Authentication

You can define the policy settings for authentication to all FRP modules on the Authentication policy page.

Password

Option Definition
Content Requirements (applicable to both Windows and Mac systems) Defines the password policy rules for FRP Password Authentication, self-extractors, user local keys, CD/DVD/ISO, and removable media in the FRP client. If the password does not conform to a policy, an error message is displayed in the FRP client detailing the reason and prompting the user to try again.
  • Minimum Password Length — Specifies the minimum number of characters (7–40) that must be included in a password. Default value is 7.
  • Minimum Special Characters — Specifies the minimum number of special characters (0–15) that must be included in a password. Default value is 0.
  • Minimum Numeric Characters — Specifies the minimum number of numeric digits (0–15) that must be included in a password. Default value is 0.
  • Minimum Alphabetical Characters — Specifies the minimum number of letters (0–15) that must be included in a password. Default value is 0.
    • Minimum lowercase characters — Specifies the minimum number of lowercase letters (0–15) that must be included in a password. Default value is 0.
    • Minimum uppercase characters — Specifies the minimum number of uppercase letters (0–15) that must be included in a password. Default value is 0.
Content Restrictions (applicable to FRP Password Authentication only)

Defines the password content restrictions that apply to FRP Password Authentication only.

  • No anagrams — The password must not contain a word or phrase formed by rearranging the letters of another word or phrase.
  • No palindromes — The password must not comprise a string that reads the same backward as forward.
  • No user name — The password must not contain the user name.
  • No simple sequences — The password must not contain simple sequences (for example, 1234 or abcd) or a sequence based on the previous password.
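The Content Requirements and Content Restrictions above are plain counting and pattern rules, so a client-side validator is easy to model. The block below is an added illustration, not FRP's own code: `PasswordPolicy`, `check_password` and `has_simple_sequence` are assumed names, the default values mirror the ones listed above, and the "simple sequence" and "anagram" readings (a run of four characters stepping by one, and a rearrangement of the previous password) are assumed interpretations because the page does not define them precisely.

```python
import string
from dataclasses import dataclass

SPECIAL = set(string.punctuation)  # assumed set of "special characters"

@dataclass
class PasswordPolicy:
    min_length: int = 7        # 7-40, default 7
    min_special: int = 0       # 0-15, default 0
    min_numeric: int = 0       # 0-15, default 0
    min_alpha: int = 0         # 0-15, default 0
    min_lower: int = 0         # 0-15, default 0
    min_upper: int = 0         # 0-15, default 0
    no_anagrams: bool = False
    no_palindromes: bool = False
    no_user_name: bool = False
    no_simple_sequences: bool = False

def has_simple_sequence(s, run=4):
    """Assumed reading: a run of `run` characters stepping by +1 or -1 (1234, abcd, dcba)."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(b) - ord(a) for a, b in zip(s[i:i + run], s[i + 1:i + run])}
        if steps in ({1}, {-1}):
            return True
    return False

def check_password(pw, policy, user_name="", previous_password=""):
    """Return the list of rule violations; an empty list means the password conforms."""
    counts = {
        "special": sum(c in SPECIAL for c in pw),
        "numeric": sum(c.isdigit() for c in pw),
        "alphabetical": sum(c.isalpha() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
    }
    minimums = {"special": policy.min_special, "numeric": policy.min_numeric,
                "alphabetical": policy.min_alpha, "lowercase": policy.min_lower,
                "uppercase": policy.min_upper}
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters required")
    for kind, need in minimums.items():
        if counts[kind] < need:
            problems.append(f"at least {need} {kind} characters required")
    low = pw.lower()
    if policy.no_palindromes and len(low) > 1 and low == low[::-1]:
        problems.append("password must not be a palindrome")
    if policy.no_user_name and user_name and user_name.lower() in low:
        problems.append("password must not contain the user name")
    if policy.no_anagrams and previous_password and sorted(low) == sorted(previous_password.lower()):
        problems.append("password must not be an anagram of the previous password")
    if policy.no_simple_sequences and has_simple_sequence(pw):
        problems.append("password must not contain a simple sequence such as 1234 or abcd")
    return problems
```

Each violation is reported separately, matching the client behaviour of telling the user every reason the password was rejected.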
Client Display Options (applicable to FRP Password Authentication only)
  • Allow user to see typed password — Enables the user to view the password as it is being typed. This option is disabled by default.
  • Display list of password rules to user — Enables the user to view the password content requirements from the client. This option is enabled by default.
Change Requirements (applicable to FRP Password Authentication only)
  • Prevent change — Prevents the user from changing the password.
  • Require change after __ days (1-366) — Requires that the user change the password at predefined intervals.
    • Warn user before change required - days __ (1-30) — Notifies the user to change the password before it expires.
  • Enable password history - changes __ (1-10) — Prevents the user from reusing the last X number of passwords in the password history.
Incorrect Password Behavior (applicable to FRP Password Authentication only)
  • Invalidate password after __ invalid attempts (1-100) — The number of failed logon attempts before the user password is invalidated and a recovery operation is required.
  • Initiate exponential backoff timeout after __ invalid attempts (1-20) — The number of times a user can enter an incorrect password before a timeout is enforced.
    • Maximum timeout - minutes __ (1-64) — The maximum time that the user is unable to enter password credentials after exceeding the allowed number of invalid attempts.
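The three Incorrect Password Behavior settings interact: failed attempts beyond the backoff threshold impose a growing timeout capped at the configured maximum, and reaching the invalidation count forces a recovery operation. The block below is an added model of that interaction, not FRP's own logic: `LockoutState` and `attempt` are assumed names, and the backoff curve (1, 2, 4, ... minutes) is an assumption because the page only says the timeout is exponential.

```python
from dataclasses import dataclass

@dataclass
class LockoutState:
    invalidate_after: int = 10   # "Invalidate password after __ invalid attempts" (1-100)
    backoff_after: int = 3       # "Initiate exponential backoff timeout after __ invalid attempts" (1-20)
    max_timeout_min: int = 64    # "Maximum timeout - minutes __" (1-64)
    failures: int = 0
    locked_until: float = 0.0    # minutes on a monotonic clock
    invalidated: bool = False

    def attempt(self, correct: bool, now_min: float) -> str:
        """Outcome of one logon attempt at time now_min: ok, wrong, timeout or invalidated."""
        if self.invalidated:
            return "invalidated"          # password unusable; recovery operation required
        if now_min < self.locked_until:
            return "timeout"              # inside the backoff window; credentials cannot be entered
        if correct:
            self.failures = 0             # successful logon resets the counter (assumed)
            return "ok"
        self.failures += 1
        if self.failures >= self.invalidate_after:
            self.invalidated = True
            return "invalidated"
        excess = self.failures - self.backoff_after
        if excess >= 0:
            # Assumed curve: doubles per attempt past the threshold, capped at the maximum.
            self.locked_until = now_min + min(2 ** excess, self.max_timeout_min)
        return "wrong"
```

Note that attempts made during a timeout are refused rather than counted, so the timeout slows an online guessing attempt without accelerating the user toward invalidation.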

Smart card PKI

Smart cards are not supported out of the box in this release. Raise a Product Enhancement if smart card-based authentication that is independent of Windows logon is required for your environment.

Option Definition
Initialization Method

Client-side Initialization

  • Use Windows user name if DN not available — Initializes the smart card with the Windows user name when a DN is not available. This option is enabled by default.

PIN Options
  • Allow PIN change — Allows the user to change the PIN.
    Note: This option works only if the smart card allows a change PIN operation.
  • Allow user to see typed PIN — Allows the user to view the PIN in the user interface.
Lock Triggers
  • On smart card removal — Unloads encryption keys when the smart card is removed, making encrypted files inaccessible.

OS Token

Option Definition
Initialization Method Require authentication using Active Directory credentials at first logon — Select this option to require users to authenticate using Active Directory domain credentials at first logon on a client system for access to encryption keys assigned to OS Authentication. This option is disabled by default.
Note: Users will always be required to authenticate using Active Directory credentials with McAfee Endpoint Assistant.

McAfee Endpoint Assistant

Option Definition
Passcode Definition Select one of the following options to set a PIN or password to authenticate to the McAfee Endpoint Assistant app:
  • PIN, exactly 4 digits — Enforces a PIN with exactly 4 digits.
  • PIN, exactly 6 digits — Enforces a PIN with exactly 6 digits.
  • PIN, exactly 8 digits — Enforces a PIN with exactly 8 digits.
  • Password: Minimum 6 characters with 1 numeric, 1 alphabetical characters — Enforces a password of at least 6 characters containing at least 1 numeric and 1 alphabetical character.
  • Password: Minimum 6 characters with 1 numeric, 1 uppercase and 1 lowercase characters — Enforces a password of at least 6 characters containing at least 1 numeric, 1 uppercase, and 1 lowercase character.
  • Password: Minimum 8 characters with 1 numeric, 1 uppercase, 1 lowercase and 1 symbol characters — Enforces a password of at least 8 characters containing at least 1 numeric, 1 uppercase, 1 lowercase, and 1 symbol character.
Client-to-Server Sync Sync interval __ min (5-2880) — Enter the time in minutes to allow the McAfee Endpoint Assistant app on the client's mobile device to synchronize with the McAfee ePO server periodically.

Require periodic authentication using domain (AD) credentials — Enable this option to mandate periodic authentication on the McAfee Endpoint Assistant app using the Active Directory domain credentials.

Every __ days (1-365) — Enter the number of days.

Note: This option is enabled only if the Require periodic authentication using domain (AD) credentials option is enabled.

Connection Timeout After seconds __ (5-300) — Enter the time in seconds to configure the timeout before the McAfee Endpoint Assistant application stops waiting for a response from McAfee ePO. It is recommended to tune this value based on the network latency in your specific environment.

Encryption Key Options

Option Definition
Unlock Triggers Specifies the conditions at which users are prompted to authenticate (if required) and encryption keys are loaded.
  • Windows logon — If there are any keys associated with the Password token, an authentication prompt is shown to users immediately after Windows logon.

    If there are any keys associated with the OS token, those keys are loaded (if available) immediately following a successful OS logon.

  • Encryption key access — Prompts the user to authenticate whenever a user-initiated action requires access to an encryption key.
  • McAfee tray — Enables the user to manually logon/logoff to FRP using the McAfee tray Quick Settings menu.
Lock Triggers Specifies the conditions that trigger the unloading of encryption keys.
  • Windows screen lock — Requires that the user reauthenticate if Windows is not used for the configured time period (0-720 minutes). Default value is 0.
    Note: When you set the timeout to 0, the FRP keys are dropped immediately after the screen is locked. When you disable the Windows screen lock, the keys are not dropped, even though the screen is locked, because the policy is disabled.
  • Key use inactivity — Requires that the user reauthenticate if encryption keys have not been used for the configured time period (5-720 minutes). Default value is 60.
Client-to-Server Sync Sync interval __ min (5-2880) — Enter the time in minutes after which the client system synchronizes with the McAfee ePO server periodically. Default value is 120 minutes.
Key Cache (this option is applicable only to keys that are assigned to systems and not users) Enable Key Cache expiry — Enables the automatic removal of keys from the key cache if the client system fails to connect to the McAfee ePO server within the Key Cache expiry period.
Note: Status XML does not contain key information if the keys have been unloaded due to key cache expiry.

Key Cache expiry period — Specifies the number of days after which all keys are removed from the key cache. This is applicable when Enable Key Cache expiry is selected and the client system has not connected to the McAfee ePO server. Default value is 90 days.

Custom Messages

Option Definition
OS Token Initialization Prompt (Windows) The text displayed to prompt end users to authenticate using the Active Directory domain credentials to provide the OS token on a particular system.
OS Token Initialization Prompt (McAfee Endpoint Assistant app) The text displayed to prompt end users to authenticate using the Active Directory domain credentials to allow provisioning of the McAfee Endpoint Assistant application.
Authentication Prompt (Windows) The text displayed to prompt end users to authenticate to FRP.
Authentication Failure (Windows) The text displayed to end users when authentication to FRP password token fails.
Recovery Messages (Windows) Password recovery — The text displayed to end users when FRP password token recovery is initiated.

Smart card recovery — The text displayed to end users when FRP smart card recovery is initiated.