This article answers the frequently asked questions on Sophos Central Device Encryption.
The following questions are answered:
Applies to the following Sophos products and versions: Sophos Central Device Encryption
OS X 10.10 Yosemite, OS X 10.11 El Capitan, macOS 10.12 Sierra and macOS 10.13 High Sierra
Before users can start:
When an encryption policy is active for the logged-in user and FileVault 2 is turned off, the user is asked to enter their password to enable FileVault 2 and encrypt the disk. Only the currently logged-in user is enabled in FileVault 2 at this point; other users can be enabled after FileVault 2 has been activated.
Changed disk encryption policies are fetched by clients automatically and enforced immediately. If there is no policy change, the current policy is enforced each time a user logs in.
Depending on the policy content and the current FileVault 2 status, the following actions are performed:
Sophos SafeGuard Device Encryption needs to be uninstalled before Central Device Encryption is installed.
After users enter their login password and choose Encrypt, the recovery key is stored both locally in the keychain and in Sophos Central.
If the recovery key cannot be stored in the keychain, the additional information cannot be stored in local storage, or the recovery key cannot be sent to the backend, the recovery key is displayed to the user, who is asked to save it. In addition, the recovery key is written to the folder Library/Application support/Sophos Encryption/.RecoverykeyEmergencybackup, whose contents can only be read by the root user.
Yes, you only need to apply a Device Encryption policy to these endpoints.
No, the user will still be a FileVault 2 enabled user. This can be verified by running the following command in Terminal:
sudo fdessetup list
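The following shell script is an added example and is not part of the Sophos article or the Sophos product; it shows how to check the FileVault 2 state that the policy enforcement above depends on, and how to confirm from the output of sudo fdesetup list that a given account is still an enabled FileVault 2 user. The sample outputs embedded in the script are constructed to match the formats fdesetup prints ("FileVault is On."/"FileVault is Off." and one "username,UUID" line per enabled user); they were not captured from a real Mac. The helper names are the author's own.

```shell
#!/bin/sh
# Added example (not from the Sophos article): check FileVault 2 state and
# per-user enablement by parsing `fdesetup status` and `sudo fdesetup list`.
# The sample outputs below are constructed to match the documented formats;
# they are not captured from a real Mac.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
SAMPLE_STATUS_ON='FileVault is On.'
SAMPLE_STATUS_OFF='FileVault is Off.'

# `sudo fdesetup list` prints one "username,UUID" line per enabled user.
SAMPLE_LIST='alice,12345678-AAAA-BBBB-CCCC-1234567890AB
bob,87654321-DDDD-EEEE-FFFF-0987654321BA'

# fv_is_on STATUS_OUTPUT: exit 0 if FileVault is on, 1 otherwise.
fv_is_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# fv_user_enabled USER LIST_OUTPUT: exit 0 if USER appears as an enabled
# FileVault 2 user, 1 otherwise. The whole first field is compared, so
# "al" does not match "alice".
fv_user_enabled() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# fv_enabled_users LIST_OUTPUT: print the enabled usernames, one per line.
fv_enabled_users() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# fv_enabled_count LIST_OUTPUT: print the number of enabled users.
fv_enabled_count() {
    fv_enabled_users "$1" | wc -l | tr -d ' '
}

# Live run on a Mac only. `fdesetup list` needs root, so run with sudo;
# SUDO_USER is then the account that actually logged in.
if command -v fdesetup >/dev/null 2>&1; then
    status=$(fdesetup status)
    if fv_is_on "$status"; then
        list=$(fdesetup list)
        echo "FileVault is on; $(fv_enabled_count "$list") enabled user(s):"
        fv_enabled_users "$list"
        if fv_user_enabled "${SUDO_USER:-$(id -un)}" "$list"; then
            echo "Current user is enabled for FileVault 2."
        else
            echo "Current user is NOT enabled for FileVault 2."
        fi
    else
        echo "FileVault is off; an active Device Encryption policy will prompt the user to enable it at login."
    fi
fi
```

Run it as sudo sh check_fv.sh on the Mac; on any other system the live section is skipped and only the parsing functions are defined, which is what makes the script safe to test offline.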
Encryption status can be viewed either in the Sophos Device Encryption application in the Applications folder, which can be launched from Finder, Launchpad or Spotlight, or with the command-line tool seadmin, which is installed in /usr/local/bin.