How to deploy SafeGuard Enterprise Disk Encryption or File Encryption for Mac with minimal user input

  • Article ID: 120507
  • Rating:
  • 2 customers rated this article 2.0 out of 6
  • Updated: 08 Jun 2015

This article describes how to minimize user input when implementing SafeGuard Disk Encryption for Mac or SafeGuard File Encryption for Mac.

Applies to the following Sophos product(s) and version(s)
Sophos SafeGuard File Encryption for Mac 6.10
Sophos SafeGuard Disk Encryption for Mac 7.0
Sophos SafeGuard Disk Encryption for Mac 6.10
SafeGuard File Encryption 7.0

Operating systems
Mac OS X 10.8.x, Mac OS X 10.9.x, Mac OS X 10.10.x

Implementation of Disk Encryption and File Encryption for Mac

You can automate some implementation tasks by using the steps and script examples given here. These steps will allow you to install and initially configure a SafeGuard Disk Encryption for Mac and / or SafeGuard File Encryption for Mac client.

In this example we use a SafeGuard Enterprise Server with an SMB network share on which everyone has read permissions. This example shows the format of the UNC path:

Windows UNC path: "\\SGNSRV1\Install"
Mac Network path: "smb://SGNSRV1/Install"

On this share you should store the following files:

  • The public part of the SSL certificate (*.cer) used by the SafeGuard Enterprise Server IIS service.
  • All required Mac installer files (to get the files, mount the *.dmg files and copy the *.pkg files to the share above).
  • The SafeGuard Enterprise client config zip file.

Once you have prepared this share, carry out these steps:

  1. Install the required component:
    The following script will install SafeGuard Disk Encryption for Mac:

    sudo installer -package "smb://SGNSRV1/Install/Sophos SafeGuard DE.pkg" -target /

  2. Import the required IIS Server SSL certificate into the "System" section of the Mac keychain tool:

    sudo security add-trusted-cert -d -r trustAsRoot -p ssl -k “/Library/Keychains/System.keychain” "smb://SGNSRV1/Install/"

  3. Import the SafeGuard Enterprise client config zip file:

    Note: It is only necessary to import the SafeGuard Enterprise client config once. Even if you want to use both Mac products, you do not have to import it twice.

    sudo sgdeadmin --import-config „smb://SGNSRV1/Install/" - example for using Disk Encryption

    sudo sgfsadmin --import-config „smb://SGNSRV1/Install/" - example for using File Encryption

When you have completed the above steps, the installation of the Mac client is finished and the client should be able to synchronize with the SafeGuard Enterprise backend.

You can now assign policies to this client via the SafeGuard Enterprise Management Center, to protect the client.


You can send the FileVault2 recovery key of your Mac client to the SafeGuard Enterprise database. If you want to make use of SafeGuard's recovery mechanism, then this is mandatory for clients which were encrypted with FileVault2 prior to the implementation of SafeGuard.

To use the command below a user must know the FileVault2 recovery key and execute it manually. This recovery key is only displayed once during the activation of FileVault2 and cannot be displayed afterwards.

    sudo sgdeadmin --import-recoverykey --force xxxx-xxxx-xxxx-xxxx-xxxx-xxxx

    Please replace xxxx-xxxx-xxxx-xxxx-xxxx-xxxx with the actual recovery key.

    If you use the force option you will overwrite the existing recovery key of this computer in the SafeGuard database. Therefore, you should make sure the recovery key is valid when executing the command. If an incorrect recovery key is sent to the database and you want to use it for recovery, you won't be able to get access to the files. With Mac OS X 10.9.x and Mac OS X 10.10.x there is an additional check if the key is valid. However this option does not exists for Mac OS X 10.8.x.

    If you need more information or guidance, then please contact technical support.

    Rate this article

    Very poor Excellent