Safeguard Application Encryption with Win 10 Golden Image VDI

Which client and which version are you using please Ryan?

I use and have used a Sophos SafeGuard client on a lot of my dev and testing and found it seems to work fine within VM's. I generally used VirtualBox and HyperV. 

Sophos official line is/was - it can work on VM's and I'm sure a VDI too - community.sophos.com/.../10813 https://community.sophos.com/kb/en-us/108133 

Sysprep pulls out all the identifying and specified hardware so that's there's no conflicts for a differing hardware set. It's no surprise to me that this would affect SafeGuard - it's fairly intergrated into the OS with specific drivers and filters. No doubt sysprep is removing some/all of this.

Would a RDP session be an alternative? Install the SafeGuard client on supported OS (I'd use Win10 1803 as a good stable supported base) and have your clients/users connect to that?

Yeah it 100% works with VM's and VDI the problem is the sysprep, I need a way around that. 

We run Hyper V 2016 host with a 2016 RDP server. Our golden image is a Windows 10 1809 LSTB version. If you're not familiar with LSTB its simply a stripped down version of windows without features like the store or cortana designed for golden images. 

I can get the Golden image to work just fine with safeguard.  I can get it to register, assign a license, receive policies, etc. Sysprep runs fine and the RDP will rebuild the current VM's with the new golden image without issue.  However, once the newly created VM's boot up the user cannot login as the machine just boot loops.

At the end of the day all I need is the ability to have a user sitting on a thin client, using an RDP session within our VDI environment to be able to access the encrypted files that are on the network.  There will be areas where files are not encrypted, actually 90% of the areas will be this way.  Only our outside sales force area will be encrypted and their admins and assistants needs access to these files in order to help them while they are in the field.  

We were under the impression from our 45 day proof of concept testing that we could assign licensing to a users or white-list our domain so that users within our domain could access them but after we purchased the product we found out that it is only machine based.

Hi Ryan Overby 

Safeguard in the VDI environment is not supported yet but file encryption may work in a virtual environment. You can refer to this document.

As you are using application-based file encryption, it may work in your environment but officially safeguard is not supported in the VDI environment. The problem which you have described above seems to be problem of local cache corruption of the safeguard when you are deploying the VDI machine through the golden template.

Local cache of the golden template machine is the information which has a list of certificates, keys, policy for that particular machine and also information of the user related to that particular machine and as you are deploying that to a different machine, the local cache may get corrupted while installation.

Could you please suggest which Safeguard enterprise and client version you are using in your environment?

So we have not found any way around the sysprep and have decided that since all we need is a way for our users in house to access some of the files we will have a folder that is a no-encrypted space for our outside sales staff to store documents that are shared with the home office.  We have turned off "Enable Persistent Encryption" which should decrypt any file that goes into a folder that does not have a policy applied to it.  We created a folder in the One Drive Cloud and told Application encryption to Exclude this location from encryption of any file.  No file that gets created there gets encrypted however, any file that was previously encrypted that is dropped in there stays encrypted which isn't supposed to happen based on the description of how persistent encryption is designed to work.   

My question now is that will Persistent Encryption work with Application Encryption or does it have to be File based Encryption?

Version we are running is 8.20.0.83

Again the goal here isn't to allow our VDI environment to have access to the encrypted files just to have some users have access to the files.  We would have liked to have moved all users to the encrypted format but Sophos is going to have to rewrite their program to be user based rather than machine based for that to happen.

Hi Ryan Overby 

Application-based Encryption, which is also known as Synchronized encryption, which is a type of File Encryption. Location-based and Application-based encryptions are two types of file-based encryption.

I understand your scenario and it should work as per your expectation but I'd request you to refer to this article which is for the persistent encryption and how it works when we have excluded any path.

We found out through tough trial and error that persistent encryption will not work with Application based Encryption.  It will work only with File based or Location-based encryption.  Once we made the switch then we were able to get the files to operate the way we needed them too.  File based requires more setup work but it does allow us to get around the fact that some of our users will not have safeguard so there are areas where files can be secure and where they are not.  With the 3rd party sync tool we have we can sync everything from the tablets back to our local shares, this allows our users in the field using tables to be encrypted while the users in the office can not be encrypted and access the same files.  So all is well in our world. 

Hi Ryan Overby 

I am glad to know that your purpose has been fulfilled and you were able to overcome the situation.