MacBook deploy of Sophos Safeguard Device Encryption - Can they then reinstall on their own?

Question

Hello, and sorry for the lower level question. 
 We are thinking of deploying the Sophos Safeguard Device Encryption for some users running MacBooks in our company. I know this encrypts the drive, but would they still then be able to Command+R at boot and freshly reinstall the Macbook as new or are there safeguards to prevent this? On some of our Windows device, SafeGuard Logon looks to prompt for password prior to windows boot and did not know if it was similar for MacOS. In one that I saw, it did not seem to prompt for any password prior to booting into OSX. 
 Thank You!

Haridoss Sreenivasan · Answer

Hi Michael, 
 Yes, It is possible to access the recovery window and freshly install the MacBook as new as Safeguard doesn't change the UEFI settings and it doesn't modify the disk layout by adding or deleting partitions. All we do is manage the FileVault 2 encryption. 
 When you use Command-R to boot into the partition you will see the boot partition but encrypted. If you want to set up a new Mac, you just need to wipe the existing one. If you want to maintain it, copy some data off (you need to know the password for it)