the type and number of events that must meet the condition
to trigger the response.
You can also configure external tools installed on the McAfee ePO server to run an external command.
The products that you manage with McAfee ePO determine the types of events you can create an
automatic response rule for.
Here are some typical conditions that might trigger an automatic response:
Outbreak situations. For example, 1,000 virus-detected events are received in five minutes.
High-level compliance of McAfee ePO server events. For example, a repository update or a
replication task failed.
Contents
Using Automatic Responses
Event thresholds
Default automatic response rules
Response planning
Determine how events are forwarded
Archive events
Configure Automatic Responses
Choose a notification interval
Create and edit Automatic Response rules
You can also configure external tools installed on the McAfee ePO server to run an external command.
This feature is designed to create user-configured notifications and actions when the conditions of a
rule are met. These conditions include, but are not limited to:
Outbreak situations. For example, 1000 virus-detected events are received in five minutes.
High-level compliance of McAfee ePO server events. For example, a repository update or a
replication task failed.
Event thresholds
Setting event thresholds lets you tailor the frequency of automatic responses to fit the needs and
realities of your environment.
Aggregation
Use aggregation to set the number of events that occur before triggering an automatic response. For
example, you can configure an automatic response rule to send an email message when either one of
these thresholds is met:
In one hour, the server receives 1,000 or more virus detection events from different systems.
In one hour, the server receives 100 or more virus detection events from one system.
Throttling
Once you have configured the rule to notify you of a possible outbreak, use throttling to ensure that
you do not receive too many notification messages. If you are securing a large network, you might
receive tens of thousands of events in an hour, generating thousands of email messages. Throttling
allows you to limit the number of notification messages you receive based on one rule. For example,
you can specify in a response rule that you don't want to receive more than one notification message
in an hour.
Grouping
Use grouping to combine multiple aggregated events. For example, events with the same severity can
be combined into one group. Grouping provides these benefits:
Make sure that the recipient email address is correct. This address is configured on the Actions
page of the Automatic Response Builder.
Response planning
Before creating automatic response rules, think about the actions you want the McAfee ePO server to
take.
Plan for these items:
Who receives which messages. For example, you might not need to notify all administrators about
a failed product upgrade, but you might want them to know that an infected file was discovered.
The types and levels of thresholds that you want to set for each rule. For example, you might not
want to receive an email message every time an infected file is detected during an outbreak.
Instead, you can choose to send one message for every 1,000 events.
The commands or registered executables you want to run when the conditions of a rule are met.
The server task you want to run when the conditions of a rule are met.
If you choose to send events immediately (as set by default), the McAfee Agent forwards all events
when they are received.
If you choose not to have all events sent immediately, the McAfee Agent forwards immediately only
events that are designated by the issuing product as high priority. Other events are sent only at the
agent-server communication.
Tasks
Determine which events are forwarded immediately on page 230
Determine whether events are forwarded immediately or only during agent-server
communication.
Determine which events are forwarded to the server on page 230
You can determine which events are forwarded to the server using server settings and
event filtering.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Policy | Policy Catalog, then select Product as McAfee Agent and Category as General.
6 To regulate traffic size, type the Maximum number of events per upload.
7 Click Save.
These settings affect the bandwidth used in your environment, as well as the results of event-based
queries.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Event Filtering, then click Edit at the bottom of the page.
2 Select the events you want forwarded, either all or individual events.
To forward all available events, select All events to the server.
Select All and Deselect All are disabled when you select All events to the server.
To forward only the events you specified, select Only selected events to the server.
Click Store selected in SIEM: Store all selected events in the security information and event
management (SIEM) database.
Click Store selected in both: Store all selected events in both the McAfee ePO and the SIEM
databases. This is the default setting.
Click Store in both: Store the event in both the McAfee ePO and SIEM databases.
If a product extension provides an event storage option for an event type during registration, that
event storage option is saved. If a product extension does not provide an event storage option for
an event type during registration, the default is to save the events in both McAfee ePO and SIEM
databases.
Events that were generated by the sending agent: Only events generated by the McAfee Agent.
5 Click Save.
Changes to these settings take effect after all agents have communicated with the McAfee ePO server.
Archive events
To improve your McAfee ePO performance, you can periodically archive the events stored on your
McAfee ePO server to a SQL Server.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Give the task an appropriate name, decide whether the task has a Schedule status, then click Next.
If you want the task to run automatically, set Schedule status to Enabled.
5 Choose the schedule type (the frequency), start date, end date, and schedule time to run the task.
Click Next.
The new task appears in the Server Tasks list and archives the events in the events SQL database.
See also
Register a database server on page 382
Tasks
Assign permissions to notifications on page 232
Notifications permissions enable users to view, create, and edit registered executables.
Assign permissions to Automatic Responses on page 233
Assign permissions to responses when you need to limit the types of responses users can
create.
Manage SNMP servers on page 234
Configure responses to use your SNMP (Simple Network Management Protocol) server.
Manage registered executables and external commands on page 234
The registered executables you configure are run when the conditions of a rule are met.
Automatic Responses trigger the registered executable commands to run.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | User Management | Permission Sets, then either create a permission set or select an existing
one.
View rules and notifications for entire System Tree (overrides System Tree group access permissions)
4 Click Save.
6 Select a user to assign the new permission set to, then click Edit.
7 Next to Permission sets, select the checkbox for the permission set with the notifications permissions
you want, then click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | User Management | Permission Sets, then create a permission set or select an existing one.
Create, edit, view, and cancel Responses; view Response results in the Server Task Log
4 Click Save.
6 Select a user to assign the new permission set to, then click Edit.
7 Next to Permission sets, select the checkbox for the permission set with the Automatic Response
permissions you want, then click Save.
You can configure responses to send SNMP traps to your SNMP server. You can receive SNMP traps at
the same location where you can use your network management application to view detailed
information about the systems in your environment.
You do not need to make other configurations or start any services to configure this feature.
2 From the list of registered servers, select an SNMP server, then click Actions and a change available
from the Registered Servers page.
Action and description:
Edit: Edit the server information as needed, then click Save.
Delete: Deletes the selected SNMP server. When prompted, click Yes.
2 TVD-MIB.mib
3 EPO-MIB.mib
These files allow your network management program to decode the data in the SNMP traps into
meaningful text. The EPO-MIB.mib file depends on the other two files to define the following traps:
epoThreatEvent: This trap is sent when an Automatic Response for a McAfee ePO Threat Event
is triggered. It contains variables that match properties of the Threat event.
epoStatusEvent: This trap is sent when an Automatic Response for a McAfee ePO Status Event
is triggered. It contains variables that match the properties of a (Server) Status event.
epoClientStatusEvent: This trap is sent when an Automatic Response for a McAfee ePO Client
Status Event is triggered. It contains variables that match the properties of the Client Status event.
epoTestEvent: This is a test trap that is sent when you click Send Test Trap in the New SNMP
Server or Edit SNMP Server pages.
For instructions on importing and implementing .mib files, see the product documentation for your
network management program.
Task
For details about product features, usage, and best practices, click ? or Help.
Action: Add a registered executable
Steps:
1 Click Actions | Registered Executable.
2 Type a name for the registered executable.
3 Type the path and select the registered executable that you want a rule to
execute when triggered.
4 Modify the user credentials, if needed.
5 Test the executable and confirm that it worked using the Audit Log.
6 Click Save.
The new registered executable appears in the Registered Executables list.
Action: Edit a registered executable
Steps:
1 Find the registered executable to edit in the Registered Executable page, then
click Edit.
2 Change the information as needed and click Save.
Action: Duplicate a registered executable
Steps:
1 Find the registered executable to duplicate in the Registered Executable page,
then click Duplicate.
2 Type a name for the registered executable, then click OK.
The duplicated registered executable appears in the Registered Executables list.
Action: Delete a registered executable
Steps:
1 Find the registered executable to delete in the Registered Executable page, then
click Delete.
2 When prompted, click OK.
The deleted registered executable no longer appears in the Registered Executables
list.
Client events: Events that occur on managed systems. For example, Product update succeeded.
Threat events: Events that indicate possible threats are detected. For example, Virus detected.
Server events: Events that occur on the server. For example, Repository pull failed.
An automatic response can be triggered only after the automatic response system receives a
notification. Specify a short interval for sending notifications, and choose an evaluation interval that is
frequent enough to ensure that the automatic response system can respond to an event in a timely
manner, but infrequent enough to avoid excessive bandwidth consumption.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Event Notifications from the Setting Categories, then
click Edit.
2 Specify a value between 1 and 9,999 minutes for the Evaluation Interval (1 minute by default),
then click Save.
Tasks
Define a rule on page 236
When creating a rule, include information that other users might need to understand the
purpose or effect of the rule.
Set filters for the rule on page 236
To limit the events that can trigger the response, set the filters for the response rule on the
Filters page of the Response Builder.
Set Aggregation and grouping criteria for the rule on page 237
Define when events trigger a rule on the Aggregation page of the Response Builder.
Configure the actions for an automatic response rule on page 237
Configure the responses triggered by the rule on the Actions page of the Response Builder.
Define a rule
When creating a rule, include information that other users might need to understand the purpose or
effect of the rule.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Automation | Automatic Responses, then click New Response, or click Edit next to an existing
rule.
2 On the Description page, type a unique name and any notes for the rule. A good name gives users a
general idea of what the rule does. Use notes to provide a more detailed description.
3 From the Language menu, select the language that the rule uses.
4 Select the Event group and Event type that trigger this response.
6 Click Next.
Task
For details about product features, usage, and best practices, click ? or Help.
1 From the Available Properties list, select a property and specify the value to filter the response result.
Available Properties depend on the event type and event group selected on the Description page.
2 Click Next.
Task
For details about product features, usage, and best practices, click ? or Help.
To trigger the event after multiple events occur, perform these steps.
1 Select Trigger this response if multiple events occur within, then define the amount of time in seconds,
minutes, hours, or days.
For example, you can set the response to occur when an instance of the selected event
property exceeds 300, or when the number of events exceeds 3,000, whichever threshold is
crossed first.
2 Next to Grouping, select whether to group the aggregated events. If you do, specify the property of
the event on which they are grouped.
3 As needed, next to Throttling, select At most, trigger this response once every and define an amount of time
that must pass before this rule can send another notification message.
The amount of time can be defined in minutes, hours, or days.
4 Click Next.
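The aggregation, grouping and throttling settings described under Event thresholds and in the task above can be modelled as a replay of events through one rule. This is an added example, not McAfee ePO code: the Rule fields, the host names, the sample events and the choice to clear a bucket after each trigger are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one response rule's threshold settings."""
    name: str
    window: timedelta                     # aggregation period
    threshold: int                        # events needed inside the window
    group_by: Optional[str] = None        # event property to group on; None = one bucket
    throttle: Optional[timedelta] = None  # minimum gap between notifications


def evaluate(rule, events):
    """Replay events in time order through one rule.

    Returns (notifications, suppressed). notifications is a list of
    (time, group, count) tuples; suppressed counts the triggers that
    the throttle swallowed.
    """
    buckets = defaultdict(deque)          # group value -> timestamps still in window
    notifications, suppressed = [], 0
    last_sent = None
    for ev in sorted(events, key=lambda e: e["time"]):
        group = ev.get(rule.group_by) if rule.group_by else "*"
        bucket = buckets[group]
        bucket.append(ev["time"])
        # Aggregation: drop events that have aged out of the window.
        while ev["time"] - bucket[0] >= rule.window:
            bucket.popleft()
        if len(bucket) < rule.threshold:
            continue
        count = len(bucket)
        bucket.clear()                    # assumption: a trigger consumes its events
        # Throttling applies to the rule as a whole, not to each group.
        throttled = (
            rule.throttle is not None
            and last_sent is not None
            and ev["time"] - last_sent < rule.throttle
        )
        if throttled:
            suppressed += 1
            continue
        last_sent = ev["time"]
        notifications.append((ev["time"], group, count))
    return notifications, suppressed


T0 = datetime(2024, 1, 1, 0, 0, 0)        # constructed start time


def sample_events():
    """Constructed virus-detected events for three hypothetical systems."""
    events = []
    # HOST-A: 250 detections, one every 10 seconds (a burst on one system).
    events += [{"time": T0 + timedelta(seconds=10 * i), "system": "HOST-A"}
               for i in range(250)]
    # HOST-B: 30 detections, one per minute (background noise).
    events += [{"time": T0 + timedelta(minutes=i), "system": "HOST-B"}
               for i in range(30)]
    # HOST-C: 120 detections over two hours, never more than 60 in any hour.
    events += [{"time": T0 + timedelta(minutes=i), "system": "HOST-C"}
               for i in range(120)]
    return events


HOUR = timedelta(hours=1)
PER_SYSTEM = Rule("100 per system per hour", HOUR, 100, group_by="system", throttle=HOUR)
PER_SYSTEM_UNTHROTTLED = Rule("100 per system per hour, no throttle", HOUR, 100,
                              group_by="system")
NETWORK_WIDE = Rule("1,000 per hour, all systems", HOUR, 1000)

if __name__ == "__main__":
    for rule in (PER_SYSTEM, PER_SYSTEM_UNTHROTTLED, NETWORK_WIDE):
        sent, dropped = evaluate(rule, sample_events())
        print(f"{rule.name}: {len(sent)} sent, {dropped} suppressed")
        for when, group, count in sent:
            print(f"  {when.isoformat()} group={group} events={count}")
```

With these constructed events the network-wide rule never fires, while the per-system rule catches the HOST-A burst and the throttle holds back its second notification.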
Task
For details about product features, usage, and best practices, click ? or Help.
After configuring the options for an action, click Next if finished, or click + to add another action.
To send an email as part of the response, select Send Email from the drop-down list.
1 Next to Recipients, click ... and select the recipients for the message. This list of available
recipients is taken from Contacts (Menu | User Management | Contacts). Or, you can manually type
email addresses, separated by a comma.
3 Type the Subject of the message or insert any of the available variables directly into the
subject.
4 Type any text that you want to appear in the body of the message or insert any of the
available variables directly into the body.
To send an SNMP trap, select Send SNMP Trap from the drop-down list.
1 Select an SNMP server from the drop-down list.
2 Select the value types that you want to send in the SNMP trap. Some events do not include
all information specified. If a selection you made is not represented, the information was not
available in the event file.
To run an external command, select Run External Command from the drop-down list.
1 Select the Registered Executables and type any arguments for the command.
2 Type a unique name and any notes for the issue or insert any of the available variables
directly into the name and description.
3 Select the State, Priority, Severity, and Resolution for the issue from the respective drop-down list.
To run a scheduled task, select Execute Server Task from the drop-down list.
1 Select the task that you want to run from the Task to execute drop-down list.
Client systems use the McAfee Agent and agent-server communications to communicate with your
McAfee ePO server.
For version-specific information about your agents, see the McAfee Agent Product Guide.
Contents
How agent-server communication works
Best practices: Estimating and adjusting the ASCI
Managing agent-server communication
Update Now page
When estimating the ASCI, the concern is not wasted bandwidth, because agent-server communications
are only a few kilobytes per communication. The concern is the strain put on the McAfee ePO server
with every communication from every agent in larger environments. All your agents need at least two
communications a day with the McAfee ePO server. This requires a 180-240 minute ASCI in most
organizations.
For organizations with fewer than 10,000 nodes, the default ASCI setting of 60 minutes is not a
concern. But for organizations with more than 10,000 nodes, change the default setting of 60 minutes
to about 3-4 hours.
For organizations with more than 60,000 nodes, the ASCI setting is much more important. If your
McAfee ePO server is not having performance issues, you can use the 4-hour ASCI interval. If there
are any performance issues, consider increasing your ASCI to 6 hours; possibly even longer. This
change significantly reduces the number of agents that are simultaneously connecting to the McAfee
ePO server and improves the server performance.
You can determine how many connections are being made to your McAfee ePO server by using the
McAfee ePO Performance Counters.
For details about product features, usage, and best practices, click ? or Help.
Task
1 Select Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the
Category list.
2 Click the name of the policy you want to change and the General tab.
3 Next to Agent-to-server communication interval, type the number of minutes between updates.
This example shows the interval set to 60 minutes.
4 Click Save.
If you send a policy change or add a client task immediately, you can execute an agent wake-up
call.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Agent Deployment Credentials from the Setting Categories,
then click Edit.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Ports from the Setting Categories, then click Edit.
2 Select whether to enable port 443 for agent-server communications, enter the ports to be used for
agent wake-up calls and broadcasts, then click Save.
You can create queries and tasks to automatically run for improved server performance, easier
maintenance, and to monitor threats.
When you change a policy, configuration, client or server task, automatic response, or report, export
the settings before and after the change.
Contents
Best practice: Find systems with the same GUID
Best practices: Purging events automatically
Best practice: Creating an automatic content pull and replication
Best practices: Filtering 1051 and 1059 events
Best practice: Finding systems that need a new agent
Finding inactive systems: best practice
Measuring malware events best practice
Finding malware events per subnet: best practice
Create an automatic compliance query and report best practice
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Automation | Server Tasks to open the Server Tasks Builder.
2 Click Edit in the Actions column for one of the following preconfigured server tasks.
Duplicate Agent GUID - Clear error count
Duplicate Agent GUID - Remove systems that potentially use the same GUID
Next Schedule the server task to run at a specific time and perform the task.
This clears the error count and removes any systems with the same GUID, and assigns the systems a
new GUID.
You must determine your event data retention rate. The retention rate can be from one month to an
entire year. The retention rate for most organizations is about six months. For example, six months
after your events occur, on schedule, they are deleted from your database.
McAfee ePO does not come with a preconfigured server task to purge task events. This means that
many users never create a task to purge these events and, over time, the McAfee ePO server SQL
database starts growing exponentially and is never cleaned.
See also
Reporting features on page 349
Some organizations have specific event retention policies or reporting requirements. Make sure that
your purge event settings conform to those policies.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To open the Server Task Builder dialog box, select Menu | Automation | Server Tasks, then click Actions |
New Task.
2 Type a name for the task, for example Delete client events, add a description, then click Next.
You can chain the actions all in one task so that you don't have to create multiple tasks.
This example purges SiteAdvisor Enterprise events because they are not included in the normal
events table and require their own purge task. The SiteAdvisor Enterprise events are retained
for only 10 days because they collect all URLs visited by managed systems. These events can
save a large amount of data in environments with more than 10,000 systems. Therefore, this
data is saved for a much shorter time compared to other event types.
4 Click Next and schedule the task to run every day during non-business hours.
5 Click the Summary tab, confirm that the server task settings are correct, then click Save.
There are reasons why you might need to purge data or events based on a query. For example, there
can be many specific events overwhelming your database. In this example, you might not want to wait
for the event to age out if you are keeping your events for six months. Instead you want that specific
event deleted immediately or nightly.
Purging these events can significantly improve the performance of your McAfee ePO server and
database.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Automation | Server Tasks, then click Action | New Task to open the Server Task Builder.
2 Type a name for the task, for example Delete 1059 client events, then on the Actions tab, click
Purge Client Events from the Actions list.
3 Click Purge by Query, then select the custom query that you created.
This menu is automatically populated when table queries are created for client events.
4 Schedule the task to run every day during non-business hours, then click Save.
See also
Create custom table queries: best practice on page 357
2 Replicate that content to your distributed repositories. This ensures that multiple copies of the
content are available and remain synchronized. This also allows clients to update their content from
their nearest repository.
The most important content is the DAT files for VirusScan Enterprise, released daily at approximately
3 p.m. Eastern Time (19:00 UTC or GMT).
Optionally, many users with larger environments choose to test their DAT files in their environment
before deployment to all their systems.
Testing your DAT files before deployment requires a predictable pull schedule.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Automation | Server Tasks, then click Actions | New task.
2 In the Server Task Builder dialog box, type a task name and click Next.
Best practice: When you create a pull task for content, select only the packages that apply to your
environment instead of selecting All packages. This keeps the size of your Master Repository
manageable. It also reduces the bandwidth used during the pull from the McAfee website and during
replication to your distributed repositories.
4 Click Next.
5 Schedule your pull task to run at least once a day after 3 p.m. Eastern Time, then click Next.
6 Click the Summary tab, confirm that the server task settings are correct, then click Save.
Now you have created a server task that automatically pulls the McAfee DAT files and content from the
public McAfee servers.
These two events can be enabled on the McAfee ePO server. If you never disabled them, you might
find a significant number of these events when you run the Event Summary Query. These two events can,
for some users, make up 80 percent of the events in the database, use a tremendous amount of
space, and impact the performance of the database.
The 1059 events indicate that a file was not scanned, but the user was given access. Disabling the 1059
event means that you lose visibility of a security risk.
So why do these events exist? They have historical significance, going back several years, and are
meant to tell you that a file was not scanned by VirusScan Enterprise. This failure to scan the
file might be due to one of two reasons:
The scan timed out due to the size of the file, which is a 1059 event.
It was inaccessible due to password protection or encryption on the file, which is a 1051 event.
Disable these two events under event filtering, to prevent a flood of these events into your database.
By disabling these events, you are effectively telling the agent to stop sending these events to McAfee
ePO.
VirusScan Enterprise still logs these events in the On-access scanner log file for reference on the local
client.
Optionally, you can disable additional events, but this is not typically needed because most of the
other events are important and are generated in manageable numbers. You can also enable additional
events, as long as you monitor your event summary query to make sure that the new event you
enabled does not overwhelm your database.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, in the Setting Categories list select Event Filtering, then click
Edit.
2 In The agents forwards list on the Edit Event Filtering page, scroll down until you see these events, then
deselect them:
1051: Unable to scan password protected (Medium)
3 Click Save.
Now these two events are no longer saved to the McAfee ePO server database when they are
forwarded from the agents.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To duplicate the Agent Versions Summary query, select Menu | Reporting | Queries & Reports, then find
the Agent Versions Summary query in the list.
2 In the Actions column of the Agent Versions Summary query, click Duplicate. In the Duplicate dialog
box, change the name, select a group to receive the copy of the query, then click OK.
3 Navigate to the duplicate query that you created, then click Edit in the Actions column to display the
preconfigured Query Builder.
4 In the Chart tab, in the Display Results As list, expand List and select Table.
5 To configure the Sort by fields, in the Configure Chart: Table page, select Product Version (Agent) under
Agent Properties in the list, click Value (Descending), then click Next.
6 In the Columns tab, remove all preconfigured columns except System Name, then click Next.
c For the Value column, type the current McAfee Agent version number.
Typing the current agent number means that the query finds only versions "earlier than" that
version number.
Now your new query can run from a product deployment to update the old McAfee Agent versions.
Task
For details about product features, usage, and best practices, click ? or Help.
c Next to Package, select the McAfee Agent that you want installed on the systems. Select the
language and repository branch (Evaluation, Current, or Previous) that you want to deploy from.
d Next to Command line, specify any command-line installation options. See the McAfee Agent
Product Guide for information on command-line options.
e In the Select the systems group, click Select Systems, and from the dialog box, click the Queries tab and
configure these options, then click OK:
Select the Agent Version Summary table query that you created.
f Next to Select a start time, select Run Immediately from the list.
3 Click Save.
The Product Deployment project starts running and allows you to monitor the deployment process and
status.
See also
Monitor and edit deployment projects on page 182
Initial troubleshooting
Initially, when a system is not communicating with the McAfee ePO server, try these steps:
1 From the System Tree, select the system and click Actions | Agents | Wake Up Agents.
2 To delete the device from McAfee ePO, but not remove the agent in the System Tree, select the
system and click Actions | Directory Management | Delete. Do not select Remove agent on next agent-server
communication.
The system appears in the System Tree Lost and Found group.
It's more efficient to either delete or automatically move these inactive systems. Most organizations
choose a deadline of between 14 and 30 days of no communication to delete or move systems. For
example, if a system has not communicated with the McAfee ePO server after that deadline you can:
Move that system to a group in your tree that you can designate as, for example, Inactive Agents.
A preconfigured Inactive Agent Cleanup Task exists, disabled by default, that you can edit and enable
on your server.
The instructions in this task describe how to create a copy of the existing Inactive Agents query to
change the deadline to 2 weeks.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To duplicate the Inactive Agents query, select Menu | Reporting | Queries & Reports, then find the Inactive
Agents query in the list.
3 In the Duplicate dialog box change the name, select a group to receive the copy of the query, then
click OK.
4 Navigate to the duplicate query that you created and, in the Actions column, click Edit to display the
preconfigured Query Builder.
5 To change the Filter tab settings from once a month to every two weeks, set the Last Communications
property, Is not within the last comparison, to 2 Weeks value.
Don't change the and Managed State property, Equals comparison, or the Managed value.
6 Click Save.
Now your new Inactive Agents query is ready to run from a server task to delete systems with an
inactive agent.
Deleting a system from the System Tree deletes only the record for that system from the McAfee ePO
database. If the system physically exists, it continues to perform normally with the last policies it
received from the McAfee ePO server for its applicable products.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To create a duplicate of the Inactive Agent Cleanup Task, select Menu | Automation | Server Tasks, then
find the Inactive Agent Cleanup Task in the server tasks list.
2 Click the preconfigured Inactive Agent Cleanup Task, click Actions | Duplicate.
3 In the Duplicate dialog box, change the server task name, then click OK.
4 In the server task row you created, click Edit to display the Server Task Builder page.
5 From the Descriptions tab, type any needed notes, click Enabled in Schedule status, then click Next.
b For Query, click ... to open the Select a query from the list dialog box.
c Click the group tab where you saved your copy of the Inactive Agents query, select your query,
then click OK.
Do not click Remove agent. This setting causes McAfee ePO to delete the McAfee Agent from the
inactive systems when they are removed from the System Tree. Without the agent installed,
when the removed system reconnects to the network it cannot automatically start
communicating with the McAfee ePO server and reinsert itself back into the System Tree.
(Optional) Instead of using the default subaction Delete Systems, you can select Move Systems to
another Group. This moves the systems found by the query to a designated group, for example,
Inactive Systems in your System Tree.
7 Click Next, schedule when you want this server task to run, then save the server task.
Now any inactive systems are automatically removed from the McAfee ePO server, and your system
compliance reports provide more accurate information.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Reporting | Queries & Reports, then click Actions | New.
2 On the Query Wizard Result Types tab for the Feature Group, select Events, then in the Result Types
pane, click Threat Events, then click Next.
3 On the Chart tab, in the Display Results As list, select Single Line Chart.
4 In the Configure Chart: Single Line Chart pane, configure these settings, then click Next:
In Time base is, select Event Generated Time.
5 In the Columns tab, in the Available Columns list select these columns to display, then click Next:
Event Generated Time
Event Category
6 In the Filter tab, Available Properties list, configure this Required Criteria:
For Event Generated Time, select these settings from the Is within the last list, 3 and Months.
For Event Category, select these settings from the Belongs to list, Malware.
For Action Taken, select these settings from the lists Equals and Deleted.
7 Click Save to display the Save Query page, then configure these settings:
For Query Name, type a query name, for example, Total Infected Systems Cleaned Per
Week.
For Query Group, click New Group, type the query group name, then click Public.
8 Click Save.
When you run this query, it returns the number of infected systems cleaned per week. This
information provides a benchmark of the overall status of your network.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To duplicate the existing Threat Event Descriptions in the Last 24 Hours query, select Menu | Reports | Queries &
Reports, then find and select the Threat Target IP Address query in the list.
2 Click Actions | Duplicate and in the Duplicate dialog box, edit the name, select the group to receive
the copy, then click OK.
3 In the Queries list, find the new query that you created and click Edit.
The duplicated query is displayed in the Query Builder with the Chart tab selected.
5 In the Configure Chart: Table dialog box, select Threat Target IPv4 Address from the sort by list and Value
(Descending), then click Next.
It might help to move the Threat Target IPv4 Address closer to the left of the table, then click Next.
7 Click the Summary tab, confirm that the query settings are correct, then click Save.
8 In the Queries list, find the query that you created, then click Run.
Now you have a query to find malware events and sort them by IP subnet address.
Tasks
Create a server task to run compliance queries: best practice
You must create a server task to run your compliance queries weekly to automate
generating your managed systems' compliance report.
Create a report to include query output: best practice
Once you have the query data saved, you must create a report to contain the information
from the queries you ran before you can send it to the administrator team.
Create a server task to run and deliver a report: best practice
You must create a server task to automatically run the report and send the compliance
report to your administrators.
Task
1 Select Menu | Automation | Server Tasks, then click Actions | New Task.
c Click Next.
b Click + to create another action, and in the second Actions list, select Run Query and configure
these settings, then click Next.
For Query, select Inactive Agents.
d Change the Schedule settings to configure the task to run on Monday at 2:00 AM.
You can set the schedule to run when and as often as you want.
e Confirm that all settings are correct in the Summary tab, then click Save.
That completes the server task that automatically runs the two compliance queries and saves
the output of the queries to CSV files.
Create a report that contains the data captured from your compliance queries, which is run
automatically using a server task, then emailed to the administrators every Monday morning.
Task
1 Select Menu | Reporting | Queries & Reports, then select the Report tab.
3 Click Name and type a name for the report, click Description and, optionally, type a description, click
Group, and select an appropriate group to receive the report, then click OK.
4 In the Report Layout pane, drag and drop these query input formats from the Toolbox list:
For the VSE: Compliance Over the Last 30 Days chart query, drag the Query Chart tool into the
Report Layout pane, then from the Query Chart list select VSE: Compliance Over the Last 30 Days, then click
OK.
For the Inactive Agents table query, drag the Query Table tool into the Report Layout pane, then from
the Query Table list, select Inactive Agents, then click OK.
5 Click Save, and the new compliance report is listed in the Reports tab.
6 To confirm that your report is configured correctly, click Run in the Actions column for your report,
then verify that the Last Run Status displays Successful.
7 To see the report, click the link in the Last Run Result column, then open or save the report.
That completes creating the report to display the two compliance queries and save their output to a
PDF file.
Use a server task to email the report to the administrators every Monday morning at 5:00 a.m.
Task
1 Select Menu | Automation | Server Tasks, then click Actions | New Task.
2 In the Server Task Builder, configure these settings, then click Next.
a In the Descriptions tab, type a name and notes.
3 In the Actions tab, select Run Report, configure these settings, then click Next.
a For Select a report to run, select the compliance report you configured.
e For Subject, type the information you want to appear in the subject line of the email.
d Change the Schedule settings to configure the task to run on Monday at 5:00 AM.
You can set the schedule to run when and as often as you want.
e Confirm that all settings are correct in the Summary tab, then click Save.
That completes the final task to create a compliance report that runs automatically and is delivered to
your administrators every Monday morning at 5 a.m.
See also
Create a report to include query output: best practice
Repositories house your security software packages and their updates for distribution to your managed
systems.
Security software is only as effective as the latest installed updates. For example, if your DAT files are
out of date, even the best anti-virus software cannot detect new threats. It is critical that you develop
a strong updating strategy to keep your security software as current as possible.
The McAfee ePO repository architecture offers flexibility to ensure that deploying and updating
software is as easy and automated as your environment allows. Once your repository infrastructure is
in place, create update tasks that determine how, where, and when your software is updated.
Contents
What repositories do
Repository types and what they do
Repository branches and their purposes
Using repositories
Setting up repositories for the first time
Manage source and fallback sites: best practice
Verify access to the source site: best practice
Configure settings for global updates: best practice
Configure agent policies to use a distributed repository: best practice
Use SuperAgents as distributed repositories
Create and configure repositories on FTP or HTTP servers and UNC shares
Using UNC shares as distributed repositories
Use local distributed repositories that are not managed
Work with the repository list files
Change credentials on multiple distributed repositories
Pulling tasks
Replication tasks
Repository selection
What repositories do
The agents on your managed systems obtain their security content from repositories on the McAfee
ePO server. This content keeps your environment up to date.
Repository content can include the following:
Patches and any other software needed for client tasks that you create using McAfee ePO
One common misconception is that a repository is created by installing a McAfee ePO server on a
system. Unlike your server, repositories do not manage policies, collect events, or have code installed
on them. A repository is nothing more than a file share located in your environment that your clients
can access.
Master Repository: The Master Repository regularly pulls DAT and engine update files from
the source site.
Distributed repositories: The Master Repository replicates the packages to distributed
repositories in the network.
Managed systems: The managed systems in the network retrieve updates from a distributed
repository.
Fallback site: If managed systems can't access the distributed repositories or the Master
Repository, they retrieve updates from the fallback site.
These components give you the flexibility to develop an updating strategy so that your systems are
always current.
Source site
The source site provides all updates for your Master Repository. The default source site is the McAfee
http update site, but you can change the source site or create multiple source sites.
We recommend using the McAfee http or McAfee ftp update sites as your source site.
Source sites are not required. You can download updates manually and check them into your Master
Repository. But, using a source site automates this process.
McAfee posts software updates to these sites regularly. For example, DAT files are posted daily.
Update your Master Repository with updates as they are available.
Use pull tasks to copy source site contents to the Master Repository.
McAfee update sites provide updates to detection definition (DAT) and scanning engine files, and some
language packs. Manually check in all other packages and updates, including service packs and
patches, to the Master Repository.
Master Repository
The Master Repository maintains the latest versions of security software and updates for your
environment. This repository is the source for the rest of your environment.
Distributed repositories
Distributed repositories host copies of your Master Repository. Consider using distributed repositories
and placing them throughout your network. This configuration ensures that managed systems are
updated while network traffic is minimized, especially across slow connections.
As you update your Master Repository, McAfee ePO replicates the contents to the distributed
repositories.
Automatically when specified package types are checked in to the Master Repository, as long as
global updating is enabled.
Do not configure distributed repositories to reference the same directory as your Master Repository. This
locks the files on the Master Repository. This can cause failure for pulls and package check-ins, and can
leave the Master Repository in an unusable state.
A large organization can have multiple locations with limited bandwidth connections between them.
Distributed repositories help reduce updating traffic across low-bandwidth connections, or at remote
sites with many endpoints. If you create a distributed repository in the remote location and configure
the systems in that location to update from this distributed repository, the updates are copied across
the slow connection only once to the distributed repository instead of once to each system in the
remote location.
If global updating is enabled, distributed repositories update managed systems automatically, when
selected updates and packages are checked in to the Master Repository. Update tasks are not needed.
But, if you want automatic updating, create SuperAgents in your environment. Create and configure
repositories and the update tasks.
If distributed repositories are set up to replicate only selected packages, your newly checked-in package
is replicated by default. To avoid replicating a newly checked-in package, deselect it from each
distributed repository or disable the replication task before checking in the package.
Fallback site
The fallback site is a source site enabled as the backup site. Managed systems can retrieve updates
when their usual repositories are inaccessible. For example, when network outages or virus outbreaks
occur, accessing the established location might be hard. Managed systems can remain up-to-date
using a fallback site. The default fallback site is the McAfee http update site. You can enable only one
fallback site.
If managed systems use a proxy server to access the Internet, configure agent policy settings to use
proxy servers when accessing the fallback site.
See also
Avoid replication of selected packages
Disable replication of selected packages
Update tasks can retrieve updates from any branch of the repository, but you must select a branch
other than the Current branch when checking in packages to the Master Repository. If a non-Current
branch is not configured, the option to select a branch other than Current does not appear.
To use the Evaluation and Previous branches for packages other than updates, you must configure this
in the Repository Packages server settings.
Current branch
The Current branch is the main repository branch for the latest packages and updates. Product
deployment packages can be added only to the Current branch, unless support for the other branches
has been enabled.
Evaluation branch
You might want to test new DAT and engine updates with a few network segments or systems before
deploying them to your entire organization. Specify the Evaluation branch when checking in new DATs
and engines to the Master Repository, then deploy them to a few test systems. After monitoring the
test systems for several hours, you can add the new DATs to your Current branch and deploy them to
your entire organization.
Previous branch
Use the Previous branch to save and store prior DAT and engine files before adding the new ones to
the Current branch. If you experience an issue with new DAT or engine files in your environment, you
have a copy of a previous version that you can redeploy to your systems if necessary. McAfee ePO
saves only the most immediate previous version of each file type.
You can populate the Previous branch by selecting Move existing packages to Previous branch when you add
new packages to your Master Repository. The option is available when you pull updates from a source
site and when you manually check in packages to the Current branch.
This flowchart describes when to use these three different branches of the Master Repository.
Using repositories
Distributed repositories work as file shares that store and distribute security content for your managed
endpoints.
Repositories play an important role in your McAfee ePO infrastructure. How you configure repositories
and deploy them depends on your environment.
Your McAfee ePO server does not require configuration to make it the Master Repository. It is the Master
Repository by default.
HTTP repositories
SuperAgents
There is no operating system requirement for the systems that host your repository. As long as
your McAfee ePO server can access the folders you specify to copy its content to, and as long as
the agents can connect to the folder to download their updates, everything works as expected.
Your agent updates and McAfee ePO replication tasks are only as good as your repositories. If you
are already using one of these repositories and your environment works well, do not change the
configuration.
If you are starting with a new installation with no repositories, use SuperAgents because they are
easy to configure and are reliable.
Unmanaged repositories
If you are unable to use managed systems as distributed repositories, you can create and maintain
unmanaged distributed repositories, but a local administrator must keep the distributed files up-to-date
manually.
Once the distributed repository is created, use McAfee ePO to configure managed systems of a specific
System Tree group to update from it.
Manage all distributed repositories through McAfee ePO. This ensures your managed environment is up
to date. Use unmanaged distributed repositories only if your network or organization's policy doesn't
allow managed distributed repositories.
FTP repositories
FTP servers can host a distributed McAfee ePO server repository. You might already have FTP servers
in your environment, and you can store McAfee content there as well.
FTP repositories are:
Fast
Helpful in a DMZ where HTTP might not be optimal and UNC shares can't be used
Using FTP servers, your clients do not need authentication and can use an anonymous logon to pull their
content. No authentication reduces the chance that a client fails to pull its content.
You can use an FTP server to host a distributed repository. Use FTP server software, such as Microsoft
Internet Information Services (IIS), to create a folder and site location for the distributed repository.
See your web server documentation for details.
HTTP repositories
HTTP servers can host a distributed McAfee ePO server repository. You might already have HTTP
servers in your environment.
HTTP servers can be fast serving out files to large environments. Your HTTP servers allow clients to
pull their content without authentication, which reduces the chance that a client might fail to pull its
content.
You can use an HTTP server to host a distributed repository. Use HTTP server software, such as
Microsoft IIS, to create a folder and site location for the distributed repository. See your web server
documentation for details.
Because most administrators are familiar with the concept of UNC shares, UNC shares might seem like
the easiest method to choose, but that's not always the case.
If you use UNC shares to host your McAfee ePO server repository, you must correctly configure the
account and shares. See the Recommendations for download credentials when using UNC shares as
software repositories in ePolicy Orchestrator, KB70999, for details.
4 Create two accounts, one with read access and one with write access.
If your IT group has password rules, such as changing a password every 30 days even for service
accounts, changing those passwords in McAfee ePO can be cumbersome. You must change the
password for access to each of the distributed repository shares in the Windows operating system and
in the configuration settings for each of the UNC Distributed Repositories in McAfee ePO. Access the
McAfee ePO UNC Distributed Repositories settings using Menu | Software | Distributed Repositories.
All these tasks increase the chance of failure because these processes must be completed manually.
Your agents might not properly update if your agents cannot authenticate to your UNC share because
they are not part of the domain or the credentials are incorrect.
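One way to lay out the two accounts on a Windows file server, so that the read account can only download and only the write account can change repository content. This is an added example, not taken from the product guide or KB70999; the folder, share and account names and the Test-RepoShareAccess helper are hypothetical, and mapping the read account to agent downloads and the write account to McAfee ePO replication is an assumption.

```powershell
# Added example (not from the product guide). All names below are hypothetical.
# Run in an elevated PowerShell session on the Windows server that hosts the share.

$RepoPath     = 'D:\ePORepository'           # hypothetical repository folder
$ShareName    = 'ePORepo'                    # hypothetical share name
$ReadAccount  = 'EXAMPLE\svc-epo-download'   # hypothetical read-only account (agent downloads)
$WriteAccount = 'EXAMPLE\svc-epo-replicate'  # hypothetical write account (ePO replication)
$Admins       = 'BUILTIN\Administrators'

New-Item -ItemType Directory -Path $RepoPath -Force | Out-Null

# Share permissions: name every principal explicitly so the share is not
# created with the default "Everyone: Read" entry.
New-SmbShare -Name $ShareName -Path $RepoPath `
    -ReadAccess $ReadAccount `
    -ChangeAccess $WriteAccount `
    -FullAccess $Admins | Out-Null

# NTFS permissions: effective access is the more restrictive of share and NTFS,
# so mirror the same split here, then stop inheriting ACEs from the parent folder.
icacls $RepoPath /grant:r "${Admins}:(OI)(CI)F" 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${WriteAccount}:(OI)(CI)M" "${ReadAccount}:(OI)(CI)RX" | Out-Null
icacls $RepoPath /inheritance:r | Out-Null

function Test-RepoShareAccess {
    # Returns one finding per share ACE that breaks the read/write split.
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$ReadAccount,
        [Parameter(Mandatory)] [string]$WriteAccount
    )
    $broad    = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON'
    $expected = $ReadAccount, $WriteAccount, 'BUILTIN\Administrators'
    $seen     = @{}
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($ace in Get-SmbShareAccess -Name $Name) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $account = $ace.AccountName
        $right   = "$($ace.AccessRight)"
        $seen[$account] = $right

        if ($account -in $broad) {
            $findings.Add("Broad principal '$account' has $right access")
        }
        elseif (($account -eq $ReadAccount) -and ($right -ne 'Read')) {
            $findings.Add("Download account '$account' has $right access; expected Read")
        }
        elseif (($account -notin $expected) -and ($right -ne 'Read')) {
            $findings.Add("Unexpected account '$account' has $right access")
        }
    }
    foreach ($required in $ReadAccount, $WriteAccount) {
        if (-not $seen.ContainsKey($required)) {
            $findings.Add("Account '$required' has no entry on the share")
        }
    }
    return $findings
}

# An empty result means the share matches the intended layout.
Test-RepoShareAccess -Name $ShareName -ReadAccount $ReadAccount -WriteAccount $WriteAccount
```

Rerunning the check after each service-account password rotation or share rebuild confirms the read/write split is still in place.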
A SuperAgent also broadcasts wake-up calls to other agents using that SuperAgent repository. When
the SuperAgent receives a wake-up call from the McAfee ePO server, it wakes up the agents using its
repository connection.
This is an alternative to sending ordinary wake-up calls to each agent in the network or sending an
agent wake-up task to each computer.
For detailed information about SuperAgents and how to configure them, see the McAfee Agent Product
Guide.
SuperAgent repositories
Use systems hosting SuperAgents as distributed repositories. SuperAgent repositories have several
advantages over other types of distributed repositories:
Folder locations are created automatically on the host system before adding the repository to the
repository list.
SuperAgent considerations
When you configure systems as SuperAgents, follow these guidelines.
Use existing file repositories in your environment, for example Microsoft System Center
Configuration Manager (SCCM).
Turn off Global Updating to prevent unwanted updates of new engines or patches from the Master
Repository.
You use the Repository policy to create the SuperAgent hierarchy. We recommend that you have a
three-level hierarchy of SuperAgents in your network.
See McAfee Agent Product Guide for details about creating a hierarchy of SuperAgents, SuperAgent
caching (lazy caching), and communication interruptions.
Create a SuperAgent
Creating a SuperAgent requires these tasks.
1 Create a new SuperAgents policy.
2 Create a new group in the System Tree, for example named SuperAgents
Once you have created the new SuperAgents group, you can drag any system into that group and it
becomes a SuperAgent the next time it communicates with the McAfee ePO server.
See also
Best practice: Global Updating restrictions
Task
1 Select Menu | Policy | Policy Catalog to open the Policy Catalog page.
2 To duplicate the My Default policy from the Product drop-down list, select McAfee Agent, and from the
Category drop-down list, select General.
4 In the Duplicate Existing Policy dialog box, change the policy name, add any notes for reference, and
click OK.
5 From the Policy Catalog page, click the SuperAgents tab, then select Convert agents to SuperAgents to convert the
agent to a SuperAgent and update its repository with the latest content.
6 Select Use systems running SuperAgents as distributed repositories to use the systems that host SuperAgents
as update repositories for the systems in its broadcast segment, then provide the Repository path.
7 Select Enable Lazy caching to allow the SuperAgents to cache content when it is received from the
McAfee ePO server.
8 Click Save.
Task
1 Select Menu | Systems Section | System Tree, click System Tree Actions | New Subgroups, and give it a distinctive
name, for example SuperAgents.
2 Click OK. The new group appears in the System Tree list.
Best practice: Assign the new SuperAgents policy to the new SuperAgent group
Assigning the SuperAgent policy to the new group completes the configuration of the SuperAgent
group.
Task
1 In the System Tree, select the SuperAgent group that you created, select the Assigned Policies tab, then
select McAfee Agent from the Product list.
2 From the Actions column for the General category, click Edit Assignment.
3 From the McAfee Agent: General page, click Break inheritance and assign the policy and settings below. Select the
SuperAgent policy that you created from the Assigned Policy list, then click Save.
Task
1 In the System Tree, click the Systems tab and find the system that you want to change to a SuperAgent
repository.
2 Drag that row with the system name and drop it into the new SuperAgent group you created in the
System Tree.
Once the system communicates with the McAfee ePO server, it changes to a SuperAgent repository.
3 To confirm that the system is now a SuperAgent repository, select Menu | Software | Distributed
Repositories and select SuperAgent from the Filter list. The new SuperAgent repository appears in the
list.
Before the system appears as a SuperAgent in the group, two agent-server communications must
occur. First, the system must receive the policy change, and second, the agent must respond to
the McAfee ePO server that it is now a SuperAgent. This conversion might take some time depending
on your ASCI settings.
If needed, you can export the repository list to external files (SiteList.xml or SiteMgr.xml). The
two files have different uses:
SiteList.xml file
SiteMgr.xml file
Back up and restore your distributed repositories and source sites if you have to reinstall the
server.
Import the distributed repositories and source sites from a previous installation of the McAfee ePO
software.
How many nodes do you manage with the McAfee ePO server?
Remember, the purpose of a repository is to allow clients to download the large amount of data in
software updates locally instead of connecting to the McAfee ePO server and downloading the updates
across the slower WAN links. At a minimum, your repository is used to update your signature, or DAT
files for VirusScan Enterprise daily. In addition, your repository is used by your agents to download
new software, product patches, and other content, for example Host Intrusion Prevention content.
Typically you can create a repository for each large geographic location, but there are several caveats.
Plus, you must avoid the most common mistakes of having too many or too few repositories and
overloading your network bandwidth.
Repositories have no hard technical limit to how many nodes they can handle. With a properly crafted
update task for your clients, repositories can update a significant number of nodes.
The following table is an estimate of the updates a repository can handle and the hardware needed.
Many factors can influence these specifications, for example how you update content, products, and
patches.
Disk space needed for a repository is rarely a concern with today's storage standards. Even if you
checked in several McAfee endpoint products, for example McAfee Endpoint Encryption, SiteAdvisor
Enterprise, and Policy Auditor, your repository disk space is in the 1-GB range.
To find the exact size of the product installation files in Windows Explorer, right-click the Install folder
and click Properties. The product files are at this default path:
These examples provide three common organization sizes and their repository size.
Uses VirusScan Enterprise, Host Intrusion Prevention, McAfee Endpoint Encryption, and Host Data
Loss Prevention.
Has a small data center in the same building where the devices reside, so there are no WAN links
and all clients are on a 100 MB LAN.
In this example, you can use the primary McAfee ePO server to act as the only repository. The McAfee
ePO server is always the Master Repository by default. For 3,000 clients, the McAfee ePO server can
handle:
Policy deployment
Event collection
Has one data center in New York where all traffic destined for the Internet is routed.
Four offices in the U.S. located in New York, San Francisco, Dallas, and Orlando.
Each office has approximately 3,000-4,000 nodes and a T1 connection (1.544 Mb/s) back to the
New York office.
The McAfee ePO server, located in New York, manages all 20,000 nodes for policies and events for
McAfee Endpoint Encryption, VirusScan Enterprise, Host Intrusion Prevention, and Application Control.
A dedicated SuperAgent repository is placed in each of the three major offices that connect to the data
center. These repositories are dedicated SuperAgent repositories that connect to the New York data
center with medium hardware class servers, for example a single processor 3 GHz CPU and 4 GB of
RAM. The SuperAgents' only job is to serve out files to the McAfee Agent at each office. When you
have multiple repositories, you can specify the order in which agents access repositories. In this
example, you would order the repositories so that the dedicated SuperAgent repositories that connect
to the New York data center are accessed first. You can even disable access to other repositories you
don't want the agents to use.
Three major regions of the U.S. offices, with one data center in New York and three additional
offices across the country.
The one McAfee ePO server in the New York data center runs VirusScan Enterprise, Host Intrusion
Prevention, and SiteAdvisor Enterprise.
The largest office in the U.S., other than the New York Data Center, has an Agent Handler installed.
The Europe, Middle East, and Africa (EMEA) offices have another data center in the UK with several
other offices across EMEA. These other offices range from 200 nodes to 3,000 nodes.
Put one server class client, for example dual processor 3 GHz and 8 GB of RAM, at each site in the
U.S.
Use the Systems Management Server (SMS) and install the SuperAgents at each office in the EMEA
because they are smaller sites. Your repository does not have to be dedicated to McAfee as long as it's
not serving files to several thousand agents.
The small offices in the APAC region use slow WAN links back to the McAfee ePO server in
New York. Plus these WAN links are already saturated with traffic. These links mean replication from the
McAfee ePO server to an APAC repository is not feasible unless it is done during off hours. This option
is reasonable if you want to put SuperAgents in APAC.
Fortunately, the APAC offices each have their own fast dedicated connections out to the Internet and
do not have to route Internet traffic back to the data center in New York. That provides two potential
solutions:
You can adjust the client tasks in APAC to have them go to the next nearest repository, which
might be in California.
You must completely randomize the agents' updating schedule so you spread their updates
throughout the day.
You can put a SuperAgent in the DMZ (publicly accessible on the Internet) at one of the data
centers. Then adjust the APAC client tasks forcing them to only update from this SuperAgent in the
DMZ. Because the SuperAgent is local to the data center, replication from McAfee ePO is fast.
Because the agents don't have to use a WAN link and can go straight to the Internet, your slow
WAN bandwidth concerns are solved.
In large environments, the McAfee ePO server is already busy distributing policies and collecting
events. You can improve performance by changing your McAfee Agent policy so that agents do not pull
content from the McAfee ePO server directly. Instead of pulling content from the Master Repository,
agents access dedicated repositories that are created for local access. This change forces the agents
to use only the repositories you created manually. You can specify which repositories agents access
when selecting a repository within a policy.
In smaller environments, where fewer nodes are managed, there is no need for this change. The server
can handle all these tasks without impacting performance.
Task
2 From the Product list, select McAfee Agent, then from the Category list, select Repository, and click the
policy name to modify.
4 In the Repository list, click Disable in the Actions column for the McAfee ePO server.
This diagram shows the McAfee ePO server disabled.
5 Click Save.
Now you have improved the McAfee ePO server performance because the agents are no longer
accessing it for updates.
Global Updating is disabled by default when you install McAfee ePO software.
To confirm the Global Updating setting, select Menu | Configuration | Server Settings and select Global Updating
from the Setting Categories list. Confirm that the status is disabled. If not, click Edit and change the
status.
If you have a large environment where bandwidth is critical, you can saturate your WAN
links if you have Global Updating enabled. You might think that having Global Updating enabled ensures
that your systems receive their DATs quickly. But eventually McAfee releases, for example, an update to its
McAfee Endpoint Security engine that can be several megabytes, compared to the 400-KB DAT files. This
engine update typically occurs twice a year. When that release occurs, the McAfee ePO server pulls the
engine from McAfee, starts replicating it to the distributed repositories, and starts waking up agents to
receive the new engine immediately. This engine update can saturate your WAN links and roll out an
engine that you might prefer to upgrade in a staged release.
If you have a large environment, you can still use Global Updating, but you must disable it when a new
engine or product patch is released or the updates could saturate your WAN links.
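The saturation risk described above, worked through with the guide's own figures (400-KB DAT files, a T1 link at 1.544 Mb/s, offices of 3,000-4,000 nodes). This is an added example, not part of the product guide; the Get-UpdateTransferEstimate helper is hypothetical, and the 5,000-KB engine size, the 3,500-node office and the 25% link share are constructed values.

```powershell
# Added example (not from the product guide). Estimates are lower bounds:
# protocol overhead and all other traffic on the link are ignored.

function Get-UpdateTransferEstimate {
    param(
        [Parameter(Mandatory)] [string]$Package,
        [Parameter(Mandatory)] [double]$PackageKB,   # size of one update package
        [Parameter(Mandatory)] [int]$Nodes,          # agents at the remote office
        [Parameter(Mandatory)] [double]$LinkMbps,    # WAN link speed in Mb/s
        [ValidateRange(0.01, 1.0)]
        [double]$LinkShare = 1.0                     # fraction of the link updates may use
    )
    $packageBits   = $PackageKB * 1000 * 8
    $usableBitsSec = $LinkMbps * 1e6 * $LinkShare
    $oneCopySec    = $packageBits / $usableBitsSec   # one replication to a local repository
    $allNodesSec   = $oneCopySec * $Nodes            # every agent pulls across the WAN

    [pscustomobject]@{
        Package            = $Package
        LinkSharePct       = [math]::Round($LinkShare * 100)
        ReplicateOnceSec   = [math]::Round($oneCopySec, 1)
        EveryNodeWanHours  = [math]::Round($allNodesSec / 3600, 1)
        WanTrafficGB       = [math]::Round($PackageKB * $Nodes / 1e6, 2)
    }
}

# Constructed scenarios: the DAT size and link speed come from the guide,
# the engine size and node count are assumptions for illustration.
$scenarios = @(
    @{ Package = 'DAT';    PackageKB = 400;  LinkShare = 1.0  }
    @{ Package = 'DAT';    PackageKB = 400;  LinkShare = 0.25 }
    @{ Package = 'Engine'; PackageKB = 5000; LinkShare = 1.0  }
    @{ Package = 'Engine'; PackageKB = 5000; LinkShare = 0.25 }
)

$results = foreach ($s in $scenarios) {
    Get-UpdateTransferEstimate -Package $s.Package -PackageKB $s.PackageKB `
        -Nodes 3500 -LinkMbps 1.544 -LinkShare $s.LinkShare
}
$results | Format-Table -AutoSize
```

ReplicateOnceSec is the WAN cost when a distributed repository sits at the office; EveryNodeWanHours at a reduced LinkShare is the narrowest randomization window that keeps agent pulls within that share of the link.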
2 The McAfee ePO server performs an incremental replication to all distributed repositories.
3 The McAfee ePO server issues a wake-up call to all SuperAgents in the environment.
4 The SuperAgent broadcasts a global update message to all agents in the SuperAgent subnet.
5 Upon receipt of the broadcast, the agent is supplied with a minimum catalog version needed.
6 The agent searches the distributed repositories for a site that has this minimum catalog version.
7 Once a suitable repository is found, the agent runs the update task.
You must be an administrator or have appropriate permissions to define, change, or delete source or
fallback sites.
Use the default source and fallback sites. If you require different sites for this purpose, you can create
new ones.
Tasks
Create source sites
Create a source site from Server Settings.
Switch source and fallback sites: best practice
Use Server Settings to change source and fallback sites.
Edit source and fallback sites: best practice
Use Server Settings to edit the settings of source or fallback sites, such as URL address,
port number, and download authentication credentials.
Delete source sites or disabling fallback sites: best practice
If a source or fallback site is no longer in use, delete or disable the site.
Task
2 Click Add Source Site. The Source Site Builder wizard appears.
3 On the Description page, type a unique repository name and select HTTP, UNC, or FTP, then click
Next.
4 On the Server page, provide the web address and port information of the site, then click Next.
From the URL drop-down list, select DNS Name, IPv4, or IPv6 as the type of server address, then
enter the address.
Option      Definition
DNS Name    Specifies the DNS name of the server.
IPv4        Specifies the IPv4 address of the server.
IPv6        Specifies the IPv6 address of the server.
Enter the port number of the server: FTP default is 21; HTTP default is 80.
5 On the Credentials page, provide the Download Credentials used by managed systems to connect to
this repository.
Use credentials with read-only permissions to the HTTP server, FTP server, or UNC share that hosts
the repository.
HTTP or FTP server type:
Select FTP or HTTP authentication (if the server requires authentication), then enter the user account
information.
6 Click Test Credentials. After a few seconds, a confirmation message appears that the site is accessible
to systems using the authentication information. If credentials are incorrect, check the:
User name and password.
7 Click Next.
8 Review the Summary page, then click Save to add the site to the list.
Task
2 Select Source Sites, then click Edit. The Edit Source Sites page appears.
3 From the list, locate the site that you want to set as fallback, then click Enable Fallback.
Task
3 Locate the site in the list, then click the name of the site.
4 From the Source Site Builder, edit the settings on the builder pages as needed, then click Save.
Task
1 Select Menu | Configuration | Server Settings.
2 Select Source Sites, then click Edit. The Edit Source Sites page appears.
3 Click Delete next to the required source site. The Delete Source Site dialog box appears.
4 Click OK.
Tasks
Configure proxy settings
To update your repositories, configure proxy settings to pull DATs.
Configure proxy settings for the McAfee Agent
Configure the proxy settings the McAfee Agent uses to connect to the download site.
Task
2 From the list of setting categories, select Proxy Settings, then click Edit.
If you are using the default source and fallback sites, or if you configure another HTTP source
site and FTP fallback site, configure both HTTP and FTP proxy authentication information here.
b Next to Proxy authentication, configure the settings according to whether you pull updates from
HTTP repositories, FTP repositories, or both.
c Next to Exclusions, select Bypass Local Addresses, then specify distributed repositories that the
server can connect to directly by typing the IP addresses or the fully-qualified domain name of
those systems, separated by semicolons.
4 Click Save.
Task
1 Select Menu | Policy | Policy Catalog, then from the Product list click McAfee Agent, and from the Category
list, select Repository.
A list of agents configured for the McAfee ePO server appears.
4 Select Use Internet Explorer settings (Windows only) for Windows systems, and select Allow user to configure proxy
settings, if appropriate.
There are multiple methods for configuring Internet Explorer for use with proxies. McAfee provides
instructions for configuring and using McAfee products, but does not provide instructions for
non-McAfee products. For information on configuring proxy settings, see Internet Explorer Help and
http://support.microsoft.com/kb/226473.
5 Select Configure the proxy settings manually to configure the proxy settings for the agent manually.
6 Type the IP address or fully-qualified domain name and the port number of the HTTP or FTP source
where the agent pulls updates. Select Use these settings for all proxy types to make these settings the
default settings for all proxy types.
7 Select Specify exceptions to designate systems that do not require access to the proxy. Use a
semicolon to separate the exceptions.
8 Select Use HTTP proxy authentication or Use FTP proxy authentication, then provide a user name and
credentials.
9 Click Save.
Task
1 Select Menu | Configuration | Server Settings, select Global Updating from the Setting Categories, then click
Edit.
2 Set the status to Enabled and specify a Randomization interval between 0 and 32,767 minutes.
Selected packages: Select this option to limit the signatures and engines, and patches and Service
Packs included in the global update.
When using global updating, schedule a regular pull task (to update the Master Repository) at a time
when network traffic is minimal. Although global updating is much faster than other methods, it
increases network traffic during the update.
See also
Product and update deployment
Task
1 Select Menu | Policy | Policy Catalog, then select the Product as McAfee Agent and Category as Repository.
3 From Repository list selection, select either Use this repository list or Use other repository list.
Subnet distance: Compares the IP addresses of endpoints and all repositories and sorts
repositories based on how closely the bits match. The more closely the IP addresses resemble
each other, the higher in the list the repository is placed.
User order in repository list: Selects repositories based on their order in the list.
Click Move to Top or Move to Bottom to specify the order in which you want endpoints to select
distributed repositories.
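The subnet-distance ordering described above, sketched as an added example that is not taken from the McAfee ePO product or this guide. It assumes "how closely the bits match" means the number of identical leading bits; the function names, repository names and addresses are constructed for illustration.

```python
import ipaddress


def matching_prefix_bits(addr_a: str, addr_b: str) -> int:
    """Count the leading bits two IP addresses have in common.

    Returns -1 when the addresses belong to different families
    (IPv4 vs IPv6), because their bits cannot be compared meaningfully.
    """
    ip_a = ipaddress.ip_address(addr_a)
    ip_b = ipaddress.ip_address(addr_b)
    if ip_a.version != ip_b.version:
        return -1
    # XOR leaves a 1 at every differing bit; the highest set bit marks
    # the position where the two addresses first diverge.
    diff = int(ip_a) ^ int(ip_b)
    return ip_a.max_prefixlen - diff.bit_length()


def sort_by_subnet_distance(endpoint: str, repositories):
    """Rank (name, address) pairs, closest bit match first.

    sorted() is stable (also with reverse=True), so repositories with
    equal scores keep their original repository-list order.
    """
    scored = [
        (name, address, matching_prefix_bits(endpoint, address))
        for name, address in repositories
    ]
    return sorted(scored, key=lambda entry: entry[2], reverse=True)


# Constructed sample data: names and addresses are illustrative only.
SAMPLE_REPOSITORIES = [
    ("HQ-Repo", "10.20.0.5"),
    ("DMZ-Repo", "192.168.1.10"),
    ("Branch-Repo", "10.20.30.200"),
    ("Branch-Repo-2", "10.20.30.250"),
    ("V6-Repo", "2001:db8::10"),
]

if __name__ == "__main__":
    for name, address, bits in sort_by_subnet_distance(
        "10.20.30.40", SAMPLE_REPOSITORIES
    ):
        print(f"{bits:>4} matching bits  {name:<14} {address}")
```

Numerically adjacent addresses can still score poorly (10.127.255.254 and 10.128.0.1 share only 8 leading bits), so a bit-match ranking reflects address similarity, not link speed or site boundaries.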
Tasks
Create SuperAgent distributed repositories
To create a SuperAgent repository, the SuperAgent system must have a McAfee Agent
installed and running. We recommend using SuperAgent repositories with global updating.
Replicate packages to SuperAgent repositories
Select which repository-specific packages are replicated to distributed repositories.
Delete SuperAgent distributed repositories
Remove SuperAgent distributed repositories from the host system and the repository list
(SiteList.xml). New configurations take effect during the next agent-server communication.
Task
1 From the McAfee ePO console, select Menu | Policy | Policy Catalog, then from the Product list click McAfee
Agent, and from the Category list, select General.
A list of general category policies available for use on your McAfee ePO server appears.
2 Create a policy, duplicate an existing one, or open one that's already applied to systems that host
a SuperAgent where you want to host SuperAgent repositories.
3 Select the General tab, then ensure Convert agents to SuperAgents (Windows only) is selected.
4 Select Use systems running SuperAgents as distributed repositories, then type a folder path location for the
repository. This location is where the Master Repository copies updates during replication. You can
use a standard Windows path, such as C:\SuperAgent\Repo.
All requested files from the agent system are served from this location using the agent's built-in
HTTP webserver.
5 Click Save.
6 Assign this policy to each system that you want to host a SuperAgent repository.
The next time the agent calls into the server, the new policy is retrieved. If you do not want to wait for
the next agent-server communication interval, you can send an agent wake-up call to the systems.
When the distributed repository is created, the folder you specified is created on the system if it did
not exist.
In addition, the network location is added to the repository list of the SiteList.xml file. This network
location makes the site available for updating by systems throughout your managed environment.
Task
Ensure that all packages required by any managed system using this repository are selected.
Managed systems go to one repository for all packages; the task fails for systems that are
expecting to find a package type that is not present. This feature ensures packages that are used
only by a few systems are not replicated throughout your entire environment.
4 Click Save.
Task
1 From the McAfee ePO console, click Menu | Policy | Policy Catalog, then click the name of the
SuperAgent policy you want to modify.
2 On the General tab, deselect Use systems running SuperAgents as distributed repositories, then click Save.
To delete a limited number of your existing SuperAgent distributed repositories, duplicate the
McAfee policy assigned to these systems and deselect Use systems running SuperAgents as distributed
repositories before saving it. Assign this new policy as needed.
The SuperAgent repository is deleted and removed from the repository list. However, the agent still
functions as a SuperAgent as long as you leave the Convert agents to SuperAgents option selected.
Agents that have not received a new site list after the policy change continue to update from the
SuperAgent that was removed.
Tasks
Create a folder location
Create the folder that hosts repository contents on the distributed repository system.
Different processes are used for UNC share repositories and FTP or HTTP repositories.
Add the distributed repository to McAfee ePO
Add an entry to the repository list and specify the folder the new distributed repository
uses.
Avoid replication of selected packages
If distributed repositories are set up to replicate only selected packages, your newly
checked-in package is replicated by default. Depending on your requirements for testing
and validating, you might want to avoid replicating some packages to your distributed
repositories.
Disable replication of selected packages
If distributed repositories are set up to replicate only selected packages, your newly
checked-in package is replicated by default. To disable the impending replication of a
package, disable the replication task before checking in the package.
Enable folder sharing for UNC and HTTP repositories
On an HTTP or UNC distributed repository, you must enable the folder for sharing across
the network, so that your McAfee ePO server can copy files to the repository.
Edit distributed repositories
Edit a distributed repository configuration, authentication, and package selection options as
needed.
Delete distributed repositories
Delete HTTP, FTP, or UNC distributed repositories. Doing so also deletes the contents of the
distributed repositories.
For FTP or HTTP repositories, use your existing FTP or HTTP server software, such as Microsoft
Internet Information Services (IIS), to create a folder and site location. See your web server
documentation for details.
Do not configure distributed repositories to reference the same directory as your Master Repository.
Doing so locks files on the Master Repository, causing pulls and package check-ins to fail and leaving
the Master Repository in an unusable state.
Task
1 Select Menu | Software | Distributed Repositories, then click Actions | New Repository. The Distributed
Repository Builder opens.
2 On the Description page, type a unique name and select HTTP, UNC, or FTP, then click Next. The name
of the repository does not need to be the name of the system hosting the repository.
Option Definition
DNS Name Specifies the DNS name of the server.
IPv4 Specifies the IPv4 address of the server.
IPv6 Specifies the IPv6 address of the server.
Enter the port number of the server: HTTP default is 80. FTP default is 21.
For HTTP server types, specify the Replication UNC path for your HTTP folder.
4 Click Next.
Select FTP or HTTP authentication (if the server requires authentication), then enter the user
account information.
Select Enter the download credentials, then enter domain and user account information.
b Click Test Credentials. After a few seconds, a confirmation message appears, stating that the site is
accessible to systems using the authentication information. If credentials are incorrect, check
the following:
User name and password
Click Test Credentials. After a few seconds, a confirmation message appears that the site is
accessible to systems using the authentication information. If credentials are incorrect, check
the following:
User name and password
8 Select whether to replicate all packages or selected packages to this distributed repository, then
click Next.
If you choose the Selected packages option, manually select the Signatures and engines and Products,
patches, service packs, etc. you want to replicate.
Ensure all packages required by managed systems using this repository are not deselected.
Managed systems go to one repository for all packages; if a needed package type is not present in
the repository, the task fails. This feature ensures packages that only a few systems use are not
replicated throughout your whole environment.
9 Review the Summary page, then click Save to add the repository. The McAfee ePO software adds the
new distributed repository to its database.
Task
1 Select Menu | Software | Distributed Repositories, then click a repository. The Distributed Repository
Builder wizard opens.
2 On the Package Types page, deselect the package that you want to avoid being replicated.
3 Click Save.
Task
1 Click Menu | Automation | Server Tasks, then select Edit next to a replication server task.
The Server Task Builder opens.
2 On the Description page, select the Schedule status as Disabled, then click Save.
Task
1 On the managed system, locate the folder you created using Windows Explorer.
5 Click OK.
Task
3 Click Save.
Task
1 Click Menu | Software | Distributed Repositories, then click Delete next to a repository.
Deleting the repository does not delete the packages on the system hosting the repository.
Do not use a share on your Domain Controller: Create a share off your domain controller. A
local user on a domain controller is a domain user.
Secure the account you use to read from the UNC share
Follow these guidelines to make sure the account used to access the UNC share is secure.
Grant your UNC share account read-only rights for everyone except the McAfee ePO
server master repository: When you set up your share, make sure that the account you
created has read-only rights to the directory and to the share permissions. Do not grant remote
writing to the share (even for administrators or other accounts). The only account allowed access is
the account you recently created.
The McAfee ePO server Master Repository must be able to write files to the UNC share account.
Create the account locally: Create the account on the file share, not on the domain. Accounts
created locally do not grant rights to systems in the domain.
Use a specific account: Create an account specifically for sharing repository data. Do not share
this account with multiple functions.
Make the account low privilege: Do not add this account to any groups it does not need,
which includes "Administrators" and "Users" groups.
Disable extraneous privileges: This account does not need to log on to a server. It is a
placeholder to get to the files. Examine this account's permissions and disable any unnecessary
privileges.
Use a strong password: Use a password with 8-12 characters, using multiple character
attributes (lowercase and uppercase letters, symbols, and numbers). We recommend using a
random password generator so that your password is complex.
Enable File Auditing: Always enable security audit logs to track access to your network shares.
These logs display who accesses the share, and when and what they did.
Change your passwords: Change your password often. Make sure that the new password is
strong, and remember to update your McAfee ePO configuration with the new password.
Disable the account and share if it's no longer used: If you switch to a different repository
type other than UNC, remember to disable or delete the account, and close and remove the share.
Task
1 Copy all files and subdirectories in the Master Repository folder from the server.
For example, using a Windows 2008 R2 Server, this path is the default path on your server:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
2 Paste the copied files and subfolders in your repository folder on the distributed repository system.
3 Configure an agent policy for managed systems to use the new unmanaged distributed repository:
a Select Menu | Policy | Policy Catalog, then select the Product as McAfee Agent and Category as Repository.
Policy inheritance cannot be broken at the level of option tabs that constitute a policy. Therefore,
when you apply this policy to systems, ensure that only the correct systems receive and inherit
the policy to use the unmanaged distributed repository.
f Under Configuration, type the location of the repository using appropriate syntax for the repository
type.
k Click Save.
Any system where this policy is applied receives the new policy at the next agent-server
communication.
SiteMgr.xml: Used when reinstalling the McAfee ePO server, or for importing into other McAfee
ePO servers that use the same distributed repositories or source sites.
Tasks
Export the repository list SiteList.xml file
Export the repository list (SiteList.xml) file for manual delivery to systems, or for import
during the installation of supported products.
Export the repository list for backup or use by other servers
Use the exported SiteMgr.xml file to restore distributed repositories and source sites.
Restore when you reinstall the McAfee ePO server, or when you want to share distributed
repositories or source sites with another McAfee ePO server.
Import distributed repositories from the repository list
Import distributed repositories from the SiteMgr.xml file after reinstalling a server, or
when you want one server to use the same distributed repositories as another server.
Import source sites from the SiteMgr.xml file
After reinstalling a server, and when you want two servers to use the same distributed
repositories, import source sites from a repository list file.
Task
1 Select Menu | Software | Master Repository, then click Actions | Export Sitelist.
The File Download dialog box appears.
2 Click Save, browse to the location to save the SiteList.xml file, then click Save.
Once you have exported this file, you can import it during the installation of supported products. For
instructions, see the installation guide for that product.
You can also distribute the repository list to managed systems, then apply the repository list to the
agent.
Task
1 Select Menu | Software | Distributed Repositories (or Source Sites), then click Actions | Export Repositories (or
Export Source Sites).
The File Download dialog box appears.
2 Click Save, browse to the location to save the file, then click Save.
Task
1 Select Menu | Software | Distributed Repositories, then click Actions | Import Repositories.
The Import Repositories page appears.
2 Browse to select the exported SiteMgr.xml file, then click OK. The distributed repository is
imported into the server.
3 Click OK.
The selected repositories are added to the list of repositories on this server.
Task
1 Select Menu | Configuration | Server Settings, then from the Setting Categories list select Source Sites and click
Edit.
2 Click Import.
3 Browse to and select the exported SiteMgr.xml file, then click OK.
4 Select the source sites to import into this server, then click OK.
The selected source sites are added to the list of repositories on this server.
Task
3 Select the type of distributed repository for which you want to change credentials, then click Next.
Pulling tasks
Use pull tasks to update your Master Repository with DAT and Engine update packages from the
source site.
DAT and Engine files must be updated often. McAfee releases new DAT files daily, and Engine files less
frequently. Deploy these packages to managed systems as soon as possible to protect them against
the latest threats.
You can specify which packages are copied from the source site to the Master Repository.
Extra.DAT files must be checked in to the Master Repository manually. They are available from the
McAfee website.
A scheduled repository pull server task runs automatically and regularly at the times and days you
specify. For example, you can schedule a weekly repository pull task at 5:00 a.m. every Thursday.
You can also use the Pull Now task to check updates into the Master Repository immediately. For
example, when McAfee alerts you to a fast-spreading virus and releases a new DAT file to protect
against it.
If a pull task fails, you must check the packages into the Master Repository manually.
Once you have updated your Master Repository, you can distribute these updates to your systems
automatically with global updating or with replication tasks.
Bandwidth and network usage: If you are using global updating, as recommended, schedule a
pull task to run when bandwidth usage by other resources is low. With global updating, the update
files are distributed automatically after the pull task finishes.
Frequency of the task: DAT files are released daily, but you might not want to use your
resources daily for updating.
Replication and update tasks: Schedule replication tasks and client update tasks to ensure
that the update files are distributed throughout your environment.
Replication tasks
Use replication tasks to copy the contents of the Master Repository to distributed repositories.
Unless you have replicated Master Repository contents to all your distributed repositories, some
systems do not receive them. Make sure that all your distributed repositories are up-to-date.
If you are using global updating for all your updates, replication tasks might not be necessary for your
environment, although they are recommended for redundancy. However, if you are not using global
updating for any of your updates, you must schedule a Repository Replication server task or run a
Replicate Now task.
Scheduling regular Repository Replication server tasks is the best way to ensure that your distributed
repositories are up-to-date. Scheduling daily replication tasks ensures that managed systems stay
up-to-date. Using Repository Replication tasks automates replication to your distributed repositories.
Occasionally, you might check in files to your Master Repository that you want to replicate to
distributed repositories immediately, rather than wait for the next scheduled replication. Run a
Replicate Now task to update your distributed repositories manually.
Schedule a daily incremental replication task. Schedule a weekly full replication task if it is possible for
files to be deleted from the distributed repository outside of the replication functionality of the McAfee
ePO software.
Repository selection
New distributed repositories are added to the repository list file containing all available distributed
repositories. The agent of a managed system updates this file each time it communicates with the
McAfee ePO server. The agent performs repository selection each time the agent (McAfee Framework
Service) service starts, and when the repository list changes.
Selective replication provides more control over the updating of individual repositories. When
scheduling replication tasks, you can choose:
Specific distributed repositories to which the task applies. Replicating to different distributed
repositories at different times lessens the impact on bandwidth resources. These repositories can
be specified when you create or edit the replication task.
Specific files and signatures that are replicated to the distributed repositories. Selecting only those
types of files that are necessary to each system that checks in to the distributed repository lessens
the impact on bandwidth resources. When you define or edit your distributed repositories, you can
choose which packages you want to replicate to the distributed repository.
This functionality is intended for updating only products that are installed on several systems in your
environment, like VirusScan Enterprise. The functionality allows you to distribute these updates only to
the distributed repositories these systems use.
You can also tightly control which distributed repositories agents use for updating by enabling or
disabling distributed repositories in the agent policy settings. Do not disable repositories in the policy
settings. Allowing agents to update from any distributed repository ensures that they receive the
updates.
Agent Handlers route communication between agents and your McAfee ePO server.
Each McAfee ePO server contains a master Agent Handler. Additional Agent Handlers can be installed
on systems throughout your network.
Helps manage an increased number of products and systems managed by a single, logical McAfee
ePO server in situations where the CPU on the database server is not overloaded.
Provides fault tolerant and load-balanced communication with many agents, including
geographically distributed agents.
Contents
How Agent Handlers work
Agent Handler details
Agent Handler functionality
Best Practices: Agent Handler installation and configuration
Best Practices: Adding an Agent Handler in the DMZ
Connect an Agent Handler in the DMZ to a McAfee ePO server in a domain
Handler groups and priority
Assign McAfee agents to Agent Handlers
Manage Agent Handler assignments
Create Agent Handler groups
Manage Agent Handler groups
Move agents between handlers
Frequently asked questions
If the handler doesn't have the updates needed when an agent checks in, the handler retrieves them
from the assigned repository and caches them, while passing the update through to the agent.
This diagram shows some of the typical connections between Agent Handlers, the McAfee ePO server,
and the McAfee ePO SQL Server.
A low-latency high-speed link's round-trip latency must be less than about 10 ms. Use the Windows
tracert command to confirm the round-trip time (RTT) from the Agent Handler to the McAfee ePO SQL
Server.
Boston: The Agent Handler for Boston is configured with failover support to the Agent Handler
for Philadelphia.
Washington DC: The Agent Handler uses specific ports to connect to the McAfee ePO server
from behind a firewall.
The Agent Handler must be able to authenticate domain credentials. Otherwise, the Agent Handler uses SQL
authentication to authenticate to the database. For more information about Windows and SQL
authentication, see the Microsoft SQL Server documentation.
For more information about changing authentication modes, see the Microsoft SQL Server
documentation. If you do, you must also update the SQL Server connection information.
Run the query Systems per Agent Handler to display all Agent Handlers installed and the number of
agents managed by each Agent Handler.
When an Agent Handler is uninstalled, it is not displayed in this chart. If an Agent Handler assignment
rule exclusively assigns agents to an Agent Handler and if that Agent Handler is uninstalled, it is
displayed in the chart with Uninstalled Agent Handler and the number of agents still trying to contact
this Agent Handler.
If the Agent Handlers are not installed correctly, then the Uninstalled Agent Handler message is
displayed, which indicates that the handler cannot communicate with particular agents. Click the list to
view the agents that cannot communicate with the handler.
Scalability: As your network grows, Agent Handlers can be added to reduce the load on your
McAfee ePO server.
Connect no more than five Agent Handlers to one McAfee ePO server with a maximum of 50,000
nodes connected to each Agent Handler.
Network topology: Agent Handlers can manage your agent requests behind a firewall or in an
external network.
Failover: Agents can fail over between Agent Handlers using a configured fallback priority list.
Load Balancing: Multiple Agent Handlers can load balance the McAfee Agent requests in a large
remote network.
Through a slow or irregular connection: Agent Handlers require a relatively high speed, low
latency connection to the database to deliver events sent by the agents.
To save bandwidth: Agent Handlers do not save bandwidth. They actually increase bandwidth
use over the WAN connection that connects the clients to the Agent Handler. Use distributed
repositories to save bandwidth.
Agent Handlers check the server work queue every 10 seconds and perform the requested action.
Typical actions include wake-up calls, requests for product deployment, and data channel messages.
These frequent communications to the database require relatively high speed, low latency connection
between the Agent Handler and the McAfee ePO database.
An Agent Handler installation includes only the Apache Server and Event Parser services. You can
deploy Agent Handlers on separate hardware, or virtual machines, that coexist in one logical McAfee
ePO infrastructure.
This diagram shows two different network configurations and their Agent Handlers.
Simple network: The primary Agent Handler is installed as a part of the McAfee ePO server. This
is sufficient for many small McAfee ePO installations; typically additional Agent Handlers are not
required.
Complex network: Multiple remote Agent Handlers are installed on separate servers connected
to the McAfee ePO server. Once installed, the additional Agent Handlers are automatically
configured to work with the McAfee ePO server to distribute the incoming agent requests. The
McAfee ePO console is also used to configure Agent Handler Assignment rules to support more
complex scenarios. For example, an Agent Handler behind the DMZ, firewall, or using network
address translation (NAT).
Administrators can override the Agent Handler default behavior by creating rules specific to their
environment.
See also
Configure Agent Handlers priority
Multiple McAfee ePO servers cause management, database duplication, and maintenance problems.
Ensure that agents continue to connect and receive policy, task, and product updates even if the
McAfee ePO server is unavailable.
Expand McAfee ePO management into disconnected network segments with high-bandwidth links to
the McAfee ePO database.
Usually, it is more efficient and less expensive to add an Agent Handler rather than a McAfee ePO
server.
Use a separate McAfee ePO server for separate IT infrastructures, separate administrative groups, or
test environments.
Providing scalability
Agent Handlers can provide scalability for McAfee ePO managed networks as the number of clients and
managed products grow.
One McAfee ePO server can easily manage up to 200,000 systems with only the VirusScan Enterprise
product installed. But, as the systems managed and the number of products integrated with your
McAfee ePO server increase, the attempts to receive policies or send events to your server also increase.
This load increase also decreases the maximum number of systems manageable with the same McAfee
ePO server hardware. The McAfee Security Innovation Alliance (SIA) program (http://
Agent Handlers allow you to scale your McAfee ePO infrastructure to manage more clients and
products. You do this by adding Agent Handlers to manage an equivalent or larger number of agents
with one logical McAfee ePO deployment. By default, when you install the Agent Handlers software on
a server, all Agent Handlers are used at the same order level unless custom assignment rules are
created.
The configuration file shared with the McAfee Agent contains a configurable fallback list of Agent
Handlers. If needed, the McAfee Agent tries to connect through the list of Agent Handlers until the list
ends or it can contact a valid, enabled Agent Handler.
Agents fail over between all Agent Handlers in a group before failing through to the next Agent Handler
in the assignment list. Using Agent Handler groups results in both load balancing and failover benefits.
This Agent Handler connection requires access to both the SQL database and the McAfee ePO server.
Some firewall rules are necessary for this configuration.
This diagram shows an Agent Handler with managed systems behind the DMZ and these connections:
Data Channel connection to the McAfee ePO server
This table lists all ports used by the McAfee ePO server and the other network components.
The ports connecting the Agent Handler to the McAfee ePO server and SQL database must be open to
connect to the Agent Handler through a firewall.
This diagram shows how Agent Handlers cache product update content if the configured remote
repository is unavailable to remote systems.
Systems 1 and 2 attempt to pull content or product updates from their configured remote
repository and the attempt fails.
For System 1, the McAfee Agent is configured, by default, to use Primary Agent Handler 1 that is
part of the McAfee ePO server. If the connection to the remote repository fails, System 1
requests the content or product updates directly from the Master Repository on the McAfee ePO
server.
For System 2, the McAfee Agent is configured to use Secondary Agent Handler 2, if the
connection to the remote repository fails.
Secondary Agent Handler 2 requests the content or product updates from the Master Repository.
Secondary Agent Handler 2 caches those updates, for any subsequent requests, and delivers
them to System 2.
Whenever you change a policy, configuration, client or server task, automatic response, or report,
export the settings before and after the change.
Deployment considerations
Before you deploy Agent Handlers in your extended network, consider the health of your existing
McAfee ePO server and database hardware. If this hardware is already overloaded, adding Agent
Handlers actually decreases McAfee ePO performance.
A fully configured Agent Handler has about the same hardware and database requirements as a
McAfee ePO server. When determining how many Agent Handlers you need, first examine the
database usage. If the database serving your McAfee ePO server is under a heavy load, adding Agent
Handlers does not improve your performance. Upgrade your SQL Server hardware to take advantage
of multiple Agent Handlers. If the database is currently running at a moderate to low load, then
additional Agent Handlers can help you expand your logical McAfee ePO infrastructure.
McAfee testing shows that adding Agent Handlers improves performance until your McAfee ePO
database CPU load exceeds 70 percent. Since each Agent Handler adds some overhead, for example
database connections and management queries to the database, adding Agent Handlers beyond 70
percent database CPU load does not help performance.
The McAfee ePolicy Orchestrator Installation Guide provides instructions for installing remote Agent
Handler software.
Handler Status: Provides the number of installed Agent Handlers and whether they are active.
New Assignment: Opens the Agent Handler Assignment page to create an Agent Handler assignment.
Edit Priority: Opens the Edit Priority page to change priority of the Agent Handler assignments.
Systems per Agent Handler: Specifies the number of agents assigned to each Agent Handler.
To see a detailed list of the agents assigned to an Agent Handler, click the Agent Handler name in
the list or the color associated with the Agent Handler segment in the pie chart.
Handler Groups: Specifies the number of Agent Handler groups that the McAfee ePO server
manages.
Handler Assignment Rules: Displays the list of Agent Handler assignments in your environment, their
priority, and details about rule settings.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click the Agent Handlers number in the Handler Status of the dashboard, to see a list of your Agent
Handlers and their detailed information.
3 Click the setting in the Actions column, to disable, enable, and delete Agent Handlers.
4 Click the Agent Handler name in the Handler DNS Name column to configure Agent Handler Settings.
Published IP Address
6 Click Save
Task
1 Select Menu | Configuration | Agent Handlers and, in the Handler Group dashboard, click New Group to create
Agent Handler groups.
2 From the Agent Handlers Add/Edit Group page, configure these group settings:
Group Name: Type a name for the Agent Handler group.
Click Use custom handler list and use + and - to add and remove additional Agent Handlers. Use
the drag-and-drop handle to change the priority of Agent Handlers.
3 Click Save
Reduces the McAfee ePO Server load so that it can perform other tasks like displaying the McAfee
ePO console user interface and running reports and server tasks
Task
1 Select Menu | Configuration | Agent Handlers, then click Edit Priority to create Agent Handler groups.
2 Click and drag the Agent Handlers to create the priority list you need for your network.
This screenshot shows the McAfee ePO Server, shown as "ePO 1," configured as priority 2 and
"Agent Handler 1" configured as priority 1.
3 Click Save.
When assigning systems to Agent Handlers, consider geographic proximity to reduce unnecessary
network traffic.
Task
1 Select Menu | Configuration | Agent Handlers, then click New Assignment to change the assignments for
Agent Handlers.
Agent Criteria: Choose one of these methods to assign agents to Agent Handlers:
System Tree location: Click System Tree, select the System Tree Group from the dialog box, then
click OK.
Agent Subnet: Type the IPv4/IPv6 address, IPv4/IPv6 address ranges, subnet masks, or
subnet masks range.
Handler Priority: To configure the priority used by the McAfee Agent, select:
Use all agent handlers: Agents randomly select which handler to communicate with.
Use custom handler list: Use + and - to add or remove Agent Handlers. Use the
drag-and-drop handle to change the priority of handlers.
3 Click Save.
These are the major steps to configure Agent Handlers in the DMZ.
1 Install the Windows Server hardware and software in the DMZ between your networks that are
internal and external to McAfee ePO.
2 Configure all ports on your firewall between your McAfee ePO server and SQL database and the
Agent Handler.
3 Install the McAfee ePO remote Agent Handler software using the information in the McAfee ePolicy
Orchestrator Installation Guide.
4 If needed, create a subgroup of systems to communicate with the McAfee ePO server through the
Agent Handler.
6 Configure the Agent Handlers priority list and enable the Agent Handler in the DMZ.
See also
Using Agent Handlers behind a DMZ, firewall, or in NAT networks: best practices on page 303
Task
1 Build the Agent Handler server hardware with the Microsoft Windows Server operating system.
2 Install the server in the DMZ behind the firewall in the protected network.
3 Configure your Domain Name System (DNS) server to add the Agent Handler server behind the
firewall in the protected network.
4 Configure these ports on the internal-facing firewall to communicate between the McAfee ePO
server and the Agent Handler in DMZ:
Port 80 Bidirectional
5 (Optional) If your SQL database is installed on a different server than your McAfee ePO server,
configure these two ports on the internal-facing firewall for that connection to the Agent Handler:
Port 1433 TCP Bidirectional
6 Configure these ports on the public-facing firewall to communicate between the McAfee ePO server
and the Agent Handler in the DMZ:
You must have access to the McAfee ePO executable files located in the downloaded
McAfee ePO installation files.
Task
1 Install the McAfee ePO remote Agent Handler software. See the McAfee ePolicy Orchestrator
Installation Guide.
2 Use one of these methods to communicate through the Agent Handler to the McAfee ePO server:
Create a subgroup of systems. This task uses a subgroup, NAT Systems, in the System Tree behind
the DMZ.
In Agent Subnet, type IP addresses, IP address ranges, or subnet masks, separated by commas,
spaces, or new lines.
3 To start the Agent Handler configuration on the McAfee ePO server, select Menu | Configuration | Agent
Handlers.
b Next to Agent Criteria, click Add Tree Locations and the "..." to select a System Tree group (for
example, NAT Systems) and click OK.
For example, select the NAT Systems group.
c Next to Handler Priority, click Use custom handler list and Add Handlers.
d From the list, select the Agent Handler to handle these selected systems.
e Click Save.
6 To configure the Agent Handler as the highest priority for the systems behind the DMZ, click Edit
Priority and configure these settings, from the Agent Handler Configuration page:
a Move the Agent Handler to the top of the priority list by moving the Agent Handler names.
b Click Save.
7 From the Agent Handler configuration page, in the Handler Status dashboard, click the number of the
Agent Handler to open the Agent Handlers List page.
8 From the Agent Handler Settings page, configure these settings and click Save:
Option Description
Published DNS Name: Type the configured name for the Agent Handler.
Published IP Address: Type the configured IP address for the Agent Handler.
9 From the Handlers List page, in the row for the Agent Handler in the DMZ, click Enable in the Actions
column.
The systems designated to use the Agent Handler begin getting their changes during the next few
agent-server communications.
10 Confirm that the Agent Handler in the DMZ is managing the systems behind the DMZ:
a From the Agent Handlers Configuration page, in the Systems per Agent Handler dashboard, click the
Agent Handler name in the list or its corresponding color in the pie chart.
b From the Agents for Agent Handler page, confirm that the correct systems appear in the list.
It might take multiple instances of the agent-server communication before all systems appear in
the list.
With the Agent Handlers in the DMZ and configured with the McAfee ePO server, you can now directly
manage systems with a McAfee Agent installed behind the DMZ.
Task
2 Change the system administrator account to connect to the McAfee ePO database.
a Open a web browser and go to https://localhost:8443/core/config-auth.
8443 is the console communication port. If you use a different port to access the McAfee ePO
console, include that port number in the address instead.
c Delete the entry in the User Domain field, then type sa.
d Provide a password for the system administrator account, then click Test Connection.
If the test is unsuccessful, re-enter your password, then click Test Connection again.
The Agent Handler uses the system administrator credentials to communicate with the McAfee ePO
database.
Handler groups
With multiple Agent Handlers in your network, you can create handler groups. You can also apply
priority to handlers in a group. Handler priority tells the agents which handler to communicate with
first. If the handler with the highest priority is unavailable, the agent falls back to the next handler in
the list. This priority information is contained in the repository list (sitelist.xml file) in each agent.
When you change handler assignments, this file is updated as part of the agent-server communication
process. Once the assignments are received, the agent waits until the next regularly scheduled
communication to implement them. You can perform an immediate agent wake-up call to update the
agent immediately.
Grouping handlers and assigning priority is customizable, so you can meet the needs of your specific
environment. Two common scenarios for grouping handlers are:
In addition to assigning handler priority within a group of handlers, you can also set handler
assignment priority across several groups of handlers. This adds redundancy to your environment to
further ensure that your agents can always receive the information they need.
Sitelist files
The agent uses the sitelist.xml and sitelist.info files to decide which handler to communicate with.
Each time handler assignments and priorities are updated, these files are updated on the managed
system. Once these files are updated, the agent implements the new assignment or priority on the
next scheduled agent-server communication.
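The fallback behavior described under Providing scalability and Handler groups can be modeled as follows. This is an added illustration, not McAfee code and not the sitelist.xml format; the `Handler` and `HandlerGroup` types, the function names, and the `example.test` host names are hypothetical.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class Handler:
    name: str
    enabled: bool = True


@dataclass(frozen=True)
class HandlerGroup:
    name: str
    handlers: Tuple[Handler, ...]  # priority order inside the group


Entry = Union[Handler, HandlerGroup]


def fallback_order(custom_list: Optional[Sequence[Entry]],
                   all_handlers: Sequence[Handler],
                   rng: Optional[random.Random] = None) -> List[Handler]:
    """Flatten a handler assignment into the order an agent tries handlers.

    custom_list=None models "Use all agent handlers": the order is random.
    Otherwise the list is walked top to bottom, and every member of a group
    is tried before the agent fails through to the next entry.
    """
    if custom_list is None:
        shuffled = list(all_handlers)
        (rng or random.Random()).shuffle(shuffled)
        return shuffled
    order: List[Handler] = []
    for entry in custom_list:
        members = entry.handlers if isinstance(entry, HandlerGroup) else (entry,)
        for handler in members:
            if handler not in order:  # a handler can be in more than one group
                order.append(handler)
    return order


def pick_handler(order: Sequence[Handler],
                 reachable: Callable[[Handler], bool]
                 ) -> Tuple[Optional[Handler], List[Tuple[str, str]]]:
    """Walk the list until it ends or an enabled, reachable handler answers."""
    attempts: List[Tuple[str, str]] = []
    for handler in order:
        if not handler.enabled:
            attempts.append((handler.name, "skipped: disabled"))
            continue
        if reachable(handler):
            attempts.append((handler.name, "connected"))
            return handler, attempts
        attempts.append((handler.name, "unreachable"))
    return None, attempts  # list exhausted: the agent retries at its next interval


# Constructed topology: two handlers in a DMZ group, then the ePO server itself.
AH_DMZ_1 = Handler("ah-dmz-1.example.test")
AH_DMZ_2 = Handler("ah-dmz-2.example.test")
EPO_1 = Handler("epo-1.example.test")
DMZ_GROUP = HandlerGroup("DMZ handlers", (AH_DMZ_1, AH_DMZ_2))
CUSTOM_LIST = [DMZ_GROUP, EPO_1]

if __name__ == "__main__":
    down = {"ah-dmz-1.example.test"}  # constructed outage
    chosen, attempts = pick_handler(fallback_order(CUSTOM_LIST, []),
                                    lambda h: h.name not in down)
    for name, outcome in attempts:
        print(f"{name}: {outcome}")
    print("agent talks to:", chosen.name if chosen else "nobody")
```

When the last entry in a custom list is a server that agents behind the DMZ cannot reach, the model returns no handler once the DMZ group is down, which is the case to check before enabling an assignment.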
Task
1 Select Menu | Configuration | Agent Handlers, then click Actions | New Assignment.
3 Specify the agents for this assignment using one or both of the following Agent Criteria options:
Browse to a System Tree location.
Type the IP address, IP range, or subnet mask of managed systems in the Agent Subnet field.
Use custom handler list: When using a custom handler list, select the handler or handler group
from the drop-down menu.
When using a custom handler list, use + and - to add or remove more Agent Handlers (an Agent
Handler can be included in more than one group). Use the drag-and-drop handle to change the
priority of handlers. Priority determines which handler the agents try to communicate with first.
To do this... Do this...
Delete a handler assignment: Click Delete in the selected assignment row.
Edit a handler assignment: Click Edit for the selected assignment. The Agent Handler Assignment page
opens, where you can specify:
Assignment name: The unique name that identifies this handler assignment.
Agent criteria: The systems that are included in this assignment. You can add
and remove System Tree groups, or modify the list of systems in the text box.
Handler priority: Choose whether to use all Agent Handlers or a custom
handler list. Agents randomly select which handler to communicate with
when Use all Agent Handlers is selected.
Export handler assignments: Click Export. The Download Agent Handler Assignments page opens, where you
can view or download the AgentHandlerAssignments.xml file.
Import handler assignments: Click Import. The Import Agent Handler Assignments dialog box opens, where
you can browse to a previously downloaded AgentHandlerAssignments.xml file.
Edit the priority of handler assignments: Click Edit Priority. The Agent Handler Assignment | Edit Priority
page opens, where you change the priority of handler assignments using the drag-and-drop handle.
View the summary of handler assignments details: Click > in the selected assignment row.
Task
1 Select Menu | Configuration | Agent Handlers, then in Handler Groups, click New Group.
The Add/Edit Group page appears.
Click Use custom handler list to specify which Agent Handlers are included in this group.
When using a custom handler list, select the handlers from the Included Handlers drop-down list.
Use + and - to add and remove additional Agent Handlers to the list (an Agent Handler can be
included in more than one group). Use the drag-and-drop handle to change the priority of
handlers. Priority determines which handler the agents try to communicate with first.
3 Click Save.
Action Steps
Delete a handler group: Click Delete in the selected group row.
Edit a handler group: Click the handler group. The Agent Handler Group Settings page opens, where
you can specify:
Virtual DNS Name: The unique name that identifies this handler group.
Virtual IP address: The IP address associated with this group.
Included handlers: Choose whether to use a third-party load balancer or a
custom handler list.
Use a custom handler list to specify which handlers, and in what order, agents
assigned to this group communicate with.
Tasks
Group agents using Agent Handler assignments on page 319
Create Agent Handler assignments to group McAfee Agents together.
Group agents by assignment priority on page 319
Group agents together and assign them to an Agent Handler that is using assignment
priority.
Group agents using the System Tree on page 320
Group agents together and assign them to an Agent Handler using the System Tree.
When assigning agents to Agent Handlers, consider geographic proximity to reduce unnecessary
network traffic.
Task
1 Select Menu | Configuration | Agent Handlers, then click the required Handler Assignment Rule.
The Agent Handler Assignment page appears.
If the Default Assignment Rules is the only assignment in the list, you must create an assignment.
3 You can configure Agent Criteria by System Tree locations, by agent subnet, or individually using the
following:
System Tree Locations: Select the group from the System Tree location.
You can browse to select other groups from the Select System Tree Group dialog box and use +
and - to add and remove System Tree groups that are displayed.
Agent Subnet: In the text field, type IP addresses, IP address ranges, or subnet masks.
Individually: In the text field, type the IPv4/IPv6 address for a specific system.
4 You can configure Handler Priority to Use all Agent Handlers or Use custom handler list. Click Use custom handler
list, then change the handler in one of these ways:
Change the associated handler by adding another handler to the list and deleting the previously
associated handler.
Add additional handlers to the list and set the priority that the agent uses to communicate with
the handlers.
When using a custom handler list, use + and - to add and remove additional Agent Handlers
from the list (an Agent Handler can be included in more than one group). Use the drag-and-drop
handle to change the priority of handlers. Priority determines which handler the agents try to
communicate with first.
5 Click Save.
When assigning systems to Agent Handlers, consider geographic proximity to reduce unnecessary
network traffic.
Task
If Default Assignment Rules is the only assignment in the list, you must create a new assignment.
2 Edit assignments using the steps in the task Grouping agents by assignment rules.
3 As needed, modify the priority or hierarchy of the assignments by clicking Actions | Edit Priority.
Moving one assignment to a priority lower than another assignment creates a hierarchy where the
lower assignment is actually part of the higher assignment.
4 To change the priority of an assignment, which is shown in the Priority column on the left, do one of
the following:
Use drag and drop: Use the drag-and-drop handle to drag the assignment row up or down to
another position in the Priority column.
Click Move to Top: In Quick Actions, click Move to Top to automatically move the selected assignment
to the top priority.
When assigning systems to Agent Handlers, consider geographic proximity to reduce unnecessary
network traffic.
Task
2 In the System Tree column, navigate to the system or group you want to move.
3 Use the drag-and-drop handle to move systems from the currently configured system group to the
target system group.
4 Click OK.
What data is sent to the McAfee ePO server and what is sent to the database?
A data channel is a mechanism for McAfee products to exchange messages between their
endpoint plug-ins and their management extensions. The data channel provides most data sent
from the Agent Handler to the application server. It is used internally by the McAfee ePO server
for agent deployment and wake-up progress messaging. Other functions such as agent
properties, tagging, and policy comparisons are performed directly against the McAfee ePO
database.
If the McAfee ePO server is not defined in my repository list, does replication still occur?
Yes, if the agent contacts the Agent Handler for software packages, the Agent Handler retrieves
them from the McAfee ePO server Master Repository.
How much bandwidth is used for communication between the database and the Agent
Handler?
Bandwidth between the Agent Handler and the database varies based on the number of agents
connecting to that Agent Handler. But, each Agent Handler places a fixed load on the database
server for:
Heartbeat (updated every minute)
Database connections held open to the database (two connections per CPU for EventParser
plus four connections per CPU for Apache)
Non-server Operating System versions have severe (~10) limits set on the number of incoming
network connections.
See also
Using Agent Handlers behind a DMZ, firewall, or in NAT networks: best practices on page 303
Repository cache and how it works on page 304
Once your McAfee ePO server is configured and protecting your systems, there are some tasks to
perform to keep your server running at peak efficiency.
Contents
Maintaining your McAfee ePO server
Managing SQL databases
Bandwidth usage
The SQL database used by the McAfee ePO server requires regular maintenance and backups to ensure
that McAfee ePO functions correctly.
See How to use and troubleshoot issues with Windows Task Manager
(http://support.microsoft.com/kb/323527), for details.
You must use the 32-bit version of the Reliability and Performance Monitor found at
C:\Windows\SysWOW64\perfmon.exe. The default 64-bit version of Reliability and Performance Monitor
does not have the custom McAfee ePO counters added.
Figure 20-1 Windows Performance Monitor showing the ePolicy Orchestrator Server counters
To find the 32-bit version of the Windows Performance Monitor, use Windows Explorer and
navigate to C:\Windows\SysWOW64, then find and double-click perfmon.exe.
To confirm that you opened the 32-bit version of Performance Monitor, click Monitoring Tools |
Performance Monitor, Add Counters, then click the + sign to open the Add Counters dialog box.
To find the McAfee ePO server counters, scroll down the list of counters, find ePolicy Orchestrator
Server, and expand the list.
Now you can start using the counters to test and create benchmarks for your McAfee ePO server
performance.
Task
1 Start the Windows Performance Monitor.
2 In the Add Counters list, browse or scroll down to the ePolicy Orchestrator Server counters selection, then
click + to expand the list of counters.
3 To view the output as a report, click the Change Graph Type icon and select Report from the list.
For example, the Open ePO Agent Connections counter tells you how many agents are communicating
with the McAfee ePO server simultaneously. A healthy McAfee ePO server keeps this number fairly
low, usually under 20. For a McAfee ePO server that is struggling, this number is over 200 (the
maximum is 250) and stays high, and rarely drops below 20.
4 Click Add to move the selected counter into the Added counters list, then click OK.
5 To determine the stress on your McAfee ePO server and how quickly it can process events from all
your agents, add the following counters, then click OK.
Completed Agent Requests/sec
Processor Events/sec
The tests listed here are just a few that you can perform with the McAfee ePO server using the
Windows Performance Monitor. For additional Windows Performance Monitor information, see these
Microsoft websites:
Configure the Performance Monitor Display
(http://technet.microsoft.com/en-us/library/cc722300.aspx)
Task
1 Using Windows Explorer, navigate to this folder:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events
At any time, this folder might display a few dozen or a few hundred events.
In larger environments, this folder is constantly processing thousands of events per minute.
2 Click the Refresh icon multiple times, then look at the status bar to see the number of files in this
folder changing quickly.
If there are thousands of files in this folder and McAfee ePO is unable to process them, the server is
probably struggling to process the events at a reasonable rate.
It is normal for this Events folder to fluctuate depending on the time of day. But, if there are
thousands of files in this folder and the number is constantly increasing, that probably indicates a
performance issue.
3 Confirm that the events are not occurring faster than the event parser can process them, which
causes this folder to grow quickly. Use these steps to confirm the event parser is running.
a To open the Windows Services Manager and confirm that the event parser is running, click Start,
Run, type services.msc and click OK.
b In the Services Manager list, find McAfee ePolicy Orchestrator 5.9.0 Event Parser and confirm it is Started.
4 Check the event parser log file for any errors, using these steps.
a Go to the log file folder at this path:
C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Logs
5 Use these steps if the events are still occurring faster than the event parser can process them.
a Open the Services Manager list again and temporarily stop all three of these McAfee ePO
services:
McAfee ePolicy Orchestrator 5.9.0 Application Server
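The Refresh-and-watch check in steps 1 and 2 can be scripted so that the trend is measured rather than eyeballed. This is an added example, not part of the McAfee guide; the `HIGH_WATER` value of 1000 is an assumed reading of "thousands of files", and the function names are hypothetical.

```python
import os
import time
from typing import Callable, List, Sequence

# Folder named in step 1 of the task above.
EVENTS_DIR = r"C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events"
HIGH_WATER = 1000  # assumption: what counts as "thousands of files"; tune per site


def count_event_files(folder: str) -> int:
    """Number of files currently waiting in the folder (subfolders ignored)."""
    with os.scandir(folder) as entries:
        return sum(1 for entry in entries if entry.is_file())


def sample_counts(folder: str, samples: int = 6, interval_s: float = 10.0,
                  sleep: Callable[[float], None] = time.sleep) -> List[int]:
    """Scripted equivalent of clicking Refresh several times."""
    counts: List[int] = []
    for i in range(samples):
        if i:
            sleep(interval_s)
        counts.append(count_event_files(folder))
    return counts


def assess_backlog(counts: Sequence[int], high_water: int = HIGH_WATER) -> str:
    """Classify a series of file counts taken at regular intervals.

    "growing": the latest count is at or above high_water and the series never
               dropped between samples (the case the guide calls a probable
               performance issue).
    "high":    many files are waiting, but the count goes down as well as up,
               so the event parser is still draining the folder.
    "normal":  the folder fluctuates below high_water.
    """
    if len(counts) < 2:
        raise ValueError("need at least two samples to see a trend")
    deltas = [later - earlier for earlier, later in zip(counts, counts[1:])]
    rising = all(d >= 0 for d in deltas) and counts[-1] > counts[0]
    if counts[-1] >= high_water:
        return "growing" if rising else "high"
    return "normal"


if __name__ == "__main__":
    series = sample_counts(EVENTS_DIR)
    print("file counts:", series)
    print("assessment:", assess_backlog(series))
```

A "growing" result is the cue to continue with steps 3 to 5: confirm the event parser service is started and check its log for errors.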
Back up your SQL database regularly, in case your SQL database or your McAfee ePO server
environment fails. If the McAfee ePO server must be rebuilt or restored, current backups ensure that
a safe copy is available. In addition, if you are using the information on the Microsoft website, Full
Database Backups (SQL Server) (https://msdn.microsoft.com/en-us/library/ms186289.aspx),
your transaction log can continue to grow indefinitely until a full backup is performed.
This fragmented index is different from the index of the telephone book that stores its data in sorted
order. A typical query for the name "Jones" might span multiple consecutive pages, but they are
always in a sorted order.
For a database, you start with the data looking like a telephone book and, over time, end up with
the data looking more like a large book index. You must occasionally re-sort the data to re-create the
phone book order. This is where reindexing and rebuilding your McAfee ePO SQL database is critical.
Over time your database becomes more fragmented, especially if it manages a larger environment
where thousands of events are written to it daily.
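The telephone-book analogy can be made concrete with a small model of sorted pages that split when they fill up. This is an added illustration and a deliberate simplification, not SQL Server's storage engine; `ToyIndex`, `PAGE_CAPACITY`, and `demo` are hypothetical names, and the keys are constructed.

```python
import bisect
import random
from typing import List, Tuple

PAGE_CAPACITY = 8  # keys per page; tiny on purpose so that splits happen quickly


class ToyIndex:
    """Sorted keys kept in fixed-size pages, as a model of an index."""

    def __init__(self) -> None:
        # self.pages[i] is the i-th page in LOGICAL (key) order.
        # Each page is [physical_page_number, sorted list of keys].
        self.pages: List[list] = [[0, []]]
        self.next_physical = 1

    def insert(self, key: int) -> None:
        # Locate the page whose key range should hold this key.
        first_keys = [page[1][0] for page in self.pages[1:]]
        i = bisect.bisect_right(first_keys, key)
        keys = self.pages[i][1]
        bisect.insort(keys, key)
        if len(keys) > PAGE_CAPACITY:
            # Page split: the upper half moves to a NEW page allocated at the
            # end of the file, yet it must stay logically right after page i.
            half = len(keys) // 2
            new_page = [self.next_physical, keys[half:]]
            del keys[half:]
            self.next_physical += 1
            self.pages.insert(i + 1, new_page)

    def fragmentation(self) -> float:
        """Fraction of logically adjacent pages that are not physically adjacent."""
        if len(self.pages) < 2:
            return 0.0
        out_of_order = sum(1 for cur, nxt in zip(self.pages, self.pages[1:])
                           if nxt[0] != cur[0] + 1)
        return out_of_order / (len(self.pages) - 1)

    def rebuild(self) -> None:
        """Re-sort: write every key back into fresh pages in key order."""
        keys = [k for _, page_keys in self.pages for k in page_keys]
        self.pages = [[n, keys[start:start + PAGE_CAPACITY]]
                      for n, start in enumerate(range(0, len(keys), PAGE_CAPACITY))
                      ] or [[0, []]]
        self.next_physical = len(self.pages)


def demo(n_keys: int = 2000, seed: int = 7) -> Tuple[float, float, float]:
    """Return fragmentation for sorted arrivals, random arrivals, and after rebuild."""
    rng = random.Random(seed)
    appended, scattered = ToyIndex(), ToyIndex()
    for key in range(n_keys):
        appended.insert(key)           # keys arrive already in order
    for key in rng.sample(range(10 * n_keys), n_keys):
        scattered.insert(key)          # keys arrive in arbitrary order
    before = scattered.fragmentation()
    scattered.rebuild()
    return appended.fragmentation(), before, scattered.fragmentation()


if __name__ == "__main__":
    in_order, before, after = demo()
    print(f"sorted arrivals:  {in_order:.0%} fragmented")
    print(f"random arrivals:  {before:.0%} fragmented")
    print(f"after rebuild:    {after:.0%} fragmented")
```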
Setting up a maintenance task to automatically reindex and rebuild your McAfee ePO SQL database
takes only a few minutes and is essential to maintain proper performance on the McAfee ePO server.
You can include the reindexing as part of your regular backup schedule to combine everything in one
task.
Do not shrink your database. Data file shrink causes serious index fragmentation. Shrinking the
database is a common mistake that many administrators make when building their maintenance task.
Learn more
For details about creating your maintenance task, see KnowledgeBase article Recommended
maintenance plan for McAfee ePO database using SQL Server Management Studio, KB67184.
To learn more about database fragmentation and how to determine the fragmentation of your
database, use the DBCC command found in Understanding SQL Server's DBCC SHOWCONTIG
(http://www.sql-server-performance.com/2002/dt-dbcc-showcontig/).
To learn more about maintaining and optimizing your SQL database, see these documents:
Improving McAfee ePO Performance by Optimizing SQL
(https://community.mcafee.com/docs/DOC-2926)
If you are troubleshooting McAfee ePO database connection problems, you might see this error in the
orion.log file:
Login failed for user ''. The user is not associated with a trusted SQL Server connection
Task
2 Double-click the file you created to display the Data Link Properties user interface.
3 Click the Provider tab, select Microsoft OLE DB Provider for SQL Server from the OLE DB Provider(s) list, then
click Next.
Enter information to log on to the server Type the SQL database credentials.
The Microsoft Data Link dialog box should display Test connection succeeded.
These are suggested best practices and do not guarantee 100-percent protection against security risks.
Once you learn the processes, they don't take too long to perform.
Before you make any major changes to policies or tasks, McAfee recommends that you back up the
database or create a snapshot of the records in the McAfee ePO database.
Each of the recommended daily tasks is described in more detail in the following table.
Where indicated, some of these tasks can be automated. Those instructions are included in this guide.
Examine product specific reports, such as VirusScan Enterprise, Endpoint Security, Access Protection, or
McAfee Host IPS, for threat events: Examine reports for any events that might indicate a new
vulnerability in the environment. Create a server task to schedule queries and send the
results to you. Using this data, you might create policies or edit existing policies.
React to alerts: If new alerts are found, follow your company's internal procedure for
handling malware. Collect and send samples to McAfee and work toward
cleaning up the environment. Ensure that signature files are updated and
run on-demand scans as needed. See Troubleshooting procedure for
finding possible infected files, KB53094.
Run queries or review dashboards periodically to check for alerts collected
from your managed devices. Also watch for these threat signs:
High CPU usage on undetermined processes
Unusually high increases in network traffic
Services added or deleted by someone other than you
Inability to access network or administrative shares
Applications or files that stop functioning
Unknown registry keys added to start an application
Any browser home page that changed outside your control
Examine the VSE: Trending Data Dashboard and look at the VSE: DAT
Deployment information to determine whether your signature files are
up to date.
Files being created or changed on an endpoint (review Access Protection
Rules).
Review the McAfee Global Threat Intelligence (GTI) at McAfee Labs Threat site at least once a day:
To access the McAfee Labs Threat site, select Menu | Reporting | Dashboards. Select the ePO Summary
dashboard and in McAfee Links, click Global Threat Intelligence.
Examine Top 10 reports for infections at the site, group, system, and user level: McAfee ePO
provides preconfigured Top 10 reports that display statistics on infections in your environment.
Determine which users, systems, and parts of the network have the most infections or vulnerability.
These reports might reveal weakness in the network, where policies must be adjusted.
Daily security maintenance tasks
Check compliance queries and reports: In Queries & Reports, find the compliance queries that identify
systems that have not updated a managed product version with an engine, hotfix, or patch.
Create a process to make sure that systems are up to date. For example,
run an update or deployment task to ensure compliance.
Review the inactive agents log to determine which systems are not reporting to McAfee ePO: In
Server Tasks, run the Inactive Agent Cleanup Task. This task identifies systems that have not
connected to the McAfee ePO server for a specific number of days, weeks, or months. You can use
this task to move inactive systems to a new group in the System Tree, tag the systems, delete the
systems, or email a report.
If the systems are on the network but having difficulty checking into the
McAfee ePO server, you might perform one of these actions:
Use a Ping Agent or Agent Wake-Up Call to check if a system is online and able
to perform an agent-server communication with the McAfee ePO server.
Reinstall the McAfee Agent to ensure that the system is communicating
with the McAfee ePO server.
Ensure that Active Directory or NT Synchronization is working: Active Directory or NT Domain
synchronization pulls in a list of new systems and containers that must be managed by McAfee ePO.
If they are used, confirm that the Sync task can be configured to run at least once a day and is
working.
Confirm that a Memory Process Scan occurs at least daily: Using the Threats Dashboard, confirm that
the results of these scans don't indicate an increase in threats.
Run memory process scans frequently, because they are quick and
unobtrusive.
Check Rogue System Detection: Rogue System Detection tells you which devices are attached to the
network. It reports unmanaged systems, so they can be quickly found and
removed from the network.
See also
Disaster Recovery components on page 102
Each of the recommended weekly tasks is described in more detail in the following table.
Where indicated, some of these tasks can be automated. Those instructions are included in this guide.
Task: Run a full replication to all distributed repositories.
Description: Distributed repositories can become corrupt because of an incomplete
replication task. Remove corrupt files in the repositories by running a full replication
to all distributed repositories once a week. Full replication tasks delete the existing
repository contents and replace them with new files. Incremental replication tasks only
copy new or non-existent files and can't fix any corrupt files.

Task: Run Distributed Repository Status.
Description: Select Menu | Reports | Queries and Reports. Locate and Run the Distributed
Repository Status report to determine whether there have been any failures to update
distributed repositories. If there are failures, run the replication again and ensure that
it does not fail again.

Task: Schedule an On-Demand Scan of all systems in your environment.
Description: Schedule an on-demand scan of all systems in your environment that runs
during off-hours.
See these documents for additional information:
Best Practices for On-Demand Scans in VirusScan Enterprise 8.8,
KB74059
Best Practices for On-Demand Scans in VirusScan Enterprise 8.8,
TU30280 Tutorial.
VirusScan Enterprise 8.8 Product Guide for details about configuring
on-demand scans
How to create a McAfee ePO validation report for the event '1203,
KB69428.
You can use the McAfee ePO Disaster Recovery feature to create a
snapshot of the records in the McAfee ePO database to quickly recover, or
reinstall your software, if needed.
See also
What's in the Software Manager on page 157
Replication tasks on page 292
Disaster Recovery components on page 102
Each of the recommended monthly tasks is described in more detail in the following table.
Where indicated, some of these tasks can be automated. Those instructions are included in this guide.
Task: Review Audit Logs.
Description: Review the McAfee ePO Audit Logs to ensure that individuals with
administrative rights are making only approved changes to system configurations, tasks,
and policies.

Task: Validate McAfee ePO Administrator and Reviewer IDs
Description: Confirm that only employees authorized to have administrative access have
properly configured IDs, with the proper permission sets in the McAfee ePO system.

SQL database tasks

Task: Run your McAfee ePO SQL database Maintenance Plan.
Description: Set up and run your SQL Monthly Maintenance Plan. See Recommended maintenance
plan for McAfee ePO database using SQL Server Management Studio, KB67184.

Monthly Windows Server operating system tasks

Task: Confirm that the Microsoft Operating System and other vendor patch levels on the
McAfee ePO server are current.
Description: Review and implement all Microsoft patches to eliminate vulnerabilities and
mitigate risk.
Other vendor patches might also be released and need updating to reduce vulnerabilities in
the environment.
See also
Best practices: Purging events automatically on page 244
Purge events by query on page 245
Best practice: Find systems with the same GUID on page 243
The Audit Log on page 147
Create a periodic maintenance log to document dates that maintenance was conducted, by whom, and
any maintenance-related comments about the task conducted.
Task: Assess your environment, policies, and policy assignments periodically to confirm
that they are still applicable.
Description: Organizational needs can change. Periodically review both existing policies
and policy assignments to ensure that they still make sense in the environment. Fewer
policies simplify server administration.

Task: Review existing client tasks and task assignments periodically to confirm that they
are still needed.
Description: Client tasks run scans, deploy product updates, product patches and hotfixes,
and more to systems managed by McAfee ePO. Clean out unused tasks to reduce system
complexity which can ultimately affect database size.

Task: Review existing tags and tag criteria to ensure that they are still relevant to your
environment.
Description: Use tags as an alternative to System Tree groups to combine, or select a group
of systems to operate on. For example, to send updates, deploy McAfee managed products, or
run scans. Tagging is useful, but you must monitor tags to ensure that they are useful and
have the impact needed.

Task: Review product exclusions (for example, VirusScan Enterprise) and includes/excludes
(for example, Access Protection rules) periodically to validate relevancy.
Description: You must keep exclusions as specific as possible in your environment.
Product changes can affect the exclusions that you have configured. Periodically review
exclusions to ensure that they still accomplish what is needed. Plus, you can use High and
Low Risk OnAccess scanning configurations to augment exclusions.
Structure the System Tree, or use tags as another method to control exclusions.

Task: Make any hardware changes or remove any repositories that you want to decommission.
Description: As your network and organization changes, you might find that changing the
location and type of repositories you use provides more efficient and effective coverage.

Task: Validate that you have the required software, such as the latest version of the
McAfee Agent.
Description: Always use the most current version of McAfee managed products to ensure that
you have technical support for those products. Plus, you have the latest features and fixes
available.

Task: Remove any unsupported software or software for products you aren't using from the
master and distributed repositories.
Description: Keeps disk space to a minimum and removes clutter from the McAfee ePO server
and distributed repositories. Only keep those products currently in use in your environment
in the Master Repository.

Task: Validate your System Tree and remove any agents that have not communicated with the
McAfee ePO server in 30 days or that are de-commissioned.
Description: Keep the System Tree organized and delete systems that are no longer in use,
or reporting to McAfee ePO. A clean System Tree ensures that reports do not contain
extraneous information. Set up a server task to delete inactive systems.

Task: Remove server tasks that are no longer used.
Description: Keep only those server tasks that you intend to use in the task listing. You
can always disable an unused task that you want to keep, but don't use regularly. Keeping a
minimum list of tasks that you use regularly reduces McAfee ePO complexity.

Task: Remove Automated Responses that are no longer relevant.
Description: Automated responses are configured to alert individuals, particularly system
administrators, when malware event threats, client threats, or compliance issues must be
resolved.

Task: Delete shell systems using a McAfee ePO server task.
Description: Delete systems with incomplete or missing system and product properties from
the System Tree. Those systems skew reports and queries, and waste space in the McAfee ePO
database.

Task: Monitor database size
Description: Check the size of the McAfee ePO database and determine whether, and how
often, to purge events reported to McAfee ePO. See How to identify why the ePolicy
Orchestrator database is large, KB76720.
To purge events from the database, see How to remove old events and shrink the ePolicy
Orchestrator database, KB68961 and how to purge the Audit Log, Server Task Log, and Threat
Event Log.
Depending on your deployment of the McAfee ePO software, plan on spending a few hours each week
on regular database backups and maintenance. Perform these tasks regularly, either weekly or daily.
But, these tasks are not the only maintenance tasks available. See your SQL documentation for details
about what else you can do to maintain your database.
Task
For details about product features, usage, and best practices, click ? or Help.
In this command:
<localhost> Is the name of your McAfee ePO server.
:8443 Is the default McAfee ePO server port number. Your server might be configured to use
a different port number.
2 Save the following information that appears in the Configure Database Settings page:
Host name or IP address
Database name
Tasks
Configure Disaster Recovery Server Task on page 339
Use the Disaster Recovery Snapshot Server Task to modify the scheduled automatic
Snapshots of your McAfee ePO server configuration saved to the SQL database.
Use Microsoft SQL to back up and restore the database on page 339
To save the Disaster Recovery Snapshot with the McAfee ePO server configuration
information, use Microsoft SQL Server procedures.
You can only run one Disaster Recovery Snapshot at a time. If you run multiple Snapshots, only the
last Snapshot creates any output and the previous Snapshots are overwritten.
You can modify the default Disaster Recovery Server Task as needed.
Task
1 Select Menu | Automation | Server Tasks, select Disaster Recovery Snapshot Server from the Server Tasks list,
and click Edit.
2 From the Disaster Recovery Server Task builder Descriptions tab Schedule status, click Enabled or
Disabled as needed.
Start Date and End Date Set the start and end dates the Snapshots are saved, or click No End Date
to have the task run continuously.
Schedule Set the time when the Snapshot is saved. By default, the Snapshot task runs at 1:59
a.m. daily.
Best practice: Run the Disaster Recovery Server Task during off hours to minimize the changes
to the database during the Snapshot creation process.
4 From the Summary tab, confirm that the server task is configured correctly and click Save.
After you create a Snapshot of the McAfee ePO server configuration, you must:
Task
1 Create a Microsoft SQL Server backup of the database using:
Microsoft SQL Server Management Studio
Microsoft Transact-SQL
See your Microsoft SQL Server documentation for details to complete these processes.
3 Restore the backup of the primary SQL database that includes the Disaster Recovery Snapshot
records using:
Microsoft SQL Server Management Studio
Microsoft Transact-SQL
See your Microsoft SQL Server documentation for details to complete these processes.
This creates a duplicate SQL Server ready for restoration, if needed, by connecting it to a new McAfee
ePO installation using the Restore option.
Task
1 Use a Remote Desktop Connection to log on to the Microsoft SQL database server with host name
or IP address.
2 Open the Microsoft SQL Server Management Studio and connect to the SQL Server.
3 From the Object Explorer list, click <Database Server Name> | Databases | <Database name> | Tables.
4 Scroll down to find the EPOServerInfo table, right-click the table name, and select Edit top 200 Rows from
the list.
Make sure that you have this information in case you ever have to restore your McAfee ePO
software.
Depending on which products you are managing, you can also take certain actions on the events.
Actions are available in the Actions menu at the bottom of the page.
Action Taken: Action that the product took in response to the threat.
Agent GUID: Unique identifier of the agent that forwarded the event.
DAT Version: DAT version on the system that sent the event.
Detecting Product Host Name: Name of the system hosting the detecting product.
Detecting Product IPv4 Address: IPv4 address of the system hosting the detecting product (if
applicable).
Detecting Product IPv6 Address: IPv6 address of the system hosting the detecting product (if
applicable).
Detecting Product MAC Address: MAC address of the system hosting the detecting product.
Engine Version: Version number of the detecting product's engine (if applicable).
Event Category: Category of the event. Possible categories depend on the product.
Event Generated Time (UTC): Time in Coordinated Universal Time that the event was detected.
Event Received Time (UTC): Time in Coordinated Universal Time that McAfee ePO received the event.
File Path: File path of the system which sent the event.
IPv4 Address: IPv4 address of the system which sent the event.
IPv6 Address: IPv6 address of the system which sent the event.
MAC Address: MAC address of the system which sent the event.
Threat Source Host Name: System name from which the threat originated.
Threat Source IPv4 Address: IPv4 address of the system from which the threat originated.
Threat Source IPv6 Address: IPv6 address of the system from which the threat originated.
Threat Source MAC Address: MAC address of the system from which the threat originated.
Threat Source User Name: User name from which the threat originated.
Task
Action: View Threat Event Log.
Steps:
1 Click any of the column titles to sort the events. You can also select Actions | Choose
Columns and the Select Columns to Display page appears.
2 From the Available Columns list, select different table columns that meet your needs,
then click Save.
3 Select events in the table, then click Actions and select Show Related Systems to see the
details of the systems that sent the selected events.
Task
2 Name and describe the task. Next to Schedule Status, select Enabled, then click Next.
4 Select whether to purge by age or from a query result. If you purge by query, pick a query that
results in a table of events.
5 Click Next.
Bandwidth usage
The McAfee ePO server uses your LAN and WAN bandwidth to receive events from your managed
clients and download software to your managed clients. It's important to understand these
requirements to configure your McAfee ePO server to use the bandwidth efficiently.
McAfee Agent deployment traffic occurs directly between the McAfee ePO server and the client
systems where the agent is deployed.
This table shows the total bandwidth used on a McAfee Agent server, client system, and McAfee
Agent SQL database server for McAfee Agent 4.8 deployment.
Table 20-4 McAfee Agent bandwidth usage
Agent deployment Total (MB) Transmit (MB) Receive (MB)
McAfee ePO server 5.04 4.83 0.21
SQL database server 4.64 0.04 4.60
Client system 0.42 0.18 0.24
Actual deployment
The first and most extensive use of bandwidth occurs when the McAfee Agent installation package is
deployed to client systems. You can deploy the McAfee Agent installation package from the McAfee
ePO server console to sites, groups, or selected systems in the System Tree. Regardless of the method
you use, deploying the agent installation package over the network generates traffic to each system.
The bandwidth available between the McAfee ePO server and those systems
To individual sites or groups This is important if you have more bandwidth-limiting factors
such as slower connections between geographic locations.
At a minimum, each of your clients must download, on average, 400 KB a day for DAT files. The
following examples show how to calculate the bandwidth used for the client updates using this
formula:
The following examples use this formula to calculate the amount of data pulled a day and describe if
creating a local repository reduces the bandwidth.
(400 KB) x (200 nodes) = about 80 MB of data randomly pulled a day to India
In the small office in India, you can add a repository, but you must replicate the DAT file from the
McAfee ePO server to the repository. This file replication uses about 70 MB of bandwidth a day over a
slow WAN link that can negatively affect the WAN link to India because it occurs all at once.
Instead, have the agents connect across the WAN link to the next closest repository to download their
DAT file updates. The next repository might be in a larger office, for example Tokyo. The agents can
randomly pull their DAT files throughout the day, and their total bandwidth use is only 80 MB.
(400 KB) x (4,000 nodes) = about 1.6 GB of data randomly pulled a day to Tokyo
The large office in Tokyo, with 4,000 nodes, uses 1.6 GB of bandwidth a day just to update the DAT
files alone. Because replication of the DAT file to Tokyo only uses 70 MB of bandwidth a day, it is much
more efficient to have a repository in the Tokyo office. Now all DATs are pulled across the LAN instead
of across the slower WAN link.
(23 MB) x (1,000 nodes) = about 23 GB of data pulled to the New York City office
This 23-MB patch is larger than the 400-KB daily DAT files. You probably have a repository in New York
depending on the speed of the WAN link to New York and how quickly the patch must be pushed out.
You might find a balance if you carefully craft your client tasks to pull updates and patches at a
gradual pace instead of deploying the patch to all nodes in one day.
Conclusions
Some McAfee ePO users put a repository at geographic sites that have only a few dozen nodes. If your
site does not have at least 200–300 nodes, it cannot benefit from the bandwidth saved using a
repository. If there is no local repository, the agents go to the next nearest repository for their
updates. This repository might be connecting to the server across a WAN link, but it still uses less
bandwidth because you don't have to replicate the whole repository across the WAN.
The exception to this rule is if you are deploying a larger software package. For example, the
VirusScan Enterprise client software is 56 MB. In this case, it is more efficient to place a repository
temporarily at a smaller site so that the client's software can download the 56-MB file locally. Then
disable this repository once the client is rolled out.
When the managed systems pull the updates from the distributed repository
These tasks need randomization intervals configured to avoid network bandwidth saturation.
Use these steps in this information to automate repository replication in your network.
1 Create an incremental replication task for each distributed repository in each LAN.
2 According to WAN bandwidth in Mbps, set each task to run sequentially at the minimum of the
minutes of the corresponding randomization interval, to avoid overlap.
3 Create an agent update task with a randomization interval set according to these tables.
Table 20-8 Recommended interval (minutes) for network bandwidth of 100 Mbps
Recommended randomization interval (minutes)
Systems in LAN   Distributed repositories in LAN
                 1     2     3     4     5
1,000            60    30    20    15    10
2,000            120   60    40    30    20
3,000            180   90    60    45    30
4,000            240   120   80    60    40
5,000            300   150   100   75    50
See also
Configure settings for global updates best practice on page 280
Updating tasks on page 222
The following example uses the daily DAT file updates for VirusScan Enterprise.
The numbers used to determine if a repository is needed at a site are:
400 KB: The average size of the daily DAT file to download
100: The number of system agents that must download those daily DAT files
To download the daily DAT file randomly, from the central McAfee ePO server, to the system agents
takes the following bandwidth: 100 agents * 400-KB file = about 40 MB of bandwidth
For the McAfee ePO server to replicate the DAT file to each repository every day takes at least 70 MB
of bandwidth.
The following formula calculates the bandwidth to move the 19 GB of data per repository randomly
over a 9-hour workday. The total equals about 2.1 GB of data per hour pulled from each repository.
McAfee ePO provides built-in querying and reporting capabilities. These are highly customizable,
flexible, and easy to use.
Both the Query Builder and Report Builder create and run queries and reports that organize user-configured
data in user-specified charts and tables. The data for these queries and reports can be obtained from
any registered internal or external database used with your McAfee ePO system.
Contents
Reporting features
Best practices: How to use custom queries
Multi-server rollup querying
Best practices: Running reports with the web API
Reporting features
You can use the preconfigured queries, create custom queries, use the output of the queries to
perform tasks, and create reports as output.
Whenever you change a policy, configuration, client or server task, automatic response, or report,
export the settings before and after the change.
To view one of the preconfigured queries, click Run. You can then perform the following tasks:
Save the output as a report.
Take action on the results as you normally would in the System Tree.
As you add new products using extensions to McAfee ePO, new preconfigured queries and reports
become available.
You run a query hourly and the query takes 10 minutes to run.
Events that occur during the 10 minutes, while the query is being run, are not included in that
report, but are written to the database.
Those events appear in the next query report run an hour later.
2 You can explore the Query Builder wizard and try different variables to see the different types of
available queries.
Both approaches are valid and can yield interesting data about your environment. If you are new to
the query system, try exploring different variables to see the types of data that McAfee ePO can
return.
Once you have created your report, you can act on the results. The type of action depends on the type
of output created by the report. You can do anything that you could do in the System Tree. For
example, you can wake up systems, update them, delete them, or move them to another group. The
wake-up action is useful when running reports on systems that:
Have not communicated with the McAfee ePO server recently
Are suspected of not working properly when you try to wake them up
Task
1 Select Menu | Reporting | Queries & Reports, then New Query. The Query wizard opens and displays the
Result Types tab.
The result types are organized into groups on the left side of the page. Depending on what
extensions have been checked in to McAfee ePO, these groups vary. Most of the result types are
self-explanatory, but two of the more powerful result types are Threat Events and Managed
Systems. You can access these two event types as shown in the following examples.
Threat Events In the Feature Group, select Events. Under Result Types, select Threat Events.
Managed Systems In the Feature Group, select System Management. Under Result Types, select
Managed Systems.
2 Choose your chart type. You have several chart types to choose from and some are more complex
than others. The two simplest charts are the pie chart and the single group summary table. The pie
chart compares multiple values in a graphic format, and the summary table displays a data set with
over 20 results.
To create a pie chart, in the Chart type, click Pie Chart.
3 Choose the label or variable that you want the report to display.
Many times the report does not have to return data on McAfee products. For example, you can
report on the operating system versions used in your environment.
4 Choose the columns that you want to see when you drill down on any of the variables in the report.
Choosing columns is not a critical component when building a query and can be adjusted later.
You can also drag and drop columns from left to right and add and remove columns to display.
You can filter the data that you want the query to return. You can leave the filter area blank, which
returns every device in your tree, or specify the return results you are interested in. Examples of
filter options include:
A group in your System Tree where the report applies. For example, a geographic location or
office.
Only return systems that have communicated with the McAfee ePO server in the past 14 days.
5 Click Next to not create any filters and display all operating system types.
When you have made all changes to your report, click Save to save it permanently. Now, this query
is included with your dashboards and you can run it any time.
Client events from your agents relate their task status to McAfee ePO. Items like update complete,
update failed, deployment completed, or encryption started are considered client events. Threat
events include a virus was found, a DLP event was triggered, or an intrusion was detected. Depending
on which products you have installed and which events you are collecting, there might be thousands
or even millions of these events in your database.
Task
1 To create a client events summary query, select Menu | Reporting | Queries & Reports.
3 From the Query Builder, starting with the Result Types tab, click Events in the Features Group, Client
Events in Result Types, then click Next.
4 On the Chart page under Summary, click Single Group Summary Table to display a total count of all client
events in the events table.
5 To create a filter with a good human-readable description of the events, click Event Description, in the
Labels are list under Threat Event Descriptions.
Optionally, you can filter by the Event ID, which is the number that represents client event data in
McAfee ePO. For details about managed product generated event IDs listed in McAfee ePO, see
KnowledgeBase article McAfee point product generated Event IDs listed in ePO, KB54677.
6 If needed, adjust the column information based on the type that you want displayed.
In this example, there are a total of 308 client events. You can click one event and drill down to
display more information about it.
9 Click Save and type an appropriate name for the report. For example, All Client Events by
Event Description.
Task
1 To start the query configuration, select Menu | Reporting | Queries & Reports.
3 From the Query wizard page, starting with the Result Types tab, click Events in the Features Group
and Threat Events in the Result Type, and click Next.
4 From the Chart page, under Summary, click Single Group Summary Table, to display a total count of all
threat events in the events table.
5 To create a filter with a good human-readable description of the events, click Event Description, in the
Labels are list, under Threat Event Descriptions.
Optionally, you can filter by the Event ID which is the number that represents client event data in
McAfee ePO. For details about managed product generated event IDs listed in McAfee ePO, see
KnowledgeBase article McAfee point product generated Event IDs listed in ePO, KB54677.
6 If needed, adjust the column information based on the type that you want displayed, then click
Next.
7 On the Filter page, you do not need any filtering because you want every client event returned in
the database. Optionally, you can create a query based on events generated in a certain time, for
example the last 24 hours, or the last 7 days. Click Run to display the query report.
8 To determine about how many events you should have on your network, use the following formula,
which allows 5 million events for every 10,000 nodes:
(number of nodes / 10,000 nodes) x (5 million events) = estimated number of events
For example, if you have 50,000 nodes, your range is 25 million total client and threat events.
This number varies greatly based on the number of products and policies you have and your data
retention rate. Do not panic if you exceed this number.
If you significantly exceed this number, determine why you have so many events. Sometimes this
many events are normal if you receive a significant number of viruses in unrestricted networks,
such as universities or college campuses. Another reason for a high event count could be how long
you keep the events in your database before purging. Here is what to check:
Are you purging your events regularly?
Is there a specific event in the query that comprises most of your events?
Remember, it's common to forget to include a purge task. This causes McAfee ePO to retain every
event that has occurred since the McAfee ePO server was built. You can fix this simply by creating a
purge task.
If you notice one or two events make up a disproportionate number of your events, you can then
determine what they are by drilling down into those events. For example, you might see that the
event with the most instances is an access protection rule from VirusScan Enterprise. This is a
common event. If you double-click the Access Protection rule event to drill down on the cause, you
can see that a few access protection rules are being triggered repeatedly on VirusScan Enterprise.
9 At this point, determine whether these are important events in your organization and if they are
being looked at by administrators. It is common for some administrators to ignore some events.
Ultimately, when dealing with excessive events in your database, you must follow this process:
a Create a query that shows all events you are questioning, then use the information in this
section to analyze these threat events.
c If events are not being analyzed, change your policy to stop the event forwarding.
d If the event is important, make sure that you are monitoring the number of events.
If no one is looking at these events, you might consider disabling them completely in the VirusScan
Enterprise access protection policy to stop them from being sent to the McAfee ePO server. Or, you
can adjust your policy to send only the access protection events that you are concerned with
instead of excessive events that are not being analyzed. If you do want to see these events, you
can leave the policy as configured, but confirm that you are following the rules about purging
events from the McAfee ePO server so that these events do not overrun your database.
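The sizing check and the follow-up questions from steps 8 and 9, applied to an exported summary table, as an added example that is not part of the original guide. The CSV layout, the sample rows, and the two thresholds (`EXCESS_FACTOR`, `DOMINANT_SHARE`) are assumptions; the guide itself only says "significantly exceed" and "disproportionate".

```python
import csv
import io

EVENTS_PER_10K_NODES = 5_000_000  # the guide's estimate: 5 million events per 10,000 nodes
EXCESS_FACTOR = 2.0               # assumption: "significantly exceed" means 2x the estimate
DOMINANT_SHARE = 0.25             # assumption: "disproportionate" means >= 25% of all events

# Constructed sample of a summary-table export grouped by Event ID.
# 1051 and 1059 are the IDs named in this guide; 90001-90003 and all
# descriptions and counts are made up for the example.
SAMPLE_EXPORT = """\
event_id,description,count
1051,constructed description A,21500000
1059,constructed description B,9800000
90001,constructed access protection rule event,30200000
90002,constructed update event,2100000
90003,constructed detection event,400000
"""


def expected_events(nodes):
    """Estimated total of client and threat events for a given node count."""
    if nodes <= 0:
        raise ValueError("nodes must be a positive number")
    return nodes * EVENTS_PER_10K_NODES // 10_000


def load_summary(text):
    """Parse the exported summary into rows, rejecting malformed lines."""
    rows = []
    for line_no, rec in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            event_id = int(rec["event_id"])
            count = int(rec["count"])
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"line {line_no}: bad event_id or count") from exc
        if count < 0:
            raise ValueError(f"line {line_no}: negative count")
        rows.append({
            "event_id": event_id,
            "description": (rec.get("description") or "").strip(),
            "count": count,
        })
    return rows


def triage(rows, nodes):
    """Compare the event total with the estimate and list dominant events."""
    total = sum(r["count"] for r in rows)
    expected = expected_events(nodes)
    ratio = total / expected
    excessive = ratio >= EXCESS_FACTOR

    # Events that make up a disproportionate share, largest first.
    dominant = []
    if total:
        for r in sorted(rows, key=lambda r: r["count"], reverse=True):
            share = r["count"] / total
            if share >= DOMINANT_SHARE:
                dominant.append((r["event_id"], round(share, 3)))

    # Follow-up questions taken from the guide's process.
    checks = []
    if excessive:
        checks.append("Confirm that a purge task exists and runs regularly.")
        for event_id, share in dominant:
            checks.append(
                f"Event {event_id} is {share:.0%} of all events: if no one "
                "analyzes it, stop forwarding it in policy; if it is "
                "important, monitor its count."
            )
    return {
        "total": total,
        "expected": expected,
        "ratio": round(ratio, 2),
        "excessive": excessive,
        "dominant": dominant,
        "checks": checks,
    }


if __name__ == "__main__":
    report = triage(load_summary(SAMPLE_EXPORT), nodes=50_000)
    for key, value in report.items():
        print(f"{key}: {value}")
```
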
See also
How event summary queries work best practice on page 353
Best practices: Purging events automatically on page 244
Best practices: Filtering 1051 and 1059 events on page 246
A table query is used to return data in a simple table format, without graphs or charts. Server tasks
can act on simple table data. For example, you can automatically delete this data.
This task creates a custom query that returns all 1051 and 1059 events in the database.
Task
1 To open the Queries dialog box, select Menu | Reporting | Queries & Reports, then click New Query.
2 Click Events in the Features Group and Client Events in the Result Types, and click Next.
3 In the Display Results As pane, click List, then click Table, then click Next.
You can skip this step because McAfee ePO does not use the columns you choose in the server task.
5 In Available Properties under Client Events, click Event ID to create an Event ID filter.
An Event ID row is added in the Filter pane.
6 Click the plus sign, +, at the right to add another Event ID comparison row, select equals in the
Comparison column, add 1051 and 1059 in the Value column; then click Save and Run.
7 (Optional) You can select all these 1051 and 1059 events, then click Actions | Purge to purge them in
real time. You can filter which events to purge based on those events older than X Days, Weeks,
Months, or Years. Or you can Purge using a specific previously defined query.
Instead of purging the events in real time during business hours, you can create a server task that
runs the purge nightly during off hours.
8 To create a server task, select Menu | Automation | Server Tasks and click Actions | New Task.
9 Give the task an appropriate name and description; then click Next.
For example, Purge of 1051 and 1059 Events Nightly.
10 Click Purge Threat Event Log from the Actions list, then click Purge by Query.
11 In the list, find and click the custom query that you created.
How it works
To roll up data for use by rollup queries, you must register each server (including the local server) that
you want to include in the query.
Once the servers are registered, you must configure Roll Up Data server tasks on the reporting server
(the server that performs the multi-server reporting). Roll Up Data server tasks retrieve the
information from all databases involved in the reporting, and populate the EPORollup_ tables on the
reporting server. The rollup queries target these database tables on the reporting server.
As a prerequisite to running a Rolled-Up Compliance History query, you must take two preparatory
actions on each server whose data you want to include:
Create a query to define compliance.
The reporting server must also be registered to include its summary data in roll up
reporting.
You can't roll up data from registered McAfee ePO servers at versions that are no longer supported. For
example, you can't aggregate data from McAfee ePO servers at version 4.5 or earlier.
Task
For details about product features, usage, and best practices, click ? or Help.
2 On the Description page, type a name and description for the task, and select whether to enable it,
then click Next.
4 From the Roll up data from: drop-down menu, select All registered servers or Select registered servers.
5 If you chose Select registered servers, click Select. Choose the servers you want data from in the Select
Registered Servers dialog box, then click OK.
6 Select the data type to be rolled up, then click Next. To select multiple data types, click the + at the
end of the table heading.
The data types Threat Events, Client Events, and Applied Policies can be further configured to
include the properties Purge, Filter, and Rollup Method. To do so, click Configure in the row that
describes the available properties.
If you are reporting on rolled-up compliance history data, make sure that the time unit of the
Rolled-Up Compliance History query matches the schedule type of the Generate Compliance Event
server tasks on the registered servers.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Reporting | Queries & Reports, then click New Query.
2 On the Result Type page, select System Management for Feature Group and Managed Systems for Result
Types, then click Next.
3 Select Boolean Pie Chart from the Display Result As list, then click Configure Criteria.
4 Select the properties to include in the query, then set the operators and values for each property.
Click OK. When the Chart page appears, click Next.
These properties define compliance for systems managed by this McAfee ePO server.
6 Select the filters to be applied to the query, click Run, then click Save.
Task
For option definitions, click ? in the interface.
1 Select Menu | Automation | Server Tasks , then click Actions | New Task.
2 On the Description page, type a name for the new task, then click Next.
4 Click browse (...) next to the Query field and select a query. The Select a query from the list dialog
box appears with the My Groups tab active.
5 Select the compliance-defining query. This could be a default query, such as McAfee Agent Compliance
Summary in the McAfee Groups section, or a user-created query, such as one described in Creating a
query to define compliance.
6 From the Sub-Actions drop-down menu, select Generate Compliance Event and specify the percentage or
number of target systems, then click Next.
You can generate events using the generate compliance event task if noncompliance rises above a
set percentage or set number of systems.
7 Schedule the task for the time interval needed for Compliance History reporting. For example, if
compliance must be collected on a weekly basis, schedule the task to run weekly. Click Next.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Reporting | Queries & Reports, select a query, then click Run.
3 Select what to export. For chart-based queries, select Chart data only or Chart data and drill-down tables.
4 Select whether the data files are exported individually or in a single archive (.zip) file.
HTML Use this report format to view the exported results as a webpage.
(Optional) Include a cover page with this text and enter the needed text.
7 Select whether the files are emailed as attachments to selected recipients, or they are saved to a
location on the server to which a link is provided. You can open or save the file to another location
by right-clicking it.
8 Click Export.
The files are either emailed as attachments to the recipients, or you are taken to a page where you
can access the files from links.
Use the web URL API or the McAfee ePO user interface
You can run queries using the web URL application programming interface (API) instead of using the
McAfee ePO user interface.
Using the web URL API or the McAfee ePO user interface, you can:
Run the URL and display the output as a list of text
Filter the output using Boolean operators that aren't available in the user interface
For example, you can run the New Agents Added to ePO per Week query in the McAfee ePO user interface and
get this output.
To run this query, select Menu | Reporting | Queries & reports, select New Agents Added to ePO per Week query, then
click Actions | Run.
Or you can paste this web URL query in your browser address bar.
https://<localHost>:8443/remote/core.executeQuery?queryId=34&:output=terse
OK:
count Completion Time (Week)
----- ----------------------
3 4/27/14 - 5/3/14
2 5/4/14 - 5/10/14
6 5/11/14 - 5/17/14
1 5/18/14 - 5/24/14
The AppliedTag command is accessed from the System Tree page in the McAfee ePO user interface.
You can find valid AppliedTag command parameters using this core.listTables web URL command:
https://<localHost>:8443/remote/core.listTables
The following Web URL command structure, and its parts, are used to find the AppliedTags command.
https://<localHost>:8443/remote/core.listDatatypes?type=applied_tags
Command name Appears before the ? and is listed in the web API Help.
See also
Using the web URL Help: best practice on page 362
Using S-Expressions in web URL queries: best practice on page 364
https://<localHost>:8443/remote/core.listQueries?:output=terse
https://<localHost>:8443/remote/core.help?command=core.executeQuery
https://<localHost>:8443/remote/core.listTables
https://<localHost>:8443/remote/core.listQueries?:output=terse
Type the following command to query with an ID:
https://<localHost>:8443/remote/core.executeQuery?queryId=<IdNumber>
https://<localHost>:8443/remote/core.help?command=core.executeQuery
https://<localHost>:8443/remote/core.listTables?:output=terse
To list only the parameters for a specific table, use this command:
https://<localHost>:8443/remote/core.listTables?table=<tableName>
See also
Run query with ID number: best practice on page 370
This diagram shows the basic requirements for a fully qualified S-Expression query.
<tableName>.<argumentName> The names of the SQL table columns you want to display and
manipulate. For example, EPOLeafNode.NodeName is a managed system name and
EPOBranchNode.NodeName is a System Tree group name.
In this example web URL query, the EPOLeafNode and EPOBranchNode tables are automatically
joined to fulfill the query.
The two tables in this example must be fully qualified, or related, for the automatic join to work.
Find the valid parameters for the target tables and confirm the table relationships.
Before you can configure a sort order for your web URL query output, you must determine if the data
in a table column can be sorted. Use this command to confirm the column data can be sort ordered.
https://<localHost>:8443/remote/core.listTables?table=<tableName>
This example confirms you can sort the EPOBranchNode table NodeName column data. In the NodeName
row, True is listed in the Order ? column.
https://<localHost>:8443/remote/core.listTables?table=EPOBranchNode
OK:
Name: Groups
Target: EPOBranchNode
Type: join
Database Type:
Description: null
Columns:
Name Type Select? Condition? GroupBy? Order? Number?
------------- ------------- ------- ---------- -------- ------ -------
AutoID group False True False True True
NodeName string True False True True False
L1ParentID group False False True True True
L2ParentID group False False True True True
Type int False False False True True
This Order command is used to sort the McAfee ePO branch nodes, or System Tree Group Names, in
descending order.
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&:output=terse&select=(select EPOLeafNode.NodeName EPOLeafNode.Tags
EPOBranchNode.NodeName)&order=(order(desc EPOBranchNode.NodeName))
OK:
System Name Tags Group Name
--------------- ------------ --------------
DP-2K12R2S-SRVR Server SuperAgents
DP-2K8ER2EPO510 Server Servers
DP-W7PIP-1 Workstation NAT Systems
DP-W7PIP-2 Workstation NAT Systems
DP-W7PIP-3 Workstation NAT Systems
DP-EN-W7E1XP-2 Lost&Found
DP-2K8AGTHDLR Server, test Agent handlers
This command groups, or counts, the System Tree system names, and groups them by McAfee ePO
branch nodes, or System Tree Group Names.
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&:output=terse&select=(select EPOBranchNode.NodeName (count))&group=(group
EPOBranchNode.NodeName)
OK:
Group Name count
-------------- -----
Agent handlers 1
Lost&Found 1
NAT Systems 3
Servers 1
SuperAgents 1
This is the command output displaying only the names with the string "2k8" in the name.
OK:
System Name Tags Group Name
--------------- ------------ --------------
DP-2K8ER2EPO510 Server Servers
DP-2K8AGTHDLR Server, test Agent handlers
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&:output=terse&select=(select (top 3) EPOLeafNode.NodeName
EPOLeafNode.Tags EPOBranchNode.NodeName)
This is the command output displaying the top 3 names in the list.
OK:
System Name Tags Group Name
--------------- ------ -----------
DP-2K8ER2EPO510 Server Servers
DP-2K12R2S-SRVR Server SuperAgents
DP-EN-W7E1XP-2 Lost&Found
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&:output=terse&select=(select EPOLeafNode.NodeName EPOLeafNode.Tags
EPOBranchNode.NodeName)&where=(hasTag EPOLeafNode.AppliedTags 4)
OK:
System Name Tags Group Name
----------- -------------- -----------
DP-W7PIP-1 7, Workstation Workstation
DP-W7PIP-2 7, Workstation Workstation
DP-W7PIP-3 7, Workstation Workstation
You can use the most common filters AND and OR. For example:
(AND <expression> <expression> )
You can also use filters that can't be constructed in the McAfee ePO user interface. For example:
(OR
(AND (hasTag EPOLeafNode.AppliedTags 3)
(contains EPOLeafNode.NodeName 100))
(AND (hasTag EPOLeafNode.AppliedTags 4)
(contains EPOLeafNode.NodeName 100))
)
See also
Using the web URL Help: best practice on page 362
<list id="1">
<query id="2">
<dictionary id="3"/>
<name>VSE: DAT Deployment</name>
<description>Displays the three highest DAT versions, and a slice for all the other
versions.</description>
<target>EPOLeafNode</target>
<table-uri>query:table?orion.table.columns=EPOComputerProperties.ComputerName
%3AEPOComputerProperties.DomainName%3AEPOLeafNode.os%3AEPOComputerProperties.Description
%3AEPOLeafNode.Tags%3AEPOProdPropsView_VIRUSCAN.productversion
%3AEPOProdPropsView_VIRUSCAN.hotfix%3AEPOProdPropsView_VIRUSCAN.servicepack
%3AEPOProdPropsView_VIRUSCAN.enginever
%3AEPOProdPropsView_VIRUSCAN.enginever64%3AEPOProdPropsView_VIRUSCAN.datver
%3AEPOLeafNode.LastUpdate&orion.table.order.by=EPOComputerProperties.ComputerName
%3AEPOComputerProperties.DomainName%3AEPOLeafNode.os%3AEPOComputerProperties.Description
%3AEPOLeafNode.Tags%3AEPOProdPropsView_VIRUSCAN.productversion
%3AEPOProdPropsView_VIRUSCAN.hotfix%3AEPOProdPropsView_VIRUSCAN.servicepack
%3AEPOProdPropsView_VIRUSCAN.enginever
%3AEPOProdPropsView_VIRUSCAN.enginever64%3AEPOProdPropsView_VIRUSCAN.datver
%3AEPOLeafNode.LastUpdate&orion.table.order=az</table-uri>
<condition-uri>query:condition?orion.condition.sexp=%28+where+%28+version_ge
+EPOProdPropsView_VIRUSCAN.productversion+%228%22+%29+%29</condition-uri>
<summary-uri>query:summary?
pie.slice.title=EPOProdPropsView_VIRUSCAN.datver&pie.count.title=EPOLeafNode&orion.query.type=pi
summary-uri>
</query>
</list>
The exported query contains strings that are URL-encoded. Use this table to convert the URL-encoded
characters to valid web URL query characters.
Figure 21-7 Exported query and web URL query data comparison
The commands in the <summary-uri>query: code create the pie chart and are not used to create the
web URL query output. The order=desc parameter is shown as a sorting and grouping example in the
final web URL query.
This table lists the numbers shown in the figure, the major sections of the exported query and the
final web URL query, and how they are used.
Using the information from the existing query exported XML file, you can create this file, with line
breaks for clarity:
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&
select=(select EPOLeafNode.NodeName EPOProdPropsView_VIRUSCAN.datver)&
:output=terse&
order=(order(desc EPOLeafNode.NodeName))
The ? and &s indicate the different parts of the web URL query.
When you remove the line breaks, this example is the final web URL query.
https://<localHost>:8443/remote/core.executeQuery?target=EPOLeafNode&select=(select
EPOLeafNode.NodeName EPOProdPropsView_VIRUSCAN.datver)&:output=terse&order=(order(desc
EPOLeafNode.NodeName))
OK:
System Name DAT Version (VirusScan Enterprise)
--------------- ----------------------------------
DP-W7PIP-3 7465.0000
DP-W7PIP-2 7429.0000
DP-W7PIP-1 7437.0000
DP-EN-W7E1XP-2
DP-2K8ER2EPO510 7465.0000
DP-2K8AGTHDLR 7437.0000
DP-2K12R2S-SRVR
Running web API queries is quicker than running a query using the McAfee ePO user interface. Plus,
you can use their output in scripts and redirect the output and port it for further processing.
For example, to access the query New Agents Added to ePO per Week using the McAfee ePO user
interface, select Menu | Reports | Queries & Reports, select the New Agents Added to ePO per Week query, and click
Actions | Run.
This web URL output is similar to the query output with the user interface, plus it allows you to use the
output in another script or manipulate it as needed.
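One way to consume the terse output in a script, as an added example (not code from the guide or from McAfee): it cuts each row at the column positions given by the dashed ruler, so blank cells and headers that contain spaces survive, then lists systems that report no DAT version or an older one. The sample text is constructed from the DAT output shown on this page, the function names are hypothetical, and it assumes the server pads each column to its ruler width.

```python
import re

# Constructed sample: the DAT-version output shown on this page, padded to the
# dashed ruler (assumption: the server pads each column to its ruler width).
TERSE = """OK:
System Name     DAT Version (VirusScan Enterprise)
--------------- ----------------------------------
DP-W7PIP-3      7465.0000
DP-W7PIP-2      7429.0000
DP-W7PIP-1      7437.0000
DP-EN-W7E1XP-2
DP-2K8ER2EPO510 7465.0000
DP-2K8AGTHDLR   7437.0000
DP-2K12R2S-SRVR
"""

RULER = re.compile(r"-+( +-+)*")


def parse_terse(text):
    """Return one dict per row of an :output=terse table."""
    lines = text.splitlines()
    # Every successful response on this page starts with "OK:"; treat
    # anything else as a failed command instead of parsing it as data.
    if not lines or not lines[0].startswith("OK:"):
        raise ValueError("query did not return OK: %r" % (lines[:1],))
    ruler = next((i for i, line in enumerate(lines)
                  if i >= 2 and RULER.fullmatch(line.rstrip())), None)
    if ruler is None:
        raise ValueError("no dashed ruler found under a header line")
    # Each column runs from the start of its dash group to the start of the
    # next group; the last column runs to the end of the line.
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    bounds = list(zip(starts, starts[1:] + [None]))

    def cut(line):
        return [line[a:b].strip() for a, b in bounds]

    header = cut(lines[ruler - 1])
    return [dict(zip(header, cut(line)))
            for line in lines[ruler + 1:] if line.strip()]


def dat_gaps(rows, name="System Name",
             dat="DAT Version (VirusScan Enterprise)"):
    """Split systems into those with no DAT reported and those behind the newest."""
    missing = [r[name] for r in rows if not r[dat]]
    known = [(r[name], float(r[dat])) for r in rows if r[dat]]
    newest = max((v for _, v in known), default=None)
    behind = [n for n, v in known if v < newest]
    return missing, behind


if __name__ == "__main__":
    no_dat, old_dat = dat_gaps(parse_terse(TERSE))
    print("No DAT version reported:", ", ".join(no_dat))
    print("Behind the newest DAT:  ", ", ".join(old_dat))
```

Splitting rows on whitespace instead would drop the blank DAT cells and break the header into five words.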
Task
As an alternative, you can paste https://<localHost>:8443/remote/core.executeQuery?queryId=34
in a browser address bar to display this URL output.
2 To get a list of the preconfigured queries and their ID numbers, type this URL into the browser
address bar, then press Enter.
https://<localHost>:8443/remote/core.listQueries?:output=terse
Task
1 Export the existing query definition XML file and open it in a text editor.
Your export files look similar to this VSE: DAT Deployment XML definition file.
<list id="1">
<query id="2">
<dictionary id="3"/>
<name>VSE: DAT Deployment</name>
<description>Displays the three highest DAT versions, and a slice for all the other
versions.</description>
<target>EPOLeafNode</target>
<table-uri>query:table?orion.table.columns=EPOComputerProperties.ComputerName
%3AEPOComputerProperties.DomainName%3AEPOLeafNode.os%3AEPOComputerProperties.Description
%3AEPOLeafNode.Tags%3AEPOProdPropsView_VIRUSCAN.productversion
%3AEPOProdPropsView_VIRUSCAN.hotfix%3AEPOProdPropsView_VIRUSCAN.servicepack
%3AEPOProdPropsView_VIRUSCAN.enginever
%3AEPOProdPropsView_VIRUSCAN.enginever64%3AEPOProdPropsView_VIRUSCAN.datver
%3AEPOLeafNode.LastUpdate&orion.table.order.by=EPOComputerProperties.ComputerName
%3AEPOComputerProperties.DomainName%3AEPOLeafNode.os%3AEPOComputerProperties.Description
%3AEPOLeafNode.Tags%3AEPOProdPropsView_VIRUSCAN.productversion
%3AEPOProdPropsView_VIRUSCAN.hotfix%3AEPOProdPropsView_VIRUSCAN.servicepack
%3AEPOProdPropsView_VIRUSCAN.enginever
%3AEPOProdPropsView_VIRUSCAN.enginever64%3AEPOProdPropsView_VIRUSCAN.datver
%3AEPOLeafNode.LastUpdate&orion.table.order=az</table-uri>
<condition-uri>query:condition?orion.condition.sexp=%28+where+%28+version_ge
+EPOProdPropsView_VIRUSCAN.productversion+%228%22+%29+%29</condition-uri>
<summary-uri>query:summary?
pie.slice.title=EPOProdPropsView_VIRUSCAN.datver&pie.count.title=EPOLeafNode&orion.query.type
summary-uri>
</query>
</list>
2 Open an existing web URL query file to use as a template, then save it with a new name. For
example, URL_template.
https://<localHost>:8443/remote/core.executeQuery?
target=<tableTarget>&
select=(select <tableObjectNames>)
3 From the query definition XML file, find the query target listed between the target tags.
For example, <target>EPOLeafNode</target> and paste the target table name in target= of your
template URL.
This is the template URL with the target table name added.
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&
select=(select <tableObjectNames>)
4 From the query definition XML file, find the S-Expression function, listed between the opening and
closing <condition-uri> ... </condition-uri> tags, then perform these steps:
a In the URL template file, paste the object names in the select=(select parameter and the
closing parenthesis. This example adds the EPOLeafNode.NodeName (system name) and
EPOProdPropsView_VIRUSCAN.datver (VirusScan Enterprise DAT version) from the
EPOLeafNode (System Tree) table.
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&
select=(select EPOLeafNode.NodeName EPOProdPropsView_VIRUSCAN.datver)
b Add the sort order function. For example, to sort the output by system name, add the string
"&order=(order(desc EPOProdPropsView_VIRUSCAN.datver))" in the existing S-Expression.
The following example sorts the output by the VirusScan Enterprise DAT version.
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&
select=(select EPOLeafNode.NodeName EPOProdPropsView_VIRUSCAN.datver)&
order=(order(asc EPOProdPropsView_VIRUSCAN.datver))
5 Replace the <localHost> variable with your McAfee ePO server DNS name, or IP address and paste
the URL in your browser address bar. Your output should be similar to this output, but with many
entries.
OK:
System Name: DP-2K12R2S-SRVR
DAT Version (VirusScan Enterprise):
6 (Optional) To have the information appear in table format, paste the string :output=terse& before
any ampersand in the URL and rerun the command. This is an example of your template file
with :output=terse& added.
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&:output=terse&select=(select EPOLeafNode.NodeName
EPOProdPropsView_VIRUSCAN.datver)&
order=(order(desc EPOLeafNode.NodeName))
OK:
System Name DAT Version (VirusScan Enterprise)
--------------- ----------------------------------
DP-2K12R2S-SRVR
DP-EN-W7E1XP-2
DP-W7PIP-2 7429.0000
DP-W7PIP-1 7437.0000
DP-2K8AGTHDLR 7437.0000
DP-2K8ER2EPO510 7465.0000
DP-W7PIP-3 7465.0000
.
.
.
You have created a web URL query using the information exported from an existing XML query
definition.
See also
Using S-Expressions in web URL queries: best practice on page 364
Parsing query export data to create web URL queries best practice on page 368
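The task above, scripted as an added example (not code from the guide or from McAfee): it reads an exported definition, URL-decodes the column list and the S-Expression, and rebuilds a core.executeQuery URL, going slightly beyond the steps by rejecting unbalanced parentheses and percent-encoding values so that an & or quote inside a filter value cannot split the parameter. Assumptions: the XML is a constructed, abridged copy of the export shown above, epo.example.test is a placeholder host, the function names are hypothetical, and dropping the outer where wrapper follows the where=(hasTag ...) form used earlier in this guide.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

# Constructed sample: an abridged, well-formed copy of the exported
# "VSE: DAT Deployment" definition (ampersands written as &amp; for XML).
EXPORTED_XML = """<list id="1">
 <query id="2">
  <name>VSE: DAT Deployment</name>
  <target>EPOLeafNode</target>
  <table-uri>query:table?orion.table.columns=EPOComputerProperties.ComputerName%3AEPOLeafNode.Tags%3AEPOProdPropsView_VIRUSCAN.datver&amp;orion.table.order=az</table-uri>
  <condition-uri>query:condition?orion.condition.sexp=%28+where+%28+version_ge+EPOProdPropsView_VIRUSCAN.productversion+%228%22+%29+%29</condition-uri>
 </query>
</list>"""

TABLE = re.compile(r"[A-Za-z_]\w*", re.ASCII)
COLUMN = re.compile(r"[A-Za-z_]\w*\.[A-Za-z_]\w*", re.ASCII)
TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')


def normalize_sexp(text):
    """Re-space an S-Expression; reject unbalanced parentheses or quotes."""
    if text.count('"') % 2:
        raise ValueError("unterminated string in: " + text)
    tokens = TOKEN.findall(text)
    depth = 0
    for tok in tokens:
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unexpected ')' in: " + text)
    if depth != 0:
        raise ValueError("missing ')' in: " + text)
    out = ""
    for tok in tokens:
        if out and tok != ")" and not out.endswith("("):
            out += " "
        out += tok
    return out


def strip_where(sexp):
    """'(where (expr))' from the export becomes '(expr)' (assumed where= form)."""
    match = re.fullmatch(r"\(where (\(.*\))\)", sexp)
    return match.group(1) if match else sexp


def parse_export(xml_text):
    """Pull target, columns and filter out of an exported query definition."""
    query = ET.fromstring(xml_text).find("query")

    def params(tag):
        # parse_qs undoes the URL encoding: %3A -> ':', %28 -> '(', '+' -> ' '
        return parse_qs(query.findtext(tag, default="").partition("?")[2])

    columns = params("table-uri").get("orion.table.columns", [""])[0]
    sexp = params("condition-uri").get("orion.condition.sexp", [""])[0]
    return {
        "target": query.findtext("target"),
        "columns": [c for c in columns.split(":") if c],
        "where": strip_where(normalize_sexp(sexp)) if sexp else None,
    }


def encode(value):
    """Percent-encode a parameter value, leaving parentheses readable."""
    return quote(value, safe="()")


def build_url(host, target, columns, where=None, order=None, port=8443):
    """Assemble a core.executeQuery URL from validated parts."""
    if not TABLE.fullmatch(target):
        raise ValueError("bad target table: %r" % (target,))
    for col in columns:
        if not COLUMN.fullmatch(col):
            raise ValueError("bad column name: %r" % (col,))
    parts = ["target=" + target, ":output=terse",
             "select=" + encode("(select " + " ".join(columns) + ")")]
    if where:
        parts.append("where=" + encode(normalize_sexp(where)))
    if order:
        parts.append("order=" + encode(normalize_sexp(order)))
    return "https://%s:%d/remote/core.executeQuery?%s" % (
        host, port, "&".join(parts))


if __name__ == "__main__":
    q = parse_export(EXPORTED_XML)
    # epo.example.test is a placeholder for your McAfee ePO server name.
    print(build_url("epo.example.test", q["target"], q["columns"],
                    q["where"], "(order(desc EPOLeafNode.NodeName))"))
```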
When the agent was last updated Displays the information as a table
Task
1 To find the name of the SQL table with most of your information, use this Help command.
https://<localHost>:8443/remote/core.listTables?:output=terse
2 Using your text editor, type this web URL template command.
https://<localHost>:8443/remote/core.executeQuery?target=<tableName>&select=(select
<columns>)
3 Use the information from this command to find the arguments for the system names, McAfee Agent
version, and when it was last updated.
https://<localHost>:8443/remote/core.listTables?:output=terse&table=EPOLeafNode
This command displays this information, which you need for your web URL query:
Query "target" EPOLeafNode
OK:
Name: Managed Systems
Target: EPOLeafNode
Type: target
Database Type:
Description: Retrieves information about systems that have been added to your System Tree.
Columns:
Name Type Select? Condition? GroupBy? Order? Number?
---------------------------- ------------- ------- ---------- -------- ------ -------
AutoID int False False False True True
Tags string True False False True False
ExcludedTags string True False False True False
AppliedTags applied_tags False True False False False
LastUpdate timestamp True True True True False
os string True False False False False
products string False False False False False
NodeName string True True True True False
ManagedState enum True True False True False
AgentVersion string_lookup True True True True False
AgentGUID string True False False True False
Type int False False False True False
ParentID int False False False True True
ResortEnabled boolean True True False True False
ServerKeyHash string True True False True False
NodePath string_lookup False False False True False
TransferSiteListsID isNotNull True True False True False
SequenceErrorCount int True True False True True
SequenceErrorCountLastUpdate timestamp True True False True False
LastCommSecure string_enum True True True True False
TenantId int False False False True True
Related Tables:
Name
--------------------------
EPOProdPropsView_EEFF
EPOProdPropsView_VIRUSCAN
EPOProductPropertyProducts
EPOProdPropsView_PCR
EPOBranchNode
EPOProdPropsView_EPOAGENT
EPOComputerProperties
EPOComputerLdapProperties
EPOTagAssignment
EPOProdPropsView_TELEMETRY
Foreign Keys:
Source table Source Columns Destination table Destination columns Allows
inverse? One-to-one? Many-to-one?
4 Add the arguments from step 3 to the web URL template command and test it. Confirm that your
command looks similar to this example.
https://<localHost>:8443/remote/core.executeQuery?target=EPOLeafNode&select=(select
EPOLeafNode.NodeName EPOLeafNode.AgentVersion EPOLeafNode.LastUpdate)
OK:
System Name: DP-2K8ER2EPO510
Agent Version (deprecated): 4.8.0.887
Last Communication: 6/13/14 9:21:49 AM PDT
.
.
.
5 Use the core.listTables Help command again, but with the EPOProdPropsView_VIRUSCAN table.
This table lists the VirusScan Enterprise products and versions installed on each system. Confirm
that your command looks similar to this example.
https://<localHost>:8443/remote/core.listTables?table=EPOProdPropsView_VIRUSCAN
6 Using the output of step 5, add these parameters to your web URL command and test it.
VirusScan Enterprise product family EPOProdPropsView_VIRUSCAN.ProductFamily
OK:
System Name: DP-2K8ER2EPO510
Agent Version (deprecated): 4.8.0.887
Last Communication: 6/13/14 10:21:50 AM PDT
ProdProps.productFamily (VirusScan Enterprise): VIRUSCAN
Product Version (VirusScan Enterprise): 8.8.0.1266
.
.
.
7 Finally, to show the output as a table, add the command :output=terse& after the first ampersand
and rerun the command.
https://<localHost>:8443/remote/core.executeQuery?
target=EPOLeafNode&:output=terse&select=(select EPOLeafNode.NodeName
EPOLeafNode.AgentVersion EPOLeafNode.LastUpdate EPOProdPropsView_VIRUSCAN.ProductFamily
EPOProdPropsView_VIRUSCAN.productversion)
OK:
System Name Agent Version (deprecated) Last Communication
ProdProps.productFamily (VirusScan Enterprise) Product Version (VirusScan Enterprise)
--------------- -------------------------- ----------------------- ----------------------------------
DP-2K8ER2EPO510 4.8.0.887 6/13/14 10:21:50 AM PDT
VIRUSCAN 8.8.0.1266
DP-2K12R2S-SRVR 4.8.0.887 6/13/14 10:55:19 AM PDT
VIRUSCAN
DP-EN-W7E1XP-2 null null
VIRUSCAN
DP-W7PIP-1 4.8.0.887 6/13/14 10:37:20 AM PDT
VIRUSCAN 8.8.0.1266
DP-W7PIP-2 4.8.0.887 6/13/14 10:36:56 AM PDT
VIRUSCAN 8.8.0.1266
DP-W7PIP-3 4.8.0.887 6/13/14 10:37:00 AM PDT
VIRUSCAN 8.8.0.1266
DP-2K8AGTHDLR 4.8.0.887 6/13/14 10:25:10 AM PDT
VIRUSCAN 8.8.0.1266
See also
Using the web URL Help: best practice on page 362
Contents
Open a remote console connection
Plan your disaster recovery
Registered servers
Issues
SSL certificates
Configure Product Improvement Program
Restore administrator rights
Ports overview
When you connect to McAfee ePO using a remote connection, some configuration changes are not
allowed. For example, you can't run registered executables from a remote connection.
To configure a remote connection you must determine your McAfee ePO server name, or IP address,
and the server communication port number. When you open McAfee ePO, while logged on to your
physical McAfee ePO server, notice the address that appears in your browser. Confirm that it is similar
to:
https://win-2k8-epo59:8443/core/orionSplashScreen.do
:8443 Is the console-to-application server communication port number used by McAfee ePO.
Task
1 Open any McAfee ePO supported Internet browser. See McAfee ePO Installation Guide for a list of
supported browsers.
2 In the browser address bar, type either of the following, then press Enter:
https://<servername>:8443
https://<ipaddress_of_server>:8443
3 Log on to McAfee ePO. You have now established a remote console connection.
See the McAfee ePO Web API Scripting Guide for examples of expanded commands you can run from
a remote console connection.
Disaster Recovery
The Disaster Recovery feature helps you quickly recover or reinstall your McAfee ePO software.
Disaster Recovery uses a Snapshot feature that periodically saves your McAfee ePO configuration,
extensions, keys, and more to snapshot records in the McAfee ePO database. For additional
information, see KnowledgeBase Article McAfee ePO server backup and disaster recovery procedure,
KB66616.
The records saved by the snapshot contain the whole McAfee ePO configuration at the specific time the
snapshot is taken. Once the snapshot records are saved to the database, you can use the Microsoft
SQL backup feature to save the whole McAfee ePO database and restore it to another SQL Server.
The McAfee ePO software Disaster Recovery configuration includes these general steps performed on
the McAfee ePO primary server:
1 Take a snapshot of the McAfee ePO server configuration and save it to the primary SQL database.
You can create this snapshot manually or through a default server task provided for this purpose.
2 Back up the SQL database using the Microsoft SQL Server Management Studio or the BACKUP
(Transact-SQL) command-line process.
3 Copy the SQL database backup file, created in step 2, to the duplicate SQL Server used to restore
the database.
4 Reinstall the McAfee ePO software using the Restore option when the McAfee ePO Setup starts.
The full restore procedures are described in McAfee ePO server backup and disaster recovery
procedure, KnowledgeBase article KB66616.
You must have a last-known-good SQL database backup for this IP address change to work.
If the primary site fails to communicate, configure all agents previously communicating with the
primary McAfee ePO server to communicate with the secondary server. The agents find the McAfee
ePO server by communicating to its IP address first, and if that fails they use its DNS name. If the
agents find that the primary McAfee ePO server's IP address is not available, these steps occur.
1 The agents query the DNS where you have changed the IP address for the primary server.
3 The agents try to connect to the secondary McAfee ePO server and SQL database.
Registered servers
Access additional servers by registering them with your McAfee ePO server. Registered servers allow
you to integrate your software with other, external servers. For example, register an LDAP server to
connect with your Active Directory server.
LDAP servers
Each type of registered server supports or supplements the functionality of McAfee ePO and other
McAfee and third-party extensions and products.
We recommend that you use certificates with RSA public key lengths of 2048 bits or greater for the
registered servers that connect to McAfee ePO. For more information, including additional supported
public key algorithms and key lengths, see KnowledgeBase article, KB87731.
Contents
Register McAfee ePO servers
Using database servers
Register SNMP servers
Register syslog servers
Register LDAP servers
Mirroring an LDAP server
Sharing objects between servers
https://<server_name>:<port>/core/config
<port> The assigned McAfee ePO server port number, usually "8443", unless your
server is configured to use a different port number
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Server type menu on the Description page, select ePO, specify a unique name and any
notes, then click Next.
Option Definition
Authentication type Specifies the type of authentication to use for this database, including:
Windows authentication
SQL authentication
Client task sharing Specifies whether to enable or disable client task for this server.
Database name Specifies the name for this database.
Database port Specifies the port for this database.
Database server Specifies the name of the database for this server. You can specify a
database using DNS Name or IP address (IPv4 or IPv6).
ePO Version Specifies the version of the server being registered.
Password Specifies the password for this server.
Policy sharing Specifies whether to enable or disable policy sharing for this server.
SQL Server instance Allows you to specify whether this is the default server or a specific instance,
by providing the Instance name.
Ensure that the SQL browser service is running before connecting to a specific
SQL instance using its instance name. Specify the port number if the SQL
browser service is not running.
Select the Default SQL server instance and type the port number to
connect to the SQL server instance.
SSL communication Specifies whether McAfee ePO uses SSL (Secure Socket Layer) communication
with this database server, including:
Try to use SSL
Always use SSL
Never use SSL
Transfer systems Specifies whether to enable or disable the ability to transfer systems for this
server. When enabled, select Automatic sitelist import or Manual sitelist import.
Use NTLMv2 Optionally choose to use NT LAN Manager authentication protocol. Select this
option when the server you are registering uses this protocol.
User name Specifies the user name for this server.
4 Click Save.
Database types
An extension can register a database type, otherwise known as a schema or structure, with McAfee
ePO. If it does, that extension can provide data to queries, reports, dashboard monitors, and server
tasks. To use this data, you must first register the server with McAfee ePO.
Database server
A database server is a combination of a server and a database type installed on that server. A server
can host more than one database type, and a database type can be installed on multiple servers. Each
specific combination of the two must be registered separately and is referred to as a database server.
After you register a database server, you can retrieve data from the database in queries, reports,
dashboard monitors, and server tasks. If more than one database using the same database type is
registered, you are required to select one of them as the default for that database type.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open the Registered Servers page: select Menu | Configuration | Registered Servers, then click New Server.
2 Select Database server in the Server type drop-down list, enter a server name and an optional
description, then click Next.
3 Choose a Database type from the drop-down list of registered types. Indicate whether you want this
database type to be set as the default.
If there is already a default database assigned for this database type, it is indicated in the Current
Default database for database type row.
4 Indicate the Database Vendor. Currently, only Microsoft SQL Server and MySQL are supported.
5 Enter the connection specifics and logon credentials for the database server.
6 To verify that all connection information and logon credentials are entered correctly, click Test
Connection.
7 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open the Registered Servers page by selecting Menu | Configuration | Registered Servers.
3 Change the name or notes for the server, then click Next.
4 Modify the information as appropriate. To verify the database connection, click Test Connection.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Open the Registered Servers page: select Menu | Configuration | Registered Servers.
3 When the confirmation dialog appears, click Yes to delete the database.
The database has been deleted. Any queries, reports, or other items within McAfee ePO that used the
deleted database are designated as invalid until updated to use a different database.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Server Type menu on the Description page, select SNMP Server, provide the name and any
additional information about the server, then click Next.
3 From the URL drop-down list, select one of these types of server address, then enter the address:
DNS Name Specifies the DNS name of the registered server.
IPv6 Specifies the DNS name of the registered server which has an IPv6 address.
6 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Server type menu on the Description page, select Syslog Server, specify a unique name and
any details, then click Next.
b TCP port number Type the syslog server TCP port. The default is 6514.
c Enable event forwarding Click to enable event forwarding from Agent Handler to this syslog server.
d Test Click Test Connection to verify the connection to your syslog server.
4 Click Save.
After you register the syslog server, you can set McAfee ePO to send events to your syslog server.
These events are saved, by default, on your Agent Handler at this path:
C:\Program Files (x86)\McAfee\Agent Handler\DB\Logs\server_<serverName>.log
This log file includes any syslog server errors that might occur.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Server type menu on the Description page, select LDAP Server, specify a unique name and any
details, then click Next.
3 Choose whether you are registering an OpenLDAP or Active Directory server in the LDAP server type
list.
The rest of these instructions assume that an Active Directory server is being configured.
OpenLDAP-specific information is included where required.
4 Choose if you are specifying a Domain name or a specific server name in the Server name section.
Use DNS-style domain names (for example, internaldomain.com) and fully-qualified domain
names or IP addresses for servers (for example, server1.internaldomain.com or 192.168.75.101).
Using domain names gives failover support, and allows you to choose only servers from a specific
site if wanted.
OpenLDAP servers can only use server names and cannot be specified by domain.
6 If you have chosen to not use the Global Catalog, choose whether to Chase referrals or not.
Chasing referrals can cause performance problems if it leads to non-local network traffic, whether or
not a Global Catalog is used.
7 Choose whether to Use SSL when communicating with this server or not.
10 Either enter a Site name for the server, or select it by clicking Browse and navigating to it.
11 Click Test Connection to verify communication with the server as specified. Alter information as
necessary.
Default connection process from the configured LDAP server to the Agent Handler.
Mirrored LDAP connection with the LDAP Synchronize server task requesting user information
from the LDAP server.
Shows the LDAP server user information mirrored to the McAfee ePO database.
Shows an Agent Handler behind the DMZ accessing the mirrored LDAP server information in the
McAfee ePO database.
Medium to large organizations can access that user information used by the Agent Handler from
the database faster to satisfy LDAP requests for UBPs.
Agent Handlers behind a DMZ can access the LDAP user information.
The LDAP information in the database can't be accessed or queried from the McAfee ePO user interface.
By default, the LDAP information in the database is updated every 8 hours by the LdapSync: Sync
across users from LDAP server task unless:
An "LDAP change notification" is sent to the Agent Handler from the McAfee ePO server.
By default, the LDAP user information cache in the Agent Handler is updated every 30 minutes.
The following items can be exported. Installed extensions can add items to this list. Check the
extension documentation for details.
Reports
Policy Catalog
Tag Catalog
The following items can have a table of their current contents exported.
Audit Log
Issues
Task
For details about product features, usage, and best practices, click ? or Help.
1 From the page displaying the objects or data, click Actions and select an option. For example, when
exporting a table, select Export Table, then click Next.
2 When exporting content that can be downloaded in multiple formats, such as Query data, an Export
page with configuration options appears. Specify your preferences, then click Export.
3 When exporting objects or definitions, such as client task objects or definitions, one of the following
occurs:
A browser window opens where you can choose Open or Save.
An Export page with a link to the file opens. Left-click the link to view the file in your browser, or
right-click the link to save the file.
Importing items
When importing items into McAfee ePO, certain rules are followed:
All items except users are imported with private visibility by default. You can apply other
permissions either during or after import.
If an item exists with the same name, "(imported)" or "(copy)" is appended to the imported
item's name.
Imported items requiring an extension or product that does not exist on the new server are
designated as invalid.
Specific details on how to import different kinds of items can be found in the documentation for the
individual items.
Issues
Issues are action items that can be prioritized, assigned, and tracked.
Contents
Issues and how they work
View issues
Remove closed issues from the Issues table
Create issues manually
Configure responses to automatically create issues
Manage issues
Use tickets with McAfee ePO
Issues can be deleted manually, and closed issues can be manually purged based on their age and
automatically purged through a user-configured server task.
View issues
The Issues page provides a list of current and closed issues.
Task
For details about product features, usage, and best practices, click ? or Help.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click Purge.
3 In the Purge dialog box, enter a number, then select a time unit.
4 Click OK.
Any items of the specified age or older are deleted, including items not in the current view. The
number of removed items is displayed in the lower right corner of the page.
Task
For details about product features, usage, and best practices, click ? or Help.
2 In the New Issue dialog box, select an issue type from the Create issue of type drop-down list, then click
OK. If you are unsure which issue type to select, choose Basic.
3 Configure the new issue. Any due dates you specify must be in the future.
4 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Select properties to narrow the events that trigger the response, then click Next.
The maximum time period that you want this response to occur.
5 Select Create issue from the drop-down list, then select the type of issue to create.
This choice determines the options that appear on this page.
6 Type a name and description for the issue. Optionally, select one or more variables for the name
and description.
This feature provides a number of variables providing information to help fix the issue.
7 Type or select any additional options for the response, then click Next.
Manage issues
You can add comments, assign, delete, edit, and view details of issues.
Task
For details about product features, usage, and best practices, click ? or Help.
Option Definition
Adding comments to issues:
1 Select the checkbox next to each issue you want to comment on, then click Action | Add comment.
2 In the Add comment panel, type the comment you want to add to the selected issues.
3 Click OK to add the comment.
Assigning issues:
Select the checkbox next to each issue you want to assign, then click Assign to user.
Display required columns on Issues page:
Click Actions | Choose Columns. Select columns of data to be displayed on the Issues page.
Deleting issues:
1 Select the checkbox next to each issue you want to delete, then click Delete.
2 Click OK to delete the selected issues.
Editing issues:
1 Select the checkbox next to an issue, then click Edit.
3 Click Save.
Exporting the list of issues:
1 Click Actions | Export Table to open the Export page.
2 From the Export page, you can specify the format of files to be exported, as well as how they are packaged.
SSL certificates
Browsers supported by McAfee ePO warn about a server's SSL certificate if the browser cannot verify
whether a trusted source signed the certificate. Creating a self-signed certificate with OpenSSL stops
the browser warning.
Creating a self-signed certificate can provide the basic security and functionality needed for systems
used on internal networks, or if you don't want to wait for a certification authority to authenticate a
certificate.
http://www.slproweb.com/products/Win32OpenSSL.html
To create and self-sign a certificate to use with your McAfee ePO server, use OpenSSL for Windows
software. There are many tools you can use to create and self-sign a certificate. This task describes the
process using OpenSSL.
To have a third party, for example Verisign or Microsoft Windows Enterprise Certificate Authority, create
a signed certificate for McAfee ePO, see How to generate a custom SSL certificate for use with ePO
using the OpenSSL toolkit, KB72477.
OpenSSL does not create these folders by default. They are used in these examples and can be created
to help you find your output files.
We recommend that you use certificates with RSA public key lengths of 2048 bits or greater.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To generate the initial certificate key, type the following command at the command line:
C:\ss\bin>
2 Enter a passphrase at the initial command prompt and verify the passphrase at the second
command prompt.
Make a note of the passphrase you enter. You need it later in the process.
The file name ca.key is generated and stored in the path C:\ssl\keys\.
3 To self-sign the certificate key you created, type the following command at the command line:
openssl req -new -x509 -days 365 -key C:/ssl/keys/ca.key -out C:/ssl/certs/ca.cer
The following screen appears.
At this command prompt, type the name of your server, for example your McAfee ePO server
name.
The file named ca.cer is generated and stored in the path C:\ssl\certs\.
4 To upload the self-signed certificate, open the Edit Server Certificate page.
a Select Menu | Configuration | Server Settings.
b From the Setting Categories list, select Server Certificate, and click Edit.
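Before uploading a certificate, it is worth confirming that it meets the 2048-bit RSA recommendation above and is not signed with a legacy digest. The following is an added example, not part of the McAfee guide: the function names, the placeholder host name and the unattended (passphrase-free) key generation are assumptions, and the sample text is constructed.

```python
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

MIN_RSA_BITS = 2048             # minimum RSA length recommended by the guide
WEAK_DIGESTS = ("md5", "sha1")  # signature digests that should be migrated

# Constructed sample: trimmed `openssl x509 -noout -text` output for a weak,
# self-signed certificate. The host name is a placeholder.
SAMPLE_WEAK_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = epo.example.internal
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 00:00:00 2024 GMT
        Subject: CN = epo.example.internal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
"""


def _field(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    match = re.search(pattern, text, re.MULTILINE)
    return match.group(1).strip() if match else None


def audit_cert_text(text):
    """Check one certificate text dump against the key-length and digest rules."""
    key_alg = _field(r"Public Key Algorithm: (\S+)", text)
    bits = _field(r"Public-Key: \((\d+) bit\)", text)
    sig_alg = _field(r"Signature Algorithm: (\S+)", text)
    issuer = _field(r"^\s*Issuer: (.+)$", text)
    subject = _field(r"^\s*Subject: (.+)$", text)
    if not (key_alg and bits and sig_alg):
        raise ValueError("not recognisable `openssl x509 -text` output")

    findings = []
    # The 2048-bit floor applies to RSA only; an EC key is far shorter by design.
    if key_alg == "rsaEncryption" and int(bits) < MIN_RSA_BITS:
        findings.append(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    if any(digest in sig_alg.lower() for digest in WEAK_DIGESTS):
        findings.append(f"signed with {sig_alg}; re-issue with SHA-256")
    return {
        "key_bits": int(bits),
        "signature_algorithm": sig_alg,
        "self_signed": issuer is not None and issuer == subject,
        "findings": findings,
    }


def make_self_signed(workdir, common_name, bits=MIN_RSA_BITS, days=365):
    """Create ca.key and ca.cer in workdir with the OpenSSL CLI; return the cert path.

    Assumption: the key is written without a passphrase so the demo runs
    unattended; the guide's procedure protects ca.key with one.
    """
    key, cert = Path(workdir) / "ca.key", Path(workdir) / "ca.cer"
    subprocess.run(["openssl", "genrsa", "-out", str(key), str(bits)],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "req", "-new", "-x509", "-sha256", "-days", str(days),
                    "-key", str(key), "-out", str(cert), "-subj", f"/CN={common_name}"],
                   check=True, capture_output=True)
    return cert


def dump_cert(cert_path):
    """Return the human-readable dump that audit_cert_text() parses."""
    done = subprocess.run(["openssl", "x509", "-in", str(cert_path), "-noout", "-text"],
                          check=True, capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    print("constructed weak sample:", audit_cert_text(SAMPLE_WEAK_TEXT)["findings"])
    if shutil.which("openssl"):
        with tempfile.TemporaryDirectory() as tmp:
            cert = make_self_signed(tmp, "epo.example.internal")
            print("freshly generated certificate:", audit_cert_text(dump_cert(cert)))
```

To audit an existing ca.cer, pass the output of dump_cert() for that file to audit_cert_text(); an empty findings list means both checks passed.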
Use these commands to separate the certificate and key from a PKCS12 certificate with them
combined.
In the previous example, C:\ssl\keys is the input and output path for the files named key.pem and
keyNoPassword.pem.
http://www.slproweb.com/products/Win32OpenSSL.html
Using the OpenSSL for Windows software, convert your PVK format certificate to PEM format.
Task
For details about product features, usage, and best practices, click ? or Help.
1 To convert a previously created PVK file to a PEM file, type the following at the command line:
openssl rsa -inform PVK -outform PEM -in C:\ssl\keys\myPrivateKey.pvk -out C:\ssl\keys\myPrivateKey.pem -passin pass:p@$$w0rd -passout pass:p@$$w0rd
2 If prompted, type the password used when you originally created the PVK file.
If the passout argument is not used in the example, the newly created PEM-formatted key is not
password protected.
Migrate certificates that are signed by an older signing algorithm to a newer algorithm, such as
from SHA-1 to SHA-256.
Regenerate your certificates when your existing certificates are compromised due to vulnerabilities
in your environment.
Migrate or regenerate certificates for managed products that are derived from McAfee ePO root CA.
This task replaces certificates that are used for all these McAfee ePO operations:
Agent-server communication
Authenticating to browsers
Task
For details about product features, usage, and best practices, click ? or Help.
Distribution percentage is calculated based on the agent-server communication after the certificates
are regenerated.
If the certificate generation fails, click Restart Migration to revert to the previous certificates and start
the certificate migration again after fixing the issues.
4 Once the certificates are generated, click Activate Certificates to carry out all future operations using
new certificates.
A backup of original certificates is created before proceeding with activation process.
Make sure that the distribution percentage is 100%. If it is not, the pending systems do not receive the
newly generated certificates and cannot communicate with the McAfee ePO server when the certificates are
activated. Deploy the agent on the pending systems to enable them to communicate with the server.
If the certificate activation fails, click Restart Migration to revert to the previous certificates and start
the certificate migration again after fixing the issues.
Each pair's secret key signs messages or packages at their source, while the pair's public key verifies
the messages or packages at their target.
From then on, the server uses the agent public key to verify messages signed with the agent's
secret key.
The server uses its own secret key to sign its message to the agent.
The agent uses the server's public key to verify the server's message.
You can have multiple secure communication key pairs, but only one can be designated as the
master key.
When the client agent key updater task runs (McAfee ePO Agent Key Updater), agents using different
public keys receive the current public key.
When you upgrade, existing keys are migrated to your McAfee ePO server.
The agent retrieves available new content each time the client update task runs.
By exporting and importing keys among servers, you can use the same key pair in a multi-server
environment.
If this key is deleted, you cannot perform a pull, even if you import a key from another server.
Before you overwrite or delete this key, make sure to back it up in a secure location.
The McAfee Agent public key verifies content that is retrieved from the remote repository.
This key pair is unique to each server installation. However, by exporting and importing keys, you can
use the same key pair in a multi-server environment. Doing so ensures that agents can always
connect to one of your Master Repositories, even when another repository is down.
If an agent downloads content that originated from a source where the agent does not have the
appropriate public key, the agent discards the content.
These keys are a new feature, and only agents 4.0 and later are able to use the new protocols.
Tasks
Use one Master Repository key pair for all servers
You can ensure that all McAfee ePO servers and agents use the same Master Repository key
pair in a multi-server environment using Server Settings.
Use Master Repository keys in multi-server environments
Make sure that agents can use content originating from any McAfee ePO server in your
environment using Server Settings.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click
Edit.
2 From the Edit Security Keys page next to Local master repository key pair, click Export Key Pair.
4 Click Save, browse to a location that is accessible by the other servers, where you want to save
the .zip file containing the secure-communication key files, then click Save.
6 Browse to the .zip file containing the exported Master Repository key files, then click Next.
7 Verify that these are the keys you want to import, then click Save.
The imported Master Repository key pair replaces the existing key pair on this server. Agents begin
using the new key pair after the next agent update task runs. Once the Master Repository key pair is
changed, an ASSC must be performed before the agent can use the new key.
The Master Repository key pair is unique for each installation of McAfee ePO. If you use multiple
servers, each uses a different key. If your agents can download content that originates from different
Master Repositories, you must make sure that agents recognize the content as valid.
Use the same Master Repository key pair for all servers and agents.
Make sure that agents are configured to recognize any repository public key that is used in your
environment.
This task exports the key pair from one McAfee ePO server to a target McAfee ePO server, then imports
it at the target McAfee ePO server, overwriting the existing key pair.
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the McAfee ePO server with the Master Repository key pair, select Menu | Configuration | Server
Settings, select Security Keys from the Setting Categories list, then click Edit.
2 Next to Local master repository key pair, click Export Key Pair, then click OK.
4 Browse to a location on the target McAfee ePO server to save the .zip file. Change the name of the
file if needed, then click Save.
5 On the target McAfee ePO server where you want to load the Master Repository key pair, select
Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click Edit.
b Next to Select file, browse to and select the master key pair file you saved, then click Next.
c If the summary information appears correct, click Save. The new master key pair appears in the
list next to Agent-server secure communication keys.
7 From the list, select the file you imported in the previous steps, then click Make Master. This setting
changes the existing master key pair to the new key pair you imported.
Make sure to wait until all agents have updated to the new master before deleting older keys.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Security Keys, then click Edit.
Action Steps
Generate and use new ASSC key pairs:
1 Next to the Agent-server secure communication keys list, click New Key. In the dialog box, type the name of the security key.
2 If you want existing agents to use the new key, select the key in the list, then click Make Master. Agents begin using the new key after the next McAfee Agent update task is complete.
Make sure that there is an Agent Key Updater package for each version of the McAfee Agent managed by McAfee ePO.
In large installations, only generate and use new master key pairs when you have a specific reason to do so. We recommend performing this procedure in phases so that you can more closely monitor progress.
3 After all agents have stopped using the old key, delete it.
In the list of keys, the number of agents currently using that key is displayed to the right of every key.
4 Back up all keys.
Export ASSC keys:
Export ASSC keys from one McAfee ePO server to a different McAfee ePO server, to allow agents to access the new McAfee ePO server.
1 In the Agent-server secure communication keys list, select a key, then click Export.
2 Click OK.
Your browser prompts you to download the sr<ServerName>.zip file to the specified location.
If you specified a default location for all browser downloads, this file might be automatically saved to that location.
Import ASSC keys:
Import ASSC keys that were exported from a different McAfee ePO server, allowing agents from that server to access this McAfee ePO server.
1 Click Import.
2 Browse to and select the key from the location where you saved it (by default, on the desktop), then click Open.
3 Click Next and review the information on the Import Keys page.
4 Click Save.
Designate an ASSC key pair as the master:
Change which key pair is specified as the master. Specify a master key pair after importing or generating a new key pair.
1 From the Agent-server secure communication keys list, select a key, then click Make Master.
2 Create an update task for the agents to run immediately, so that agents update after the next agent-server communication.
Make sure that the Agent Key Updater package is checked in to the McAfee ePO Master Repository. Agents begin using the new key pair after the next update task for the McAfee Agent is complete. At any time, you can see which agents are using any of the ASSC key pairs in the list.
Delete ASSC keys:
Do not delete any keys that are being used by any agents. If you do, those agents cannot communicate with the McAfee ePO server.
1 From the Agent-server secure communication keys list, select the key that you want to remove, then click Delete.
2 Click OK to delete the key pair from this server.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click
Edit.
2 In the Agent-server secure communication keys list, select a key, then click View Agents.
The Systems using this key page lists all systems whose agents are using the selected key.
Use the same ASSC key pair for all servers and agents
Verify that all McAfee ePO servers and agents use the same agent-server secure communication
(ASSC) key pair.
If you have many managed systems in your environment, McAfee recommends performing this process
in phases so you can monitor agent updates.
Task
1 Create an agent update task.
2 Export the keys chosen from the selected McAfee ePO server.
6 When all agents are using the new keys, delete any unused keys.
Use a different ASSC key pair for each McAfee ePO server
You can use a different ASSC key pair for each McAfee ePO server to ensure that all agents can
communicate with the required McAfee ePO servers in an environment where each server must have a
unique agent-server secure communication key pair.
Agents can communicate with only one server at a time. The McAfee ePO server can have multiple keys
to communicate with different agents, but the opposite is not true. Agents cannot have multiple keys to
communicate with multiple McAfee ePO servers.
Task
For details about product features, usage, and best practices, click ? or Help.
1 From each McAfee ePO server in your environment, export the master agent-server secure
communication key pair to a temporary location.
2 Import each of these key pairs into every McAfee ePO server.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Security Keys from the Setting Categories list, then click
Edit.
2 From the Edit Security Keys page, select one of these actions.
Action Steps
Back up all security keys:
1 Click Back Up All near the bottom of the page.
The Backup Keystore dialog box appears.
2 You can optionally enter a password to encrypt the Keystore .zip file or click OK to save the files as unencrypted text.
3 From the File Download dialog box, click Save to create a .zip file of all security keys.
The Save As dialog box appears.
4 Browse to a secure network location to store the .zip file, then click Save.
4 Click Restore.
The Edit Security Keys page reappears.
5 Browse to a secure network location to store the .zip file, then click Save.
6 Verify that the keys in this file are the ones you want to overwrite your existing
keys, then click Restore All.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Configuration | Server Settings, select Product Improvement Program from the Setting Categories list, then
click Edit.
2 Select Yes to allow McAfee to collect anonymous diagnostic and usage data, then click Save.
To learn more about the McAfee Product Improvement Program, go to
http://www.mcafee.com/us/products/security-management/product-improvement-program.aspx.
Tasks
Uninstall McAfee Product Improvement Program
The McAfee Product Improvement Program can be uninstalled at any time.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select Menu | Policy | Client Task Catalog, select McAfee Agent | Product Deployment as Client Task Types, then
click Actions | New Task.
3 Create a task to uninstall the McAfee Product Improvement Program from the required client
systems.
4 Assign the task to the client systems and send an agent wake-up call.
5 Click Menu | Software | Master Repository, click Delete next to the McAfee Product Improvement Program package,
then click OK.
6 Click Menu | Software | Extensions, then select McAfee Product Improvement Program.
You must have the current database credentials for McAfee ePO.
Task
1 From your server, open a browser to localhost:8080.
3 Under Database credentials, enter the current user name and password.
Database user name: the current user name for the database.
4 Under Administrator credentials, enter the user name and password for the new temporary administrator
account.
User name: the user name for the new account.
Confirm password: re-enter the password for the new account to verify it.
5 Click Submit.
You can now access McAfee ePO using the new administrator account. Use the account to restore
access for your administrator users. After they have access, delete the temporary administrator
account.
Ports overview
Follow these guidelines when customizing the ports used by the McAfee ePO server.
Make sure that you run only .reg files that are confirmed to be genuine registry
import files.
This topic contains information about opening or modifying the registry. This information is intended for
use by network and system administrators only. Registry modifications are irreversible and can cause
system failure if done incorrectly.
Task
For details about product features, usage, and best practices, click ? or Help.
3 In the right pane, double-click TomcatSecurePort.SQL and change the value data to reflect the required
port number (default is 8443).
4 Open a text editor and paste this line into a blank document:
5 Name the file TomcatSecurePort.sql and save it to a temporary location on the SQL Server.
6 Use Microsoft SQL Server Management Studio to install the TomcatSecurePort.SQL file that you
created.
a Click Start | All Programs | Microsoft SQL Server Management Studio.
8 In Notepad, open Server.xml and replace all entries for port 8443 with the new port number.
This topic contains information about opening or modifying the registry. This information is
for network and system administrators only. Registry modifications are irreversible and can
cause system failure if done incorrectly.
We strongly recommend that you back up your registry and understand the restore
process. For more information, see the Microsoft documentation.
Make sure that you run only .REG files that are confirmed to be genuine registry import
files.
Modifying the agent-server communication port requires five steps and one optional step if you are
using remote Agent Handlers.
1 Stop the McAfee ePO services
Task
For details about product features, usage, and best practices, click ? or Help.
c Modify the string value AgentPort to reflect the appropriate port, then close the registry editor.
The default value for this port is 80.
UPDATE EPOServerInfo
SET ServerHTTPPort=80
c Click Start | All Programs | Microsoft SQL Server Management Studio to use Microsoft SQL Server
Management Studio to install the DefaultAgentPort.sql file.
g Click File | Open | File, browse to and select the DefaultAgentPort.SQL file, then click Open | Execute.
i Name the file DefaultAgentPort.SQL and save it to a temporary location on the SQL Server.
j Use Microsoft SQL Server Management Studio to install the DefaultAgentPort.SQL file.
Click Start | All Programs | Microsoft SQL Server Management Studio.
Click File | Open | File, browse to and select the DefaultAgentPort.SQL file, then click Open |
Execute.
b Using a text editor, open Server.ini and change the value for HTTPPort=80 to reflect the new
number, then save the file.
c Using a text editor, open Siteinfo.ini and change the value for HTTPPort=80 to reflect the new
number, then save the file.
Listen 80
ServerName <YourServerName>:80
This server might be listed as MCAFEEAPACHESRV if the server wasn't restarted since the
Agent Handler was installed.
Listen 80
ServerName <YourServerName>:80
This server might be listed as MCAFEEAPACHESRV if the server has not been restarted since
the Agent Handler was installed.
If you previously deployed agents to clients, reinstall the agent on all clients using the
/forceinstall switch to overwrite the existing Sitelist.xml file. For more information about specific
McAfee Agent versions that allow the /forceinstall switch to work successfully, see McAfee
KnowledgeBase article KB60555.
Relevant terms
Bidirectional The remote or local system can initiate the connection.
Agent wake-up communication port, SuperAgent repository port
Default port: 8081
Description: TCP port opened by agents to receive agent wake-up requests from the McAfee ePO server. TCP port opened to replicate repository content to a SuperAgent repository.
Traffic direction: Outbound connection from the McAfee ePO server and Agent Handler to the McAfee Agent.
Agent broadcast communication port
Default port: 8082
Description: UDP port opened by SuperAgent to forward messages from the McAfee ePO server and Agent Handler.
Traffic direction: Outbound connection from the SuperAgent to other agents.
Console-to-application server communication port
Default port: 8443
Description: HTTPS port opened by the McAfee ePO Application Server service to allow web browser console access.
Traffic direction: Inbound connection to the McAfee ePO server from the McAfee ePO console.
Client-to-server authenticated communication port
Default port: 8444
Description: Used by the Agent Handler to communicate with the McAfee ePO server to get required information (for example, LDAP servers).
Traffic direction: Outbound connection from remote Agent Handlers to the McAfee ePO server.
SQL Server TCP port
Default port: 1433
Description: TCP port used to communicate with the SQL Server. This port is specified or determined automatically during the setup process.
Traffic direction: Outbound connection from the McAfee ePO server and Agent Handler to the SQL Server.
SQL Server UDP port
Default port: 1434
Description: UDP port used to request the TCP port that the SQL instance hosting the McAfee ePO database is using.
Traffic direction: Outbound connection from the McAfee ePO server and Agent Handler to the SQL Server.
Default LDAP server port
Default port: 389
Description: LDAP connection to look up computers, users, groups, and Organizational Units for User-Based Policies.
Traffic direction: Outbound connection from the McAfee ePO server and Agent Handler to an LDAP server.
Default SSL LDAP server port
Default port: 636
Description: User-Based Policies use the LDAP connection to look up users, groups, and Organizational Units.
Traffic direction: Outbound connection from the McAfee ePO server and Agent Handler to an LDAP server.
Relevant terms
Bidirectional A local or remote system can initiate the connection.
When systems connect to McAfee ePO using a VPN server, they use the MAC address of the VPN server
for all connecting systems. This causes some of the VPN connected systems to disappear from the
System Tree because they appear as duplicate MAC addresses.
This diagram and its description explain why some systems connecting to McAfee ePO over a VPN
disappear from the System Tree because they have the same MAC address.
McAfee ePO associates the MAC address of the VPN server, 00:12:3F:11:11:11, to Client A
rather than the client's actual MAC address.
Client B connects to McAfee ePO over the VPN connection.
McAfee ePO associates the MAC address of the VPN server, also 00:12:3F:11:11:11, to Client B.
Now two clients have the same VPN server MAC address.
Client A is deleted from the System Tree because both clients appear to have the same MAC
address.
To stop McAfee ePO from using the VPN server MAC addresses as valid matching criteria and deleting
the systems, you must:
1 Find the VPN server MAC address to learn the Organizationally Unique Identifier (OUI), or vendor
identifier. The OUI is the first six digits of the VPN server MAC address.
2 Use SQL Server Management Studio to insert the VPN server OUI in the McAfee ePO virtual MAC
vendor values to stop that OUI being used as the first valid matching criteria. This change causes
McAfee ePO to use the client GUID as valid matching criteria instead of the MAC address for all
systems connecting with the VPN server OUI.
Contents
Determining connected VPN server's OUI
Use the System Tree to find VPN server MAC address
Create report to find VPN server MAC address best practice
Best practice: Use SQL Server Management Studio to add virtual MAC vendor ID value
Task
For details about product features, usage, and best practices, click ? or Help.
1 Remotely connect to a system connecting to McAfee ePO through that VPN server.
2 Use one of these processes to display the McAfee Agent Status Monitor:
If the McAfee Agent icon appears in the system tray, click the icon.
If the McAfee Agent icon does not appear in the notification area, use the following
command-line steps to display the McAfee Agent Status Monitor:
1 From the command prompt, change directories to this default folder:
C:\Program Files\McAfee\Common Framework\
3 From the McAfee Agent Status Monitor, click Collect and Send Props.
This process collects the system properties and sends them to the McAfee ePO server.
4 From the McAfee ePO console, select Menu | Systems | System Tree.
5 To display the system information, locate the system that connects to McAfee ePO over the VPN
connection and double-click the system name.
6 Click the System Properties tab, then click Customize on the right of the display.
7 From the Properties list, find MAC Address, click Move to Top, then click Save.
The VPN connected system's MAC address appears at the top of the list of the system information
display.
8 Make a note of the first six digits of the system MAC address, which is the OUI for the VPN server.
Task
2 Click New Query to display the Result Type tab, configure these settings, then click Next.
In the Feature Group list, select System Management.
3 From the Chart tab, configure these settings, then click Next.
In the Display Results As list, select Single Group Summary Table.
In the Labels are list, under Computer Properties, select MAC Address.
4 In the Columns tab, from the Available Columns list under Computer Properties, select MAC Address,
then click Next.
In the Managed State settings, select Equals from the Comparison drop-down list and Managed
from the Values drop-down list.
In the Available Properties list, expand Computer Properties and click MAC Address.
In the MAC Address settings, select Value is not Blank from the Comparison drop-down list.
6 In the output of the query, find any two systems with the same MAC address.
This MAC address probably belongs to the VPN server connecting the systems to McAfee ePO.
7 Make a note of the first six digits of the system MAC address, which is the OUI of the VPN server.
Task
1 Type this command in your browser to learn your McAfee ePO server and database name.
https://<ServerName>:8443/core/config-auth
Replace <ServerName> with the name of your McAfee ePO server, and replace 8443 with your server
communication port number if it is not the default.
2 Open SQL Server Management Studio and connect to the McAfee ePO SQL database server using
your database authentication method.
Typically the McAfee ePO SQL database server name is <McAfee_ePO_server_name>\EPOSERVER.
Databases
ePO_<McAfee_ePO_server_name>
Tables
4 Scroll down the list to the dbo.EPOVirtualMacVendor table, right-click the table name, and select
Script Table as | INSERT to | New Query Editor Window.
An SQLQuery1.sql file opens in the right pane of the display with the EPOVirtualMacVendor table default
value.
5 The default query value, listed between parentheses, is <VendorID, nvarchar(8),>. Change that value to
the VPN server vendor ID.
Enclose the six-digit hexadecimal value in single quotes.
This is an example of the default table value and the changed '00123F' table value.
6 To run the query and add the VPN server OUI value to the EPOVirtualMacVendor table, click Query |
Execute in the menu bar.
7 Confirm that this status appears in the Messages pane below the query that you updated:
(1 Row(s) affected)
Now McAfee ePO uses the client GUID as valid matching criteria instead of the MAC address for all
systems connecting with the VPN server OUI.
See also
Determining connected VPN server's OUI on page 414
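The duplicate-MAC check from the report task and the value formatting from step 5 of the SQL task, as an added example that is not McAfee's code. It assumes the query result was exported as (system name, MAC address) pairs; the sample rows and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of an exported MAC Address query result: (system name, MAC address).
# 00:12:3F:11:11:11 is the VPN server MAC address used in the guide's walkthrough.
SAMPLE_ROWS = [
    ("CLIENT-A", "00:12:3F:11:11:11"),
    ("CLIENT-B", "00-12-3f-11-11-11"),
    ("CLIENT-C", "00123F111111"),
    ("LAPTOP-7", "00:12:3F:22:33:44"),   # same OUI, unique MAC
    ("DESKTOP-1", "AA:BB:CC:00:00:01"),
    ("DESKTOP-2", "AA:BB:CC:00:00:02"),
    ("KIOSK-9", ""),                      # blank MAC, ignored
    ("BAD-ROW", "00:12:3F:ZZ:11:11"),     # malformed, ignored
]

_SEPARATORS = re.compile(r"[:\-.\s]")
_MAC = re.compile(r"[0-9A-F]{12}")
_OUI = re.compile(r"[0-9A-F]{6}")


def normalize_mac(raw):
    """Return the MAC as 12 uppercase hex digits, or None if blank or malformed."""
    mac = _SEPARATORS.sub("", raw or "").upper()
    return mac if _MAC.fullmatch(mac) else None


def shared_macs(rows):
    """Map each MAC reported by more than one system to the sorted system names."""
    systems = defaultdict(set)
    for name, raw in rows:
        mac = normalize_mac(raw)
        if mac:
            systems[mac].add(name)
    return {mac: sorted(names) for mac, names in systems.items() if len(names) > 1}


def candidate_ouis(rows):
    """OUIs (first six hex digits) of shared MACs: candidates to review, not proof."""
    return sorted({mac[:6] for mac in shared_macs(rows)})


def systems_with_oui(rows, oui):
    """Every system whose MAC starts with the OUI; all of them move to GUID matching."""
    return sorted({name for name, raw in rows
                   if (normalize_mac(raw) or "").startswith(oui)})


def vendor_id_literal(oui):
    """Single-quoted value for the VendorID placeholder; rejects anything but six hex digits."""
    value = oui.strip().upper()
    if not _OUI.fullmatch(value):
        raise ValueError(f"not a six-digit hexadecimal OUI: {oui!r}")
    return f"'{value}'"


if __name__ == "__main__":
    for oui in candidate_ouis(SAMPLE_ROWS):
        print(oui, vendor_id_literal(oui), systems_with_oui(SAMPLE_ROWS, oui))
```

In the sample, LAPTOP-7 has a unique MAC address but shares the OUI, so it also moves to GUID matching once the value is added. Review that list before running the INSERT.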
Installing McAfee ePO on an Amazon Web Services (AWS) virtual server allows you to resize your
server as your network grows and can eliminate the chance of hardware failure.
Contents
Using an AWS server with McAfee ePO
Create the AWS server
Connect to the AWS server
Install McAfee ePO on an AWS server
Create a virtual Agent Handler
Figure C-1 AWS server with McAfee ePO basic configuration steps
Log on to the AWS Management Console and configure your AWS virtual server.
1 Select and configure the virtual server with software, hard disk storage, and memory.
Select the AWS geographical region for your virtual server nearest to most of your McAfee ePO
managed systems.
In AWS, a firewall is called a Security Group and must be created to allow a McAfee Agent to
connect to the McAfee ePO server.
3 Capture the AWS instance public DNS name, or IP address, that AWS created.
Use Remote Desktop Connection and the DNS name, or public IP address, to connect to the AWS
server.
Install McAfee ePO using software provided by McAfee and information from the AWS SQL
database server.
Create a virtual Agent Handler in the McAfee ePO console.
A virtual Agent Handler allows your managed systems to communicate with the McAfee ePO server
that is installed on the AWS server.
This example, and the selected values, describe creating a McAfee ePO server to manage about
30,000 client systems. The values you select might be different. See the McAfee ePolicy Orchestrator
Installation Guide for CPU, storage, and memory requirements.
Task
1 Log on to the AWS console to display the AWS Console page.
2 Set the AWS data center region to the location closest to most of the client systems you manage
with McAfee ePO. To select the region, click the list on the right side of the navigation bar on the
AWS Console page.
3 Under Compute, double-click EC2 (Amazon Elastic Compute Cloud) to open Step 1: Choose an
Amazon Machine Image (AMI).
In this example, the server instance is a 64-bit server with a Microsoft Server 2012 with SQL
Standard Edition already installed.
4 Scroll to the image you want, then click Select, to open Step 2: Choose an Instance Type.
5 In this example, to manage 30,000 clients, in the Family column, select the instance type General
purpose, and configure these settings:
The instance type you choose depends on many factors in your managed network. For example,
the number of managed clients, network geography, and connectivity between locations. Use the
McAfee ePO server CPU cores, RAM, and hard drive suggestions to select your comparable instance
type.
6 Click Next: Configure Instance Details to open Step 3: Configure Instance Details.
Do not select Terminate. If you do, when you stop your AWS server, the server instance is
deleted and you must completely reconfigure it to start again.
b Type For the McAfee ePO server partition, select EBS (Elastic Block Store) and configure these
settings:
Device Select an individual device name from the list.
11 Configure a specific tag and value used to identify this AWS server, then click Next: Configure Security
Group to open Step 6: Configure Security Group page.
Tags don't have any semantic meaning to Amazon EC2 and are interpreted strictly as a string of
characters. Also, tags are not automatically assigned to your resources.
Using Add Rule, configure this list of ports and matching protocols.
14 Confirm your settings, then click Launch to Create a new key pair.
15 Create a security key pair, with these settings, to generate an encrypted password when you first
log on to this AWS server.
Click Download Key Pair to copy the .pem file to your local computer.
Click Launch Instances after the .pem file is saved to your local computer.
16 On the Launch Status page, click View Instances to confirm the status of the AWS server.
Once you click Launch instance, it might take 20-30 minutes before your instance is ready to access.
During that time, Initializing displays under Status Checks.
You have created your AWS server. Continue with the connection process and create a static IP
address for your AWS server.
See also
Ports required for communicating through a firewall on page 410
By default, AWS creates a non-routeable IP address (10.x.x.x) and a virtual IP address (56.x.x.x).
Create a static IP address, using AWS Elastic IPs, to allow your managed systems to connect to the
McAfee ePO server and use your DNS to create a DNS name.
Task
1 Log on to the AWS console.
2 In the left pane, select Instances, then in the details pane right-click the AWS server instance that
you created, and select Connect to open Connect To Your Instance.
3 Click Get Password to open Connect To Your Instance > Get Password dialog box.
The RSA Private Key file you selected is loaded into the dialog box.
7 Type the user name Administrator, the decrypted password, and click OK to open your AWS
server.
8 In the left pane, click Elastic IPs, then in the details pane, right-click your instance name, and select
Associate Address to create a static IP address and open the Associate Address dialog box.
10 Click Associate to release the non-routeable IP address assigned by AWS to your server.
Note the public IP address assigned to your AWS server and ask your IT group to create a fully
qualified DNS name for this AWS server.
In the future, if you must replace your McAfee ePO server, you can redirect that DNS name to a
different IP address without losing the connections from your managed systems.
You have created a static IP address to use with Microsoft Remote Desktop Connection to log on to the
AWS server and install McAfee ePO.
See also
Create the AWS server on page 420
You must know this information before you start the McAfee ePO installation:
SQL database name configured on your AWS server
Paths to the McAfee ePO server and SQL database disk space
Task
1 Connect to the AWS server using Remote Desktop Connection and the configured static IP address
or DNS name.
2 Start the McAfee ePO installation process using the McAfee ePolicy Orchestrator Installation Guide
and the Perform Custom installation process.
3 In the Database Information, configure the Microsoft SQL Server using the AWS server name.
By default, the McAfee ePO SQL Server name is <AwsServerName>\EPOSERVER.
c Right-click the AWS server that you created, then from the list that appears, click Image, and
Create Image.
You have a McAfee ePO server installed and configured that you can connect to from a remote browser
using this format:
https://<AwsServerName>:<port>
See also
Create the AWS server on page 420
Connect to the AWS server on page 431
Because McAfee ePO cannot use an Elastic IP address, it needs a virtual Agent Handler configured to
publish its private IP address to the McAfee Agent. But, the McAfee Agent cannot connect back to the
Agent Handler on this private IP address over the Internet.
Task
2 Click New Group, configure these settings for your virtual Agent Handler, then click Save.
Group Name Type a virtual Agent Handler group name.
In Included Handlers, click Use load balancer and type the virtual DNS name and virtual IP address.
Virtual DNS Name Type the DNS name assigned to the static public IP address that is associated
with this AWS server.
Virtual IP Address Type the static public IP address that is associated with this AWS server.
3 Enable the new virtual Agent Handler: on the Handler Groups page, find the new virtual Agent Handler
that you created, then click Enable in the Actions column.
4 From the Agent Handlers page, click New Assignment, configure these settings, then click Save.
Assignment Name Type a name.
In Agent Criteria, under System Tree location, click ..., select My Organization from the dialog box, then
click OK.
In Handler Priority, click Use custom handler list, click + to add the virtual Agent Handler, and move it to
the top of the list.
5 Confirm that the virtual Agent Handler has the following configuration on the Agent Handlers page:
Handler Groups 1
Handler Assignment Rules The virtual Agent Handler rule that you created is at the top of the
list.
You have everything needed to create a McAfee Agent URL and start connecting your managed
systems to your AWS McAfee ePO server.
See also
Install McAfee ePO on an AWS server on page 432