Manage BitLocker and FileVault with Trellix Native Encryption

In today’s enterprises, the proliferation of data and devices has heightened the complexity of safeguarding confidential information and adhering to compliance requirements. With substantial amounts of data stored on PCs, tablets, and other devices, ensuring the security of sensitive data has become more critical than ever. In this article, we discuss how to manage BitLocker with Trellix Native Encryption. Please see Mac FileVault Encryption: How to enable FileVault disk encryption, and What’s new in Veeam Backup and Replication v11.
Note: When using Trellix Native Encryption, there is no need to decrypt and re-encrypt endpoints. Trellix sells encryption licenses on a per-node basis. Each license can provision a Windows endpoint with either Drive Encryption or management of native encryption for BitLocker.
BitLocker and FileVault are native security features available in modern versions of Windows and OS X. These native features provide full drive encryption by encrypting the data on the drive that Windows or OS X is installed on.
Adopting management of native encryption for BitLocker means you no longer need to manage or maintain Microsoft BitLocker Administration and Monitoring (MBAM) and its associated servers. This lets you consolidate servers and eliminate the related Microsoft licenses, which provides significant cost savings and reduced management overhead. More on this later!
What does Native Encryption Entail?
You should already have an idea of what this is if you have followed up to this point. Native encryption means encrypting your volumes (drives) through the encryption supplied with the operating system, that is, the data encryption method integrated by the OS vendor. Apple offers native encryption in the form of FileVault, and Microsoft offers BitLocker on Windows.
As described by Trellix, Trellix Management of Native Encryption (MNE) is a management product that allows Trellix ePolicy Orchestrator (Trellix ePO) administrators to manage Apple FileVault and Microsoft BitLocker. Trellix Management of Native Encryption provides an easy-to-use administrative interface to manage, report and recover the respective native encryption systems.
To ensure consistent policy and compliance enforcement across all devices and data stores, you need management software for BitLocker, similar to Endpoint Configuration Manager or MBAM. Please see Trellix ePolicy Orchestrator Installation on Windows Server, and how to upgrade Trellix ePolicy Orchestrator.
Trellix MNE lets you take full advantage of Apple FileVault and Microsoft BitLocker native encryption with centralized management through the ePO software. You will be able to centrally manage the following:
- Apple FileVault and Microsoft BitLocker
- Report encryption and compliance status
- Escrow, import, store, and retrieve recovery keys
Benefits of Trellix Native Encryption to Mac and Windows
Trellix Management for Native Encryption enhances the management of Apple FileVault and Microsoft BitLocker, offering the following benefits:
- Trellix hosts MVISION ePO, a cloud SaaS tool for managing endpoint security and more, while the on-prem Trellix ePO is a platform you install and host in your data centre.
- It lets you upgrade from one Windows client or server operating system version to another without having to decrypt and re-encrypt.
- Another interesting benefit is zero-day compatibility with operating system patches and upgrades, for Windows and Apple alike. This also applies to new hardware from Apple and Microsoft.
- Trellix Native Encryption provides a self-service portal, which allows users to recover their own devices.
- Trellix ePolicy Orchestrator supports a BYOD model in which it only reports the compliance state, without managing the device itself.
- Lastly, it has a simplified administration and management portal.
Note: Trellix was previously known as McAfee. It changed its name after Symphony Technology Group (STG) picked up McAfee Enterprise for $4 billion in March 2021 and followed it up in June with a $1.2 billion purchase of FireEye. With the merger of the two cybersecurity firms, the combined company was given a new name. The fully qualified domain name of their site has also changed from mcafee.com to trellix.com.
Below is an image showing the key features for each operating system (Mac and Windows).

ePO Management Installation
This section covers installing the Trellix Native Encryption extensions and packages to manage BitLocker and FileVault, in case you have both OSes.
Method 1: Check in Trellix BitLocker Management Extensions
Extensions are files checked into Trellix ePO that enable you to manage new products. Checking in an extension does not by itself let you deploy a package; it lets you manage the product.
I will not be checking in extensions. This step assumes that you have downloaded the needed extensions from the Trellix Product page. If you have downloaded them, you can check them in via Extensions.
To do this, click on the Trellix menu and, under Software, select Extensions.

Click Install Extension.

Use the Choose File option to browse to the zip files you have downloaded.

Method 2: Software Catalog
Instead of pre-downloading the extensions and packages, you can check them in on the fly via the Software Catalog. This time, select “Software Catalog”.

From the Product category, select your product; in my case, “Trellix Native Encryption Management”.
Note: You could download (check in) the packages via Packages and also check in the extensions separately. In this case, I am selecting all at once, as shown below under Evaluation.

Accept the license terms and click Check In as shown below.

The system now loads and updates the packages and extensions.

We have successfully checked in these extensions and packages. Note: You can also download standalone installers for Windows and Mac. Just proceed to download them and save them to a secure location on your device.

Configure Trellix Native Drive Encryption Policies
From the Trellix menu, select Policy Catalog.

Here you have the various policies. Edit and assign policies based on your lab’s or organisation’s needs.

Below is an example of the BitLocker Product Settings policy. Remember to hit the Save button when you are done.

Note: These policies will be available in the “SYSTEM TREE”, under the “Assigned Policies”.
Deployment and Provisioning of ePO Native Encryption
Management of native encryption lets you manage native encryption functionality from ePO directly. To deploy native encryption management, follow the same method used for all Trellix software. Begin by deploying the agent to the Mac or Windows endpoints through Trellix ePO.
Note: Once management of native encryption is deployed and enabled, it can be configured for “Reporting Only” mode or “Full Management” mode.
“Full Management” mode grants administrative control and enforcement over PCs using Trellix ePO software and allows for escrowing of keys for access and recovery purposes.
You can still use MBAM alongside Trellix in Reporting Only mode. In this scenario, MBAM exclusively manages BitLocker. In the subsequent step, MBAM is retired and Trellix Native Encryption assumes control of encryption operations, now operating in Full Management mode.

Native Encryption Agent Deployment
When management of native encryption is first installed on a system where BitLocker is already running, any existing recovery keys are backed up to Trellix ePO software by pulling them from the client using the BitLocker API.
Additionally, it adds and safely stores the management of native encryption recovery keys in Trellix ePO software. This occurs automatically with the first policy enforcement, as management of native encryption pulls BitLocker into compliance with the management of native encryption policy.
Note: If the agents are not pre-installed, then management of native encryption is deployed in the same way as all McAfee software. First, the agent is deployed to the Mac or Windows endpoint through ePO.
The above step assumes you have successfully integrated Trellix with Active Directory and deployed Trellix Agents to the endpoints before deploying the native encryption agents to the clients. Here is how it works!
Trellix Native Encryption Reporting
Management of native encryption provides detailed, comprehensive reports that put all the information at your fingertips, giving you 360-degree visibility of your organization’s encryption status.
Use the Drive Encryption Go dashboards and customizable reports to gain detailed views of encryption enforcement across your organization. You can use report queries as dashboard monitors that automatically update every five minutes, so you stay informed on high-priority items. Additionally, you can export reports in several formats for easier sharing:
- CSV
- XML
- HTML
Trellix Encryption Go performs a pre-flight check to confirm device compatibility and encryption capability. As shown below, no issues were detected.

The Trellix ePO console manages the encryption keys used for native encryption. It distinguishes between unmanaged (standalone) keys and managed keys (escrowed by the management console).
Note: You can see below, on the MNE dashboard, that these devices are not encrypted yet. So we will have to push the MNE agents to the clients now so they can be encrypted.

File and Removable Media Protection via Native Encryption
You can also use Trellix to protect and enforce encryption of files, folders, removable media, and cloud storage. This option provides the following benefits:
- Prevents unauthorized access to information on network servers and removable media
- Provides key-sharing mechanisms that allow users to share files securely
- Lets users read and edit encrypted data on media without installing software; the data remains encrypted when saved
- Is hardware independent and protects any type of media regardless of cost
Configure Trellix Native Drive Encryption Policies
Assign policies to the required client systems to make sure that systems are managed and function as specified. A policy is a collection of settings that you create in Trellix ePO on-prem and assign to the required Trellix MNE clients (OU) to configure those client systems.
Note: When configuring policies for the first time, you must plan product policies for the different segments of your System Tree, then create and assign policies to groups and systems. This section is broken down into two parts.
Part 1: Launch Client Task Catalog
Client tasks automate system management activities such as product deployment, upgrades, and updates. To do this, from the Trellix menu, launch the Client Task Catalog.

Usually, you would create a “New Task”, but this is not needed here as we already have some tasks, shown below.

I will select Assign next to the Management of Native Encryption – BitLocker task.

I will select the OU I have created in the System Tree, and click OK.

Review and save the Client Task Catalog.

As you can see, this has been assigned.

Part 2: Launch System Tree
You can also modify these settings after creation via the System Tree. Launch the System Tree and edit the BitLocker Product Settings.

Under Assigned Policies, under Policy, click on “My Default” as shown below to modify the BitLocker Product Settings.

Here is a sample of the BitLocker Product Settings. Please read through it for a good understanding. Uncheck the settings that are not needed and save.

Navigate to your Client PC
We have not configured the agent to refresh automatically, because I deployed the agents manually. I will also assign these policies to ensure this is done automatically.
As I said, I have yet to do this, so I will manually refresh the agent.

If you select TPM + PIN (or any of the PIN options), the window below is displayed. If you select TPM only, this window is not displayed, and encryption proceeds without your intervention provided the agent is configured to refresh at regular intervals. Enter the PIN and click OK.

Drive encryption begins immediately.

You can also query the BitLocker Status as shown below.

When encryption completes, you will see the protection status change to enabled, and you can also query the local copy of the BitLocker recovery key using the command below. To do this, start a Command Prompt or PowerShell “as Administrator”:
manage-bde -protectors C: -get
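The manage-bde command above shows the protectors on one volume. As an added example (not code from the original article or from Trellix), the PowerShell script below performs the same kind of local check that the MNE dashboard reports centrally: it verifies the TPM is present and ready, reads each volume’s protection status, encryption method and key protector types, flags whether a recovery password protector exists (the item an escrow service such as ePO stores), and writes a CSV report of the kind the page describes exporting. The report path, the “required protector” set and the compliance rule are assumptions made for this example; the BitLocker and TrustedPlatformModule cmdlets are the built-in Windows ones.

```powershell
# Added example (not from the original article or Trellix): local BitLocker
# pre-flight and compliance check for one Windows endpoint. Run elevated.
# Assumptions for this example: the report path, the required protector set,
# and the compliance rule (protection on + fully encrypted + required protectors).
#Requires -RunAsAdministrator

param(
    [string]$ReportPath = "$env:ProgramData\bitlocker-status.csv",   # assumed location
    [string[]]$RequiredProtectors = @('Tpm', 'RecoveryPassword')      # assumed policy for OS volume
)

Import-Module BitLocker -ErrorAction Stop
Import-Module TrustedPlatformModule -ErrorAction SilentlyContinue

function Get-TpmSummary {
    # Pre-flight: a TPM-based protector needs a present and ready TPM.
    try {
        $tpm = Get-Tpm
        [pscustomobject]@{ TpmPresent = $tpm.TpmPresent; TpmReady = $tpm.TpmReady }
    } catch {
        [pscustomobject]@{ TpmPresent = $false; TpmReady = $false }
    }
}

function Get-VolumeComplianceRecord {
    param([Parameter(Mandatory)]$Volume, [string[]]$Required, $Tpm)

    $types   = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $missing = @($Required | Where-Object { $_ -notin $types })

    # Compliant (by this example's rule): protection on, fully encrypted, and
    # every required protector type present on the volume.
    $compliant = ($Volume.ProtectionStatus -eq 'On') -and
                 ($Volume.VolumeStatus -eq 'FullyEncrypted') -and
                 ($missing.Count -eq 0)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        MountPoint           = $Volume.MountPoint
        VolumeType           = [string]$Volume.VolumeType
        ProtectionStatus     = [string]$Volume.ProtectionStatus
        VolumeStatus         = [string]$Volume.VolumeStatus
        EncryptionMethod     = [string]$Volume.EncryptionMethod
        EncryptionPercentage = $Volume.EncryptionPercentage
        KeyProtectors        = ($types -join ';')
        HasRecoveryPassword  = ('RecoveryPassword' -in $types)
        MissingProtectors    = ($missing -join ';')
        TpmPresent           = $Tpm.TpmPresent
        TpmReady             = $Tpm.TpmReady
        Compliant            = $compliant
        CheckedAt            = (Get-Date).ToString('o')
    }
}

$tpm = Get-TpmSummary
$records = Get-BitLockerVolume | ForEach-Object {
    # Data volumes normally carry no TPM protector, so only require the
    # recovery password there; the OS volume gets the full required set.
    $req = if ($_.VolumeType -eq 'OperatingSystem') { $RequiredProtectors } else { @('RecoveryPassword') }
    Get-VolumeComplianceRecord -Volume $_ -Required $req -Tpm $tpm
}

$records | Format-Table MountPoint, ProtectionStatus, VolumeStatus, EncryptionMethod, KeyProtectors, Compliant -AutoSize
$records | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"

# The recovery password value itself is deliberately not written to the report;
# it belongs in the escrow store (ePO). When you need to read it locally, use:
#   (Get-BitLockerVolume -MountPoint C:).KeyProtector |
#       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
#       Select-Object KeyProtectorId, RecoveryPassword
```

The CSV lines up with what the ePO dashboard shows for the same endpoint, so a mismatch between the two (for example, a volume that is encrypted locally but reported as unmanaged in ePO) points at an agent that has not yet enforced policy or a recovery key that has not been escrowed. Swap Export-Csv for ConvertTo-Xml or ConvertTo-Html if you want the other export formats mentioned above.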
Back in the ePO console, open the MNE dashboard, and you will see one of our clients correctly reported as encrypted.

Conclusion
Management of native encryption empowers you to take full advantage of Apple FileVault and Microsoft BitLocker native encryption with centralized management through McAfee ePO software, which ensures that you have consistent policy and compliance enforcement across your encryption technology stack.
Note: Trellix MNE management does not provide the underlying FileVault or BitLocker encryption technology. If you encounter any issues with FileVault or BitLocker technology, contact Apple for FileVault support and Microsoft for BitLocker support.
Please see how to Disable SQL Auto Close: Auto Close is enabled for both ePO and ePO Events Databases, How to Reload all Microsoft Edge Browser Tabs, and how to Remove clickable icons from the Edge browser.
FAQs on how to Manage BitLocker and FileVault with Trellix Native Encryption
Businesses need to control access to sensitive data to achieve regulatory compliance and reduce liability. Through the use of best practices, encryption can be a simple and effective way to protect your enterprise data.
Encryption plays an essential role as it actively hides the underlying data and prevents unauthorized access to the information. This ensures that even if a device containing confidential information is lost or stolen, the information remains secure.
Centralized management ensures that you have consistent policy and compliance enforcement across your encryption technology stack. Management of native encryption allows you to manage native encryption directly from the Trellix ePO management console.
Yes. You need to push the MNE client software to the endpoints and enable the MNE reporting policy in the first instance. After you see your systems reporting BitLocker status, you can then start removing MBAM from the endpoint and enabling the MNE management policy. For example, set the BitLocker product policy to turn on (enable) BitLocker with appropriate options. If you fail to remove MBAM from the endpoint, it results in conflict between the two management solutions as they compete to manage BitLocker.
No. MNE doesn’t manage the TPM. On Windows 7 systems, you need to manage the TPM yourself. On Windows 8 and above, the operating system can manage the TPM for you if you have not already managed it.
I hope you found this post on how to Manage BitLocker and FileVault with Trellix Native Encryption very useful. Please feel free to leave a comment below.