8/3/2019 Dlp 900 Install Epo45 en-us
McAfee Host Data Loss Prevention 9.0Installation Guide for ePolicy Orchestrator 4.5
COPYRIGHT
Copyright 2010 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
Introduction  5
  Components and their relationships  5
  Getting started  8
Pre-Installation  11
  System requirements  11
  Configuring the server  12
  Installing ePolicy Orchestrator 4.5  13
  WCF installation  14
    Installing the DLP WCF service  15
  Troubleshooting the DLP WCF service  19
Installing or Upgrading McAfee Host Data Loss Prevention  20
  First-time installation issues  20
    Creating and configuring repository folders  21
  Installing the McAfee Host Data Loss Prevention extension  22
  Upgrading issues  23
    Upgrading McAfee Host Data Loss Prevention software  24
Post-Installation  25
  Initializing the Host DLP Policy Manager  25
  Upgrading the license  27
  Applying the policy  27
  Initializing the Host DLP Monitor  28
  Checking in the DLP Agent package to ePolicy Orchestrator  29
  Deploying the DLP Agent  30
    Defining a default rule  30
    Deploying the DLP Agent in ePolicy Orchestrator  31
    Verifying the installation  31
Appendix I Deploying McAfee Host Data Loss Prevention with SMS  32
  Creating an installation package  32
  Creating the advertisement  33
  Creating the SMS uninstall package  33
Appendix II Users and permission sets  35
  Creating and defining DLP administrators  35
  Creating and defining permission sets  36
  DLP permission set options  36
Introduction
This guide provides the necessary information for installing McAfee Host Data Loss Prevention
software version 9.0. It provides detailed steps and verification of the installation process. This
guide demonstrates how to configure the recommended architecture, and when completed the
user will have a fully functional McAfee Host Data Loss Prevention implementation that is properly
configured.
McAfee recognizes that many configuration possibilities exist and that McAfee Host Data Loss
Prevention is very flexible in meeting a variety of implementation architectures. The
recommended architecture represents only one path.
Contents
Components and their relationships
Getting started
Components and their relationships
McAfee Host Data Loss Prevention software version 9.0 is more tightly integrated with ePolicy
Orchestrator than version 2.x. As a result, the recommended installation is now on a single
server, and is in compliance with the FIPS 140-2 standard.
The DLP WCF Service can be installed on a separate server from the ePO database.
Figure 1: McAfee Host Data Loss Prevention components and relationships
Figure 1 depicts the elements that comprise McAfee Host Data Loss Prevention and the
communication patterns among the elements.
The recommended architecture includes:
ePO server: Hosts the embedded user interfaces (Host DLP Monitor and Host DLP Policy Manager) and communicates with the McAfee Agents.
ePO Reports: A list of Host DLP Events within the ePolicy Orchestrator reporting service replaces DLP Reports.
DLP WCF (Windows Communication Foundation) Service: Communicates between ePolicy Orchestrator and the Host DLP Policy Manager to distribute policies, and with the Host DLP Monitor to display events.
ePO Event Parser: Communicates with the McAfee Agent and stores event information in a database.
DLP Event Parser: Collects Host DLP events from the ePO Event Parser and stores them in DLP tables in the SQL database.
ePO database: Communicates with the ePO Policy Distributor to distribute policies, and with the DLP Event Parser to collect events and evidence.
Administrator workstation: Accesses ePolicy Orchestrator, the Host DLP Monitor, and Host DLP Policy Manager in a browser through the DLP WCF Service.
Client workstation: Applies the security policies using the following software:
  DLP Agent: Provides the DLP processes. In McAfee Host Data Loss Prevention software version 9.0 the DLP Agent communicates exclusively with the ePO Agent.
  McAfee Agent: Provides the communication channel between the ePolicy Orchestrator server and the DLP Agent.
Backward compatible installation
To allow an orderly upgrade in large enterprises that have deployed previous versions of the
DLP Agent in their production environment, an option exists to deploy backward compatible
policies to computers still running the older agents. DLP Agent 2.2 Patch 2 is the earliest version
supported by this feature. Enterprises running earlier versions must upgrade to DLP Agent 2.2 Patch 2 or later before upgrading to DLP Agent 9.x.
McAfee Host Data Loss Prevention software version 9.0 utilizes a standardized XML policy format.
The new format is more intuitive, and facilitates integration with other ePolicy Orchestrator
applications. As a result, the backward compatibility option that allows communication with
both old and new agents now has two levels: DLP Agent 3.0 or later, and DLP 2.2 Patch 2 or
later.
Compatibility with version 3.0 DLP Agents uses the standard installation. The agent compatibility
option is selected during the policy manager initialization.
For enterprises upgrading from DLP 2.2 Patch 2, old events in the Host DLP database are
converted to tables in the ePO database. The installation for backward compatibility contains
elements of both version 2.x and version 3.x. In particular, the DLP Event Collector is installed
to collect events from the version 2.x DLP Agents. This means that the two server system
recommended in McAfee Host Data Loss Prevention version 2.x is maintained during the transition
phase. The backward-compatible architecture is as follows:
Figure 2: McAfee Host Data Loss Prevention components with backward compatibility
Getting started
Classifying corporate information into different data loss prevention categories is a key step in deploying and administering McAfee Host Data Loss Prevention software. While guidelines and
best practices exist, the ideal schema is dependent on your enterprise goals and needs, and is
unique for each installation.
For this reason, McAfee recommends initial deployment to a sample group of 15 to 20 users
for a trial period of about a month.
During this trial, no data is classified, and a policy is created to monitor, not block, transactions.
The monitoring data helps the security officers make good decisions about where and how to
classify corporate data. The policies created from this information should be tested on a larger
test group (or, in the case of very large companies, on a series of successively larger groups)
before being deployed to the entire enterprise.
McAfee Device Control vs McAfee Host Data Loss Prevention
McAfee Device Control prevents unauthorized use of removable media devices. McAfee Host
Data Loss Prevention gives you a fuller set of tools to inspect enterprise users' actions concerning sensitive content anywhere on their computers. The following table compares the features.
Feature | McAfee Device Control | McAfee Host Data Loss Prevention
Applications
  Enterprise Applications List | Yes | Yes
Database Administration
  Database Administration | Yes | Yes
  Database Statistics | Yes | Yes
Content Based Definitions
  Dictionaries | Yes | Yes
  Registered Documents Repositories | Yes | Yes
  Text Patterns | Yes | Yes
Definitions
  Application Definitions | Yes | Yes
  Document Properties | Yes | Yes
  Email Destinations | No | Yes
  File Extension Definitions | Yes | Yes
  File Server Definitions | No | Yes
  Network Definitions | No | Yes
  Printer Definitions | No | Yes
  Tags and Categories | Yes (content categories and groups only) | Yes (content categories, tags, and groups)
  Web Destinations | No | Yes
  Whitelist Repository | Yes | Yes
Device Management
  Device Classes | Yes | Yes
  Device Definitions | Yes | Yes
  Device Rules | Yes | Yes
  Whitelisted Applications | Yes | Yes
Policy Assignment
  User Assignment Groups | Yes | Yes
  Privileged Users | Yes | Yes
RM and Encryption
  RM Servers | No | Yes
  RM Policies | No | Yes
  Encryption Keys | Yes | Yes
Rules
  Classification Rules | Yes | Yes
  Discovery Rules | No | Yes
  Protection Rules | Yes (Removable Storage Protection only) | Yes
    Protection Rules comprise: Application File Access Protection, Clipboard Protection, Email Destinations Protection, File System Protection, Network Communication Protection, PDF/Imagewriter Protection, Printing Protection, Removable Storage Protection, Screen Capture Protection, Web Post Protection
  Tagging Rules | No | Yes
Pre-Installation
This section contains information on required Microsoft system components, and ePolicy
Orchestrator installation requirements. Review this section completely before installing McAfee
Host Data Loss Prevention software version 9.0.
Contents
System requirements
Configuring the server
Installing ePolicy Orchestrator 4.5
WCF installation
System requirements
Hardware requirements
The following hardware is recommended for running McAfee Host Data Loss Prevention software
version 9.0.
Hardware type: Specifications
Servers:
  CPU: Intel Pentium IV 2.8GHz or higher.
  RAM: 512 MB minimum for McAfee Device Control only (1 GB recommended); 1 GB minimum for full McAfee Host Data Loss Prevention (2 GB recommended).
  Hard Disk: 80GB minimum.
Agent workstations:
  CPU: Pentium III 1GHz or higher.
  RAM: 256 MB minimum for McAfee Device Control (1 GB recommended); 512 MB minimum for full McAfee Host Data Loss Prevention (1 GB recommended).
  Hard Disk: 200 MB minimum free disk space.
Network:
  100 Mbit LAN serving all workstations and the ePO server.
  Agents must be able to access port 8731 on the server running the WCF Service.
  Administrators running the Event Monitor must be able to access TCP port 8731 on the server running the WCF Service.
The following operating system software is supported:
Computer type: Software
Servers:
  Microsoft Windows 2003 Server Standard (SE) SP1 or later
  Microsoft Windows 2003 Enterprise (EE) SP1 or later
  Microsoft Windows 2008 Server Standard
  NOTE: For installation in ePolicy Orchestrator 4.5, SP2 or later and Microsoft Internet Explorer 7 or later are required. These are requirements for ePolicy Orchestrator, not McAfee Host Data Loss Prevention.
Agent workstations:
  Microsoft Windows 2000 SP 4 or later
  Microsoft Windows XP Professional SP1 or later (32-bit only)
  Microsoft Windows Vista SP1 or later (32-bit only)
  Microsoft Windows 7 (32-bit only)
The user installing McAfee Host Data Loss Prevention software version 9.0 on the servers must
be a member of the local administrator group.
Because McAfee Host Data Loss Prevention software version 9.0 requires .NET 3.5, Windows
2000 server is no longer supported.
Server software requirements
The following software is required on the server running Host DLP Policy Manager and Monitor:
Software: Version
McAfee ePolicy Orchestrator: 4.5
McAfee Agent: 4.0 Patch 1 or later
McAfee ePolicy Orchestrator Help System: download the HDLP 9.0 Help extension.
Microsoft .NET: 3.5 (Patch 1 recommended). NOTE: All agent handlers on remote servers require the .NET Framework.
Microsoft SQL Server: 2005 compatibility mode 90 or later
The McAfee Host Data Loss Prevention software version 9.0 package includes the following:
DLP Agent
DLP Windows Communication Foundation (DLPWCF)
DLP Migration Tool (used to import events from the version 2.2 database to the 9.0 database)
DLP Extension (contains the components installed through ePolicy Orchestrator)
Configuring the server
Use this task for the basic configuration of the server.
Before you begin
Verify that the server meets the minimum system requirements.
Task
1 Install Microsoft Windows 2003 SE SP1 with the role of file server (configured on the Server
Role page of the Configure Your Server wizard.)
2 Install Windows Installer 3.0 and restart the system. Install the Microsoft Windows 2003
service packs.
3 Run Windows Update and install all updates.
4 Disable the Microsoft Internet Explorer Enhanced Security Configuration Windows component
using the Windows Control Panel Add/Remove Windows Components option.
NOTE: This Microsoft product can hinder proper installation of Host DLP components.
Disable it before installation, then reconfigure it after installation if it is required.
5 Install Microsoft .NET Framework 3.5 SP1.
6 Set the server to a static IP address.
NOTE: McAfee recommends using a subnet separate from your company's production
network for initial testing. If you are setting up a production environment, set the server's
static IP address within that range.
Installing ePolicy Orchestrator 4.5
Use this task to install ePolicy Orchestrator 4.5.
Before you begin
Read the ePolicy Orchestrator 4.5 Installation Guide and Release Notes to familiarize yourself
with all installation issues.
CAUTION: Some of the installation scripts require the NETWORK SERVICE account to have
write permission for the C:\Windows\Temp folder. In secure systems, this folder might be locked
down. In that case, you must temporarily change the permissions for this folder. Otherwise,
the installation fails. McAfee recommends completing all software installations before resetting
the permissions.
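The caution above asks for a temporary change that is easy to forget to undo. The following PowerShell script is an added example, not part of the McAfee guide: it checks whether NETWORK SERVICE can already write to the Temp folder, grants Modify only if needed while saving the original DACL as SDDL, and provides a restore function to run once every installation is finished. It assumes an elevated PowerShell prompt on the ePO server; the backup file path is an assumed placeholder.

```powershell
# Added example, not part of the McAfee guide: give NETWORK SERVICE write access to
# %SystemRoot%\Temp for the duration of the installs, keeping a copy of the original
# DACL so the lock-down can be restored afterwards. Run from an elevated PowerShell
# prompt on the ePO server. The backup file path is an assumed placeholder.

$TempFolder = Join-Path $env:SystemRoot 'Temp'
$AclBackup  = Join-Path $env:SystemDrive 'windows_temp_acl_backup.sddl'   # placeholder
$NetSvc     = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'NETWORK SERVICE')

function Test-FolderWriteAccess {
    # True when the account has an explicit or inherited Allow entry that covers Write.
    param([string]$Path, [System.Security.Principal.NTAccount]$Account)
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $Account.Value -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $write) -eq $write)) {
            return $true
        }
    }
    return $false
}

function Grant-TemporaryWrite {
    # Saves the current DACL as SDDL, then adds Modify on the folder, subfolders and files.
    param([string]$Path, [System.Security.Principal.NTAccount]$Account, [string]$BackupFile)
    $acl = Get-Acl -Path $Path
    [System.IO.File]::WriteAllText($BackupFile, $acl.Sddl)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Restore-FolderAcl {
    # Puts back only the DACL captured by Grant-TemporaryWrite (owner and group are left
    # untouched). Run it after every installation that needs the Temp folder has finished.
    param([string]$Path, [string]$BackupFile)
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm(
        [System.IO.File]::ReadAllText($BackupFile),
        [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-FolderWriteAccess -Path $TempFolder -Account $NetSvc) {
    Write-Host "NETWORK SERVICE can already write to $TempFolder; nothing to change."
} else {
    Grant-TemporaryWrite -Path $TempFolder -Account $NetSvc -BackupFile $AclBackup
    Write-Host "Write access granted. When all installs are done, run:"
    Write-Host "  Restore-FolderAcl -Path '$TempFolder' -BackupFile '$AclBackup'"
}
```

Keeping the saved SDDL outside the Temp folder matters: the installers may clean that folder, and the restore step depends on the file surviving until the last installation has completed.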
Pay attention to the following points when installing ePolicy Orchestrator:
1 In the ePolicy Orchestrator installation wizard, use the following settings:
Installation wizard screen: Setting
Installation Options: Select Install Server and Console.
Setup Requirements: Install SQL Server 2005 Express. Another configuration option is to create an ePolicy Orchestrator instance on an existing SQL Server 2005 server and select it. CAUTION: After verification that you want to install the software, the SQL installation continues without user input. If prompted to install SQL Server 2005 Backward Compatibility, you must install it.
Database Server Account: McAfee recommends using a SQL Server account. If preferred, an NT account can also be used.
HTTP Configuration: Do not use the default setting for the Agent-to-Server communication port. Instead, set the port to 1080.
2 During the installation, you might see a warning about trusted sites. Write down the
recommended additions to the Microsoft Internet Explorer trusted sites list before clicking
OK. You will need to add them later.
WCF installation
There are two basic options for installing the Windows Communication Foundation (WCF)
service: on the same server as the ePO (SQL) database (local installation) or on a separate
server (remote installation). Where ePolicy Orchestrator is installed, together with its database
or on a separate server, is not relevant to this discussion; only the relative locations of WCF
and the database.
Figure 3: WCF installation options
Web access authorized groups
When installing the WCF service, you are asked to specify the Web Access Authorized Groups
(WAAG). McAfee recommends setting up a group or groups in Windows Active Directory with
the names of users authorized to log on to the database.
When the HDLP Policy Manager attempts to connect to WCF, it impersonates the logged on
user. After the user name is authenticated, WCF checks to see if the user is a member of the
WAAG before connecting to the database.
Option 1: Installing WCF locally
When installing WCF on the same server as the ePO database, you can use Windows
authentication or SQL authentication. The option is selected on the WCF service installation
wizard. The selected authentication applies only to the connection between WCF and the
database. The connection between the administration workstation and WCF always uses Windows
authentication. If you have selected Windows authentication, and the logged on user is a
member of the WAAG, connection to the database proceeds without further checking.
The user must be defined in the SQL database. See Adding a user in SQL Server.
Option 2: Installing WCF remotely
When installing WCF on a separate server from the ePO database, you can now use Windows
authentication or SQL authentication. The former limitation to only SQL authentication has been
eliminated. The description of the connection details are the same as in local installation.
Installing the DLP WCF service
Use these tasks to prepare the SQL database for WCF and to install the DLP WCF service. Both of these tasks are required and should be performed in the order given.
Tasks
Adding a user in SQL Server
Running the DLP WCF installer
Adding a user in SQL Server
To use either Windows or SQL authentication with WCF and the ePO database, an authorized
user must be defined in the SQL database. The authorized user can be a Windows user or a
SQL user. Typically, an account with the minimal permissions to run WCF is created. Use this task to create such an account.
Before you begin
To perform this task, you must have Microsoft SQL Server Management Studio installed. If you
are using SQL Server Express, you should install the Express version of Management Studio.
The administrator performing the task should have system administrator rights on the server(s)
involved.
Task
1 Open Microsoft SQL Server Management Studio (Express) and connect to the EPOSERVER
instance.
2 In the Object Explorer, right-click the database name and select Properties.
3 On the Security page, select either Windows Authentication mode or SQL Server and Windows Authentication mode, according to which type of authentication you want to
use.
4 Navigate to Security | Logins. Right-click in the Logins page, and select New Login.
5 On the General page of the Login Properties dialog box, select SQL Server authentication
or Windows authentication and type a login name. Set the default database to
ePO4_SERVER. Enforcing a password policy is optional.
6 On the User Mapping page of the Login Properties dialog box, in the Users mapped to
this login section, select ePO4_SERVER and verify that the new login user is listed under
User. Click OK.
7 Navigate to Databases | ePO4_SERVER | Security | Users. Double-click the login
user name.
8 On the Securables page, click Add. Select Specific objects, and click OK.
9 In the Select Objects dialog box, click Object Types and select Databases. Click OK.
10 Click Browse. Select [ePO4_SERVER] and click OK twice.
11 Click Effective Permissions, and verify the following permissions:
Figure 4: Setting database user permissions
12 Click OK.
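For administrators who prefer to script the login and user creation, or who need to repeat it on a second instance, the following PowerShell script is an added example and not part of the McAfee guide. It creates the login (Windows or SQL, matching the authentication mode chosen in step 3), maps it to a user in the ePO database, and then impersonates that user to list its effective database permissions so they can be compared with Figure 4 and checked against least privilege. It assumes sqlcmd.exe is available (it is installed with SQL Server Management Studio), that you have sysadmin rights on the instance, the instance and database names `.\EPOSERVER` and `ePO4_SERVER` from the procedure above, and a placeholder account name `CORP\svc_dlpwcf`.

```powershell
# Added example, not part of the McAfee guide: script the login/user creation from the
# "Adding a user in SQL Server" procedure and list the new user's effective database
# permissions. Needs sqlcmd.exe and sysadmin rights on the instance. Instance '.\EPOSERVER'
# and database 'ePO4_SERVER' are the names used in the guide; 'CORP\svc_dlpwcf' is a placeholder.

$Instance        = '.\EPOSERVER'
$Database        = 'ePO4_SERVER'
$Login           = 'CORP\svc_dlpwcf'   # placeholder: the account the WCF service will use
$SqlAuthPassword = $null               # set to a string to create a SQL login instead of a Windows login

function Invoke-EpoSql {
    # Runs a T-SQL script through sqlcmd with Windows authentication. -b makes sqlcmd return
    # a non-zero exit code on any error; -h -1 and -W give plain, trimmed output.
    param([string]$Instance, [string]$Script)
    $file = Join-Path $env:TEMP ('dlp_{0}.sql' -f [guid]::NewGuid())
    [System.IO.File]::WriteAllText($file, $Script)
    try {
        $out = & sqlcmd.exe -S $Instance -E -b -h -1 -W -i $file
        if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed (exit $LASTEXITCODE): $out" }
        return $out
    } finally { Remove-Item -Path $file -ErrorAction SilentlyContinue }
}

function New-WcfDatabaseUser {
    # The login is instance-wide (steps 4-5); the user lives in the ePO database (steps 6-7).
    param([string]$Instance, [string]$Database, [string]$Login, [string]$SqlPassword)
    if ($SqlPassword) {
        $pw = $SqlPassword -replace "'", "''"   # escape quotes for the T-SQL string literal
        $createLogin = "CREATE LOGIN [$Login] WITH PASSWORD = N'$pw', DEFAULT_DATABASE = [$Database];"
    } else {
        $createLogin = "CREATE LOGIN [$Login] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];"
    }
    $script = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    $createLogin
GO
USE [$Database];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
GO
"@
    Invoke-EpoSql -Instance $Instance -Script $script | Out-Null
}

function Get-WcfUserPermissions {
    # Least-privilege check: impersonate the new user inside the ePO database, list what it
    # can actually do (compare with Figure 4), and confirm it has not been made a sysadmin.
    param([string]$Instance, [string]$Database, [string]$Login)
    $script = @"
USE [$Database];
GO
EXECUTE AS USER = N'$Login';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE') ORDER BY permission_name;
REVERT;
GO
SELECT 'sysadmin=' + CAST(ISNULL(IS_SRVROLEMEMBER('sysadmin', N'$Login'), 0) AS varchar(1));
GO
"@
    Invoke-EpoSql -Instance $Instance -Script $script
}

New-WcfDatabaseUser  -Instance $Instance -Database $Database -Login $Login -SqlPassword $SqlAuthPassword
Get-WcfUserPermissions -Instance $Instance -Database $Database -Login $Login
```

The final line of output should read `sysadmin=0`; the WCF account only needs rights inside the ePO database, so a `1` there means the login was placed in a server role it does not need.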
Running the DLP WCF installer
Use this task to install and configure the Windows Communication Foundation (WCF) service.
McAfee Host Data Loss Prevention software version 2.x used the DLP Web Service, which ran
under IIS, to communicate between components. In response to client requests for a non-IIS
dependent communication service, McAfee Host Data Loss Prevention implemented a self-hosted
WCF service with version 3.0. The new service is faster, lighter, and more secure than the
IIS-based service.
Before you begin
Add the login user to the SQL database as a Windows or SQL user, according to which form of
authorization you plan to use. Log out of ePolicy Orchestrator.
Task
1 Browse to and run the DLPWCFServiceInstaller.msi installer.
2 In step 4 of the installation wizard (WCF Service Settings), do the following:
a You should not change the WCF Server Port value without first consulting your McAfee
representative.
b McAfee recommends setting up a group or groups in Windows Active Directory with the
names of users authorized to login to the database. You must change the default Web
Access Authorized Groups entry from Everyone to a group or user with authorized
access, as described in WCF installation options.
c If you are using the confidential data redaction feature, select Obfuscate Sensitive
Data in RSS Feed.
3 In step 5 of the installation wizard (SQL Database) do the following:
a Review the defaults for Database Server and Database Name. Type other values
if necessary.
b Select Windows Authentication or SQL Authentication and fill in the associated
fields.
NOTE: This change in the installer fixes the problem of installing the DLP WCF Service on a
remote server using Windows authentication. You can now use either form of
authentication for local or remote installations. Named users must be defined in the
SQL database.
4 Click Finish to complete the installation.
Troubleshooting the DLP WCF service
To troubleshoot the DLP WCF service, use the browser page
http://localhost:8731/DLPWCF/Admin/Testing.
Figure 5: The DLP WCF service testing page
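The testing page is only reachable when TCP port 8731 is open between the caller and the WCF server (see the network requirements) and the caller's Windows credentials are accepted. The following PowerShell script is an added example, not part of the McAfee guide: it separates the two failure modes by first attempting a plain TCP connection to the port and then fetching the testing page with the logged-on user's Windows credentials, which is how the WCF connection always authenticates. The server name `localhost` is a placeholder to replace with the WCF server name when testing from an administrator workstation; the port and page path come from the guide.

```powershell
# Added example, not part of the McAfee guide: check that TCP port 8731 on the WCF server
# is reachable, then fetch the DLP WCF testing page using Windows authentication.
# 'localhost' is a placeholder; replace it when running from an administrator workstation.

$WcfServer = 'localhost'
$WcfPort   = 8731
$TestUrl   = "http://${WcfServer}:$WcfPort/DLPWCF/Admin/Testing"

function Test-WcfPort {
    # Plain TCP connect with a timeout: distinguishes "blocked by a firewall / service not
    # listening" from an authentication problem on the HTTP layer.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-WcfTestingPage {
    # The administration workstation to WCF connection always uses Windows authentication,
    # so send the logged-on user's credentials rather than an anonymous request.
    param([string]$Url)
    $web = New-Object System.Net.WebClient
    $web.UseDefaultCredentials = $true
    try {
        return $web.DownloadString($Url)
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) {
            # A 401 or 403 after a successful TCP connect points at the Windows credentials or
            # the Web Access Authorized Groups rather than at the network.
            return "HTTP $([int]$resp.StatusCode) from $Url"
        }
        return "No HTTP response from ${Url}: $($_.Exception.Message)"
    }
}

if (Test-WcfPort -Server $WcfServer -Port $WcfPort) {
    Write-Host "TCP $WcfServer`:$WcfPort reachable; requesting the testing page..."
    Get-WcfTestingPage -Url $TestUrl
} else {
    Write-Host "Cannot open TCP $WcfServer`:$WcfPort. Check the WCF service and any firewall between here and the server."
}
```

Run it first on the WCF server itself (where `localhost` is correct) to confirm the service is up, then from an administrator workstation to confirm the path through the network and the user's group membership.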
Installing or Upgrading McAfee Host Data Loss Prevention
This section covers a clean installation and upgrading from an earlier version. In both cases,
the default installation is a 90-day license for McAfee Device Control. If you purchased a license
for full McAfee Host Data Loss Prevention, you must upgrade the license after you complete
the installation.
Contents
First-time installation issues
Installing the McAfee Host Data Loss Prevention extension
Upgrading issues
First-time installation issues
The McAfee Host Data Loss Prevention installation wizard requires certain inputs for proper
completion. To assure an uninterrupted installation, do the following before installing.
Evidence and whitelist folder
Two folders and network shares must be created, and their properties and security settings
must be configured appropriately. The folders do not need to be on the same computer as the
Host DLP/Database server, but it is usually convenient to put them there.
McAfee suggests the following folder paths, folder names, and share names, but you can create
others as appropriate for your environment.
c:\dlp_resources\
c:\dlp_resources\evidence
c:\dlp_resources\whitelist
Evidence folder
Certain protection rules allow for storing evidence, so you must designate, in advance, a place to put it. If, for example, an email is blocked, a copy of the email is placed in the Evidence
folder.
Whitelist folder
Text fingerprints to be ignored by the DLP Agent are placed in a whitelist repository folder. An
example is boilerplate text such as disclaimers or copyright. McAfee Host Data Loss Prevention
saves time by skipping these chunks of text that are known to not include sensitive content.
Roles and permissions
Consider the administrator roles you need to manage the system, and create the necessary
user profiles. Roles such as Host DLP administrators, policy makers, monitor viewers, manual
taggers, and others may be necessary, depending on the size of the system and how centralized
you want control to be. The system can be modified at any time, so the list does not have to
be comprehensive.
Creating and configuring repository folders
Use these tasks to configure the repository folders.
Tasks
Configuring the evidence folder
Configuring the whitelist folder
Configuring the evidence folder
Use this task to configure the evidence folder with its specific security settings.
Before you begin
Create the evidence folder, as described in First-time installation issues.
Task
1 Right-click the evidence folder icon and select Sharing and Security.
2 In the dialog box that appears, select Share this folder, then modify Share name to
evidence$.
NOTE: The $ ensures that the share is hidden.
3 Click Permissions. With the default user name Everyone selected, allow Full Control,
then click OK.
4 Click the Security tab, then click Advanced.
5 On the Permissions tab of the Advanced Security Settings for evidence dialog box,
deselect Allow inheritable permissions. A confirmation box explains the effect this
change will have on the folder.
6 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows
all permissions eliminated except administrators.
NOTE: As a security precaution, you can set the permissions to only those administrators
who deploy policies.
7 Double-click the Administrators entry to open the Permission Entry dialog box. Change
the Apply onto option to This folder, subfolders and files. Click OK.
8 Click Add to select an object type.
9 In the Enter the object name to select text box, type Domain Computers, then click OK
to display the Permission Entry dialog box.
10 In the Allow column, select Create Files/Write Data and Create Folders/Append
Data. Verify that the Apply onto option says This folder, subfolders and files, then
click OK. The Advanced Security Settings dialog box now includes Domain Computers.
11 Click OK twice to close the dialog box.
Configuring the whitelist folder
Use this task to configure the whitelist folder with its specific security settings.
Before you begin
Create the whitelist folder, as described in First-time installation issues.
Task
1 Right-click the whitelist folder icon and select Sharing and Security.
2 In the dialog box that appears, select Share this folder, then modify Share name to
whitelist$.
NOTE: The $ ensures that the share is hidden.
3 Click the Security tab, then click Advanced.
4 On the Permissions tab of the Advanced Security Settings for whitelist dialog box,
deselect Allow inheritable permissions. A confirmation box explains the effect this
change will have on the folder.
5 Click Remove. The Permissions tab on the Advanced Security Settings dialog box shows
all permissions eliminated except administrators.
NOTE: As a security precaution, you can set the permissions to only those administrators
who deploy policies.
6 Double-click the Administrators entry to open the Permission Entry dialog box. Change
the Apply onto option to This folder, subfolders and files. Click OK.
7 Click Add to select an object type.
8 In the Enter the object name to select text box, type Domain Computers, then click OK
to display the Permission Entry dialog box.
9 In the Allow column, select List Folder/Read Data. Verify that the Apply onto option
says This folder, subfolders and files, then click OK. The Advanced Security Settings
dialog box now includes Domain Computers.
10 Click OK twice to close the dialog box.
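The share and NTFS permissions from the two tasks above can also be set from an elevated PowerShell prompt on the server that hosts the folders. This is an added example, not part of the McAfee guide; it assumes the repositories live under C:\DLP and that the domain's NetBIOS name is CONTOSO (both placeholders), and uses net share and icacls in place of the Explorer dialog boxes.

```powershell
# Added example (not from the McAfee guide): create the hidden evidence$ and whitelist$
# shares and apply the NTFS permissions described in the two tasks above.
# Placeholders: adjust $Root and $Domain for your environment before running.
$Root   = 'C:\DLP'     # placeholder: parent folder of the evidence and whitelist folders
$Domain = 'CONTOSO'    # placeholder: NetBIOS name of the domain

function Set-DlpRepositoryFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,            # local folder, e.g. C:\DLP\evidence
        [Parameter(Mandatory)] [string] $ShareName,       # ends in $ so the share is hidden
        [Parameter(Mandatory)] [string] $SharePermission, # net share /GRANT level: READ or FULL
        [Parameter(Mandatory)] [string] $ComputerRights,  # icacls rights for Domain Computers
        [Parameter(Mandatory)] [string] $Domain
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Share-level permission. Access is actually restricted by the NTFS ACL below;
    # the share ACL only has to be wide enough not to get in the way.
    & net share "$ShareName=$Path" "/GRANT:Everyone,$SharePermission" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $ShareName" }

    # NTFS permissions, in one icacls call so the folder is never left without an ACL:
    #   /inheritance:r   remove all inherited ACEs (the "Allow inheritable permissions" step)
    #   (OI)(CI)F        Administrators: Full Control on this folder, subfolders and files
    #   (OI)(CI)(...)    Domain Computers: only the specific rights the task lists
    & icacls $Path /inheritance:r `
        /grant "BUILTIN\Administrators:(OI)(CI)F" `
        /grant "$Domain\Domain Computers:(OI)(CI)($ComputerRights)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
}

# Evidence folder: agents must be able to write evidence files and create subfolders
# (Create Files/Write Data = WD, Create Folders/Append Data = AD) but get no read access.
Set-DlpRepositoryFolder -Path "$Root\evidence" -ShareName 'evidence$' `
    -SharePermission 'FULL' -ComputerRights 'WD,AD' -Domain $Domain

# Whitelist folder: agents only need List Folder/Read Data (= RD).
Set-DlpRepositoryFolder -Path "$Root\whitelist" -ShareName 'whitelist$' `
    -SharePermission 'READ' -ComputerRights 'RD' -Domain $Domain

# Verify: each folder should show only the two explicit ACEs and no "(I)" inherited entries,
# and both shares should be listed (hidden shares still appear in "net share" on the server).
foreach ($Folder in 'evidence', 'whitelist') {
    Write-Host "--- $Root\$Folder"
    & icacls "$Root\$Folder"
}
& net share
```

The /GRANT switch of net share requires Windows Vista or Windows Server 2008 or later; on older servers set the share permission in the Sharing dialog box as described in the task.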
Installing the McAfee Host Data Loss Prevention extension
Use this task for a clean installation of the McAfee Host Data Loss Prevention software version 9.0
extension in ePolicy Orchestrator.
Before you begin
Verify that the ePolicy Orchestrator server name is listed under Trusted Sites in the Internet
Explorer security settings.
Task
1 In ePolicy Orchestrator, click Menu | Software | Extensions, then click Install
Extension.
2 Browse to and select the policy manager zip file (..\HDLP_9_0_0_xxx.zip). Click Open,
then OK. The installation dialog box displays the file parameters to verify that you are
installing the correct extension.
3 Click OK. The extension is installed.
The following applications are installed:
Host DLP Policy Manager (in ePolicy Orchestrator | Data Protection)
Host DLP Event Monitor (in ePolicy Orchestrator | Data Protection)
DLP Event Parser
4 Click Install Extension again, browse to and select the Help zip file (...help_dlp_900.zip).
Click Open, then OK.
NOTE: This file contains the HDLP extension to the ePO Help system.
5 Click OK.
Upgrading issues
Upgrade installation is similar to first-time installation, but the following points must be
considered.
Backward compatibility
The Host DLP Policy Manager version 9.0 initialization has a backward compatibility option that,
when selected, allows communication with both old and new agents. Backward compatibility
can be set to Version 3.0 and later or Version 2.2 Patch 2 and later.
Unsupported items
If the policy contains any of the following when backward compatibility mode is selected, the
policy will fail to be applied to ePolicy Orchestrator.
Items unsupported in McAfee Host Data Loss Prevention 3.0 and above backward compatibility
mode:
An application file access, email, file system, removable storage, or web post protection rule
contains a document property definition.
A discovery rule contains a document property definition with unsupported properties. Version
3.0 only supports the Date Created and Date Modified properties.
An email or web post protection rule, or a discovery rule, contains an Adobe RM encryption definition.
A discovery rule contains an Apply RM Policy action.
Removable storage file access rules are enabled.
Hit-highlighting is selected on the Evidence tab in the Agent Configuration.
Queries and computer assignments
Queries and Dashboards are saved when you upgrade McAfee Host Data Loss Prevention, as
long as you use the recommended procedure. If you remove the existing Data Loss Prevention
extension before installing the new one, all queries and Dashboards are lost.
To customize a sample query, McAfee recommends using the Duplicate option, to rename the
query before changing it. To use the new sample queries in My Queries in a Dashboard, use the Make Public option. If a public query exists with the same name, remove or rename the
public query first.
ePolicy Orchestrator requires all query names to be unique. The first time you install McAfee
Host Data Loss Prevention in ePolicy Orchestrator, the sample queries are installed as Public
Queries. To view this, go to Reporting | Queries, and scroll down the queries on the left
side of the screen. When you upgrade Host DLP, ePolicy Orchestrator notices that the names
of the sample queries are already used, and installs the samples in My Queries instead.
However, to use a query in a Dashboard, it must be a public query.
Upgrading McAfee Host Data Loss Prevention software
Use this task to upgrade an earlier version of McAfee Host Data Loss Prevention software to
version 9.0 in ePolicy Orchestrator.
CAUTION: If you want to be able to view previous events in the Host DLP Monitor, do not delete
the existing McAfee Host Data Loss Prevention extension in ePolicy Orchestrator. Removing the
extension removes all events from the Host DLP Database.
Before you begin
When downloading the files from the McAfee download site for McAfee Host Data Loss
Prevention, follow the link to the download page for ePolicy Orchestrator Help, and download
the latest Help zip file.
Log out of ePolicy Orchestrator and close the browser window.
Task
1 From the Windows Control Panel, using Add or Remove Programs, uninstall the DLP
Management Tools.
2 In ePolicy Orchestrator, go to Software | Extensions. Click Install Extension, then
click Browse and select the McAfee Host Data Loss Prevention policy manager zip file
(..\HDLP_Extension_9_0_0_xxx.zip). Click Open, then OK twice. The extension is installed,
and appears in the extension list.
If you are installing without removing the previous extension, you see a warning that the
new extension will replace the existing one. Click OK.
3 Click Install Extension again, browse to and select the Help zip file (..\help_dlp_900.zip). Click
Open, then click OK. The installation dialog box warns you that you will replace the existing
Help system. Click OK.
NOTE: This file contains the HDLP extension to the ePO Help system.
Post-Installation
Several steps are needed to complete the McAfee Host Data Loss Prevention software installation.
You must configure the Host DLP Policy Manager and Monitor, install an agent, deploy a test
policy, and verify the installation.
Contents
Initializing the Host DLP Policy Manager
Upgrading the license
Applying the policy
Initializing the Host DLP Monitor
Checking in the DLP Agent package to ePolicy Orchestrator
Deploying the DLP Agent
Initializing the Host DLP Policy Manager
The first time you open the Host DLP Policy Manager, a wizard runs for first-time initialization.
NOTE: The wizard can be run at any time by selecting Initialization Wizard from the Tools
menu in the Host DLP Policy Manager console.
Before you begin
The DLP Management Tools installer and policy manager initialization wizard use ActiveX
technology. To prevent the installer from being blocked, verify that the following are enabled
in Internet Explorer Tools | Internet Options | Security | Custom level:
Automatic prompting for ActiveX controls
Download signed ActiveX controls
Task
1 In ePolicy Orchestrator 4.5, click Menu | Data Protection | DLP Policy.
The DLP Management Tools installer runs and, after a brief delay, the Welcome screen
of the DLP Management Tools Setup wizard appears. Complete the steps in the wizard.
2 After the DLP Management Tools installation has completed, the Host DLP Policy Manager
console begins loading. If you have an existing policy, you are prompted to convert it to
the new standard XML format. Click Convert and skip to step 4.
3 If no previous policy exists, the message DLP global policy is unavailable. Loading
default policy appears. Click OK to continue.
4 When the message, Agent configuration is unavailable. Loading a default agent.
appears, click OK.
5 When the Host DLP Policy Manager First Time Initialization wizard appears, complete
the following steps:
Step 1 of 8 (Welcome): Click Next.

Step 2 of 8 (General configuration): By default, the discovery crawler places sensitive files
in quarantine. Though McAfee does not recommend it, you can delete these files instead by
selecting the Support discovery delete option. This option is not available until you update
to full McAfee Host Data Loss Prevention.
For troubleshooting, when you need to review an easily readable version of the policy, select
Generate verbose policy. For most installations, McAfee recommends leaving these checkboxes
unselected.
In very large organizations where the roll-out of DLP Agent 9.0 is staged over time, earlier
versions of the DLP Agent need to coexist. Select the appropriate Backward compatibility mode:
No compatibility (all agents are version 9.0)
DLP Agent 3.0 and later
DLP Agent 2.2 patch 2 and later
In very large organizations where search times could be excessive, select Restrict AD searches
to default domain.
Deselect Deploy policy to reporting database if you want to prevent deploying the policy to
the DLP tables in the ePO database. This option does not require WCF to be installed on the
server, but might result in the DLP Monitor not working as expected.
Configure the Policy Manager WCF service path. For the standard installation, accept the
default. Click Test Connection to verify. Click Next.

Step 3 of 8 (Configure the manual tagging authorization list): Type user names, or click Add
to search for user names (optional). Click Next.
NOTE: McAfee recommends creating a role-based group in Active Directory, such as DLP Manual
Tagging Users, and using the group when configuring Access Control.

Step 4 of 8 (Configure the Agent override key password): Type a password and confirmation
(required). If you don't want agent key generation events reported to the database, deselect
the checkbox. See the McAfee Host Data Loss Prevention Product Guide for more information on
Agent bypass. Click Next.

Step 5 of 8 (Whitelist configuration): Browse to the Whitelist storage share, then click Next.
The UNC whitelist path is required to apply the policy to ePolicy Orchestrator. Size limits
are displayed, but cannot be changed in the Initialization wizard.

Step 6 of 8 (Agent popup service configuration): Modify the default Agent notification
messages (optional). Select each event type in turn, and type the message in the text box.
Click Next.

Step 7 of 8 (Event collector and replication servers configuration): Browse to the Evidence
storage share and click Next. The evidence storage path is required to apply the policy to
ePolicy Orchestrator. Set the required Evidence Replication option. See the Readme: New
Features for more information. Click Next.

Step 8 of 8 (Configuration completed): Click Finish.
6 The Initialization Wizard dialog box appears with the message, Apply McAfee DLP initial
configuration? If you have not skipped any required steps, you can click Yes and apply
the initial policy. If you have skipped required steps, click No to complete the initialization.
NOTE: A password is required to complete initialization. The other steps indicated as
required are necessary to complete the policy. They can be skipped during initialization
and completed at a later time. If you did not apply the policy, select File | Save to save
the policy to a file.
Upgrading the license
McAfee Host Data Loss Prevention software comes in two versions, McAfee Device Control and
McAfee Host Data Loss Prevention, with two licensing options for each, 90-day trial and unlimited.
The default installation is McAfee Device Control with a 90-day trial license.
If you purchased a different licensing option, use this task to change the licensing of your
software.
Before you begin
Before starting this task, purchase your upgrade license and get an activation key from your
McAfee sales representative.
Task
1 On the Host DLP Policy Manager menu bar, select Help | Update License. The View
and Update License window displays the current (default) activation key and expiration
date.
2 Click Update.
3 Type or paste the Activation Key in the text box and click Apply. A warning that you must
log on again for the change to take effect appears.
4 Click OK to close the message box, and click Close to close the Update License window,
then log off ePolicy Orchestrator.
5 Log on to ePolicy Orchestrator to complete the upgrade.
6 From the Agent Configuration menu, select Edit Global Agent Configuration.
7 Go to the File Tracking tab and select Enable file tracking.
8 Go to the Miscellaneous tab. Only the Device Control, Agent Popup service, Replicating,
and Reporting modules are selected. Select the remaining modules to enable them and
click OK.
NOTE: Do not enable modules you don't use. They increase the agent size and slow its
operation unnecessarily.
9 On the Toolbar, click . The policy changes are applied to ePolicy Orchestrator.
10 In ePolicy Orchestrator, issue a wake-up call to deploy the policy change to the workstations.
Applying the policy
Use this task to apply the default policy. You are automatically prompted after the initialization
wizard closes.
Before you begin
If you are upgrading from a previous version of McAfee Host Data Loss Prevention, and have
backed up the policy, open the saved policy and run the conversion wizard before applying the
policy.
NOTE: If the old policy is from full McAfee Host Data Loss Prevention, you must upgrade the
default license before proceeding.
Task
1 Click Yes to apply the policy. The Applying to ePO window appears.
Figure 6: Verifying the application to ePolicy Orchestrator
2 Click Close when the task is complete.
Initializing the Host DLP Monitor
Use this task to initialize the Host DLP Monitor.
Task
1 In ePolicy Orchestrator 4.5, click Menu | Data Protection | DLP Monitor.
NOTE: The first time you select Host DLP Monitor, a warning window requests the WCF
server path.
2 Click OK.
3 For a standard installation, accept the default. For a backward-compatible installation, type
the WCF service address in the dialog box, then click OK. The Host DLP Monitor opens.
Figure 7: Initializing the Host DLP Monitor
Checking in the DLP Agent package to ePolicy Orchestrator
Any client computer with data protected by McAfee software must have the McAfee and DLP
Agents installed, making it a managed computer. The DLP Agent installation can be performed
using the ePolicy Orchestrator infrastructure.
Use this task to install the DLP Agent in ePolicy Orchestrator.
Task
1 On the ePolicy Orchestrator 4.5 console, click Menu | Software | Master Repository.
2 In the Master Repository, click Actions | Check In Package.
3 Select package type Product or Update (.ZIP), browse to
..\HDLPAgentPackage_9_0_0_xxx.zip, then click Next. The Check in Package page appears.
NOTE: If you are upgrading, you are prompted that the product already exists. Click OK.
The new agent package replaces the old one.
4 Review the details on the screen, then click Save. The package is added to the master
repository.
Deploying the DLP Agent
Use these tasks to deploy the DLP Agent to the workstations.
Tasks
Defining a default rule
Deploying the DLP Agent in ePolicy Orchestrator
Verifying the installation
Defining a default rule
To verify that the DLP Agent has been deployed properly, McAfee recommends defining a default
rule before deploying the agent.
Use this task to define a default rule. The rule described is an example of a simple rule that
can be used to test the system.
Task
1 Create a classification rule:
a In the Host DLP Policy Manager navigation bar under Content Protection, select
Classification Rules.
b Right-click in the Classification Rules window and select Add New | Content
Classification Rule. Rename the rule "Email Classification Rule".
c Double-click the rule icon to modify the rule.
d In step 1 of the rule creation wizard, scroll down the text patterns and select Email
Address. Click Next twice, skipping step 2.
e In step 3 of the rule creation wizard, click Add New to create a new category. Name
it Email Category, click OK to accept the new category, then click Finish.
f Right-click the rule icon and select Enable.
2 Create a protection rule:
a In the Host DLP Policy Manager navigation bar under Content Protection, select
Protection Rules.
b Right-click in the Protection Rules window and select Add New | Removable
Storage Protection Rule.
c Double-click the rule icon to modify the rule.
d Click through to step 2 of the rule creation wizard and add the Email Category created
when creating the classification rule in the Included column.
e Click through to step 6 of the rule creation wizard. Select Monitor, then click Finish.
f Right-click the rule icon and select Enable.
3 On the Tools menu, select Run Policy Analyzer. You should receive warnings, but no
errors.
4 On the Toolbar, click . The policy is applied to ePolicy Orchestrator.
Deploying the DLP Agent in ePolicy Orchestrator
Use this task to deploy the DLP Agent when working in ePolicy Orchestrator.
Before you begin
McAfee Agent 4.0 must be installed in ePolicy Orchestrator and deployed to the target computers
before the DLP Agent is deployed. Consult the ePolicy Orchestrator documentation on how to
verify this, and how to install it if necessary.
Task
1 In ePolicy Orchestrator 4.5, click System Tree.
2 In the System Tree, select the level at which to deploy the DLP Agents.
TIP: Leaving the level at My Organization deploys to all workstations managed by ePolicy
Orchestrator.
If you select a level under My Organization, the right-hand pane displays the available
workstations. You can also deploy the DLP Agent to individual workstations.
3 Click the Client Tasks tab. Under Actions, click New Task. The Client Task Builder wizard
opens.
4 In the Name field, type a suitable name, for example, Install DLP Agent.
5 In the Type field, select Product Deployment (McAfee Agent). Click Next.
6 In the Products and Components field, select Data Loss Prevention 9.0.0.x. The Action
field automatically resets to Install.
7 Click Next.
8 Change the Schedule type to Run immediately. Click Next.
9 Review the task summary. When you are satisfied that it is correct, click Save. The task
is scheduled for the next time the McAfee Agent updates the policy. To force the installation
to take place immediately, issue an agent wake-up call.
10 After the DLP Agent has been deployed, restart the agent computers.
Verifying the installation
Use this task to verify the Host DLP Monitor installation.
Task
1 Click Menu | Data Protection | DLP Monitor. The Host DLP Monitor opens with a list
of events, which should include Agent Installation Events.
2 Verify the agent installation and apply the policy enforcement by using the cmdagent.exe /s
command. Refer to the ePolicy Orchestrator/McAfee Agent documentation for information.
Appendix I Deploying McAfee Host Data Loss Prevention with SMS
This appendix reviews the creation of Microsoft System Management Server packages for
deployment of the DLP Agent without using ePolicy Orchestrator.
Microsoft Systems Management Server (SMS) provides a comprehensive solution for deploying
and managing applications and operating systems on Windows desktops and servers. The
following tasks assume working in the Microsoft SMS 2003 environment.
Contents
Creating an installation package
Creating the advertisement
Creating the SMS uninstall package
Creating an installation package
Use this task to create an installation package for deploying DLP Agents using SMS.
Before you begin
Install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). The package can be
downloaded from:
http://www.microsoft.com/downloads/details.aspx?familyid=200B2FD9-AE1A-4A14-984D-389C36F85647.
Task
1 In the Systems Management Server console, right-click Packages and select New |
Package.
2 On the General tab, type the Package Name (required), and the Version, Publisher
and Language (optional).
3 On the Data Source tab, select This Package Contains Source Files, then click Set.
4 In the Set Source Directory window under Source Directory Location, select the type
of connection to the set-up files in the source directory. Type the source directory path in
the text box and click OK.
5 On the Distribution Settings tab, select High from the Sending Priority drop-down menu,
and click OK. The package appears under the Packages node of the site tree.
6 Expand the new package under the Packages node.
7 Right-click Distribution Points and select New | Distribution Point. Select the server
or servers you want to be the distribution points for this package, then click Finish.
8 Right-click Programs and select New | Program. Type the program name.
9 In the Command Line text box, type the DLP command line executable, for example:
msiexec /I DLPAgentInstall.msi /qn /forcerestart.
NOTE: McAfee recommends restarting the managed computer after DLP Agent package
installation. To enable this option use the /forcerestart parameter. To enable the installation
log use /log .
10 On the Environment tab select Whether or not a user is logged on from the Program
can run drop-down menu. Click OK.
NOTE: Verify that Run with Administrative Rights is selected. McAfee Host Data Loss
Prevention setup requires administrative rights to complete installation successfully.
Creating the advertisement
SMS packages need to be "advertised." Use this task to create the SMS package advertisement.
Task
1 In the Systems Management Server console, right-click Advertisements and select New
| Advertisement. Type the advertisement name.
2 From the Package drop-down menu, select the McAfee DLP package name.
3 From the Program drop-down menu, select the McAfee DLP program name.
4 Click Browse and select the collection that the McAfee DLP installation package should
apply to, then click OK.
5 On the Schedule tab, confirm the time that the advertisement is offered, specify if the
advertisement should expire, and when. Click OK.
Creating the SMS uninstall package
Use this task to create the SMS uninstall package.
Task
1 In the Systems Management Server console, right-click Packages and select New |
Package.
2 On the General tab, type the Package Name (required), and the Version, Publisher
and Language (optional).
3 On the Data Source tab, select This Package Contains Source Files, then click Set.
4 In the Set Source Directory window under Source Directory Location, select the type
of connection to the set-up files in the source directory. Type the source directory path in
the text box and click OK.
5 On the Distribution Settings tab, select High from the Sending Priority drop-down menu,
and click OK. The package appears under the Packages node of the site tree.
6 Expand the new package under the Packages node.
7 Right-click Distribution Points and select New | Distribution Point. Select the server
or servers you want to be the distribution points for this package, then click Finish.
8 Right-click Programs and select New | Program. Type the program name.
9 In the Command Line text box, type the DLP command line executable, for example:
msiexec /x DLPAgentInstall.msi /qn /forcerestart
10 On the Environment tab select Whether or not a user is logged on from the Program
can run drop-down menu. Click OK.
Appendix II Users and permission sets
McAfee Host Data Loss Prevention roles and permissions are created and set in ePolicy
Orchestrator. McAfee recommends creating specific administrator roles and permissions for the
DLP Policy Manager and the DLP Monitor. Roles include creating and saving policies, viewing
(but not changing) policies, generating override, uninstall, and quarantine release keys, viewing
the DLP Monitor and revealing sensitive fields in the Monitor.
Sensitive data redaction and the DLP Monitor permission sets
To meet the legal demand in some markets to protect confidential information in all
circumstances, McAfee Host Data Loss Prevention software version 9.0 offers a data redaction
feature. Fields in the DLP Monitor containing confidential information are encrypted to prevent
unauthorized viewing. The feature is designed with a "double key" release. This means that to
use the feature, you must create two permission sets: one to view the monitor and another to
view the encrypted fields. Both roles are required to use the feature.
Contents
Creating and defining DLP administrators
Creating and defining permission sets
DLP permission set options
Creating and defining DLP administrators
Use this task to create and define a DLP administrator in ePolicy Orchestrator.
Task
For option definitions, click ? in the interface.
1 On the ePolicy Orchestrator menu, select User Management | Users.
2 Click New User.
3 Type a user name and specify logon status, authentication type, and permission sets.
McAfee recommends creating user groups related to the role, for example DLP Monitor Viewer.
NOTE: The order of creating users and permission sets is not critical. If you create users
first, user names appear in the permission set form and you can attach them to the set. If
you create permission sets first, the permission set names appear in the user form and
you can attach the user to them.
4 Click Save.
Creating and defining permission sets
Use this task to create and define a DLP administrator permission set in ePolicy Orchestrator.
Task
For option definitions, click ? in the interface.
1 On the ePolicy Orchestrator menu, select User Management | Permission Sets.
2 Click New Permission Set.
3 Type a name for the set and select users.
NOTE: The order of creating users and permission sets is not critical. If you create users
first, user names appear in the permission set form and you can attach them to the set. If
you create permission sets first, the permission set names appear in the user form and
you can attach the user to them.
4 Click Save.
5 In the Data Loss Prevention field for the new permission set, click Edit.
6 Select the required permissions and click Save.
Figure 8: Editing a permission set for HDLP
NOTE: To turn off the sensitive data redaction feature, select User can view DLP Monitor
in the monitor section.
DLP permission set options
Permission set options are designed to give granular control over administrator roles. While the
division of roles is generally optional, if you are using the sensitive data redaction feature, you
must create separate permission sets for the monitor viewer and the administrator who can
reveal the encrypted data.
Use this page to specify permission sets for DLP administrators in ePolicy Orchestrator.
Option definitions
Option: User cannot view policies.
Definition: User is not a policy administrator.

Option: User can only generate Agent Override, Agent Uninstall, and Agent Quarantine Release keys.
Definition: User administrator role is limited to override, uninstall, and release keys.

Option: User can only view policies.
Definition: User can review but not edit policies.

Option: User can view and save policies.
Definition: User has full policy administrator permissions.

Option: User cannot view DLP Monitor.
Definition: User is not a monitor administrator.

Option: User can partially view DLP Monitor (cannot view private fields).
Definition: New in McAfee Host Data Loss Prevention software version 9.0, one of the required
roles for sensitive data redaction.

Option: User can reveal sensitive data but cannot view DLP Monitor.
Definition: New in McAfee Host Data Loss Prevention software version 9.0, one of the required
roles for sensitive data redaction. User can only reveal sensitive data with the presence of a
user with view permissions.

Option: User can view DLP Monitor.
Definition: User has full policy administrator permissions. Use this option if you are not using
the sensitive data redaction feature.