FRP client events

Enforcement of FRP policies generates client events, which include the Event ID and appropriate information related to the event.

Removable media events

Table 1: Event types
Event ID Event Definition
20500 Removable Media Device Insert Event This event is reported whenever any type of removable media is inserted in the client.

Event severity: 0

20501 Removable Media User Response Event This event is reported whenever the user clicks Yes or No in the Removable Media Format Message window.

Event severity: 0

20502 Removable Media Initialization Start Event This event is reported whenever the user clicks Initialize or Cancel in the Removable Media Initialization window.

Event severity: 0

20503 Removable Media Initialization End Event This event is reported when initialization is complete.

Event severity: 4

20504 Removable Media Device Ejection Event This event is reported whenever any type of removable media is ejected from the client.

Event severity: 0

20509 Removable Media Device Upgrade Event This event is reported whenever the removable media is being upgraded to support large file sizes (> 4GB).

Event severity: 0

20521 Removable Media Application Upgrade event This event is reported when the removable media application is upgraded.
20553 Removable Media Authorization Success Event This event is reported when the user's removable media is authorized successfully.
20554 Removable Media Authorization Failure Event This event is reported when the user's removable media authorization is failed.
20555 Removable Media Recovery Success Event This event is reported when the user's removable media is recovered successfully.
20556 Removable Media Recovery Failure Event This event is reported when the user's removable media recovery is failed.
20557 Removable Media Authentication Change Success Event This event is reported when the user has changed the removable media authentication details successfully.
20558 Removable Media Authentication Change Failure Event This event is reported when the user's request for changing the removable media authentication details is failed.
Table 2: Event details
Information type Definition
Event ID Event ID number
System

  • User information (DomainName\UserName)
  • Time-stamp

Initialization

  • Initialization state (Failed, Canceled, Successful)
  • Backup state (None, Failed, Canceled, Successful)
  • Time taken for initialization (in sec)
  • Time taken for backup (in sec)
  • Backup size (in GB)
  • Size of protected part (only when initialization has completed successfully, in GB)

Device

  • Size (in GB)
  • File system of device (FAT32, NTFS, EERM)
    Note: File system for devices with new container format (support for files > 4 GB) are shown as FAT32; devices with legacy container are shown as EERM.
  • Vendor name
  • Product name
  • Exempted (Yes, No, Unknown)
  • Protected (Yes, No, Unknown) USB and CD/DVD media encrypted by either onsite only access or offsite access are both considered protected devices. They appear in both FRP queries as protected media.
    Note: Any new events sent from the FRP client to McAfee ePO will have an updated media status.

Event specific fields User response — Valid for events 20501 and 20502 only

Optical Media client events

Table 3: Event types
Event ID Event Definition
20505 Optical Media Initialization Start Event This event is reported whenever the user clicks Initialize or Cancel in the Initialization window.

Event severity: 0

20506 Optical Media Initialization End Event This event is reported when initialization is complete.

Event severity: 0

20507 Optical Media Insertion Event This event is reported whenever an optical media is inserted in the client.

Event severity: 0

20508 Optical Media Ejection Event This event is reported whenever a optical media is ejected from the client.

Event severity: 0

Table 4: Event details
Information type Definition
Event ID Event ID number
Computer

  • Name of the computer
  • User name
  • IP address
  • Operating system type

Media type

  • For Optical Media Initialization Start Events, the smallest disk type that can hold archived data (ISO, CD, DVD, or DVD-DL)
  • For Optical Media Initialization End Events, the physical media detected (for example, CD-ROM)
  • For Optical Media Insertion and Ejection Events, "Optical"

Device

  • Disk globally unique identifier (GUID)
  • Protected (Yes, No, Unknown) (only CD/DVDs protected by the "offsite access" options are considered protected)
  • Protected size (GB)
    • For Optical Media Initialization Start Events, the value is 0
    • For Optical Media Initialization End Events, the size of the encrypted archive
    • For Optical Media Insertion and Ejection Events, the size of the encrypted archive if the media is FRP encrypted

Event description

  • Description of the event
  • Event generation time

Event specific fields Initialization state (Failed, Canceled, Successful) (Optical Media Insertion and Ejection Events only)
Note: Only relevant information is captured in each event. For example, a device insert event does not contain the initialization state.

FRP: Key Authentication events

Table 5: Event types
Event ID Event Definition
20510 Token initialization success event This event is reported when token initialization is complete.

Event severity: 0

20511 Token initialization failure event This event is reported when token initialization fails.

Event severity: 1

20512 Authentication success event This event is reported when authentication successfully completes.

Event severity: 0

20513 Authentication failure event This event is reported when authentication fails.

Event severity: 1

20514 Authentication token invalidation event This event is reported when an authentication token has been invalidated by exceeding permitted incorrect attempts.

Event severity: 1

20515 Authentication change success event This event is reported when an authentication change successfully completes.

Event severity: 0

20516 Authentication change failure event This event is reported when an authentication change fails.

Event severity: 1

20517 Authentication recovery success event This event is reported when authentication recovery successfully completes.

Event severity: 0

20518 Authentication recovery failure event This event is reported when authentication recovery fails.

Event severity: 1

20519 Authentication recovery expired event This event is reported when the authentication recovery password has expired based on FRP Key Authentication settings.

Event severity: 1

20520 Authentication lockout event This event is reported when authentication locks out for the user.
20522 Advance Debug Option event This event is reported when the device inserted by the user is exempted by the system for better security.

Cloud provider client events

Table 6: Event types
Event ID Event Definition
20551 Cloud provider report event This event is reported when the cloud provider sends a report to the McAfee ePO server, even if any protection level is not selected.
20552 Cloud provider audit event This event is reported when the cloud provider sends an audit-level report to the McAfee ePO server, when the Audit protection level policy is selected.