Sophos SafeGuard File Encryption for Mac 6.10: Release Notes
Applies to the following Sophos product(s) and version(s)
Sophos SafeGuard File Encryption for Mac 6.10
OS X 10.7, 10.8, 10.9, 10.10*
* Installations on OS X 10.10 require an updated installation package (version 188.8.131.524), which is available in the download area of Sophos.com as of 24th of October 2014.
About SafeGuard File Encryption for Mac
Sophos SafeGuard File Encryption for Mac offers transparent file-based encryption on local drives, network shares, removable drives and in the cloud via certain cloud storage providers.
With SafeGuard File Encryption for Mac you can safely encrypt and decrypt files and exchange these files with others.
- New files in the relevant locations are encrypted automatically.
- Old files in the relevant locations can be encrypted initially.
- If you have the key for an encrypted file, you can read and modify the content.
- If you do not have the key for an encrypted file, you can only see the encrypted (not readable) content. Note that if you access an encrypted file from another computer on which SafeGuard File Encryption for Mac is not installed, you also see only the encrypted file content.
- Mac OS X versions: SafeGuard File Encryption for Mac supports Mac OS X 10.7, 10.8 and 10.9.
- OSXFUSE: SafeGuard File Encryption for Mac is based on OSXFUSE version 2.61 or newer. The installer checks whether OSXFUSE version 2.61 or higher is installed. If it is not found, the installation terminates and prompts the user to install OSXFUSE first. To obtain OSXFUSE, please go to http://osxfuse.github.io/
- Sophos SafeGuard Enterprise: SafeGuard File Encryption for Mac needs a SafeGuard Enterprise backend, from which it obtains its encryption policies and the encryption keys.
Please install the Sophos SafeGuard Enterprise backend version 6.10 or higher prior to installing SafeGuard File Encryption for Mac.
During the installation process of the Mac client you will be required to provide and import a SafeGuard Enterprise Client Configuration ZIP file, in order to bind the Mac to its SafeGuard backend.
- SSL trust to the SafeGuard backend server must be configured on the client.
Please make certain that the correct SSL certificates of the SGN server(s) are imported into the Mac’s System keychain only, and not in the user’s Login keychain.
- Supported client languages: The supported client languages are English, German, and French.
Compatibility and upgrades
The compatibility of this release of SafeGuard File Encryption for Mac with previous releases and modules of Sophos is as follows:
SafeGuard File Encryption for Mac and SafeGuard Disk Encryption for Mac
Both products share the modules that connect the SafeGuard for Mac client to the SafeGuard Enterprise 6.10 backend.
Note that SafeGuard File Encryption for Mac adds two new features to the server connection:
- The SafeGuard for Mac client supports two SGN servers – just as the SafeGuard for Windows clients do.
- During the setup of the SSL-connection between SafeGuard for Mac client and its server(s), the authenticity of the SSL certificates of the SGN servers is verified.
As both products share common modules, they need to be installed and uninstalled in a certain order.
These are the supported installation sequences:
Only SafeGuard File Encryption for Mac is used:
- Install SafeGuard File Encryption for Mac and import the SafeGuard Enterprise Client Configuration ZIP file.
SafeGuard File Encryption for Mac and SafeGuard Disk Encryption for Mac version 6.01 and older are used together on the same Mac:
- Install SafeGuard Disk Encryption for Mac version 6.01 first or upgrade to it from an older version (versions 5.55 or 6.0).
- Import the SafeGuard Enterprise Client Configuration ZIP file.
- Then install SafeGuard File Encryption for Mac version 6.10.
Note: SafeGuard File Encryption for Mac 6.10 is compatible with SafeGuard Disk Encryption for Mac version 6.01 only.
If you have an older version of SafeGuard Disk Encryption for Mac installed (for example SafeGuard Disk Encryption for Mac version 5.55 on Mac OS X 10.7), then you need to upgrade SafeGuard Disk Encryption for Mac to version 6.01 first before you install SafeGuard File Encryption for Mac.
Note that it is highly recommended to always have the latest versions of Sophos applications installed.
SafeGuard Disk Encryption for Mac 6.01 or older gets updated or uninstalled, while SafeGuard File Encryption for Mac is installed:
These situations need attention, because updating or uninstalling SafeGuard Disk Encryption for Mac overwrites shared modules with older versions or might even remove modules, so that SafeGuard File Encryption for Mac no longer works correctly.
- After having removed or upgraded SafeGuard Disk Encryption for Mac 6.01 or older, you need to reinstall SafeGuard File Encryption for Mac and re-import the SafeGuard Enterprise Client Configuration ZIP file.
SafeGuard File Encryption for Mac and SafeGuard Disk Encryption for Mac version 6.10 are used together on the same Mac:
- Both products take care of each other and can be installed and uninstalled in any order.
Usually anti-virus software works in two modes:
- Manual or scheduled mode or
- Real time scanning or On-access scan mode
The following applies to both modes:
- Whichever scanning mode you are using, we do not recommend you scan the encrypted files in their original location. This is because you cannot find a virus within an encrypted file.
- Instead, it is strictly recommended to scan all files in the corresponding SafeGuard Secured volumes.
This returns the unencrypted file content and therefore viruses can be detected.
- Please test whether the on-access scanner of the installed anti-virus product finds a virus in files on SafeGuard Secured volumes. Please see instructions about the EICAR test file below.
Sophos Anti-Virus for Mac versions 8 and 9 have been tested with SafeGuard File Encryption for Mac and detect viruses on SafeGuard Secured volumes in both modes under the following circumstances:
- “Scan now” or “Scan local drives”:
Make sure you always scan the SafeGuard Secured volumes or you risk missed detection.
Scanning through the original path does no harm, but it will not find any virus, because the file content you scan is encrypted.
If you have installed SafeGuard File Encryption for Mac, please make sure that
- the on-access scanner of Sophos Anti-Virus for Mac is turned on and
- its feature “Scan Files on network volumes” is switched on as well.
This will allow the file content on a SafeGuard Secured volume to be scanned on-access.
If you are using other anti-virus software, make sure that your product is able to detect viruses on SafeGuard Secured volumes, too. You can use the EICAR Anti-Malware test file (http://www.eicar.org/86-0-Intended-use.html) for testing purposes.
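One way to run the on-access test described above, as an added example that is not part of the Sophos release notes. The function names, the probe file name and the wait time are assumptions; pass the mount point of your own SafeGuard Secured volume as the directory.

```shell
#!/bin/sh
# Added example (not Sophos code): check whether an on-access scanner reacts
# to the EICAR test file in a directory chosen by the caller, for instance
# the mount point of a SafeGuard Secured volume.

# The 68-byte EICAR test string, assembled from two halves so that this
# script file itself does not match the scanner's signature.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' \
                  'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# check_file FILE: "readable" if FILE still holds the intact test string,
# "blocked" if it is missing, unreadable or altered.
check_file() {
    if [ -r "$1" ] && [ "$(cat "$1" 2>/dev/null)" = "$(eicar_string)" ]; then
        echo readable
    else
        echo blocked
    fi
}

# probe_dir DIR [WAIT_SECONDS]: drop the test file into DIR, give the
# scanner time to react, then report what is left of it.
probe_dir() {
    dir=$1
    wait_s=${2:-5}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    probe="$dir/eicar-probe-$$.com"
    if ! eicar_string > "$probe" 2>/dev/null; then
        echo blocked          # the write was refused (scanner or permissions)
        return 0
    fi
    sleep "$wait_s"
    check_file "$probe"
    rm -f "$probe" 2>/dev/null
    return 0
}

# Usage: sh eicar-probe.sh /path/to/secured-volume [wait-seconds]
if [ "$#" -gt 0 ]; then
    probe_dir "$@"
fi
```

A result of `blocked` on the Secured volume means the on-access scanner acted on the decrypted content; `readable` means it did not intervene within the wait time, so check the scanner's network-volume setting.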
Particularities and limitations
- Files can be accessed via two different paths: the original path and the SafeGuard File Encryption Secured Volume (mount point). Transparent encryption works only on the SafeGuard Secured Volumes.
- Blacklisted folders: SafeGuard File Encryption for Mac OS X makes certain that folders that are important for OS X to function properly are not and cannot be encrypted by a SafeGuard administrator.
Even if a SafeGuard Security Officer specifies an encryption policy for a folder on the blacklist, the client software of SafeGuard File Encryption for Mac OS X will not encrypt files in this folder.
This is the list of folders on the blacklist:
Folders without subfolders
Folders including their subfolders:
- <Removables>/System Volume Information/
- It is not possible to modify sharing & permissions via Finder for a SafeGuard File Encryption mount point. This is because the SafeGuard File Encryption mount point is not the original path, but only a “shadow”.
To modify it for a certain folder, please do this via the original path.
- Read-only folders (such as disk images or NTFS formatted devices) will not be mounted as Secured Volume by SafeGuard File Encryption for Mac.
- OSXFUSE provides its Secured Volumes as network volumes.
This has several consequences:
- Volumes will be shown on your OS X Desktop, if configured in the Finder Preferences.
Or you can find them using the Finder option “Go > Computer”
- The Spotlight service has no access to the SafeGuard Secured mount points. A search will find a file in the original path, but not in the SafeGuard Secured Volume.
- Deletion of files cannot be undone in Secured Volumes. These volumes don’t have a trash.
- The OS X feature “Browse All Versions” is not supported in Secured Volumes.
- Some anti-virus scanners (for example Sophos Anti-Virus) do not scan files on network volumes via their built-in on-access scanners unless they are explicitly told to do so.
Please turn on such a feature.
- It is not guaranteed that policies for SafeGuard File Encryption for Mac take effect immediately (for example, a mounted Secured Folder cannot be unmounted because files in it are open).
To be on the safe side, please log out and log in again.
Check the known issues for this SafeGuard Enterprise release, since improper configuration of certain options may cause unexpected behaviour.
Note the following additional known issues:
- OSXFUSE supports a maximum of 24 mounts per Mac.
- The installation, upgrade and uninstallation of SafeGuard File Encryption for Mac can take longer (up to 5 – 20 minutes) if your Mac is located behind a firewall that prevents direct access to the Internet.
In order to speed up the installation in such a case, either disconnect the Mac from any network or allow direct Internet access.
Please note that this is a general issue with OS X Gatekeeper, caused by the verification, via Apple servers, of the digital signature with which SafeGuard’s files are signed.
- Circular copy of a file and user decides to “Replace” the file:
If you copy a file from a SafeGuard Secured Volume to its original volume or vice versa, always select the option “Keep both” or “Stop”!
If you accidentally select the option “Replace”, both files will be deleted.
- Creation of mobile user accounts at OS X login with confirmation by user:
Do not require confirmation of the OS X user before creating a mobile account, as the user can select “Don’t Create”. Selecting this option will create an incomplete OS X user, for example a user that does not have a local home directory.
- Labelled files:
If you open a labelled file via a Smart Folder, OS X does not open the file in the SafeGuard Secured Folder, but opens the file in its original location.
If the file is encrypted, you will only see its encrypted content.
- Displaying the encryption status of a file via colour-coding in the inner circle of the SafeGuard system menu icon:
To display the encryption status reliably, please mark the file, click on the desktop and then in the Finder window again. This will display the status colour in the inner circle of the SafeGuard system menu icon correctly.
- Show icon preview
For performance reasons it is recommended to turn off the Finder option “show icon preview”.
This applies particularly to slow devices or network shares on which a large number of encrypted files are located.
Note that application-specific icons (for example Microsoft Office for Mac) are also influenced by the Finder option “show icon preview”.
- Keys sporadically and wrongly shown in orange in SafeGuard Preference Pane on Mac OS X 10.8.
The availability of the SafeGuard keys is shown correctly via sgfsadmin --list-keys though. The keys can be used and files can be encrypted and decrypted.
- For performance reasons and Finder stability it is not recommended to run multiple parallel Finder copy operations into the same SafeGuard Secured folder.