Last Modified: 8/10/2015
Environment
NOTES:
- File and Removable Media Protection (FRP) is the new name for Endpoint Encryption for Files and Folders (EEFF).
- Removable Media Protection (offsite access options) was formerly known as Endpoint Encryption Removable Media (EERM).
- For details of FRP 4.3 supported environments, see KB81149.
Summary
- General: product information, including miscellaneous topics.
- Compatibility: interaction between other products and software: Microsoft EFS, Mac OS X, Removable Media Protection, Host DLP and EEPC/DE, Windows 8.
- Installation/Upgrade: information about installing, upgrading, and removing: Removable Media Protection and FIPS.
- Configuration: best practices, optimizing, configuring, and customizing: CD/DVD, Exempted Device IDs, new policy category changes, Password, Recovery.
- Functionality: product features and functions: Audit logs, CD/DVD/ISO Media, email, events, Keys, Key Cache, Large Files, Mac OS X, McAfee Core Cryptographic Module, policies, Removable Media Protection, queries/reporting, self-extractor, VDI and Recovery.
What are the broad use cases that FRP addresses?
FRP protects data on local drives, network shares, and removable media devices. Specifically, it offers options to:
- Encrypt files/folders on local drives.
- Encrypt files/folders on network shares.
- Encrypt removable media devices. This can restrict usage of encrypted removable media devices to just within the company’s environment (onsite access only) or allow encrypted devices to be read on systems without having to install the Intel Security Encryption software.
- Encrypt email attachments.
What does the persistent encryption feature mean?
This feature ensures that an individual file remains encrypted even after the decrypt driver for Full Disk Encryption has been loaded. For operations performed through Windows File Explorer, the encryption state of files is maintained. The encryption remains transparent to a user with the encryption agent and proper keys loaded.
Is the process of encrypting files/folders on local machines or network shares policy-driven or user-driven?
It can be both. The administrator can take the policy-driven approach and configure policies to encrypt either:
- Files of a certain type, using the File Encryption policy
- Folders in a specific location (either a local drive or a network share), using the Folder Encryption policy
The administrator can also allow end users to selectively encrypt/decrypt files and folders by enabling the Explicit Encrypt and Explicit Decrypt options.
Does FRP 4.3 support Windows 8.1 Update, 8.1, and 8.0?
Yes. For a list of supported operating systems, see KB81149.
Does FRP support USB 3.0 devices?
Yes.
Does FRP 4.3 support a Virtual Desktop Infrastructure (VDI) environment?
Yes. FRP 4.3 offers support for certain selected modes of Citrix XenDesktop 5.6 and 7.1. For more details, see the VDI section.
Is FRP supported on network shares?
Yes. For details see KB72276.
What versions of ePolicy Orchestrator (ePO) and McAfee Agent (MA) are required for FRP 4.3?
For a list of supported versions of ePO and MA, see KB81149.
Does FRP support the Advanced Format Drives that have a 4 KB hard disk sector size?
FRP does not currently support the 4 KB native drives because the current Microsoft operating systems do not support this format. However, FRP products do support Microsoft operating systems that support drives that use the Advanced Format (4 KB physical and 512-byte logical sector size). The drives in this mode emulate 512-byte sectors, so no issues are expected. For further details, see KB71582.
Does FRP support governmental regulations (for example, HIPAA or FISMA) for records retention or retrieval?
Intel Security encryption products can help address many of the compliance requirements. Note that use of Intel Security Endpoint Encryption solutions does not automatically guarantee or certify compliance. IT departments should enlist the services of third-party compliance auditing services for this.
Is FRP Common Criteria Evaluation Assurance level 4 (CC EAL4) certified?
No.
What burning software does FRP support with CD/DVD Encryption (Onsite Access Only)?
FRP supports Windows Burner (Mastered Format), Nero, and Roxio CD creator.
NOTES: FRP has been tested with the following:
- Nero 12 and Roxio CD creator 12.1
- Windows Burner (mastered format), Nero 9, and Roxio 10.3
Is FRP compatible with the Microsoft Encrypted File System (EFS)?
No. Because EFS and FRP are file encryption products and work at the same file system level, there would be a driver conflict. For more information about EFS, see http://windows.microsoft.com/en-US/windows-vista/What-is-Encrypting-File-System-EFS.
Is FRP compatible with the Microsoft Extended File Allocation Table (ExFAT)?
Yes, for the container-based model of encrypting USB devices. The base file system does not matter because FRP creates a secure FAT32-based container on top of it, and this container is independent of the base file system.
NOTE: This is a Microsoft file system optimized for flash drives.
Does FRP encrypt the Windows system page file?
Yes. FRP will always encrypt the page file, which is why the page dump file is also encrypted. Not encrypting the Windows page file would be a security loophole.
Are the Microsoft Windows system files encrypted with FRP?
No. System files are excluded from encryption as a safety precaution.
Does FRP support encryption of files uploaded on a SharePoint server?
FRP cannot communicate directly with Microsoft SharePoint Portal Server because it is a web-based document management system. Because SharePoint uses socket communication for all file operations instead of Windows I/O file operations, the FRP file system filter driver is not invoked in SharePoint file operations and encrypted data is uploaded in plain text. Files encrypted with FRP are decrypted by default if they are uploaded directly to SharePoint Server; for details see KB70271.
What about third-party encryption compatibility?
Intel Security does not recommend installing or using any other third-party encryption product on systems running FRP because this could result in a driver conflict and loss of product functionality. If you require support for any specific third-party encryption product, Intel Security recommends that you submit a Product Enhancement Request (PER). For more information about submitting a PER, see the Related Information section.
Does FRP work in Microsoft Windows Safe Mode?
FRP works for Safe Mode with networking. FRP does not work for Safe Mode without networking.
Encrypted USB media can be read on Windows systems without having to install any FRP software - do I have the same flexibility with Mac OS X?
Yes. Offsite support on Mac OS X clients is a new feature introduced in FRP 4.3. For more details about Mac OS X clients, see the Mac OS X section below.
Is FRP supported on the Mac?
Yes, for accessing encrypted removable media devices. For more details about support on Mac clients, see the Mac OS X section below.
How is an iPhone handled by Removable Media?
The iPhone does not present itself as a USB storage device when connected to a Windows operating system. Therefore, Removable Media does not attempt to create an encrypted container.
NOTE: You can exempt devices from Removable Media by using the Exempted Device IDs option. To find the DeviceID for a removable media device, see your FRP Product Guide.
Can I use 'User personal keys' in a Host DLP policy?
No. You can only use Regular FRP Keys.
Does FRP work with either Endpoint Encryption (EEPC) or Drive Encryption (DE)?
Yes. They are two different products that operate at a different level. EEPC/DE works at the sector level, and FRP works at the file level.
Do I have to restart a client when I install FRP, as I did with EEFF?
Yes. You must restart the client after you install FRP.
Can I delay the required restart using a switch, as is possible in Endpoint Encryption for PC?
No. This is currently hard-coded. To submit a Product Enhancement Request (PER), see the Related Information section below.
What is the recommended migration path from systems with BitLocker to FRP and dealing with already encrypted removable media?
Decrypt the media using BitLocker, and then encrypt it with FRP.
Can I install FRP using a third-party deployment tool?
Yes. For details, see KB81433.
What will a user see if a non-Intel Security encrypted drive is plugged in to a Removable Media client? Will the user be prompted to encrypt?
You may be prompted to perform encryption because Removable Media Protection options (with offsite access) may not recognize the drive as being encrypted. Intel Security advises you to include non-Intel Security encrypted devices in the Exempted Device IDs list, because choosing to create an encrypted container on an already encrypted drive may result in unexpected behavior, and in some cases lead to loss of data.
NOTE: For a non-Intel Security encrypted drive to be exempted, the device must be added to the exemption list. To find the VID or PID of an Encrypted USB device in Windows, see KB81447.
Is Removable Media functionality installed as a separate package?
Removable Media functionality is automatically installed with FRP.
Can I install FRP in FIPS mode?
Yes. FRP makes use of the McAfee Core Cryptographic Module (MCCM) which has been submitted for FIPS 140-2 Level 1 certification. The current status of the FIPS certification is available on the NIST website. For more information about how to install FRP in FIPS mode via ePO, see the FRP Product Guide PD25074, or for details about installing via a command line, see KB78872.
Do I also have to run ePO in FIPS mode?
You should review your overall configuration with the appropriate auditor to determine whether you have to run ePO in FIPS mode. Discussions with your auditor should determine whether you have to operate client and server in FIPS mode or just the client. There are restrictions, such as ePO can only manage FIPS-certified products when operating in FIPS mode. For more information, see KB75739.
Do I have to run the Microsoft Windows system on which the FRP client is installed in FIPS mode?
You should review your overall configuration with the appropriate auditor to determine this.
Are there any differences in the installation processes for FRP for FIPS and non-FIPS mode?
Yes. See the FRP Product Guide PD25074.
Is upgrading from an existing version of Endpoint Encryption for Files and Folders (EEFF) to FRP (FIPS mode) supported?
No. Only clean installations of FRP 4.3 in FIPS mode are supported.
Why is upgrading from an existing version of EEFF to FRP in FIPS mode unsupported?
You cannot move from a non-FIPS installation of EEFF to a FIPS installation of FRP because the keys have previously been generated in a non-FIPS mode. This results in the inability to claim FIPS-certified status for your installation.
If I am running FRP in FIPS mode, can I read files/folders/removable media devices encrypted by the previous versions of EEFF installed in non-FIPS mode?
Yes.
If I install FRP in non-FIPS mode, will I still derive the performance benefits offered by MCCM?
Yes. FRP operating in non-FIPS mode also uses the MCCM cryptographic module and can utilize the performance benefits available through MCCM leveraging AES-NI. For more details about MCCM, see the MCCM section below.
I want to upgrade the product extension to FRP, but some of my clients will still be on EEFF; can I still manage these clients with the FRP extension?
Yes. The extension is backward-compatible, which allows the EEFF clients to still be managed by the FRP extension. However, any new FRP functionality will not work until the EEFF client has been upgraded.
Which policy categories had changes to the user interface (UI) introduced in EEFF 4.2?
CD/DVD and Removable Media Policy categories.
What is the rationale behind the UI policy changes introduced in EEFF 4.2? (EEFF 4.2 and later)
The changes were made to deliver the following benefits:
- Provide more commonality between the CD/DVD and Removable USB Media Protection policy categories
- Simplify the admin experience in evaluation and selection of policies
- Focus on behavior rather than underlying technicality
- Improve the configuration workflow
What are the encryption options available for Protected Area for FRP?
The following encryption options are available on FRP with 'Allow Encryption (with offsite access)' and 'Enforce Encryption (with offsite access)':
- Entire Device
- User Managed (this option allows you to choose the size of the encryption portion of the device)
What is the maximum recommended device size for 'Allow encryption (with offsite access)' or 'Enforce encryption (with offsite access)' options for USB Media?
Intel Security has tested and supports devices up to 3 TB, starting with the FRP 4.3 release.
What is the basis on which the new policy pages for CD/DVD and Removable Media categories have been organized?
The original policy pages for both CD/DVD and Removable Media referred to the Encryption Options and Encryption Method respectively; they now both focus on the Protection Level. On selecting the Protection Level, the associated Protection Options are available to be configured.
The main difference in behavior between the file-based encryption technology and the container-based encryption technology (previously EERM) is that the former constrains the device usage to systems with FRP installed (onsite access only), while the latter allows for access on systems without Intel Security Encryption software installed via the offsite browser (with offsite access). This behavioral change is the main theme of the new UI for both policy categories.
What CD/DVD Protection Level options are available?
- Allow Unprotected Access
- Allow Encryption (with offsite access)
- Enforce Encryption (with offsite access)
- Enforce Encryption (onsite access only)
- Block Write Operations
What are the Protection Level options available for Removable Media?
The Removable Media policy is organized into two tabs: USB Media and Floppy Disk Media. The available options are:
- USB Media:
  - Allow Unprotected Access
  - Allow Encryption (with offsite access)
  - Enforce Encryption (with offsite access)
  - Enforce Encryption (onsite access only)
  - Block Write Operations
  NOTE: This option restricts the USB devices to a read-only mode. (New FRP feature)
- Floppy Disk Media:
  - Allow Unprotected Access
  - Block Write Operations
Will the new Block Write Operations protection level offered for USB Media block copy operations from the USB device as well?
No. Only copy operations to the USB device are restricted with this feature.
What is the default Protection Level option for CD/DVD, Removable USB Media and Floppy Disk Media?
These are:
- CD/DVD - Allow Unprotected Access
- Removable USB Media - Enforce Encryption (with offsite access)
- Floppy Disk Media - Block Write Operations
Do the preceding Protection Level options use a file-based encryption or container-based encryption approach?
- Allow Encryption (with offsite access) and Enforce Encryption (with offsite access) use the container-based approach.
- Enforce Encryption (onsite access only) uses the file-based encryption approach.
What are the authentication options available with the preceding options selected?
Authentication can be password-based or certificate-based.
Can I force an end user to use a password as the authentication mechanism for Removable USB Media?
Yes. You can configure the authentication options available to the end user via the Removable Media policy.
Where can I change the Removable Media password complexity?
It is possible to configure the FRP Removable Media password complexity via the Password Policy Rules page in ePO. An administrator is able to configure the minimum length of the password, minimum number of uppercase characters, minimum number of lowercase characters, minimum number of alphabetical characters, minimum number of numeric characters, and minimum number of special characters. The same password quality rules are applicable for FRP Removable Media, Self-extractors, and User Local Keys.
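As an added illustration (not McAfee's code) of how the rule categories listed above combine, the following Python validator reports every minimum that a candidate password fails; the PasswordRules class, its field names and the sample thresholds are assumptions made for this example.

```python
"""Validator for the kind of password quality rules described above.

Added example, not McAfee's code: PasswordRules, its field names and
check_password() are assumptions made for this illustration.
"""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordRules:
    """Minimum counts an administrator might set on a Password Policy Rules page.
    The threshold values here are constructed sample settings."""
    min_length: int = 8
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_alphabetic: int = 2   # letters of any case, counted together
    min_numeric: int = 1
    min_special: int = 1      # punctuation; whitespace is never counted as special


def check_password(password: str, rules: PasswordRules) -> list:
    """Return the names of every rule the password fails (empty list = passes).

    Each rule is evaluated independently so that the caller can tell the
    user exactly which minimums were not met, in the order they are listed.
    """
    observed = {
        "min_length": len(password),
        "min_uppercase": sum(c.isupper() for c in password),
        "min_lowercase": sum(c.islower() for c in password),
        "min_alphabetic": sum(c.isalpha() for c in password),
        "min_numeric": sum(c.isdigit() for c in password),
        "min_special": sum(c in string.punctuation for c in password),
    }
    return [name for name, count in observed.items()
            if count < getattr(rules, name)]


if __name__ == "__main__":
    rules = PasswordRules()
    for candidate in ("Abcdef1!", "abcdefgh", "A1!", "Abcdefg 1"):
        failed = check_password(candidate, rules)
        print(f"{candidate!r}: {'OK' if not failed else ', '.join(failed)}")
```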
Can I use a wildcard with the FRP Removable Media option Exempted Device IDs?
No. You can only exempt a device by using the Device ID. To find the DeviceID for a removable media device, see KB81447 or refer to the FRP Product Guide.
Can I configure the FRP Removable Media to exempt devices by vendor?
Yes. For details see KB81519.
Can I customize the UI text that appears when a removable USB Media is inserted?
Yes. The administrator can configure this text via the Removable Media policy. The text can be up to 300 characters in length.
What location is used by FRP Removable Media to temporarily store the data when the encryption container is being created?
When FRP Removable Media encrypts a USB device, the original data is moved to your local hard disk under: %<Users temp folder>%McafeeEERMFormatFormat*
Can I modify the temporary location FRP Removable Media uses when encrypting a USB device?
No. To submit a PER, see the Related Information section.
When is FRP Removable Media configured to delete the files backed up on the local hard disk?
The data is not deleted until you respond to a dialog box either when you exit or re-open FRP Removable Media. This is done to protect the original data in case the encryption process is interrupted.
Can I configure FRP Removable Media to have a policy where only removable media devices under a certain size are encrypted?
Yes. You can specify an upper limit (but not a lower limit) on the size of USB devices that FRP Removable Media will initialize. The following FRP Removable Media encryption options are available:
- Entire Device
- User Managed
NOTE: Selecting the option User Managed will give the end user the option to choose the size of the encryption portion of the device.
In FRP, can I mandate that a recovery option be enforced for FRP Removable Media?
Yes. You can enforce recovery options via a policy on the Removable Media policy page by selecting the Mandatory option. In this case, you cannot initialize the device without filling in the mandatory recovery input.
What is the configurable Key Cache expiry feature?
The Key Cache expiry feature is a software-based, policy-driven, capability that enables the administrator to configure how long the Key Cache is available locally on the FRP client before it is removed because of non-connectivity to the ePO server.
What happens if the FRP client does not connect to the ePO server for the time period specified by the administrator?
The Key Cache (containing all the keys) is unloaded from the FRP client, and you cannot perform any operations which require the availability of keys, such as:
- Reading encrypted files/folders on the local machine/network share
- Initializing/encrypting removable USB media with the options Allow Encryption (with offsite access) or Enforce Encryption (with offsite access), where a key has been configured for recovery
- Key-based recovery of removable USB media
- Encrypting CD/DVDs or USB media with the option Enforce Encryption (onsite access only)
How can the Keys, which were unloaded because of non-connectivity to the ePO server, be made available on the FRP client?
The Key Cache (unloaded keys) is reloaded after communication with the ePO server.
Are all types of keys unloaded when the specified time period elapses?
Yes. All keys (Regular, User Personal Keys, and User Local Keys) are unloaded from the FRP client.
Is there a minimum requirement of either ePO or MA for this Key Cache feature to be available?
To enable this feature, the FRP client must be running:
- MA 4.8 Patch 1 or later
- Any supported version of ePO (ePO 4.6 Patch 6 and later)
What happens with the Key Cache feature if the FRP client is running an MA version earlier than 4.8 Patch 1?
The configurable Key Cache expiry feature is not available. In this case, the Key Cache is not unloaded from the FRP client.
Where is this Key Cache policy option available to the administrator?
This option is available to the administrator under the FRP Encryption Options policy.
What are the options available with the Key Cache policy?
NOTES:
- Enable Key Cache expiry - when selected, enables the automatic removal of keys from the Key Cache if the client system fails to connect to the ePO server within the configured period.
- Key Cache expiry period - specifies the number of days after which Key Cache is unloaded when Enable Key Cache expiry is selected and the client system has not connected to the ePO server.
- The default Key Cache value is 90 days.
- By default, the Key Cache expiry period feature is disabled.
What is the minimum value that can be configured for Key Cache expiry period?
One day.
Is the Key Cache feature configurable for both System and Users?
No. This feature is available only as a System-based policy.
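The following added example (not McAfee's code) models the Key Cache expiry behaviour described in this section: the 90-day default, the one-day minimum, the feature being off by default, the MA 4.8 Patch 1 requirement, and reloading on the next ePO contact. The KeyCache class, its method names, the integer day counters and the MA version tuples are assumptions.

```python
"""Model of the configurable Key Cache expiry behaviour described above.

Added example, not McAfee's code: the KeyCache class, its method names,
the integer day counters and the MA version tuples are assumptions.
"""

MIN_EXPIRY_DAYS = 1          # smallest value the policy accepts
DEFAULT_EXPIRY_DAYS = 90     # default period; the feature itself is off by default
MIN_MA_VERSION = (4, 8, 1)   # MA 4.8 Patch 1, assumed encoded as (major, minor, patch)


class KeyCache:
    """Tracks whether the locally cached keys are loaded on an FRP client.

    Time is modelled as an integer day counter (day 0, day 1, ...) so the
    logic can be exercised without a real clock.
    """

    def __init__(self, ma_version, last_epo_contact_day, enable_expiry=False,
                 expiry_days=DEFAULT_EXPIRY_DAYS):
        if expiry_days < MIN_EXPIRY_DAYS:
            raise ValueError("Key Cache expiry period must be at least 1 day")
        self.ma_version = ma_version
        self.last_epo_contact_day = last_epo_contact_day
        self.enable_expiry = enable_expiry
        self.expiry_days = expiry_days
        # Covers every key type at once: Regular, User Personal and User Local keys
        self.keys_loaded = True

    def expiry_applies(self):
        """Expiry needs the policy enabled and MA 4.8 Patch 1 or later;
        on older agents the cache is simply never unloaded."""
        return self.enable_expiry and self.ma_version >= MIN_MA_VERSION

    def check(self, today):
        """Unload the whole Key Cache once the client has been out of contact
        with ePO for the configured period. Returns True if keys are loaded."""
        if self.expiry_applies() and today - self.last_epo_contact_day >= self.expiry_days:
            self.keys_loaded = False
        return self.keys_loaded

    def on_epo_contact(self, today):
        """Successful communication with ePO reloads the unloaded keys."""
        self.last_epo_contact_day = today
        self.keys_loaded = True
        return self.keys_loaded

    def can_read_encrypted_file(self, today):
        """Any key-dependent operation (reading encrypted files, key-based
        recovery of USB media, onsite-only encryption) needs the cache loaded."""
        return self.check(today)


if __name__ == "__main__":
    cache = KeyCache((4, 8, 1), last_epo_contact_day=0, enable_expiry=True)
    print("day 30 :", cache.can_read_encrypted_file(30))    # True
    print("day 90 :", cache.can_read_encrypted_file(90))    # False, period elapsed
    cache.on_epo_contact(90)
    print("day 100:", cache.can_read_encrypted_file(100))   # True again
```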
Are large files (> 4 GB) now supported with 'Allow/Enforce Encryption with offsite access' options (formerly EERM)?
Yes. You can copy files larger than 4 GB to USB devices in a secure manner and access them on systems without having to install any Intel Security encryption software.
Why were files > 4 GB not supported previously with offsite access options?
A FAT 32 file system was used for the secure encrypted container, which places a maximum file size restriction of 4 GB.
How are files > 4 GB now supported?
Intel Security has made improvements to the existing FAT32 container implementation to support files of size > 4 GB.
What is the max file size supported now?
Theoretically, files of size up to 256 GB can be placed in the encrypted container.
Why not use a file system such as NTFS for the container?
NTFS is proprietary to Microsoft and is not natively supported on platforms such as OS X.
My device file format is NTFS - do I have to format the USB stick to FAT before using with the Removable Media Protection solution?
No. The base file format of the USB device can be either FAT or NTFS. Removable Media Protection solution creates a secure FAT32-based container on top of it.
Can files of size > 4 GB be read/copied even on systems without FRP installed (offsite access)?
Yes. This applies to both Windows and Mac OS X.
I have devices initialized with previous versions of FRP (EEFF) and I want to leverage the new functionality and be able to place files of size > 4 GB - how do I do it?
You do not need to format/reinitialize the USB sticks. With the new FRP policy option Allow large file support (> 4 GB) enabled, the container format is automatically updated to support large files on the first occasion that the older-format USB device is inserted into an FRP 4.3 client.
What happens to smaller devices in my environment (devices <= 4 GB in size)?
Those devices will continue to retain the old container format. Updating the container format does not serve any purpose in this case because you cannot copy files > 4 GB to these USB devices.
What if the device was initialized through the User Managed mode and the container size is < 4 GB?
The device continues to retain the old container format.
Is there an event generated for the container upgrade process?
Yes. An event is captured on the client and sent back to ePO for Audit and Reporting purposes. This event helps the administrator track upgrade trends and hot spots for remediation.
How much time does the container upgrade process take to complete?
The upgrade process takes only a few seconds to complete.
Do I have to move the data out of the device before the container upgrade process?
No. It is a seamless in-place upgrade process with zero user interaction requirements.
Is there any sort of user feedback during the container upgrade process?
Yes. You see a pop-up message advising you not to eject the device or perform any operations during the upgrade process.
Why do I sometimes see the upgrade message twice during the container upgrade process?
Sometimes you might have to resize the container in addition to changing its format. In this scenario, you are notified that the container upgrade procedure is a two-step process.
What happens when a device, initialized with a previous version, is inserted in a computer running FRP 4.3 and I have not selected the option to allow large file support (> 4 GB)?
The container format remains the same as before, and users are not able to copy files of size > 4 GB.
If I have not selected the option to allow large file support (> 4 GB), what about devices newly initialized with v4.3 - do they have the new container format or the older one?
Devices have the older container format, which will place the file size restriction of 4 GB.
If I do not select the policy option to allow large file support (> 4 GB), why do I still see an upgrade message?
The USB device is being upgraded to provision the Mac offsite application. If you select the Allow large file support (> 4 GB) option, the container upgrade and Mac offsite application provisioning occur simultaneously.
What happens if I have a mixture of FRP 4.3 and earlier versions of clients in my environment - can I read the USB devices having the new container format on computers running previous versions of FRP (EEFF)?
Computers running the previous versions of FRP (EEFF) do not have the capability to detect the new container format. Files on the encrypted device can be read on these computers using the offsite application, but this is not advisable.
What is the recommended approach for upgrading FRP clients in my environment?
Start upgrading clients to FRP 4.3, with the Allow large file support (> 4 GB) option disabled. After you have upgraded a critical number of clients to FRP v4.3, enable the new container format by enabling the policy option.
Is the 'Allow large file support (>4 GB)' option enabled by default?
For new installs, it is enabled by default. For upgrades, it is disabled.
What is McAfee Core Cryptographic Module (MCCM)?
MCCM is a cross-platform, cross-product, cryptographic module developed by Intel Security which will be utilized in upcoming releases of all Intel Security Endpoint Encryption products. MCCM provides performance benefits and, in particular, leverages Intel Advanced Encryption Standard Instructions (AES-NI), resulting in additional performance improvements on systems with AES-NI support.
Does FRP 4.3 leverage MCCM?
Yes. FRP uses both MCCM (user mode) and MCCM (kernel mode).
What is the current certification status of MCCM module?
The MCCM FIPS 140-2 cryptographic modules are now in Block 2 of the validation process. You can find the current status at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf.
Can I read encrypted USB sticks on Mac OS X?
Yes. Offsite support on Mac OS X clients is a new feature introduced in FRP 4.3. You can now access any encrypted device using the offsite access options (formerly known as EERM) on supported Mac OS X clients.
What OS X platforms are supported with this offsite application?
- OS X Yosemite 10.10.0 or later
- OS X Mavericks 10.9.0 or later
- OS X Mountain Lion 10.8.0 or later
Is the support on Mac OS X clients restricted to just reading the data on the encrypted USB device?
No. In addition to reading files on the device, you can also perform in-place edits and copy files to and from the encrypted USB device. In essence, all the operations that you can perform with the Windows offsite application you can also perform on Mac OS X client.
Can I perform the initial provisioning (secure container creation) on a Mac OS X computer?
The initial provisioning to create the secure container is a one-time activity and still must be performed on an ePO-managed Windows computer.
Do I have to install any software on the Mac OS X client to access the content on the encrypted USB devices?
No. The offsite access application for Mac OS X is carried on the encrypted USB device.
I have devices initialized with previous versions of FRP (EEFF) and I want to leverage this new functionality and be able to read these encrypted devices on Mac OS X - how do I do it?
You do not have to format or reinitialize the USB sticks in your environment because the devices are automatically provisioned with the Mac offsite application when the USB devices are inserted into an FRP 4.3 client. You see an upgrade message when the Mac offsite application is being provisioned on the device.
How do I access the content of the secure container on the USB device on a Mac OS X client?
The process is identical to that on Windows. You must type the password for the encrypted media and after successful authentication, you can view the contents of the secure container.
How do I copy files on a Mac to and from the encrypted container on the USB device?
You can perform the standard drag-and-drop operations. In addition, power users can use keyboard shortcuts.
Why don’t I see any context menu options from within the encrypted container on a Mac OS X client?
Context menu options are not available with the current version of the offsite application for Mac OS X.
NOTE: A context menu is a user interface that appears upon user interaction, such as a right-click mouse operation.
Can I recover a USB device on a Mac OS X client?
This version of the OS X client is primarily designed for offsite access of data. As a result, you must perform all password recovery/reset operations on a Windows system.
Can I change password credentials for the encrypted device on a Mac OS X client?
This version of the OS X client is primarily designed for offsite access of data. As a result, you must perform all password recovery/reset operations on a Windows system.
The base file format of my USB device is FAT and if I provision the container (encrypted the USB device) on a Windows computer, can I place files of size > 4 GB on the device?
Yes. A new FRP 4.3 feature allows you to copy files of size greater than 4 GB to the encrypted portion of the USB device. For more details about large file support, see the Large Files section above.
What cryptographic algorithms does FRP use?
FRP uses AES-256, with AES-NI hardware acceleration where the processor supports it.
Which FRP encryption rule takes precedence?
For example, if a File Extension Encryption policy is set to encrypt PDF files with Key A and a Folder Encryption policy is set to encrypt files in folder X with Key B, which key is used to encrypt a PDF file placed in folder X?
It is encrypted with Key B because Folder Encryption always overrides File Extension Encryption.
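As an added example (not McAfee's code), the following resolver applies the precedence rule above to a path; the policy tables and key_for_path() are assumptions, and it goes beyond the text by assuming that the deepest matching folder wins when Folder Encryption policies nest.

```python
"""Resolver for the encryption-rule precedence described above.

Added example, not McAfee's code: the sample policy tables and key_for_path()
are assumptions. Folder Encryption always overrides File Extension Encryption;
the "deepest folder wins" tie-break for nested folder policies is an
assumption made here, not a rule stated in the article.
"""
from pathlib import PureWindowsPath

# Constructed sample policies (not from the article)
FOLDER_POLICIES = {
    r"D:\Projects": "Key B",
    r"D:\Projects\Finance": "Key C",
}
EXTENSION_POLICIES = {".pdf": "Key A", ".docx": "Key A"}


def key_for_path(path, folder_policies=FOLDER_POLICIES, ext_policies=EXTENSION_POLICIES):
    """Return the key a new file at `path` would be encrypted with, or None.

    Folder policies are consulted first because they take precedence; the
    extension rule is only a fallback. Comparisons are case-insensitive,
    matching Windows path semantics.
    """
    p = PureWindowsPath(path)
    parents = {str(parent).lower() for parent in p.parents}
    matches = [(len(PureWindowsPath(folder).parts), key)
               for folder, key in folder_policies.items()
               if str(PureWindowsPath(folder)).lower() in parents]
    if matches:
        return max(matches)[1]   # deepest matching folder (assumption)
    return ext_policies.get(p.suffix.lower())


if __name__ == "__main__":
    for sample in (r"D:\Projects\report.pdf", r"D:\Projects\Finance\q1.pdf",
                   r"C:\Temp\notes.pdf", r"C:\Temp\notes.txt"):
        print(sample, "->", key_for_path(sample))
```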
Can I block a process?
Yes. The main purpose of blocking a process is to prevent encrypted data being unintentionally exposed in plain text; this feature is not designed to share encrypted data via, for example, web mail or the Internet. For FRP best practices, see PD25077.
Processes that are OK to block:
- FTP processes
- File-sharing processes
- File backup processes
Processes that are risky to block:
- Internet browser processes
- E-mail client processes
Processes that must never be blocked:
- Data compression applications like WinZip
- Windows Explorer
- Windows processes
- EEFF client processes
- Virus scanning processes or processes for other Intel Security products
Can I use a command line or script to decrypt a file that has been encrypted on a network share?
No. Decryption can only take place via the UI.
Can I read an FRP Removable Media-encrypted USB device on a Windows computer that does not have FRP?
Yes. This is a key point of using FRP Removable Media because it has an explorer application residing on the USB stick, which negates the need for any computer to have FRP Removable Media installed to authenticate and access the data within the FRP Removable Media container.
Can I decrypt the data encrypted on a Removable Media device on the fly?
No. First back up the data on the encrypted removable media device, then format the device to remove the encrypted container(s). To request enhancement of this feature in a future release of the product, you can submit a Product Enhancement Request (PER). To submit a PER, see the Related Information section.
NOTE: For Offsite Access, first you will need to authenticate the removable media device before following the steps above.
Is there a way to stop the password prompt for encrypted removable media devices on computers where the device was originally initialized?
No. To request enhancement of this feature in a future release of the product, you can submit a Product Enhancement Request (PER). To submit a PER, see the Related Information section.
Are files > 4 GB now supported with the 'Allow/Enforce Encryption with offsite access' options (formerly EERM)?
Yes. Support for large files is a new feature introduced in FRP 4.3. For more details about large file support, click here.
Can I make a flash drive bootable after installing FRP Removable Media?
Yes. When you use FRP Removable Media, there is both a private and public area. You can set up the flash drive as a bootable device if the files required to boot the system are in the public area and are not encrypted.
Can I use NTFS instead of FAT32 for the FRP Removable Media encrypted container?
No. There are no NTFS public driver implementations available for FRP Removable Media to create the FRP Removable Media encrypted container in NTFS. Additionally, you must install a driver on the host platform, which also requires local administrator permissions, which defeats the whole purpose of FRP Removable Media. Intel Security could use NTFS for the encrypted containers if we were allowed to install a driver or had some rights, but without this, it is impossible to install an NTFS file system. Instead, FRP Removable Media containers have to use FAT32.
NOTE: The file system of the USB device can be either FAT or NTFS, but the file system of the FRP Removable Media encrypted containers can only be FAT32. Thus, the storage area that is not assigned to be an encrypted container can be NTFS.
Can users stop the FRP Removable Media services to disable the encryption policy?
No. You can only disable the encryption policy via the FRP Removable Media policy at the ePO server.
Do I have to enable the Autorun option for the FRP Removable Media password/encryption prompt to be displayed?
Yes. However, even with Autorun disabled, you can still log into the FRP Removable Media drive by opening the drive and running the FRP Removable Media application.
Does FRP Removable Media install any software on the computer?
No. Nothing is installed on the local computer. MfeEERM.exe, which resides on the USB device, decrypts the encrypted container (.dsk). This is a stand-alone application that prompts you for a password before decrypting.
Can an encrypted FRP file be emailed (either inside or outside of the company)?
Yes. However, this might be constrained or prohibited by other IT or security policies that are applied by your company.
Do I have to take any manual actions to decrypt the file prior to emailing?
Encrypted files are automatically decrypted (provided the user has access to the right encryption key) when attaching to an email. When an email application sends a file, it does not send the mail via Windows file I/O and the FRP filter driver, so the mail and the attachment leave via a socket connection in plain text. In brief, encrypted files are attached in plain text when sent as email attachments.
NOTE: You can allow encrypted attachments with FRP in Windows Explorer by right-clicking the file to be attached and selecting one of the Attach Encrypted options:
Context Menu Option and Description:
- Attach encrypted to E-mail: Requires the FRP client to be installed to read the attachment. Therefore, use this for internal emailing.
- Attach as Self-Extractor to E-mail: Requires only the encryption password to open it. Therefore, use this for external emailing.
NOTE: Both these right-click options are subject to policy control. If used, a call is made to the default email application and an email opens with the encrypted attachment, based on what the user selected.
Can I block encrypted files from being attached in plain text?
Yes. Use the FRP Blocked processes feature.
NOTE: This renders encrypted files being attached as encrypted and, therefore, unreadable outside the organization. However, this is not the way to share encrypted attachments via email. Blocked Processes is just a method to prevent encrypted files from being accessed in plain text.
Are User Local Keys backed up on the ePO server similar to User Personal Keys?
No. The reason for User Local Keys is to keep them local.
Do User Local Keys move with the user if the user has two computers?
Yes. If you are using Roaming Profiles, or if you create the keys on a removable drive, the keys move with the user.
Which key applies when a policy encrypts a subfolder with a different key from its parent folder?
If you encrypt a sub-folder with a different key from its parent folder, you only require the key for the sub-folder to access the contents of that folder. Example scenario:
- A policy exists that encrypts Folder A in the path C:\FolderA with a specific key.
- A newer policy is created that encrypts Folder B in the path C:\FolderA\FolderB with a different key.
You only require the key for Folder B to access the contents of Folder B. Any other items in Folder A remain encrypted.
Should I delete or remove the User Local Keys created on the client?
No. These keys are not automatically deleted because they can be accessed again if you reinstall the FRP client. You can only manually delete User Local Keys.
Does FRP encrypt the file or folder with a symmetric or an asymmetric key?
Symmetric.
Can I share FRP encryption keys between ePO servers?
No. The only way to share the keys between the ePO servers is to export the keys from one ePO server and import them to another.
If a user has multiple USB drives, do the drives share the same recovery key, whether used on the same computer or on different computers?
Yes. Multiple USB drives share the same recovery key on multiple computers.
IMPORTANT: If you are using two USB devices on two different computers, you can have a different recovery key if the FRP administrator has set a different recovery key for different computers.
When users receive a new computer, will the Recovery Key option still work on an existing Encrypted USB drive that was initialized and encrypted on the retired computer?
Yes. However, the user should ensure that the recovery key is pushed to the new computer from ePO.
Are machine-based policies manageable via an Active Directory (AD) Group Membership and/or Organization Unit affiliation?
You can manage user-based policies via AD Group Membership.
Can I manage a CD/DVD encryption policy as a user-based policy instead of machine-based policy?
Yes. You can manage CD/DVD encryption policy as a user-based policy.
Can I apply multiple policies to a user account and if so, how does policy precedence work?
There are two ways in which a user account can have multiple policies:
- If no Policy Assignment Rule is set for the user account (for the required policy), the user gets the policies applied to the computer they are logged in to. For example, if a user logs into Computer1, they would get the Explicit Encryption context menu option if it has been enabled in the Computer1 FRP General Policy. If the same user logs into Computer2, they might not have the Explicit Encryption context menu option, because it might have been disabled in the Computer2 FRP General Policy.
- If a Policy Assignment Rule has been set for the user account, then the precedence is determined according to the priority set for the Policy Assignment Rules.
When a user with FRP Removable Media chooses to encrypt a USB Drive, is an event sent back to ePO showing the encryption status of the media and the system/username that did the encryption?
The following end user decisions are captured, and events sent to ePO:
- Removable Media Device Insert Event - triggered whenever any removable media device is inserted
- Removable Media User Response Event - triggered whenever a user makes a YES/NO decision to initialize/create an encrypted container on the removable media device
- Removable Media Start Event - triggered when a user selects Initialize/Cancel in the EERM initialization window
- Removable Media Initialization End Event - triggered when the initialization process ends
- Removable Media Device Ejection Event - generated whenever a removable media device is ejected from the client computer
The following information may be captured when events for FRP Removable Media are generated:
- Event ID (Event Description)
- System Information
- User Info (DomainName\UserName)
- Time Stamp
- Agent GUID
- Initialization:
  - Initialization State (FAILED, CANCELLED, SUCCESSFUL)
  - Backup State (NONE, FAILED, CANCELLED, SUCCESSFUL)
  - Time taken for initialization
  - Time taken for backup
  - Backup Size
  - Size of protected part (valid only when initialization has completed successfully)
  - User Response {ACCEPTED, REJECTED (when the user selects Yes/No at the EERM initialization prompt)}
- Device Information:
  - Size (BYTES)
  - File System of device (FAT, NTFS, or EERM in the case of EERM-protected devices)
  - Vendor Name
  - Product Name
  - Exempted (YES, NO, UNKNOWN)
  - Protected (only EERM-protected devices are considered protected) (YES, NO, UNKNOWN)
NOTE: Only relevant information is captured in each event. For example, Device Insert Event will not contain Initialization State field.
Yes. The events are currently restricted to the FRP Removable Media functionality. To request enhancement of this feature in a future release of the product, you can submit a Product Enhancement Request (PER). To submit a PER, see the Related Information section.
Can I purge events related to FRP Removable Media?
Yes. The administrator can purge events based on age by choosing the Purge Client Events action after running any of the FRP Removable Media queries. Events can be purged by days, weeks, months, or years.
Where do I find FRP Removable Media queries/reports on ePO?
These are located under the ePO Queries & Reports, Shared Groups section.
The following are available:
- Protection Status: Removable Media - displays the Protection Status of Removable Media in the company’s environment, and lists the latest status (event) specific to each removable media device.
- Removable Media Device Events - lists all events related to removable media.
The Protection Status query is a canned query that reports on device compliance in the company (how many removable media devices are in a protected state and how many are not).
Can I run custom queries on the generated FRP Removable Media queries/reports on ePO?
Yes. You can use the ePO infrastructure to run custom queries (for example, Device Tracking, User Tracking, and so on). The Removable Media Device Events query/report exposes the entire database of events related to FRP Removable Media and can be used for this purpose.
Are there any audit logs which capture (FRP-related) ePO administrator actions?
ePO administrator actions are captured in ePO Audit logs. Actions related to FRP Role Creations, Key Management, and Policy Assignment are logged.
Where do I find these audit logs on ePO?
The logs are located in the ePO console under Menu, User Management, Audit Log.
What is the purpose of the Self-Extractor?
To share encrypted data with users who do not have FRP installed on their computers. For example, if you want to hand over the input material for your financial statements to a third party.
What algorithm is used when creating an FRP Self-Extractor file?
If you select Save to disk, the Self-Extractor is saved to the user-specified location (for example, to a USB flash memory drive). When you are prompted for the password used to encrypt the Self-Extractor, the encryption key is derived from that password according to PKCS#5 (Password-Based Cryptography Standard), and the derived key is then used to encrypt the Self-Extractor. The encryption used is the AES-256 algorithm.
What is the largest recommended input data size when creating a self-extractor file?
The recommended upper input data size is 10 MB because it is optimized for email attachments. You might be able to use a larger input data size, but Intel Security does not recommend this. Any issues found when using larger files are not supported.
Does FRP provide a file compression option?
No. FRP does not compress files that are encrypted with regular encryption. Compression is only performed on FRP self-extracting files.
Can an FRP Self-Extractor file be read by a Mac OS?
No. The FRP Self-Extractor creates a Windows executable. To request enhancement of this feature in a future version of the product, you can submit a Product Enhancement Request (PER). To submit a PER, see the Related Information section.
What is Encryption for CD/DVD/ISO Media?
This is an additional option available to encrypt and share information on optical media (CD/DVDs) and ISO container files. The advantage of this option is that it provides the capability to read encrypted optical media on systems without any Intel Security encryption software installed.
What is the main benefit of the CD/DVD/ISO Media feature?
It enables you to share information with third parties (partners, customers, and so on) who might not have FRP Removable Media technology deployed to read the encrypted content. Customers can share large amounts of data securely with partners/customers via low cost optical media (CD/DVDs) or ISO files. This feature also allows you to force users to burn CD/DVDs using this option, ensuring that all CD/DVDs burned on that system are encrypted.
Is the CD/DVD/ISO Media feature similar to the currently available FRP Removable Media capability for USB devices?
Yes. FRP Removable Media functionality for Removable Media USB devices has been extended to CD/DVDs and ISO files, although the Write Once nature of optical media means that you have to define the data to be protected before you complete the process.
If I choose to create an encrypted CD/DVD/ISO, is an event sent back to ePO showing the encryption status of the media and the system/user name that initiated the encryption?
Yes. The following user decisions are captured and events are sent to ePO:
- CD/DVD/ISO Initialization Start Event - generated at the start of creation of an encrypted CD/DVD/ISO
- CD/DVD/ISO Initialization End Event - generated when creation of an encrypted CD/DVD/ISO ends (through successful completion, a terminal error, or user cancellation)
- CD/DVD/ISO Insertion Event - generated on inserting a CD or other optical disk (whether or not it is a protected disk), or mounting of an ISO onto a volume (drive letter)
- CD/DVD/ISO Ejection Event - generated on ejecting a CD or other optical disk (or dismounting an ISO from its volume)
NOTE: CD/DVD/ISO Initialization Start Event and CD/DVD/ISO Initialization End Event are related to Allow/Enforce Encryption with offsite access Protection level (formerly known as Encryption for CD/DVD/ISO).
Does the CD/DVD/ISO feature require burning software?
This feature uses the native Windows API (Microsoft Windows Image Mastering API v2.0) to burn a CD/DVD. This is available by default on Windows Vista and later, but for Windows XP SP3, you must download the API. For details, see KB77267.
Does CD/DVD/ISO provide an option to use other burning software (Nero, Roxio) to burn CD/DVDs?
No. The feature uses the native Windows API and does not support other burning software.
Is multi-session burning of CD/DVDs supported with this CD/DVD/ISO feature?
No. Currently the feature is limited to single session burning only.
Is there a limit to the size of encrypted ISO files when using the CD/DVD/ISO feature?
Yes. Currently this is limited to the capacity of DVD-DL media, although Windows XP SP3 only supports media up to DVD-SL.
What is the maximum file size supported by the CD/DVD/ISO feature?
Because this feature utilizes the FAT32 file system to manage the encrypted files, the maximum file size is 4 GB. This is a limitation of FAT32.
Can I force users to burn CD/DVDs or can I block CD/DVD write operations?
Yes. In the CD/DVD encryption policy, select the option Encryption for CD/DVD/ISO and also check the sub-option Disable normal CD/DVD write operations.
Can I create password protected encrypted ISO files using the CD/DVD/ISO feature and burn them or share the ISO later?
Yes. During the creation process there is an option to either burn the data on a CD/DVD or just create an encrypted ISO image.
Can I read the encrypted ISO image on a computer without FRP software?
Yes.
What is the authentication mechanism for accessing the encrypted CD/DVD/ISO?
Password-based authentication is currently supported to unlock the encrypted CD/DVD/ISO.
Can I configure the password complexity rules for this CD/DVD/ISO feature?
Yes. This is achieved via the Password Policy Rules page in ePO. The administrator can configure the following minimum values:
- Password length
- Number of uppercase characters
- Number of lowercase characters
- Number of alphabetical characters
- Number of numeric characters
- Number of special characters
Can I assign a CD/DVD encryption policy to a user instead of a computer?
Yes. CD/DVD encryption policy can also be managed as a user-based policy.
Does the CD/DVD/ISO feature only work with files and folders located on my local client?
No. You can include files and folders from any location accessible via the Windows file browser, including network locations. However, any files that are not accessible at the time the media is written are omitted.
What is the temporary location for the encrypted container that holds the selected data to be burned to CD/DVD or streamed out as an ISO image?
The Windows API is used to return the temporary path, in which FRP then creates a sub-folder. For Windows 7 and later, the temporary path by default is C:\ProgramData. You can reconfigure this path from within Windows.
Do I have to select the files and folders to be written to CD/DVD/ISO each time?
No. The feature allows the user to define and save a project file (.emo extension) that contains metadata about the source location(s) and content. If changes have been made to the source structure or content since the project was last saved, the changes are highlighted by the tool.
What if I want to use this CD/DVD/ISO project file to back up the same source content on a periodic basis?
The project file saves metadata about the source folders and content. You can set up a project file to capture the files and folders to be included in the backup. You can then open the project file and use it to define the content to be archived to CD/DVD/ISO.
Does the structure on the CD/DVD/ISO have to be the same as in the source location?
No. The project file provides a mapping between the source files and folders and the structure used in the CD/DVD/ISO image. You can move, rename, and create folders within the project file, and you can move and rename files. The structure created on the CD/DVD/ISO reflects the structure defined.
What are the supported VDI modes that FRP 4.3 supports?
FRP 4.3 offers support for the following selected modes of Citrix XenDesktop:
- For Citrix XenDesktop 5.6: Existing and Physical Modes
- For Citrix XenDesktop 7.1: Remote PC Access option (Existing VMs and Physical Machines) under Operating System and Hardware (Create Machine Catalog)
I have a VDI environment which is not covered in the above list - how do I request support for it?
If you require support for additional platforms in a VDI environment, submit a Product Enhancement Request (PER). For details on how to log a PER, see the Related Information section. Support for additional versions/platforms of VDI environments will be considered for future releases.
Why is there a minimum requirement of McAfee Agent (MA) of 4.8 Patch 1 for leveraging support for Citrix XenDesktop with FRP 4.3?
MA supports user-based policies in a VDI environment starting with MA 4.8 Patch 1. Therefore, MA 4.8 Patch 1 is the minimum version of MA required for use with FRP in a Citrix XenDesktop environment.
Is the support for selected modes for Citrix XenDesktop 5.6 and 7.1 with FRP 4.3 applicable to the entire product functionality?
Yes. File/folder encryption and also the Removable Media Encryption functionality are supported in a VDI environment.
Is there anything different that I have to do if I provision FRP in a Citrix XenDesktop environment?
No. The workflow remains the same.
Where can I find the latest information on support for VDI environments?
See KB81478.
Is it possible for an internal forensics team to be able to retrieve data from an encrypted media when needed?
Yes, when using the On-site access encryption option with the keys stored in ePO (Centrally Managed or User Personal).
Related Information
To register as a new user, click McAfee Customers Register Here at the top of the page. For additional information, see KB60021.
Affected Products
File and Removable Media Protection 4.3.x