Installation Guide for ePolicy Orchestrator 4.5
COPYRIGHT
Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
Introduction
  Components and their relationships
  Getting started
Pre-Installation
  System requirements
  Configuring the server
  Installing ePolicy Orchestrator 4.5
  WCF installation
    Installing the DLP WCF service
  Troubleshooting the DLP WCF service
Post-Installation
  Initializing the Host DLP Policy Manager
  Upgrading the license
  Applying the policy
  Initializing the Host DLP Monitor
  Checking in the DLP Agent package to ePolicy Orchestrator
  Deploying the DLP Agent
    Defining a default rule
    Deploying the DLP Agent in ePolicy Orchestrator
    Verifying the installation
Introduction
This guide provides the necessary information for installing McAfee Host Data Loss Prevention software version 9.0. It provides detailed steps and verification of the installation process. This guide demonstrates how to configure the recommended architecture, and when completed the user will have a fully functional McAfee Host Data Loss Prevention implementation that is properly configured.
McAfee recognizes that many configuration possibilities exist and that McAfee Host Data Loss Prevention is very flexible in meeting a variety of implementation architectures. The recommended architecture represents only one path.
Contents
  Components and their relationships
  Getting started
The DLPWCF Service can be installed on a separate server from the ePO database.
Figure 1: McAfee Host Data Loss Prevention components and relationships
Figure 1 depicts the elements that comprise McAfee Host Data Loss Prevention and the communication patterns among the elements. The recommended architecture includes:
ePO server: Hosts the embedded user interfaces (Host DLP Monitor and Host DLP Policy Manager) and communicates with the McAfee Agents.
ePO Reports: A list of Host DLP Events within the ePolicy Orchestrator reporting service replaces DLP Reports.
DLP WCF (Windows Communication Foundation) Service: Communicates between ePolicy Orchestrator and the Host DLP Policy Manager to distribute policies, and with the Host DLP Monitor to display events.
ePO Event Parser: Communicates with the McAfee Agent and stores event information in a database.
DLP Event Parser: Collects Host DLP events from the ePO Event Parser and stores them in DLP tables in the SQL database.
ePO database: Communicates with the ePO Policy Distributor to distribute policies, and with the DLP Event Parser to collect events and evidence.
Administrator workstation: Accesses ePolicy Orchestrator, the Host DLP Monitor, and Host DLP Policy Manager in a browser through the DLP WCF Service.
Client workstation: Applies the security policies using the following software:
  DLP Agent: Provides the DLP processes. In McAfee Host Data Loss Prevention software version 9.0 the DLP Agent communicates exclusively with the ePO Agent.
  McAfee Agent: Provides the communication channel between the ePolicy Orchestrator server and the DLP Agent.
Backward compatible installation
To allow an orderly upgrade in large enterprises that have deployed previous versions of the DLP Agent in their production environment, an option exists to deploy backward compatible policies to computers still running the older agents. DLP Agent 2.2 Patch 2 is the earliest version supported by this feature. Enterprises running earlier versions must upgrade to DLP Agent 2.2 Patch 2 or later before upgrading to DLP Agent 9.x.
McAfee Host Data Loss Prevention software version 9.0 utilizes a standardized XML policy format. The new format is more intuitive, and facilitates integration with other ePolicy Orchestrator applications. As a result, the backward compatibility option that allows communication with both old and new agents now has two levels: DLP Agent 3.0 or later, and DLP 2.2 Patch 2 or later. Compatibility with version 3.0 DLP Agents uses the standard installation. The agent compatibility option is selected during the policy manager initialization.
For enterprises upgrading from DLP 2.2 Patch 2, old events in the Host DLP database are converted to tables in the ePO database. The installation for backward compatibility contains elements of both version 2.x and version 3.x. In particular, the DLP Event Collector is installed to collect events from the version 2.x DLP Agents. This means that the two-server system recommended in McAfee Host Data Loss Prevention version 2.x is maintained during the transition phase. The backward-compatible architecture is as follows:
Figure 2: McAfee Host Data Loss Prevention components with backward compatibility
Getting started
Classifying corporate information into different data loss prevention categories is a key step in deploying and administering McAfee Host Data Loss Prevention software. While guidelines and best practices exist, the ideal schema is dependent on your enterprise goals and needs, and is unique for each installation. For this reason, McAfee recommends initial deployment to a sample group of 15 to 20 users for a trial period of about a month. During this trial, no data is classified, and a policy is created to monitor, not block, transactions. The monitoring data helps the security officers make good decisions about where and how to classify corporate data. The policies created from this information should be tested on a larger test group (or, in the case of very large companies, on a series of successively larger groups) before being deployed to the entire enterprise.
McAfee Device Control vs McAfee Host Data Loss Prevention
McAfee Device Control prevents unauthorized use of removable media devices. McAfee Host Data Loss Prevention gives you a fuller set of tools to inspect enterprise users' actions concerning sensitive content anywhere on their computers. The following table compares the features.
Feature Applications Enterprise Applications List Database Administration Database Administration Database Statistics Content Based Definitions Dictionaries Registered Documents Repositories Text Patterns Definitions Application Definitions Document Properties Email Destinations File Extension Definitions File Server Definitions Network Definitions Printer Definitions Tags and Categories Yes Yes No Yes No No No Yes Content categories and groups only Web Destinations Whitelist Repository Device Management Device Classes Device Definitions Device Rules Whitelisted Applications Policy Assignment User Assignment Groups Privileged Users RM and Encryption Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes Yes Content categories, tags, and groups Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes McAfee Device Control McAfee Host Data Loss Prevention
Feature RM Servers RM Policies Encryption Keys Rules Classification Rules Discovery Rules Protection Rules
Yes Yes Yes Application File Access Protection Clipboard Protection Email Destinations Protection File System Protection Network Communication Protection PDF/Imagewriter Protection Printing Protection Removable Storage Protection Screen Capture Protection Web Post Protection
Tagging Rules
No
Yes
Pre-Installation
This section contains information on required Microsoft system components, and ePolicy Orchestrator installation requirements. Review this section completely before installing McAfee Host Data Loss Prevention software version 9.0.
Contents
  System requirements
  Configuring the server
  Installing ePolicy Orchestrator 4.5
  WCF installation
System requirements
Hardware requirements
The following hardware is recommended for running McAfee Host Data Loss Prevention software version 9.0.
Hardware type: Servers
  CPU: Intel Pentium IV 2.8GHz or higher.
  RAM: 512 MB minimum for McAfee Device Control only (1 GB recommended). 1 GB minimum for full McAfee Host Data Loss Prevention (2 GB recommended).
  Hard Disk: 80GB minimum.
Hardware type: Agent workstations
  CPU: Pentium III 1GHz or higher.
  RAM: 256 MB minimum for McAfee Device Control (1 GB recommended). 512 MB minimum for full McAfee Host Data Loss Prevention (1 GB recommended).
Hardware type: Network
  100 Mbit LAN serving all workstations and the ePO server. Agents must be able to access port 8731 on the server running the WCF Service. Administrators running the Event Monitor must be able to access TCP port 8731 on the server running the WCF Service.
Software
Microsoft Windows
  Microsoft Windows 2003 Enterprise (EE) SP1 or later
  Microsoft Windows 2008 Server Standard
NOTE: For installation in ePolicy Orchestrator 4.5, SP2 or later and Microsoft Internet Explorer 7 or later are required. These are requirements for ePolicy Orchestrator, not McAfee Host Data Loss Prevention.
Agent workstations
  Microsoft Windows 2000 SP 4 or later
  Microsoft Windows XP Professional SP1 or later (32-bit only)
  Microsoft Windows Vista SP1 or later (32-bit only)
  Microsoft Windows 7 (32-bit only)
The user installing McAfee Host Data Loss Prevention software version 9.0 on the servers must be a member of the local administrator group.
Because McAfee Host Data Loss Prevention software version 9.0 requires .NET 3.5, Windows 2000 server is no longer supported.
Server software requirements
The following software is required on the server running Host DLP Policy Manager and Monitor:
Software McAfee ePolicy Orchestrator McAfee Agent
Version 4.5 4.0 Patch 1 or later download the HDLP 9.0 Help extension. 3.5 (Patch 1 recommended) NOTE: All agent handlers on remote servers require the .NET Framework.
The McAfee Host Data Loss Prevention software version 9.0 package includes the following:
  DLP Agent
  DLP Windows Communication Foundation (DLPWCF)
  DLP Migration Tool (used to import events from the version 2.2 database to the 9.0 database)
  DLP Extension (contains the components installed through ePolicy Orchestrator)
Task
1 Install Microsoft Windows 2003 SE SP1 with the role of file server (configured on the Server Role page of the Configure Your Server wizard.)
2 Install Windows Installer 3.0 and restart the system.
3 Install the Microsoft Windows 2003 service packs. Run Windows Update and install all updates.
4 Disable Microsoft Internet Explorer's Enhanced Security Configuration Window Component using the Windows Control Panel Add/Remove Windows Components option.
NOTE: This Microsoft product can hinder proper installation of Host DLP components. Disable it before installation, then reconfigure it after installation if it is required.
5 Install Microsoft .NET Framework 3.5 SP1.
6 Set the server to a static IP address.
NOTE: McAfee recommends using a subnet separate from your company's production network for initial testing. If you are setting up a production environment, set the server's static IP address within that range.
HTTP Configuration
During the installation, you might see a warning about trusted sites. Write down the recommended additions to the Microsoft Internet Explorer trusted sites list before clicking OK. You will need to add them later.
WCF installation
There are two basic options for installing the Windows Communication Foundation (WCF) service: on the same server as the ePO (SQL) database (local installation) or on a separate server (remote installation). Whether ePolicy Orchestrator is installed together with its database or on a separate server is not relevant to this discussion; only the relative locations of WCF and the database matter.
Figure 3: WCF installation options
Web access authorized groups
When installing the WCF service, you are asked to specify the Web Access Authorized Groups (WAAG). McAfee recommends setting up a group or groups in Windows Active Directory with the names of users authorized to log on to the database. When the HDLP Policy Manager attempts to connect to WCF, it impersonates the logged on user. After the user name is authenticated, WCF checks to see if the user is a member of the WAAG before connecting to the database.
Option 1: Installing WCF locally
When installing WCF on the same server as the ePO database, you can use Windows authentication or SQL authentication. The option is selected on the WCF service installation wizard. The selected authentication applies only to the connection between WCF and the database. The connection between the administration workstation and WCF always uses Windows authentication. If you have selected Windows authentication, and the logged on user is a member of the WAAG, connection to the database proceeds without further checking. The user must be defined in the SQL database. See Adding a user in SQL Server.
Option 2: Installing WCF remotely
When installing WCF on a separate server from the ePO database, you can now use Windows authentication or SQL authentication. The former limitation to only SQL authentication has been eliminated. The description of the connection details is the same as in local installation.
In the Object Explorer, right-click the database name and select Properties.
On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode, according to which type of authentication you want to use.
Navigate to Security | Logins. Right-click in the Logins page, and select New Login.
On the General page of the Login Properties dialog box, select SQL Server authentication or Windows authentication and type a login name. Set the default database to ePO4_SERVER. Enforcing a password policy is optional.
On the User Mapping page of the Login Properties dialog box, in the Users mapped to this login section, select ePO4_SERVER and verify that the new login user is listed under User. Click OK. Navigate to Databases | ePO4_SERVER | Security | Users. Double-click the login user name.
8 On the Securables page, click Add. Select Specific objects, and click OK.
9 In the Select Objects dialog box, click Object Types and select Databases. Click OK.
This change in the installer fixes the problem of installing the DLP WCF Service on a remote server using Windows authentication. You can now use either form of authentication for local or remote installations. Named users must be defined in the SQL database.
4 Click Finish to complete the installation.
Installing or Upgrading McAfee Host Data Loss Prevention First-time installation issues
Roles and permissions
Consider the administrator roles you need to manage the system, and create the necessary user profiles. Roles such as Host DLP administrators, policy makers, monitor viewers, manual taggers, and others may be necessary, depending on the size of the system and how centralized you want control to be. The system can be modified at any time, so the list does not have to be comprehensive.
10 In the Allow column, select Create Files/Write Data and Create Folders/Append Data. Verify that the Apply onto option says This folder, subfolders and files, then click OK. The Advanced Security Settings dialog box now includes Domain Computers.
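A check for the permissions set in the step above, as an added example that is not part of the McAfee guide: it reads the folder's ACL and reports whether the Domain Computers entry grants exactly Create Files/Write Data and Create Folders/Append Data on this folder, subfolders and files. The folder path and the domain name are placeholders, and Test-ShareAce is a helper name chosen for this example.

```powershell
# Added example, not from the McAfee guide: audit the ACL described in the step above.
# $Path and $Group are placeholders; substitute your own folder and domain.
param(
    [string]$Path  = '\\server.example\share\folder',
    [string]$Group = 'EXAMPLE\Domain Computers'
)

$ErrorActionPreference = 'Stop'
$rightsType = [System.Security.AccessControl.FileSystemRights]

# The two boxes ticked in the Allow column. These names share bits with their
# folder/file twins: CreateFiles = WriteData, AppendData = CreateDirectories.
$expected = [int]($rightsType::CreateFiles -bor $rightsType::AppendData)

# Synchronize may be present on Allow entries; it is not part of the grant being checked.
$ignored = [int]$rightsType::Synchronize

# Hypothetical helper: compares one access rule with the expected grant.
function Test-ShareAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)

    $mask    = [int]$Ace.FileSystemRights -band (-bnot $ignored)
    $extra   = $mask -band (-bnot $expected)      # rights granted beyond the two expected
    $missing = $expected -band (-bnot $mask)      # expected rights that are absent

    # "This folder, subfolders and files" = both inherit flags, no propagation flags.
    $scopeOk = ($Ace.InheritanceFlags -eq 'ContainerInherit, ObjectInherit') -and
               ($Ace.PropagationFlags -eq 'None')

    [pscustomobject]@{
        Identity      = $Ace.IdentityReference.Value
        Inherited     = $Ace.IsInherited
        ExtraRights   = [Enum]::ToObject($rightsType, $extra).ToString()
        MissingRights = [Enum]::ToObject($rightsType, $missing).ToString()
        ScopeOk       = $scopeOk
        Compliant     = ($extra -eq 0) -and ($missing -eq 0) -and $scopeOk
    }
}

# Collect every Allow entry for the group, explicit or inherited.
$aces = (Get-Acl -LiteralPath $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Group
}

if (-not $aces) {
    Write-Warning "No Allow entry for '$Group' on '$Path'."
    return
}

$results = foreach ($ace in $aces) { Test-ShareAce -Ace $ace }
$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning "Entry for '$Group' differs from the two Allow rights set in the step above."
}
```

An ExtraRights value other than 0 means the entry grants more than the two Allow rights from the step, for example read or delete access to files that other computers wrote.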
Installing or Upgrading McAfee Host Data Loss Prevention Installing the McAfee Host Data Loss Prevention extension
Task
1 In ePolicy Orchestrator, click Menu | Software | Extensions, then click Install Extension.
2 Browse to and select the policy manager zip file (..\HDLP_9_0_0_xxx.zip). Click Open, then OK. The installation dialog box displays the file parameters to verify that you are installing the correct extension.
3 Click OK. The extension is installed. The following applications are installed:
  Host DLP Policy Manager (in ePolicy Orchestrator | Data Protection)
  Host DLP Event Monitor (in ePolicy Orchestrator | Data Protection)
  DLP Event Parser
4 Click Install Extension again, browse to and select the Help zip file (...help_dlp_900.zip). Click Open, then OK.
NOTE: This file contains the HDLP extension to the ePO Help system.
5 Click OK.
Upgrading issues
Upgrade installation is similar to first-time installation, but the following points must be considered.
Backward compatibility
The Host DLP Policy Manager version 9.0 initialization has a backward compatibility option that, when selected, allows communication with both old and new agents. Backward compatibility can be set to Version 3.0 and later or Version 2.2 Patch 2 and later.
Unsupported items
If the policy contains any of the following when backward compatibility mode is selected, the policy will fail to be applied to ePolicy Orchestrator.
Items unsupported in McAfee Host Data Loss Prevention 3.0 and above backward compatibility mode:
  An application file access, email, file system, removable storage, or web post protection rule contains a document property definition.
  A discovery rule contains a document property definition with unsupported properties. Version 3.0 only supports the Date Created and Date Modified properties.
  An email or web post protection rule, or a discovery rule, contains an Adobe RM encryption definition.
  A discovery rule contains an Apply RM Policy action.
  Removable storage file access rules are enabled.
  Hit-highlighting is selected on the Evidence tab in the Agent Configuration.
Queries and computer assignments
Queries and Dashboards are saved when you upgrade McAfee Host Data Loss Prevention, as long as you use the recommended procedure. If you remove the existing Data Loss Prevention extension before installing the new one, all queries and Dashboards are lost.
To customize a sample query, McAfee recommends using the Duplicate option, to rename the query before changing it. To use the new sample queries in My Queries in a Dashboard, use the Make Public option. If a public query exists with the same name, remove or rename the public query first. ePolicy Orchestrator requires all query names to be unique.
The first time you install McAfee Host Data Loss Prevention in ePolicy Orchestrator, the sample queries are installed as Public Queries. To view this, go to Reporting | Queries, and scroll down the queries on the left side of the screen. When you upgrade Host DLP, ePolicy Orchestrator notices that the names of the sample queries are already used, and installs the samples in My Queries instead. However, to use a query in a Dashboard, it must be a public query.
Post-Installation
Several steps are needed to complete the McAfee Host Data Loss Prevention software installation. You must configure the Host DLP Policy Manager and Monitor, install an agent, deploy a test policy, and verify the installation.
Contents
  Initializing the Host DLP Policy Manager
  Upgrading the license
  Applying the policy
  Initializing the Host DLP Monitor
  Checking in the DLP Agent package to ePolicy Orchestrator
  Deploying the DLP Agent
When the Host DLP Policy Manager First Time Initialization wizard appears, complete the following steps:
Step 1 of 8
Page: Welcome
Action: Click Next.
Step 2 of 8
Page: General configuration
Action:
  By default, the discovery crawler places sensitive files in quarantine. Though McAfee does not recommend it, you can delete these files instead by selecting the Support discovery delete option. This option is not available until you update to full McAfee Host Data Loss Prevention.
  For troubleshooting, when you need to review an easily readable version of the policy, select Generate verbose policy.
  For most installations, McAfee recommends leaving these checkboxes unselected.
  In very large organizations where the roll-out of DLP Agent 9.0 is staged over time, earlier versions of the DLP Agent need to coexist. Select the appropriate Backward compatibility mode:
    No compatibility (all agents are version 9.0)
    DLP Agent 3.0 and later
    DLP Agent 2.2 patch 2 and later
  In very large organizations where search times could be excessive, select Restrict AD searches to default domain.
  Deselect Deploy policy to reporting database if you want to prevent deploying the policy to the DLP tables in the ePO database. This option does not require WCF being installed on the server, but might result in the DLP Monitor not working as expected.
  Configure the Policy Manager WCF service path. For the standard installation, accept the default. Click Test Connection to verify.
  Click Next.
Step 3 of 8
Page: Configure the manual tagging authorization list
Action: Type user names, or click Add to search for user names (optional). Click Next.
NOTE: McAfee recommends creating a role-based group in Active Directory, such as DLP Manual Tagging Users, and using the group when configuring Access Control.
Step 4 of 8
Page: Configure the agent key password
Action: Type a password and confirmation (required). If you don't want Agent override key generation events reported to the database, deselect the checkbox. See the McAfee Host Data Loss Prevention Product Guide for more information on Agent bypass. Click Next.
Step 5 of 8
Page: Whitelist configuration
Action: Browse to the Whitelist storage share, then click Next. The UNC whitelist path is required to apply the policy to ePolicy Orchestrator. Size limits are displayed, but cannot be changed in the Initialization wizard.
Step 6 of 8
Action: Modify the default Agent notification messages (optional). Select each event type in turn, and type the message in the text box. Click Next.
Step 7 of 8
Page: Event collector and replication servers configuration
Action: Browse to the Evidence storage share and click Next. The evidence storage path is required to apply the policy to ePolicy Orchestrator. Set the required Evidence Replication option. See the Readme: New Features for more information. Click Next.
Step 8 of 8
Page: Configuration completed
Action: Click Finish.
The Initialization Wizard dialog box appears with the message, Apply McAfee DLP initial configuration? If you have not skipped any required steps, you can click Yes and apply the initial policy. If you have skipped required steps, click No to complete the initialization.
NOTE: A password is required to complete initialization. The other steps indicated as required are necessary to complete the policy. They can be skipped during initialization and completed at a later time. If you did not apply the policy, select File | Save to save the policy to a file.
10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.
If you are upgrading from a previous version of McAfee Host Data Loss Prevention, and have backed up the policy, open the saved policy and run the conversion wizard before applying the policy.
NOTE: If the old policy is from full McAfee Host Data Loss Prevention, you must upgrade the default license before proceeding.
Task
1 Click Yes to apply the policy. The Applying to ePO window appears.
Figure 6: Verifying the application to ePolicy Orchestrator
2 Click Close when the task is complete.
For a standard installation, accept the default. For a backward-compatible installation, type the WCF service address in the dialog box, then click OK. The Host DLP Monitor opens.
10 After the DLP Agent has been deployed, restart the agent computers.
Appendix I Deploying McAfee Host Data Loss Prevention with SMS Creating the advertisement
In the Command Line text box, type the DLP command line executable, for example: msiexec /I DLPAgentInstall.msi /qn /forcerestart. NOTE: McAfee recommends restarting the managed computer after DLP Agent package installation. To enable this option use the /forcerestart parameter. To enable the installation log use /log <LogFile>.
10 On the Environment tab select Whether or not a user is logged on from the Program can run drop-down menu. Click OK. NOTE: Verify that Run with Administrative Rights is selected. McAfee Host Data Loss Prevention setup requires administrative rights to complete installation successfully.
Appendix I Deploying McAfee Host Data Loss Prevention with SMS Creating the SMS uninstall package
In the Command Line text box, type the DLP command line executable, for example:
msiexec /x DLPAgentInstall.msi /qn /forcerestart
10 On the Environment tab select Whether or not a user is logged on from the Program can run drop-down menu. Click OK.
Appendix II Users and permission sets Creating and defining permission sets
Figure 8: Editing a permission set for HDLP
NOTE: To turn off the sensitive data redaction feature, select User can view DLP Monitor in the monitor section.
Option: User can only generate Agent Override, Agent Uninstall, and Agent Quarantine Release keys.
Definition: User administrator role is limited to override, uninstall, and release keys.
Option: User can only view policies.
Definition: User can review but not edit policies.
Option: User can view and save policies.
Definition: User has full policy administrator permissions.
Option: User cannot view DLP Monitor
Definition: User is not a monitor administrator
Option: User can partially view DLP Monitor (cannot view private fields)
Definition: New in McAfee Host Data Loss Prevention software version 9.0, one of the required roles for sensitive data redaction.
Option: User can reveal sensitive data but cannot view DLP Monitor.
Definition: User can only reveal sensitive data with the presence of a user with view permissions.
Option: User can view DLP Monitor
Definition: New in McAfee Host Data Loss Prevention software version 9.0, one of the required roles for sensitive data redaction. User has full policy administrator permissions. Use this option if you are not using the sensitive data redaction feature.