This article answers the frequently asked questions on Sophos Central Device Encryption (CDE).
The following questions are answered:
Applies to the following Sophos products and versions: Central Windows Device Encryption 1.4, Central Windows Device Encryption 2.0.
The supported Windows versions are listed in KBA 113278. Supported OS X/macOS versions (FileVault 2 management) are: macOS Sierra (10.12), macOS High Sierra (10.13) and macOS Mojave (10.14).
FAQ about Sophos Central Device Encryption for OS X
Sophos Central Device Encryption does not support managing Windows installations on Boot Camp.
You can apply Device Encryption to system volumes and fixed data volumes, but not to devices that Windows treats as removable media. BitLocker To Go can be used to encrypt such devices, but their recovery keys will not be managed by CDE, and such volumes will not be listed in the Central console. As of CDE version 1.4 it is possible to encrypt only the system volume and leave data volumes unencrypted.
This feature consists of two components:
Both methods create a password-protected HTML file containing the encrypted files (encrypted with AES-256), which can be shared with internal or external colleagues. The recipient only needs a web browser and the password to open the files.
The ‘Require new authentication password/PIN from users’ policy setting enables administrators to specify an interval to prompt users to change their BitLocker password or PIN. Intervals are in months. Additionally, the administrator can prompt for an immediate password change on an individual device by going to the device page and clicking the ‘Send reset authentication request’ within the Device Encryption section.
TPM + PIN, passphrase, TPM only, and USB startup key. See the Sophos Central Device Encryption Administrator Help for details on the protectors available on each OS.
Yes, you can. Toggle the "Require startup authentication" switch on in the policy at any time; it does not have to be set before the initial encryption.
Yes, clients that have the corresponding GPO setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" enabled, can be managed by Sophos Central Device Encryption.
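As an added example (not part of the original Sophos article), the following PowerShell audits what the two preceding answers talk about on a single client: which BitLocker key protectors each volume carries (TPM, TPM + PIN, passphrase, startup key, recovery password) and whether the FIPS algorithm policy is enabled. It assumes an elevated PowerShell session on a Windows client with the built-in BitLocker module; the registry path for the FIPS policy is the one the GPO writes to. The warning thresholds (no recovery password protector, TPM-only system volume) are the author's choice of what a CDE administrator would want flagged, not something the article specifies.

```powershell
#Requires -RunAsAdministrator
# Added example, not Sophos code: inventory BitLocker protectors per volume and
# check the FIPS policy GPO. Run on the client in an elevated PowerShell.

# Protector types that count as "startup authentication" on a system volume.
$startupAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')

$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasStartupAuth = [bool]($types | Where-Object { $startupAuthTypes -contains $_ })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType        # OperatingSystem or Data
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus  # On / Off
        Protectors       = ($types -join ', ')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        StartupAuth      = $hasStartupAuth
        TpmOnly          = (($types -contains 'Tpm') -and -not $hasStartupAuth)
    }
}
$report | Format-Table -AutoSize

# Volumes worth a second look: encrypted but with no recovery password protector
# (nothing for Central to escrow), or a system volume relying on the TPM alone
# while the policy is meant to require startup authentication.
$report | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and -not $_.HasRecoveryPwd } |
    ForEach-Object { Write-Warning "$($_.MountPoint): no RecoveryPassword protector" }
$report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly } |
    ForEach-Object { Write-Warning "$($_.MountPoint): TPM-only protector, no PIN, passphrase or startup key" }

# The GPO "System cryptography: Use FIPS compliant algorithms for encryption,
# hashing, and signing" sets this registry value to 1 when enabled.
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                         -Name Enabled -ErrorAction SilentlyContinue
"FIPS algorithm policy enabled: $([bool]$fips.Enabled)"
```

The same protector list is available from an elevated command prompt with manage-bde -protectors -get C:; the PowerShell form is easier to run across a fleet and to compare against what the Central console shows for the device.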
Yes, in this case existing recovery protectors are replaced.
As of SafeGuard 8.0, you can uninstall the BitLocker module without decrypting the volumes first. You can then manage BitLocker using Sophos Central.
Yes, you can use both products in parallel.
Depending on the chosen policy type, first remove all users or computers from the policy, then turn encryption off on the client. You can do this in Windows Explorer:
NOTE: Only a Windows administrator can perform this operation.
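As an added example (not from the original article), the same operation done from an elevated PowerShell prompt instead of Windows Explorer. It assumes the device has already been removed from the Central Device Encryption policy, as the answer above requires; if it has not, the client will re-apply the policy and encrypt again. The 15-second polling interval and the data-volumes-first ordering are the author's choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not Sophos code: decrypt all fixed volumes on a client that has
# been removed from the CDE policy. Only a Windows administrator can run this.

function Wait-BitLockerDecryption {
    param([string]$MountPoint)
    # Poll until the volume reports FullyDecrypted; decryption runs in the background.
    do {
        Start-Sleep -Seconds 15
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} ({2}% encrypted)" -f $MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
    } while ($v.VolumeStatus -ne 'FullyDecrypted')
}

# Data volumes first, then the operating system volume: Windows will not decrypt
# the OS volume while it still holds auto-unlock keys for other volumes.
$volumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
    Sort-Object { if ($_.VolumeType -eq 'OperatingSystem') { 1 } else { 0 } }

foreach ($vol in $volumes) {
    Write-Host "Turning BitLocker off on $($vol.MountPoint) ..."
    Disable-BitLocker -MountPoint $vol.MountPoint -ErrorAction Stop | Out-Null
    Wait-BitLockerDecryption -MountPoint $vol.MountPoint
}

# Final state; every fixed volume should now be FullyDecrypted with protection Off.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus |
    Format-Table -AutoSize
```

Disable-BitLocker removes all key protectors from the volume, so the recovery password that Central had escrowed is no longer usable for it; keep that in mind if the device is later re-enrolled and re-encrypted, as a new recovery key will be generated and reported.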
No, you can only recover boot (system) volumes in the Self-Service Portal. NOTE: Only the last user who logged on to the client can recover its system volume using the Self-Service Portal.
Common reasons for BitLocker requesting a recovery key at startup are:
Other potential root causes are described in the following Microsoft TechNet article: BitLocker Tip of the Day.
Enable logging and tracing. The resulting files show status and error messages. See Sophos Central Device Encryption: Configuring log and trace files.
Volumes below 64 MB will be ignored. The client sends a corresponding report to the console once.
Accounts with the Helpdesk, Admin or Super Admin role have the required permission.