Sophos SafeGuard Disk Encryption for Mac 6.00.0 Release Notes
Known to apply to the following Sophos product(s) and version(s)
Sophos SafeGuard Disk Encryption for Mac 6.00.0
New features of version 6.0
Display of status data in the SafeGuard Management Center and Inventory reporting with SafeGuard Enterprise 6.0
SafeGuard Enterprise is a modular security suite that enforces security on Windows endpoints using administrator-defined policies. SafeGuard Enterprise offers full disk encryption, file-based encryption, Active Directory integrated central management, reporting, multi-factor authentication and many more security features for Windows endpoints. Endpoints are managed by SafeGuard Enterprise security officers in the SafeGuard Management Center. For further information on SafeGuard Enterprise, see http://www.sophos.com/en-us/products/encryption/safeguard-enterprise.aspx and the SafeGuard Enterprise documentation.
With Sophos SafeGuard Disk Encryption 6.0, a client configuration package (.zip file) can be installed on a Mac to connect it to the SafeGuard Enterprise environment (SafeGuard Management Center, server and database). The Mac then reports its inventory data to the SafeGuard Enterprise Database. In the SafeGuard Management Center Inventory, the Mac's inventory data is displayed.
This enables a SafeGuard Enterprise security officer to check, for example, whether a lost or stolen Mac was encrypted at the time of its last server contact.
The following machine details are shown in the Inventory:
- Machine name of the Mac
- Operating system version
- Type of Power-on Authentication (Mac)
- State of Power-on Authentication (enabled/disabled)
- Number of plaintext and encrypted partitions
- Time stamp of last server contact
- State (up-to-date yes/no) of the SafeGuard Enterprise company certificate, which is necessary to connect a Mac to a SafeGuard Management Center. The certificate is imported with the client configuration package.
- Encryption details per partition (drive name and label, partition type, encryption state, encryption algorithm)
- Details of the company certificate
Power-on Authentication can be deactivated
With version 6.0 it is now possible to deactivate Power-on Authentication (POA). If Power-on Authentication is deactivated, partitions remain encrypted, but interactive authentication during the pre-boot phase is not required. This is useful, for example, when Macs have to be started with Wake on LAN for unattended operating system tasks.
Note: Deactivating the POA reduces system security and increases the risk of unauthorized access to encrypted data, because the Mac then boots without anyone presenting a POA credential. Keep the period during which POA is deactivated as short as possible. The POA state is part of the inventory data, so a security officer can identify Macs on which it is deactivated.
POA can be deactivated and activated by using the user interface or SGADMIN. The SGADMIN commands are:
- sgadmin --poa on
- sgadmin --poa off
Single Sign On between Power-on Authentication and Mac OS X logon including simple password synchronization
Sophos SafeGuard Disk Encryption for Mac can be operated in a mode where users only have to enter their credentials at Power-on Authentication and are then automatically logged on to Mac OS X as individual users. For Single Sign On, users need to have the same user names and passwords at Power-on Authentication and in Mac OS X.
In addition, several technical prerequisites must be met for Single Sign On. For further information, see Unsupported hardware, configurations and operations.
Sophos SafeGuard Disk Encryption also offers a feature to change the passwords at Power-on Authentication and in Mac OS X and keep them synchronized. Sophos SafeGuard Disk Encryption 6.0 triggers the password change; this is supported for local Mac OS X users and for Active Directory mobility accounts.
Support for Intel's hardware-accelerated AES encryption (AES-NI)
Most current Macs have Intel Core i5 and i7 CPUs that support AES-NI (Advanced Encryption Standard New Instructions). Sophos SafeGuard Disk Encryption for Mac 6.0 uses AES-NI for bulk data encryption whenever it is available.
Sophos SafeGuard Disk Encryption thereby minimizes the performance loss caused by encryption. Most hard drives can be operated at the same speed as without encryption. AES-NI is especially beneficial if the drive is an SSD, because a fast drive would otherwise be held back by AES computed in software.
Update of the SafeGuard Enterprise company certificate
SafeGuard Enterprise 6.0 offers a new feature to update company certificates required for connecting Macs to a SafeGuard Enterprise environment in a secure way (for example, if a company certificate is about to expire). With Sophos SafeGuard Disk Encryption for Mac 6.0 you can import a new company certificate to maintain the connection with the SafeGuard Enterprise environment.
Authentication as SafeGuard Admin user required for backup and restore of authentication data
To prevent unauthorized users from restoring backups of Sophos SafeGuard Disk Encryption authentication data, the backup and restore processes for authentication data now require successful authentication as a SafeGuard Admin user.
New command line switches
Sophos SafeGuard Disk Encryption for Mac 6.0 offers new command line parameters for SGADMIN:
- sgadmin --status
Displays more details.
- sgadmin --poa on
Turns Power-on Authentication on.
- sgadmin --poa off
Turns Power-on Authentication off.
- sgadmin --enable guimenu
Displays the Sophos SafeGuard Disk Encryption menu.
- sgadmin --disable guimenu
Hides the Sophos SafeGuard Disk Encryption menu.
- sgadmin --synchronize
Starts data synchronization with the SafeGuard Enterprise server.
- sgadmin --contact-interval "interval"
Defines a new time interval for data synchronization between the Mac and the SafeGuard Enterprise server.
- sgadmin --import-config "/path/to/target/file"
Imports a SafeGuard Enterprise client configuration package (.zip file) to connect a Mac protected by Sophos SafeGuard Disk Encryption to a SafeGuard Management Center or to update the company certificate.
- sgadmin --enable-sso
Enables Single Sign On from POA to Mac OS X.
- sgadmin --disable-sso
Disables Single Sign On from POA to Mac OS X.
- sgadmin --backup-authentication
Now requires authentication as a SafeGuard Admin user.
- sgadmin --backup-kernel
Now requires authentication as a SafeGuard Admin user.
For further details on these commands, enter "man sgadmin" on the command line on a Mac with Sophos SafeGuard Disk Encryption for Mac 6.0 installed.
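As an added example (not Sophos code and not taken from these release notes), the following wrapper deactivates POA only for the duration of an unattended task, such as one started after Wake on LAN, and reactivates it afterwards even if the task fails or is interrupted. It uses only the documented switches sgadmin --poa on, sgadmin --poa off and sgadmin --status, assumes nothing about the text that --status prints, and assumes the shell running it has whatever privileges sgadmin --poa requires on your Mac. The SGADMIN variable and the functions poa_set and with_poa_disabled are names introduced here.

```sh
#!/bin/sh
# Added example, not Sophos code: keep the window in which Power-on
# Authentication is deactivated as short as possible and guarantee that it is
# switched back on, even when the maintenance task fails or is killed.
# Assumption: this shell has the privileges that "sgadmin --poa" requires.

SGADMIN="${SGADMIN:-sgadmin}"   # path to sgadmin; overridable for testing

poa_set() {   # $1 = on | off ; fails if sgadmin refuses the request
    "$SGADMIN" --poa "$1"
}

# with_poa_disabled CMD [ARGS...]
# Deactivates POA, runs CMD, reactivates POA. Returns CMD's exit status, or 1
# if POA could not be switched. The EXIT/INT/TERM trap covers the case where
# CMD is interrupted, so the Mac is not left without pre-boot authentication.
with_poa_disabled() {
    poa_set off || { echo "could not deactivate POA; task not started" >&2; return 1; }
    trap 'poa_set on' EXIT INT TERM
    if "$@"; then rc=0; else rc=$?; fi
    trap - EXIT INT TERM
    poa_set on || { echo "WARNING: POA is still OFF, reactivate it manually" >&2; return 1; }
    return $rc
}

# Usage on a Mac:  sh poa_window.sh <command> [args...]
if [ $# -gt 0 ]; then
    with_poa_disabled "$@"
    status=$?
    "$SGADMIN" --status     # lets the operator confirm that POA is on again
    exit $status
fi
```

The final sgadmin --status call is for the operator; whether POA is on is also reported in the Management Center inventory, which is where a security officer should check after a maintenance window.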
Supported hardware and configurations
- Hardware (Intel-based 64 bit CPU only)
With the following Terminal command, the EFI firmware can be verified:
ioreg -l -p IODeviceTree | grep firmware-abi
The return value should be "firmware-abi" = <"EFI64"> or "firmware-abi" = <"EFI32">.
- Operating system
10.7 (Lion) recent patch level (at least patch level of release date - February 2012)
10.6 (Snow Leopard) recent patch level
10.5 (Leopard) recent patch level
- Update of Sophos SafeGuard Disk Encryption for Mac
Sophos SafeGuard Disk Encryption for Mac 5.50.1 and 5.55 can be updated to 6.0.
- Update of Mac OS X versions
To update the operating system from Mac OS X 10.5 (Leopard) to 10.6 (Snow Leopard) or to 10.7 (Lion), you need to uninstall Sophos SafeGuard Disk Encryption for Mac first. This step includes a final decryption of encrypted partitions.
After the successful update you need to install Sophos SafeGuard Disk Encryption 6.0 and encrypt the partitions again.
- Time Machine
Change the exclude rules of your Time Machine configuration: add "Library/LaunchDaemons/com.sophos.sgsd.plist" to the list.
- Bootcamp
A machine with a Bootcamp partition must be set up prior to installing Sophos SafeGuard Disk Encryption. It is not supported to set up or remove Bootcamp after installing Sophos SafeGuard Disk Encryption. Note that it is not supported to change or resize the partition layout after installing Sophos SafeGuard Disk Encryption.
If the default operating system is changed from OS X to Windows, it cannot be set back to OS X with the Windows Bootcamp Control Panel or with the OS X Startup Disk preference pane. This has to be done using the functionality provided by Sophos SafeGuard Disk Encryption.
You can set the default boot system to OS X in the following ways:
1. By using the user interface:
- Open SafeGuard Disk Management.
- Open the Edit menu and select Boot this operating system by default. You need to authenticate as an OS X administrator.
2. By using Terminal:
- Open a Terminal and enter "sudo sgadmin --set-boot". Note that OS X administrator authentication is required.
Unsupported hardware, configurations and operations
- Operating system
Version 10.4 and earlier versions.
- Bootcamp + SafeGuard Enterprise/SafeGuard Easy for Windows
Sophos SafeGuard Disk Encryption for Mac supports Bootcamp, but SafeGuard Enterprise must not be installed in the Windows partition. This restriction is valid until explicitly stated otherwise in the SafeGuard Enterprise for Windows documentation.
- The following limitations apply to the product:
Sophos SafeGuard Disk Encryption for Mac does not support multi-boot systems, that is, multiple installations of OS X on the same Mac.
Sophos SafeGuard Disk Encryption for Mac and Mac OS X 10.7 (Lion) FileVault 2 must not run on one machine at the same time. If you are going to use Sophos SafeGuard Disk Encryption for Mac, no local partition may be encrypted by FileVault. You must ensure that FileVault is disabled before you install Sophos SafeGuard Disk Encryption for Mac. If you want to use FileVault, Sophos SafeGuard Disk Encryption for Mac must not be installed.
Do not install the software on systems with more than 50 partitions.
We recommend not encrypting more than five partitions simultaneously.
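An added example (not Sophos code) that turns the EFI firmware check from the Supported hardware section and the restrictions in this list (supported Mac OS X versions, GPT partitioning, no FileVault 2, at most 50 partitions) into a preflight script to run before installation. The check_* functions take command output as text, so they can be tried on constructed samples; the preflight function gathers the real output on a Mac. Two things are assumptions not stated on this page: a FileVault 2 volume is recognized by an Apple_CoreStorage entry in "diskutil list", and partitions are counted as diskNsM identifiers in that listing. All function names are introduced here.

```sh
#!/bin/sh
# Added example, not Sophos code: preflight checks for the supported
# configuration before installing SafeGuard Disk Encryption for Mac 6.0.
# Assumptions (not from the release notes): FileVault 2 shows up as an
# Apple_CoreStorage partition, and every diskNsM line in "diskutil list"
# is one partition.

# Firmware: expects the output of
#   ioreg -l -p IODeviceTree | grep firmware-abi
check_firmware_abi() {
    case "$1" in
        *firmware-abi*EFI64*|*firmware-abi*EFI32*) return 0 ;;
        *) echo "firmware-abi is neither EFI32 nor EFI64: unsupported firmware"; return 1 ;;
    esac
}

# OS: expects the output of "sw_vers -productVersion"; 10.5 to 10.7 supported
check_os_version() {
    case "$1" in
        10.5|10.5.*|10.6|10.6.*|10.7|10.7.*) return 0 ;;
        *) echo "Mac OS X $1 is not supported (10.5, 10.6 or 10.7 required)"; return 1 ;;
    esac
}

# Disks: expects the output of "diskutil list"; prints one line per problem
check_disk_layout() {
    listing="$1"; rc=0
    if ! printf '%s\n' "$listing" | grep -q 'GUID_partition_scheme'; then
        echo "no GPT-partitioned disk found: the drive must be GPT-partitioned"; rc=1
    fi
    if printf '%s\n' "$listing" | grep -q 'Apple_CoreStorage'; then
        echo "Apple_CoreStorage volume present: disable FileVault 2 before installing"; rc=1
    fi
    n=$(printf '%s\n' "$listing" | grep -cE 'disk[0-9]+s[0-9]+$') || true
    if [ "$n" -gt 50 ]; then
        echo "$n partitions found: do not install on systems with more than 50"; rc=1
    fi
    return $rc
}

# On a Mac: gather the real outputs and run every check; returns 1 on any failure
preflight() {
    rc=0
    check_firmware_abi "$(ioreg -l -p IODeviceTree | grep firmware-abi)" || rc=1
    check_os_version "$(sw_vers -productVersion)" || rc=1
    check_disk_layout "$(diskutil list)" || rc=1
    [ $rc -eq 0 ] && echo "preflight passed"
    return $rc
}

# Run automatically only where diskutil exists, i.e. on a Mac
if command -v diskutil >/dev/null 2>&1; then preflight; fi
```

The script reports every violated rule rather than stopping at the first one, so a single run tells you whether a Mac needs FileVault turned off, a repartition to GPT, or both, before the product is installed.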
Single Sign On between Sophos SafeGuard Disk Encryption POA and Mac OS X
The Single Sign On feature of Sophos SafeGuard Disk Encryption depends on two Mac OS X settings: Automatic login and Display login window as (both in the Login Options of System Preferences). Automatic login must be activated.
In general, the setting of Display login window as would be irrelevant, but we have seen issues on Mac OS X 10.7 (Lion). At the time of the Sophos SafeGuard Disk Encryption for Mac 6.0 release, the current Mac OS X release is 10.7.2. To avoid issues on Mac OS X 10.7 (Lion), set Display login window as to List of users.
- The setting of "Display login window as" must not be set to "Name and password".
Under Mac OS X 10.7, Display login window as must be set to List of users. If it is set to Name and password on Mac OS X 10.7 (Lion), a successful Single Sign On works, but Mac OS X becomes entirely unusable after an unsuccessful Single Sign On. This means that you cannot log on anymore.
This can happen, for example, if the passwords of a user in the POA and in Mac OS X have gone out of sync or the SafeGuard user does not exist in Mac OS X. Check Sophos knowledgebase article 116756 for the current state of this issue seen with Mac OS X 10.7.
- To use the Sophos SafeGuard Disk Encryption feature Single Sign On, the Mac OS X setting "Automatic login" must not be set to "Off".
Setting it to Off stops the Single Sign On process at the Mac OS X logon, and Mac OS X waits for user interaction. Clicking one of the displayed user names makes the system continue with the logon process; it is irrelevant which user name you click. The Single Sign On then continues and the user who was logged on at POA is logged on to Mac OS X. sgadmin --enable-sso sets Automatic login to a correct value (not Off), but you must not set it back to Off later while the product is installed or Sophos SafeGuard Disk Encryption Single Sign On is enabled. To disable Single Sign On correctly, sgadmin --disable-sso needs to be called. This changes the setting of Automatic login back to Off and deactivates Single Sign On.
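An added example (not Sophos code) that checks the two loginwindow settings Single Sign On depends on, as described above, so that a 10.7 Mac is not left in the state where a failed Single Sign On locks everyone out. It is meant to be run after sgadmin --enable-sso and again whenever a Mac is re-imaged. Assumptions not taken from these notes: the settings are stored in /Library/Preferences/com.apple.loginwindow as autoLoginUser (Automatic login; absent when Off) and SHOWFULLNAME (1 for Name and password, 0 or absent for List of users). The function names are introduced here.

```sh
#!/bin/sh
# Added example, not Sophos code: verify the Mac OS X loginwindow settings
# required for SafeGuard Single Sign On.
# Assumptions (not from the release notes): Automatic login is the
# "autoLoginUser" key and "Display login window as" is the "SHOWFULLNAME"
# key (1 = Name and password) in /Library/Preferences/com.apple.loginwindow.

PLIST=/Library/Preferences/com.apple.loginwindow

# read_setting KEY -> prints the value, or nothing if the key is not set
read_setting() {
    defaults read "$PLIST" "$1" 2>/dev/null || true
}

# sso_prereq_check AUTOLOGINUSER SHOWFULLNAME OSVERSION
# Prints one line per problem and returns 1 if any; returns 0 when SSO can work.
sso_prereq_check() {
    auto="$1"; showfull="$2"; osver="$3"; rc=0
    if [ -z "$auto" ]; then
        echo "Automatic login is Off: Single Sign On will stop at the Mac OS X login window"
        rc=1
    fi
    case "$osver" in
        10.7|10.7.*)
            # Only 10.7 is affected: a failed SSO with "Name and password" makes
            # the Mac unusable (KB 116756), so insist on "List of users" there.
            if [ "$showfull" = "1" ]; then
                echo "Display login window as is Name and password on Mac OS X $osver: set it to List of users"
                rc=1
            fi ;;
    esac
    return $rc
}

main() {
    sso_prereq_check "$(read_setting autoLoginUser)" "$(read_setting SHOWFULLNAME)" \
        "$(sw_vers -productVersion)" && echo "Single Sign On prerequisites met"
}

# Run automatically only on a Mac (sw_vers is not present elsewhere)
if command -v sw_vers >/dev/null 2>&1; then main; fi
```

On releases before 10.7 the script only insists on Automatic login, matching the text above; it does not change any setting itself, because Automatic login is managed by sgadmin --enable-sso and --disable-sso and must not be toggled behind the product's back.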
Keyboard: The keyboard translation code only deals with normal keys and keys with a Shift modifier. Non-numeric keypad keys cannot be guaranteed to give the same character sequence when the keyboard is changed from one layout to another, so only use "0-9" from that block. This is because EFI only returns a US ANSI character equivalent and no modifier keys. During translation, the normal keyboard key takes precedence over the numeric keypad key. This affects the non-numeric keys on the numeric keypad, that is, the '=', '/', '*', '-' and '+' keys. These keys may translate into different characters depending on the keyboard layout. For example, on a German keyboard the numeric keypad '*' key will translate into the keyboard '(' character (EFI reports keypad '*' as the US key Shift+8, and that key is '(' on a German layout). The code has been developed and tested with the following keyboards: US, French, German. There is no guarantee that other keyboards work. For POA passwords this means: do not type them with the non-numeric keypad keys, or a password entered on one layout may not be accepted on another.
Partitioning: After Sophos SafeGuard Disk Encryption for Mac has been installed it is not possible to change the partitioning layout, nor is it supported. You must not change anything with "gpt" or "diskutil".
Important: If someone repartitions the machine you will not be able to use it, and you will need to completely re-install this machine in order to use it again.
Formatting: Formatting of encrypted partitions is not supported. If you want to remove all data, we recommend that you delete the files or decrypt the partition, format it and encrypt it again.
Note: Only HFS+ and HFS+ (Journaled) are supported. The hard drive must be GPT-partitioned.
Target Disk Mode: The usage of Target Disk Mode is not supported, if both the local machine and the target disk are encrypted.
Plaintext partitions on a target disk can only be accessed in Target Disk Mode from a local machine, if this local machine does not have Sophos SafeGuard Disk Encryption for Mac installed.
If the local machine has Sophos SafeGuard Disk Encryption for Mac installed, then the machine in Target Disk mode must not have Sophos SafeGuard Disk Encryption for Mac installed.
diskutil from a system started via network boot: Do not use diskutil from a system started via network boot while local partitions are encrypted. In this case diskutil does not recognize the encrypted partitions and wants to initialize them. Doing so results in data loss.
Erasing partitions: Erasing a partition while an initial encryption or a final decryption operation is performed is not supported. Also, erasing encrypted partitions is not supported. Partitions have to be decrypted first and can then be encrypted again.
Unmounted partitions and encryption/decryption: Starting initial encryption or final decryption for partitions that are not mounted is not supported. Unmounting a partition while it is encrypting or decrypting is also not supported. Doing so may result in data loss.
OS upgrades (for example from 10.6 to 10.7) are not supported with the product installed: It is necessary to decrypt the partitions of your Mac first and then to uninstall Sophos SafeGuard Disk Encryption for Mac. Afterwards, you can upgrade the operating system, install the Sophos SafeGuard Disk Encryption for Mac version released for 10.7 and encrypt the partitions again.
Deep Sleep: When Sophos SafeGuard Disk Encryption for Mac is installed, the hibernation feature ("Deep Sleep") is not supported and is disabled. Some applications do not auto-save their data when sleep mode is activated. If sleep mode is used for an extended period while the Mac is not connected to power and such an application is open with unsaved data, that data might be lost.
Bad sectors: We recommend not installing the product if there are bad sectors on your hard disk. Initial encryption does not stop when bad sectors are encountered, but a log entry is created in the kernel log, so check the kernel log after initial encryption has completed.
Initial encryption/final decryption on data partitions: Before you begin to encrypt a data partition, ensure that all files on this partition are closed. Likewise, make sure that all files on a data partition to be decrypted stay closed while decryption is performed.
Firmware update: It is possible to update the firmware of a Mac while Sophos SafeGuard Disk Encryption for Mac is installed. However, some things need to be kept in mind. Check Sophos knowledgebase article #111941 for details.
Mac OS X Safe Boot usage: When booting into Safe Boot / Safe Mode it is not possible to use sgadmin or the SafeGuard menu. This is because Mac OS X does not load 3rd-party launch agents/daemons (sgd) in Safe Boot / Safe Mode.