This article answers the frequently asked questions on Sophos Central Device Encryption.
The following questions are answered:
Applies to the following Sophos products and versions:
Sophos Central Device Encryption
macOS 10.13 High Sierra, macOS 10.14 Mojave, macOS 10.15 Catalina
Sophos Central Device Encryption does not support managing / encrypting Windows or Linux installations on Boot Camp.
Before users can start:
When an encryption policy is active for the logged-in user and FileVault 2 is turned off, the user is asked to enter their password to enable FileVault 2 and encrypt the disk. Only the currently logged-in user is enabled in FileVault 2 at this point; other users can be enabled after FileVault 2 has been activated.
Changed disk encryption policies are fetched by clients automatically and enforced immediately. If there is no policy change, the policy is enforced each time a user logs in.
According to the policy content and the current FileVault2 status, the following actions are performed:
Sophos recommends uninstalling SafeGuard Device Encryption before Central Device Encryption is installed. There is no need to decrypt and re-encrypt the local drives. Sophos Central Device Encryption can work together with all Sophos SafeGuard File Encryption modules.
After users enter their login password and choose encrypt, the recovery key is stored both locally in the keychain and in Sophos Central.
Sophos recommends not using iCloud Keychain backup to store the FileVault 2 recovery key in parallel.
If the recovery key cannot be stored in the keychain, the additional information cannot be stored in local storage, or the recovery key cannot be sent to the backend, the recovery key is displayed to the user, who is asked to save it. In addition, the recovery key is stored in the folder Library/Application support/Sophos Encryption/.RecoverykeyEmergencybackup, whose contents can only be read by the root user.
Yes, you only need to apply a Device Encryption policy with encryption enabled to these endpoints.
No, the user will still be a member of the FileVault 2 users. This can be verified by running "sudo fdesetup list" in Terminal.
Information about the encryption status can be accessed via the "Sophos Device Encryption" application in the Applications folder, which can be launched from Finder, Launchpad or Spotlight. Alternatively, you can use the installed terminal tool "seadmin" in the /usr/local/bin folder.
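The two checks described above, which FileVault 2 users are enabled (via fdesetup list) and whether the emergency recovery-key backup folder is readable by root only, can be scripted by an administrator. The following is an added example, not code from the Sophos article or from the seadmin tool. It assumes the standard Apple fdesetup command and the backup path as printed in the article (taken here relative to /); the parsing functions run on constructed sample output when fdesetup is not present, so the helper can be exercised off a Mac.

```shell
#!/bin/sh
# Added example (not from the Sophos article): audit helper for a Mac managed by
# Central Device Encryption. It reports the FileVault 2 state, the enabled users,
# and whether the emergency recovery-key backup (if present) is root-only.

# Map the first line of `fdesetup status` output to "on", "off" or "unknown".
fv_state() {
  case "$1" in
    "FileVault is On."*)  echo on ;;
    "FileVault is Off."*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Extract user names from `fdesetup list` output (one "user,UUID" per line),
# returned as a single space-separated string.
fv_users() {
  printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }' \
    | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if the path exists, is owned by root and has no read bit for
# group or other (the property the article states for the backup folder).
backup_is_root_only() {
  path="$1"
  [ -e "$path" ] || return 1
  line=$(ls -ld "$path") || return 1
  mode=$(printf '%s' "$line" | awk '{ print $1 }')
  owner=$(printf '%s' "$line" | awk '{ print $3 }')
  [ "$owner" = "root" ] || return 1
  # mode string: type, user rwx, group rwx, other rwx (ls may append @ or +)
  case "$mode" in
    ????-??-??*) return 0 ;;
    *)           return 1 ;;
  esac
}

run_audit() {
  if command -v fdesetup >/dev/null 2>&1; then
    status_out=$(fdesetup status 2>/dev/null)
    list_out=$(sudo fdesetup list 2>/dev/null)
  else
    # Constructed sample output, used when not running on a Mac.
    status_out="FileVault is On."
    list_out="admin,11111111-2222-3333-4444-555555555555
alice,66666666-7777-8888-9999-000000000000"
  fi
  printf 'FileVault 2: %s\n' "$(fv_state "$status_out")"
  printf 'Enabled users: %s\n' "$(fv_users "$list_out")"

  # Path as printed in the article; assumed to be relative to the root volume.
  backup="/Library/Application support/Sophos Encryption/.RecoverykeyEmergencybackup"
  if [ -e "$backup" ]; then
    if backup_is_root_only "$backup"; then
      echo "Emergency backup: present, readable by root only"
    else
      echo "Emergency backup: present but NOT restricted to root, investigate"
    fi
  else
    echo "Emergency backup: not present (expected when the key reached keychain and Central)"
  fi
}

run_audit
```

On a managed Mac, run the script with sudo so that fdesetup list and the permission check on the hidden backup folder succeed; a backup folder that exists at all means one of the key-storage paths failed at enrolment time and the user was shown the key, which is worth following up in Sophos Central.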