Sophos SafeGuard Disk Encryption for Mac 6.01.0: Release Notes

  • Article ID: 118131
  • Updated: 29 Jan 2014

Known to apply to the following Sophos product(s) and version(s)

Sophos SafeGuard Disk Encryption for Mac 6.01.0

New features of version 6.01

Support for Mac OS X 10.8 and Gatekeeper

Sophos SafeGuard Disk Encryption for Mac 6.01 is available for Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion).

Its installer and binaries have been digitally signed with a developer ID certificate provided by Apple. It is therefore possible to install the product with the Gatekeeper feature set to “Mac App Store and identified developers”.

Support of Target Disk Mode

With Sophos SafeGuard Disk Encryption for Mac 6.01 Target Disk Mode is supported with certain technical constraints.

Contact Sophos support to get the necessary tools and documentation.

Support for Mac Firmware updates on Macs that have Sophos SafeGuard Disk Encryption for Mac 6.01 installed

With Sophos SafeGuard Disk Encryption for Mac 6.01, it is now possible to update the Mac firmware while Sophos SafeGuard Disk Encryption for Mac 6.01 is installed. However, for this to work, several technical preconditions must be met:

  1. There must be a boot partition of type Apple_Boot, and it must be formatted as JHFS+.

    Note: A default Mac OS X 10.7 or 10.8 recovery partition qualifies as such an Apple_Boot partition.

  2. By default, the firmware-update-functionality of Sophos SafeGuard Disk Encryption for Mac 6.01 is turned off. To be able to use it, you must turn it on.

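    This can be done from the command line with the following commands. Note that a password given with --authenticate-password on the command line can be recorded in shell history and is visible in the process list while the command runs.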

    • To turn the feature on:

    sgadmin --enable-firmware-update [--authenticate-user "admin username"] [--authenticate-password "admin password"]

    The Mac needs to be rebooted before the new setting becomes active.

    • To turn the feature off:

    sgadmin --disable-firmware-update [--authenticate-user "admin username"] [--authenticate-password "admin password"]

    The Mac needs to be rebooted before the new setting becomes active.

    • To query the firmware update status:

    sgadmin --status

Enhanced keyboard support in Power-on Authentication

In previous versions of Sophos SafeGuard Disk Encryption for Mac, several keys were not supported in Power-on Authentication (POA), for example <SHIFT>-<TAB> and the <ALT>-key.

Sophos SafeGuard Disk Encryption for Mac 6.01 solves these issues. It is now possible to step counterclockwise through the logon screen in POA, as <SHIFT>-<TAB> is now supported.

Key combinations that contain the <ALT> key are now also supported. In addition, all text entry fields in POA display an icon that shows whether Caps Lock is active or not.

Supported hardware and configurations

  • Hardware (Intel-based 64 bit CPU only)

MacBook

MacBook Pro

MacBook Air

iMac

Mac mini

Mac Pro

  • EFI

EFI32 (firmware)

EFI64 (firmware)

With the following terminal command, the EFI firmware can be verified:

"ioreg -l -p IODeviceTree | grep firmware-abi"

The return value should be "firmware-abi" = <"EFI64" > or "firmware-abi" = <"EFI32" >.

  • Operating system

10.8 (Mountain Lion) recent patch level (at least patch level of release date - September 2012)

10.7 (Lion) recent patch level (at least patch level of release date - September 2012)

  • Update of Sophos SafeGuard Disk Encryption for Mac

Sophos SafeGuard Disk Encryption for Mac 5.55 and 6.0 can be updated to 6.01.

  • Update of Mac OS X versions

To update the operating system from Mac OS X 10.5 (Leopard) to 10.6 (Snow Leopard), to 10.7 (Lion) or to 10.8 (Mountain Lion), you need to uninstall Sophos SafeGuard Disk Encryption for Mac first. This step includes a final decryption of encrypted partitions.

After the successful update of OS X you need to install Sophos SafeGuard Disk Encryption 6.01 and encrypt the partitions again.

Bootcamp Support

It is necessary to set up a machine with a Bootcamp partition prior to installing Sophos SafeGuard Disk Encryption for Mac 6.01. It is not supported to set up or remove Bootcamp after installing Sophos SafeGuard Disk Encryption. Note that it is not supported to change/resize the partition layout after installing Sophos SafeGuard Disk Encryption.

If the default operating system is changed from OS X to Windows, it cannot be set back to OS X, neither with Windows Bootcamp Control Panel nor with OS X Startup Disk Utility. This has to be done using the functionality provided by Sophos SafeGuard Disk Encryption.

You can set the default boot system to OS X in the following ways:

By using the user interface:
  • Open SafeGuard Disk Management.
  • Open the Edit menu and select Boot this operating system by default. You must authenticate as an OS X Administrator.
By using Terminal:
  • Open a Terminal and enter “sudo sgadmin --set-boot”. You must authenticate as an OS X Administrator.

Time Machine backups

The following components of Sophos SafeGuard Disk Encryption should be excluded from Time Machine backups:

  • /.com.sophos
  • /System/Library/Extensions/sgbiodrv.kext
  • /usr/sbin/sgd
  • /usr/bin/sgadmin
  • /Library/Sophos SafeGuard
  • /Library/LaunchDaemons/com.sophos.sgd.plist
  • /Library/LaunchDaemons/com.sophos.sgsd.plist
  • /Library/LaunchAgents/com.sophos.sguimenu.plist
  • /Library/LaunchAgents/com.sophos.sgsynclang.plist
  • /Applications/sgui.app
  • /usr/share/man/man1/sgadmin.1
  • /usr/share/man/man1/sgsd.1
  • /usr/bin/sgsd
  • /Library/Security/SecurityAgentPlugins/Sophos_SSO.bundle
  • /var/spool/sg
  • /var/sg
  • /var/sgkernel 
  • /var/run/sgd.pid

Unsupported hardware, configurations, and operations

  • Hardware

PowerPC-based hardware

  • Operating systems

Version 10.6 and earlier versions.

  • Bootcamp + SafeGuard Enterprise/SafeGuard Easy for Windows

Sophos SafeGuard Disk Encryption for Mac supports Bootcamp, but SafeGuard Enterprise must not be installed in the Windows partition. This restriction is valid until explicitly stated otherwise in the SafeGuard Enterprise for Windows documentation.

  • The following limitations apply to the product:

Sophos SafeGuard Disk Encryption for Mac does not support multi-boot systems, that is, multiple installations of OS X on the same Mac.

Sophos SafeGuard Disk Encryption for Mac and Mac OS X FileVault 2 must not be run on one machine at the same time. If you are going to use Sophos SafeGuard Disk Encryption for Mac, no local partition must be encrypted by FileVault 2. You must ensure that FileVault 2 is disabled before you install Sophos SafeGuard Disk Encryption for Mac. If you want to use FileVault 2, Sophos SafeGuard Disk Encryption for Mac must not be installed.

Do not install the software on systems with more than 50 partitions.

We recommend you do not encrypt more than five partitions simultaneously.

Single Sign On between Sophos SafeGuard Disk Encryption POA and Mac OS X

To turn on the Sophos SafeGuard Disk Encryption Single Sign On feature, run the command sgadmin --enable-sso from terminal.

To turn off the Sophos SafeGuard Disk Encryption Single Sign On feature, run the command sgadmin --disable-sso from terminal.

With some sub-versions of Mac OS X 10.7 and 10.8, the Sophos SafeGuard Disk Encryption Single Sign On feature does not work as expected. For example, Single Sign On does not work at all and OS X stops at its logon window, or the same user is always logged on to OS X regardless of which user has logged on to Sophos SafeGuard Disk Encryption at pre-boot level.

Should these problems occur, follow these guidelines:

  1. The 'Single Sign On' feature of Sophos SafeGuard Disk Encryption depends on two Mac OS X settings: Automatic login and Display login window as. You can find these settings under System Preferences > Users & Groups > Login Options. In general, the setting of Display login window as is irrelevant, but in some OS X versions Single Sign On only works if the OS X setting Display login window as is set to List of users. Check the Sophos knowledgebase article 116756 for the current state.
  2. To use the Sophos SafeGuard Disk Encryption 'Single Sign On' feature, the Mac OS X setting Automatic login must not be set to Off. If the setting is set to Off, the Single Sign On process stops in Mac OS X logon and Mac OS X waits for user interaction. Click one of the user names displayed to trigger the system to continue with the logon process. It is irrelevant which user name you click. Single Sign On continues and the user who has logged on at POA is logged on to Mac OS X.

If a Mac shows the behavior described above, you need to manually set the two OS X settings mentioned to the correct values.

  • To activate Single Sign On, ensure that both settings are set to a correct value. Then run sgadmin --enable-sso.
  • To turn Single Sign On off again, change these OS X settings back manually. Then run sgadmin --disable-sso.

Keyboard: The non-numeric keys on the numeric keypad cannot be guaranteed to give the same character sequence when the keyboard is changed from one layout to another, so only use "0-9" from that block. This is because EFI only returns a US ANSII character equivalent and no modifier keys. During translation, the normal keyboard key takes precedence over the numeric keypad key. This affects the non-numeric keys on the numeric keypad, that is, the '=', '/', '', '-', '+', '*' keys. These keys may translate into different characters depending on the keyboard layout. For example, on a German keyboard the numeric keypad '' key will translate into the keyboard '(' character. The code has been developed and tested with the following keyboards: US, French, German. There is no guarantee that other keyboards work.

Keyboard - Caps Lock key LED: On some keyboards the LED of the Caps Lock key does not light up when the key is pressed. To show the user that Caps Lock is active, a small icon is displayed on the right-hand side of each text entry field in POA.

Partitioning: After Sophos SafeGuard Disk Encryption for Mac has been installed it is not possible to change the partitioning layout. You must not change anything with "gpt" or "diskutil". Important: If someone repartitions the machine you will not be able to use it, and you will need to completely re-install this machine in order to use it again.

You must also not add additional hard drives to a Mac after Sophos SafeGuard Disk Encryption for Mac has been installed.

In particular, you must not start the initial encryption of a volume on a disk that has been added after the installation of Sophos SafeGuard Disk Encryption for Mac, because this can lead to data loss of the data stored on this volume!

Formatting: Formatting of encrypted partitions is not supported. If you want to remove all data, we recommend that you delete the files or decrypt the partition, format it and encrypt it again.

Note: Only HFS+ and HFS+ (Journaled) are supported. The hard drive must be GPT-partitioned.
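
The requirements stated on this page (EFI32/EFI64 firmware, a GPT-partitioned disk, no more than 50 partitions, no FileVault 2, and an Apple_Boot partition for firmware update support) can be checked before installation. The script below is an added example, not part of the Sophos product or documentation; the function names and sample output are constructed, and it assumes that the first disk listed by diskutil is the internal boot disk and that an Apple_CoreStorage partition is a hint that FileVault 2 may be in use.

```shell
#!/bin/sh
# Added example: pre-install checks run over captured command output.

# Print the firmware ABI (EFI32/EFI64) found in `ioreg -l -p IODeviceTree` output on stdin.
firmware_abi() {
    sed -n 's/.*"firmware-abi" = <"\(EFI[0-9]*\)" *>.*/\1/p' | head -n 1
}

# Summarise `diskutil list` output on stdin as "<partitions> <gpt> <apple_boot> <corestorage>".
# Assumption: the first disk listed is the internal boot disk.
scan_disks() {
    awk '$1 ~ /^[0-9]+:$/ {
             if ($1 == "0:") { if (!seen++) gpt = ($2 == "GUID_partition_scheme") }
             else n++
             if ($2 == "Apple_Boot") boot = 1
             if ($2 == "Apple_CoreStorage") cs = 1
         }
         END { print n + 0, gpt + 0, boot + 0, cs + 0 }'
}

# preflight IOREG_TEXT DISKUTIL_TEXT: print findings; exit status = number of failed checks.
preflight() {
    fails=0
    abi=$(printf '%s\n' "$1" | firmware_abi)
    read -r parts gpt boot cs <<EOF
$(printf '%s\n' "$2" | scan_disks)
EOF
    case "$abi" in
        EFI32|EFI64) echo "ok:   firmware-abi is $abi" ;;
        *) echo "FAIL: firmware-abi is not EFI32/EFI64"; fails=$((fails + 1)) ;;
    esac
    [ "$gpt" -eq 1 ] || { echo "FAIL: first disk is not GPT-partitioned"; fails=$((fails + 1)); }
    [ "$parts" -le 50 ] || { echo "FAIL: $parts partitions (limit 50)"; fails=$((fails + 1)); }
    [ "$cs" -eq 0 ] || echo "WARN: Apple_CoreStorage present; confirm FileVault 2 is off"
    [ "$boot" -eq 1 ] || echo "WARN: no Apple_Boot partition; firmware update support unavailable"
    return "$fails"
}

# Constructed sample output (not captured from a real machine).
SAMPLE_IOREG='    |   "firmware-abi" = <"EFI64">'
SAMPLE_DISKUTIL='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3'

preflight "$SAMPLE_IOREG" "$SAMPLE_DISKUTIL" || echo "preflight: $? check(s) failed"
```

On a Mac, pass live output instead of the samples: preflight "$(ioreg -l -p IODeviceTree)" "$(diskutil list)".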

Target Disk Mode: With Sophos SafeGuard Disk Encryption for Mac 6.01 Target Disk Mode is supported under certain technical constraints.

Contact Sophos support to get the necessary tools and documentation.

diskutil from a system started via network boot: Do not use diskutil from a system started via network boot while local partitions are encrypted. In this case diskutil does not recognize the encrypted partitions and wants to initialize them. Doing so results in data loss.

Erasing partitions: Erasing a partition while an initial encryption or a final decryption operation is performed is not supported. Also, erasing encrypted partitions is not supported. Partitions have to be decrypted first and can then be encrypted again.

Unmounted partitions and encryption/decryption: Starting initial encryption or final decryption for partitions that are not mounted is not supported. Unmounting a partition while it is encrypting or decrypting is also not supported. Doing so may result in data loss.

OS upgrades (for example from 10.7 to 10.8) are not supported as long as Sophos SafeGuard Disk Encryption for Mac is installed: It is necessary to decrypt the partitions of your Mac first and then to uninstall Sophos SafeGuard Disk Encryption for Mac. Afterwards, you can upgrade the operating system, install Sophos SafeGuard Disk Encryption for Mac released for the new OS X version and encrypt the partitions again.

Deep Sleep: When Sophos SafeGuard Disk Encryption for Mac is installed, the hibernation feature "Deep Sleep" is not supported and is disabled. Some applications do not auto-save their data when sleep mode is activated. If sleep mode is used for an extended period while the Mac is not connected to power and such an application is open with unsaved data, data might be lost.

Bad sectors: We recommend not to install the product if there are bad sectors on your hard disk. Initial encryption does not stop when bad sectors are encountered, but a log entry is created in the kernel log.

Initial encryption/final decryption on data partitions: Before you begin to encrypt a data partition ensure that all files on this partition are closed. The same is valid for the final decryption of a data partition: Ensure that all files are closed during the very last steps of the decryption, when Sophos SafeGuard Disk Encryption for Mac removes the Sophos icon of the partition.

Mac OS X Safe Boot usage: When booting into Safe Boot / Safe Mode it is not possible to use sgadmin or the SafeGuard menu. This is related to Mac OS X not loading 3rd party launch agents / daemons (sgd) in the Safe Boot / Safe Mode functionality.

 
If you need more information or guidance, then please contact technical support.
