Sophos SafeGuard Native Device Encryption is a management tool used to manage the recovery key and report on the status of Apple's FileVault 2 encryption. As the underlying technology is FileVault 2, any limitations and experiences with SafeGuard will mirror those of FileVault 2, including the preboot authentication in which a user is prompted to log in before Mac OS X completes the boot process.

Before you install SafeGuard, make sure to review the following information to help ensure a successful installation:

Hardware:
    Intel-based Macintosh (PowerPC-based Macs are not supported)
    At least 2 GB RAM
    40 MB available in the file system where SafeGuard will be installed

Software:
    Mac OS X versions supported: 10.8, 10.9, & 10.10
    Mac OS X 10.11 is not yet supported.

Apple RAID driver:
    SafeGuard cannot encrypt a RAID configuration as FileVault does not support a RAID volume.

Boot Camp Assistant:
    You cannot use Boot Camp Assistant to install Boot Camp multi-boot after SafeGuard is installed. Install Boot Camp and complete your Windows installation before you install SafeGuard.

Imaging:
    Imaging with SafeGuard installed is not supported.

Disk Types:
    SafeGuard Native Device Encryption for Mac can only encrypt internal (standard or solid state) disks.

Other Encryption Software:
    If other encryption software is being used (such as Check Point), ensure the hard drive is decrypted and a reboot has been performed after decryption before installing SafeGuard.

Miscellaneous Notes:
    Do not install or uninstall on battery power.
    Do not force a power-off during installation or uninstallation.
    Back up all data before installation.
    Make sure the disk is error-free before installation.
    Do not try to uninstall SafeGuard when the disk is being encrypted. This may cause data loss.
If you are attempting to install SafeGuard when the machine is already encrypted with FileVault, you must have the existing FileVault recovery key available to import into SafeGuard. Without it, SafeGuard administrators cannot assist with password recovery and you are at risk of data loss. If you do not have the recovery key, decrypt the machine and go through the normal installation process as follows. If you do have the recovery key, skip to the Installing with FileVault encryption present section.

The following describes the installation of Sophos SafeGuard Native Device Encryption on Mac OS X clients.

Installation prerequisites

Before starting the installation, make sure the SGN server certificate has been imported into the system keychain and is set to Always Trust for SSL. To do this, perform the following:

1. From the Finder, select Go > Connect to Server, enter smb://its-fp1.ur.rochester.edu/apps and click Connect. Once the share mounts, go to Security/Encryption and copy the Mac directory to your computer.

2. Import the its-sge-wp1.cer file into your keychain from the terminal.

   !!! DO NOT USE KEYCHAIN ACCESS TO ADD THE CERTIFICATE !!!

   Open the Terminal app and run the following command:

       sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain -r trustAsRoot -p ssl "/folderofcert/its-sge-wp1.cer"

   where /folderofcert is the local folder where you copied the certificate.

3. Open a web browser and check that your SafeGuard Enterprise Server is available by browsing to https://its-sge-wp1.ur.rochester.edu (ensure the link is https and not http).

4. Open Disk Utility (Macintosh HD > Applications > Utilities > Disk Utility).

5. Select the System Drive and then click Verify. If Verify discovered problems with the disk, proceed to step 6; otherwise, proceed with the installation of the SafeGuard Device Encryption software (see the Installation section).

6. Click Repair Disk to resolve any issues. When done, go back to step 5 and verify the disk.
Installation

1. Double-click the Sophos SafeGuard DE.dmg to start the installation.

2. If you would like to learn more about the product, double-click on and read through the offered readme.html file; otherwise, double-click Sophos SafeGuard DE.pkg and follow the installation wizard. You will be prompted for your password to allow the installation of new software.

3. Click Close to complete the installation.

4. Restart your computer and log on with your Mac password.

5. Open the System Preferences and click the Sophos Encryption icon to start the application.

6. Click the Server tab.

7. Select the Managed Client (Default).zip file and drag the zip file to the "Drag configuration zip file here" box.

8. You will be prompted to enter a Mac administrator password. Enter the password and click OK to confirm. Enter your password again to restart and begin encrypting. If you are asked to restart again after you reboot your machine, click Restart.

9. Return to the Server tab in Sophos Encryption under System Preferences. Click Synchronize. A successful connection will result in an updated "Last Contacted" time stamp (Tab Server, Server Info area, Last Contacted). An unsuccessful connection will display the red X icon.

10. Your system disk should now start encrypting. This can be verified by going to the Disk Encryption tab and reading the Status. It should read "The system disk is currently being encrypted. A centrally stored recovery key is available."

If any error messages appear, please contact the University IT Help Desk at 585-275-2000. In order to provide efficient service, please have the name of your computer ready. To find your computer name, go to System Preferences and open the Sharing Preference.
Installing with FileVault encryption present

If you have the existing FileVault recovery key, follow the steps below to install SafeGuard and import your key to the SafeGuard server. If you do not have the existing FileVault recovery key, decrypt the machine and go through the normal installation process.

1. Follow the normal installation prerequisites.

2. Follow the normal installation process until it comes time to Synchronize. You will not have to restart as you would in the regular installation since your machine is already encrypted.

3. You should receive this notification: and the Disk Encryption tab should have the following status:

4. Open Terminal, and type the following command:

       sudo sgdeadmin --import-recoverykey <YOUR KEY HERE>

   Type your password when prompted, and the recovery key should import successfully.

5. Return to the Disk Encryption tab, and the status should change to include "a centrally stored recovery key is available".
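
A preflight check for the conditions this guide sets before installing (AC power, FileVault state, recovery key on hand, certificate trusted for SSL), written as an added example; it is not part of the original guide or of Sophos SafeGuard. The function names and the CERT and HAVE_KEY environment variables are assumptions made for this example; the parsing functions take the text printed by pmset -g batt and fdesetup status as an argument, and the live checks run only on macOS.

```shell
#!/bin/sh
# Added example: preflight for the SafeGuard install described in this guide.
# Function names, CERT and HAVE_KEY are hypothetical, chosen for this example.

# Map the output of `pmset -g batt` to "ac", "battery" or "unknown".
power_source() {
  case "$1" in
    *"'AC Power'"*)      echo ac ;;
    *"'Battery Power'"*) echo battery ;;
    *)                   echo unknown ;;
  esac
}

# Map the output of `fdesetup status` to "off", "on", "busy" or "unknown".
# "busy" (encryption or decryption still running) is tested first because
# the progress line is printed after the On/Off line.
filevault_state() {
  case "$1" in
    *"in progress"*)      echo busy ;;
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Pick the section of the guide that applies.
# $1 power source, $2 FileVault state, $3 "yes" if the existing key is on hand.
install_path() {
  [ "$1" = ac ] || { echo "stop: connect AC power"; return 1; }
  case "$2" in
    off)  echo "normal installation" ;;
    on)   [ "$3" = yes ] || { echo "stop: no recovery key, decrypt first"; return 1; }
          echo "install with FileVault present, then import key" ;;
    busy) echo "stop: wait for FileVault to finish"; return 1 ;;
    *)    echo "stop: FileVault state unknown"; return 1 ;;
  esac
}

# Live run on macOS only, e.g. CERT=/folderofcert/its-sge-wp1.cer HAVE_KEY=yes
if [ "$(uname -s)" = Darwin ] && [ -n "${CERT:-}" ]; then
  /usr/bin/security verify-cert -c "$CERT" -p ssl \
    || echo "stop: certificate is not trusted for SSL"
  install_path "$(power_source "$(pmset -g batt)")" \
               "$(filevault_state "$(fdesetup status)")" "${HAVE_KEY:-no}"
fi
```
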