How to sign a Sophos Disk Encryption System Policy with the Company Certificate of the Sophos Endpoint Security and Control version 10.1 environment.

  • Article ID: 116669
  • Updated: 23 Dec 2014

If you have received a Sophos Disk Encryption system policy from Sophos Support or downloaded a Sophos Disk Encryption system policy from the knowledge database, for security reasons, the system policy needs to be signed with the Company Certificate of the current Sophos Endpoint Security and Control environment, before the client will accept the system policy.

This article explains how to sign a system policy with the current company certificate.

Known to apply to the following Sophos product(s) and version(s)
Sophos Disk Encryption 5.61.0
Beta Endpoint Security and Control 10.0 (encryption)

What To Do

Before you start, make sure that you have everything required to perform the action. You need:

  • Sophos Disk Encryption System Policy (available from Sophos Support / Sophos Knowledge Database)
  • The SignFileWithCompCert.vbs signing script
  • Access to a machine hosting Sophos Enterprise Console 10.1, with permission to run cscript.exe on that machine
  • Password of the Sophos Management Host Service account

Download and extract the file, then copy SignFileWithCompCert.vbs and the system policy (e.g. deactivate_ginachainrepair.xml) to a temporary location (e.g. C:\temp\) on the machine where Sophos Enterprise Console 10.1 is installed.

Open a command prompt and use SignFileWithCompCert.vbs to sign the system policy with the Company Certificate, using the following syntax:

  • x86 based machine: C:\temp>cscript.exe SignFileWithCompCert.vbs /password:Passw0rd! /policy:deactivate_ginachainrepair.xml
  • x64 based machine: C:\temp>C:\Windows\SysWOW64\cscript.exe SignFileWithCompCert.vbs /password:Passw0rd! /policy:deactivate_ginachainrepair.xml

    /password: Specify the password of the Sophos Management Host Service account
    /policy: Specify the name of the system policy

The script now signs the specified system policy with the Company Certificate of the environment and displays "Signing the System Policy was successful." The signed system policy is written to the same location as the original policy, under the original name with the suffix "_Signed.xml" (for example, deactivate_ginachainrepair_Signed.xml).
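As an added example that is not part of this article or of the SignFileWithCompCert.vbs script itself, the following PowerShell wrapper runs the signing step described above on the Enterprise Console machine and checks the result. It assumes the script and the unsigned policy are in the working folder, that the script prints the success message quoted above, and that the 32-bit cscript.exe must be used on x64 systems as the article states; the parameter names, the default working folder and the success check are assumptions.

```powershell
# Added example, not Sophos code: run SignFileWithCompCert.vbs and verify that the
# "_Signed.xml" policy was produced. Parameter names and checks are this wrapper's own.
param(
    [Parameter(Mandatory = $true)]
    [string] $Policy,                 # e.g. deactivate_ginachainrepair.xml
    [string] $WorkDir = 'C:\temp'     # folder holding the .vbs and the policy
)

$scriptPath = Join-Path $WorkDir 'SignFileWithCompCert.vbs'
$policyPath = Join-Path $WorkDir $Policy
if (-not (Test-Path $scriptPath)) { throw "SignFileWithCompCert.vbs not found in $WorkDir" }
if (-not (Test-Path $policyPath)) { throw "Policy $Policy not found in $WorkDir" }

# The article requires the 32-bit script host (SysWOW64) on x64 Windows. Detect the OS
# architecture from the environment so this also works from a 32-bit PowerShell session.
$is64BitOS = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
$cscript = if ($is64BitOS) {
    Join-Path $env:windir 'SysWOW64\cscript.exe'
} else {
    Join-Path $env:windir 'System32\cscript.exe'
}

# Prompt for the Management Host Service account password instead of typing it into the
# command line, so it is not left in the shell history.
$secure = Read-Host -Prompt 'Sophos Management Host Service account password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

Set-Location $WorkDir
# //Nologo suppresses the cscript banner so only the script's own output is captured.
$output = & $cscript //Nologo 'SignFileWithCompCert.vbs' "/password:$plain" "/policy:$Policy" 2>&1
$plain = $null
$output | ForEach-Object { Write-Host $_ }

# Expected result: <policy name>_Signed.xml next to the original, plus the success message.
$signedName = [IO.Path]::GetFileNameWithoutExtension($Policy) + '_Signed.xml'
$signedPath = Join-Path $WorkDir $signedName
if (($output -join "`n") -notmatch 'Signing the System Policy was successful' -or -not (Test-Path $signedPath)) {
    throw "Signing failed: $signedName was not produced in $WorkDir"
}
Write-Host "Signed policy written to $signedPath. Copy it to the client's LocalCache import folder."
```

Run it as `.\Sign-SdePolicy.ps1 -Policy deactivate_ginachainrepair.xml` (the file name is whatever you save the wrapper as). Because the .vbs takes the password as a /password: argument, it is still briefly visible in the cscript.exe process command line while the script runs; the prompt only keeps it out of the console history.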

To apply the system policy to the client machine, the signed system policy can now be copied into the Sophos Disk Encryption Client's import folder in the LocalCache:

  • For Windows XP: %ALLUSERSPROFILE%\Application Data\Utimaco\SafeGuard Enterprise\LocalCache
  • For Windows Vista, Windows 7: %ALLUSERSPROFILE%\Utimaco\SafeGuard Enterprise\

On the Sophos Disk Encryption Client, locate the tool SGMCmdIntn.exe in %WINDIR%\system32\ and run it with the -i switch from the command line:

  • SGMCmdIntn.exe -i deactivate_ginachainrepair_Signed.xml

The signed system policy should now disappear from the import folder and be applied to the client.

If you need more information or guidance, then please contact technical support.
