This knowledge base article describes how to minimize user input when implementing SafeGuard Disk Encryption for Mac or SafeGuard File Encryption for Mac.
Applies to the following Sophos product(s) and version(s): Sophos SafeGuard File Encryption for Mac, Sophos SafeGuard Disk Encryption for Mac
Operating systems: macOS
Some implementation tasks can be automated by using the steps and script examples given here. These steps will allow you to install and initially configure a SafeGuard Disk Encryption for Mac and/or SafeGuard File Encryption for Mac client.
In this example, a SafeGuard Enterprise Server with an SMB network share on which everyone has read permissions is used. This example shows the format of the UNC path:
Windows UNC path: \\SGNSRV1\Install
Mac network path: smb://SGNSRV1/Install
On this share, the following files are stored:
Once the share has been prepared, carry out these steps:
Install the required component: The following script will install SafeGuard Disk Encryption for Mac:
sudo installer -package "smb://SGNSRV1/Install/Sophos SafeGuard DE.pkg" -target /
Import the required IIS Server SSL certificate into the "System" section of the Mac keychain tool:
sudo security add-trusted-cert -d -r trustAsRoot -p ssl -k "/Library/Keychains/System.keychain" "smb://SGNSRV1/Install/SGNSRV1.Testdomain.com.cer"
Import the SafeGuard Enterprise client config zip file: Note: It is only necessary to import the SafeGuard Enterprise client config once. Even if you want to use both Mac products, you do not have to import it twice.
sudo sgdeadmin --import-config "smb://SGNSRV1/Install/SGN610Clientconfig.zip"
sudo sgfsadmin --import-config "smb://SGNSRV1/Install/SGN610Clientconfig.zip"
Once the above steps have been completed, the installation of the Mac client is finished and the client should be able to synchronize with the SafeGuard Enterprise backend.
Policies can now be assigned to the concerned client via the SafeGuard Enterprise Management Center.
You can send the FileVault2 recovery key of your Mac client to the SafeGuard Enterprise database. If you want to make use of SafeGuard's recovery mechanism, then this is mandatory for clients which were encrypted with FileVault2 prior to the implementation of SafeGuard.
To use the command below a user must know the FileVault2 recovery key and execute it manually. This recovery key is only displayed once during the activation of FileVault2 and cannot be displayed afterwards.
sudo sgdeadmin --import-recoverykey --force xxxx-xxxx-xxxx-xxxx-xxxx-xxxx
Replace xxxx-xxxx-xxxx-xxxx-xxxx-xxxx with the actual recovery key.
If you use the force option, you will overwrite the existing recovery key of this computer in the SafeGuard database. Therefore, make sure the recovery key is valid when executing the command. If an incorrect recovery key is sent to the database and you want to use it for recovery, you won't be able to get access to the files. With Mac OS X 10.9.x and Mac OS X 10.10.x there is an additional check if the key is valid. However, this option does not exist for Mac OS X 10.8.x.