If you have received a Sophos Disk Encryption system policy from Sophos Support or downloaded one from the knowledge database, the system policy must, for security reasons, be signed with the Company Certificate of the current Sophos Endpoint Security and Control environment before the client will accept it.
This article explains how to sign a system policy with the current company certificate.
Known to apply to the following Sophos product(s) and version(s)
Sophos Disk Encryption 5.61.0
Beta Endpoint Security and Control 10.0 (encryption)
What To Do
Before you start, make sure that you have the requirements to perform the action. You need:
- Sophos Disk Encryption System Policy (available from Sophos Support / Sophos Knowledge Database)
- SignFileWithCompCert.zip script
- Access to a machine hosting Sophos Enterprise Console v. 10.1 and the ability to execute a Cscript.exe operation on that machine
- Password of the Sophos Management Host Service account
Download and extract the SignFileWithCompCert.zip file, then copy SignFileWithCompCert.vbs and the system policy (e.g. deactivate_ginachainrepair.xml) to a temporary location (e.g. C:\temp\) on the machine with Sophos Enterprise Console 10.1 installed.
Open a command prompt and use the SignFileWithCompCert.vbs to sign the system policy with the Company Certificate using the following syntax:
- x86 based machine: C:\temp>cscript.exe SignFileWithCompCert.vbs /password:Passw0rd! /policy:deactivate_ginachainrepair.xml
- x64 based machine: C:\temp>C:\Windows\SysWOW64\cscript.exe SignFileWithCompCert.vbs /password:Passw0rd! /policy:deactivate_ginachainrepair.xml
/password: Specify the password of the Sophos Management Host Service account
/policy: Specify the name of the system policy
The script will now sign the specified system policy with the Company Certificate of the environment and display "Signing the System Policy was successful.". The signed system policy is written to the same location as the original policy, under the original file name with the suffix "_Signed.xml".
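The following PowerShell wrapper is an added example, not part of this article or of the SignFileWithCompCert.zip script. It runs the documented signing command with the correct script host for the machine's architecture, prompts for the Management Host Service account password instead of leaving it in the command history, and checks that the "_Signed.xml" file was actually produced. It assumes the script and policy sit in the working directory given as $WorkDir and that the .vbs prints the success line quoted above.

```powershell
# Added example (not part of the Sophos article or the SignFileWithCompCert.zip script).
param(
    [string]$WorkDir = 'C:\temp',                        # assumed location of .vbs and policy
    [string]$Policy  = 'deactivate_ginachainrepair.xml'   # policy file name from the article
)

# The article requires the 32-bit script host on x64 Windows.
$cscript = if ([Environment]::Is64BitOperatingSystem) {
    Join-Path $env:WINDIR 'SysWOW64\cscript.exe'
} else {
    Join-Path $env:WINDIR 'System32\cscript.exe'
}

# Prompt for the password rather than hardcoding it or typing it into the shell history.
# The .vbs only accepts it as an argument, so it is still visible to the process list
# while the signing runs; clear the plaintext copy as soon as the call returns.
$secure = Read-Host -Prompt 'Sophos Management Host Service account password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

Push-Location $WorkDir
try {
    # //Nologo suppresses the cscript banner so the success line is easy to match.
    $output = & $cscript //Nologo 'SignFileWithCompCert.vbs' "/password:$plain" "/policy:$Policy" 2>&1
} finally {
    Pop-Location
    $plain = $null
}

# The signed policy keeps the original name with the "_Signed.xml" suffix.
$signed = Join-Path $WorkDir ([IO.Path]::GetFileNameWithoutExtension($Policy) + '_Signed.xml')
$ok = ($output -match 'Signing the System Policy was successful') -and (Test-Path $signed)
if (-not $ok) {
    Write-Error "Signing failed or $signed was not produced:`n$($output -join "`n")"
    exit 1
}
Write-Host "Signed policy written to $signed."
Write-Host "Copy it to the client's LocalCache import folder and run: SGMCmdIntn.exe -i $(Split-Path $signed -Leaf)"
```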
To apply the system policy to the client machine, the signed system policy can now be copied into the Sophos Disk Encryption Client's import folder in the LocalCache:
- For Windows XP: %ALLUSERSPROFILE%\Application Data\Utimaco\SafeGuard Enterprise\LocalCache
- For Windows Vista, Windows 7: %ALLUSERSPROFILE%\Utimaco\SafeGuard Enterprise\
On the Sophos Disk Encryption Client, locate the tool "SGMCmdIntn.exe" in %WINDIR%\system32\ and run it with -i from the command line:
- SGMCmdIntn.exe -i deactivate_ginachainrepair_Signed.xml
The signed system policy should now disappear from the import folder and be applied to the client.