Sophos SafeGuard Disk Encryption for Mac: information on Single Sign-On functionality and limitations

  • Article ID: 116756
  • Updated: 08 May 2014

This article gives an overview of the SSO (Single Sign-On) functionality and limitations in Sophos SafeGuard Disk Encryption for Mac. This feature is available as of version 6.00.0.

Known to apply to the following Sophos product(s) and version(s)

Sophos SafeGuard Disk Encryption for Mac 6.00.0

What To Do

Single Sign-On between Power-On Authentication and Mac OS X logon including a simple password synchronization:

Sophos SafeGuard Disk Encryption for Mac 6.0 can be operated in a mode where users only have to enter their credentials at Power-on Authentication (POA) and are then automatically logged on to Mac OS X as individual users. For Single Sign-On, a user needs the same user name and password at Power-on Authentication and in Mac OS X.

In addition, several technical prerequisites must be met for Single Sign-On. For further information, see "Single-sign on (SSO) and password synchronization" below.

Sophos SafeGuard Disk Encryption for Mac also offers a feature to change the passwords at Power-on Authentication and in Mac OS X and keep them synchronized. The password change is triggered from Sophos SafeGuard Disk Encryption for Mac 6.0 and is supported for local Mac OS X users and for Active Directory mobility accounts.

The following limitations apply to Single Sign-On between the SafeGuard (SSG) POA and Mac OS X:

The Single Sign-On feature of Sophos SafeGuard Disk Encryption for Mac 6.0 depends on two Mac OS X settings: "Automatic login" and "Display login window as" (both found under System Preferences > Users & Groups > Login Options on 10.7). "Automatic login" must be activated.

In general the "Display login window as" setting should be irrelevant, but Sophos has seen issues when running on Mac OS X 10.7 (Lion). At the time of the Sophos SafeGuard Disk Encryption for Mac 6.0 release, the current Mac OS X release was 10.7.2. To avoid these issues on Mac OS X 10.7 (Lion), set "Display login window as" to "List of users".

  1. The setting "Display login window as" must not be set to "Name and password"

    On Mac OS X 10.7, "Display login window as" must be set to "List of users". If it is set to "Name and password" on Mac OS X 10.7 (Lion), a successful Single Sign-On still works, but Mac OS X becomes entirely unusable after an unsuccessful Single Sign-On: nobody can log on any more. An unsuccessful Single Sign-On can happen, for example, when a user's passwords in the POA and in Mac OS X have gone out of sync, or when the SafeGuard user does not exist in Mac OS X. Treat this as a lockout risk: before enabling SSO on a 10.7 machine, verify that every POA user has a matching Mac OS X account and that the login window setting is correct.

    Sophos has observed this behaviour under all OS X 10.7 builds released before March 2012. The behaviour could no longer be reproduced under the preview version of Mac OS X 10.8 (Mountain Lion).

  2. In order to use SSG's Single Sign-On, the Mac OS X setting "Automatic login" must not be set to "Off".

    Setting it to "Off" stops the Single Sign-On process at the Mac OS X logon, and Mac OS X waits for user interaction. Clicking one of the displayed user names makes the system continue with the logon process. It is irrelevant which user name you click: the Single Sign-On continues and the user who was logged on at the POA is the one logged on to Mac OS X.

    sgadmin --enable-sso ensures that this setting has a correct value (not "Off"). Do not set it back to "Off" later, for example in System Preferences, while the product is installed or Sophos SafeGuard Disk Encryption Single Sign-On is enabled. To disable Single Sign-On correctly, call sgadmin --disable-sso. This sets "Automatic login" back to "Off" and deactivates Single Sign-On.

Single-sign on (SSO) and password synchronization:

Sophos SafeGuard Disk Encryption for Mac 6.0 can be operated in a mode where users only log on at the POA and then boot straight into the Mac OS X desktop as individual users. To make this SSO possible, the user at Power-on Authentication and the user in Mac OS X must have the same user name and password.

This means that a Sophos SafeGuard administrator needs to create the SafeGuard users initially so that each user name matches the user name of the corresponding Mac OS X user with which SSO is to take place.

Note: Sophos SafeGuard Disk Encryption for Mac 6.0 offers SSO for local Mac OS X users as well as for Active Directory mobility accounts.

How to set up:

  1. A user must be created in Sophos SafeGuard Disk Encryption for Mac that matches the Mac OS X user. Their user names and passwords must be identical. The Mac OS X user can be either a local user or an Active Directory mobility account.
  2. SSO must then be enabled in Sophos SafeGuard Disk Encryption for Mac. This can only be done from the command line:

    sgadmin --enable-sso

    (sgadmin --disable-sso turns SSO off again.)
  3. When you log on to the POA with this user ID, the user is logged on to Mac OS X automatically.

As already described under limitations, on Mac OS X 10.7 the setting "Display login window as" must be set to "List of users".
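The prerequisites from the limitations above and from these setup steps can be checked before running sgadmin --enable-sso. The following script is an added example and is not part of the Sophos article or product. It assumes (the article does not say this) that "Display login window as" is stored in /Library/Preferences/com.apple.loginwindow under the key SHOWFULLNAME (true means "Name and password"), that "Automatic login" is stored in the same domain as autoLoginUser (absent means "Off"), and that dscl can read local users and AD mobility accounts from the local directory node. It only reports and changes nothing, because sgadmin must own the "Automatic login" setting:

```sh
#!/bin/sh
# sso_preflight.sh - report whether a Mac meets the SafeGuard SSO prerequisites
# described in this article before running `sgadmin --enable-sso`.
# Added example, not Sophos code. Assumptions (not stated by the article):
#   - "Display login window as" lives in /Library/Preferences/com.apple.loginwindow
#     as SHOWFULLNAME (true = "Name and password", false/absent = "List of users")
#   - "Automatic login" lives in the same domain as autoLoginUser (absent = Off)
#   - dscl can read local users and AD mobility accounts from the local node "."
# The script only reports; sgadmin must be the one to change Automatic login.

# sso_settings_ok SHOWFULLNAME AUTOLOGINUSER
#   $1: value of SHOWFULLNAME ("1"/"true" = Name and password; anything else = List of users)
#   $2: auto-login user name, or empty when Automatic login is Off
# Returns 0 when both prerequisites hold, 1 otherwise (problems go to stderr).
sso_settings_ok() {
    showfullname=$1
    autologin=$2
    ok=0
    case "$showfullname" in
        1|[Tt][Rr][Uu][Ee]|[Yy][Ee][Ss])
            echo "FAIL: 'Display login window as' is 'Name and password'; on 10.7 a failed SSO locks everyone out. Set it to 'List of users'." >&2
            ok=1 ;;
        *)
            echo "ok: 'Display login window as' is 'List of users'" ;;
    esac
    if [ -z "$autologin" ]; then
        echo "FAIL: 'Automatic login' is Off; SSO would stall at the Mac OS X login window. Enable SSO with sgadmin --enable-sso, not by hand." >&2
        ok=1
    else
        echo "ok: 'Automatic login' is on (user '$autologin')"
    fi
    return $ok
}

# read_setting DOMAIN KEY: print the value, or nothing when the key is unset
# (Mac OS X only; `defaults` does not exist elsewhere)
read_setting() {
    defaults read "$1" "$2" 2>/dev/null || printf ''
}

# osx_user_exists NAME: 0 when Mac OS X has a local or mobility account of that name
osx_user_exists() {
    dscl . -read "/Users/$1" RecordName >/dev/null 2>&1
}

# preflight SAFEGUARD_USER: run every check on the live system; 0 only if all pass
preflight() {
    user=$1
    domain=/Library/Preferences/com.apple.loginwindow
    rc=0
    if osx_user_exists "$user"; then
        echo "ok: Mac OS X account '$user' exists"
    else
        echo "FAIL: no Mac OS X account named '$user'; SSO for this POA user would fail" >&2
        rc=1
    fi
    sso_settings_ok "$(read_setting "$domain" SHOWFULLNAME)" \
                    "$(read_setting "$domain" autoLoginUser)" || rc=1
    return $rc
}

# Live run only on a Mac and only when a user name was given, so the file can
# also be sourced for its functions on other systems.
if [ "$(uname 2>/dev/null)" = Darwin ] && [ -n "$1" ]; then
    preflight "$1"
fi
```

Run it as root on the Mac with the SafeGuard user name as the only argument (for example `sudo sh sso_preflight.sh alice`); a non-zero exit means at least one prerequisite from the article is not met. The user-name check catches the "SafeGuard user does not exist in Mac OS X" case from limitation 1 before a failed SSO can lock the machine, but it cannot tell whether the two passwords match; that still has to be confirmed with the user.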

In addition, Sophos SafeGuard Disk Encryption for Mac 6.0 contains a feature to change the passwords at Power-on Authentication and in Mac OS X together, so that they stay in sync.

Note: This feature has several limitations, especially compared to SGN for Windows.

  • The password change dialog in Sophos SafeGuard Disk Encryption for Mac triggers the password change.
  • If the currently logged on SafeGuard user and the Mac OS X user have the same user name, the password change dialog displays an additional "Sync Passwords" checkbox.
  • If the user leaves the checkbox set and clicks "OK", Sophos SafeGuard attempts to change the password in Sophos SafeGuard Disk Encryption for Mac and in Mac OS X (the user password and the login keychain password) in a synchronized way.
  • When this succeeds, Sophos SafeGuard Disk Encryption for Mac does not disturb the user with a success message; it simply updates the "Modified" timestamp.
  • If any of the three passwords cannot be changed, all passwords remain unchanged. This can happen, for example, when the new password violates the password rules of Sophos SafeGuard Disk Encryption for Mac, of Mac OS X or of Active Directory. In this case none of the passwords is changed and they all keep their old value, so the POA and Mac OS X passwords never go out of sync as a result of this dialog.
  • If the user clears the checkbox, only the password in Sophos SafeGuard Disk Encryption for Mac is changed.
  • The "Sync Passwords" checkbox is only available for the user who is currently logged on to Mac OS X.

 