
File encryption on Mac OS X, keys won't be synced

I try to be a good user and open a separate thread for every issue I run into. If this is not common here, let me know and I'll put it all in one.


I've created a file encryption policy to encrypt files that will be saved on a shared drive. The policy defines that the share has 3 different subfolders, and for each of these folders a different encryption key is used.

When I log into my windows machine it works fine. Applying the same settings to the mac doesn't work though for me. The policy is bound to a parent OU, Macs and Windows PCs are separated in OUs below that. I've set up 3 test users in the user pane on both computer objects.

I've applied my management package to the Mac after installing the FileEncryption module. The connection to the server seems to be fine; in the server tab of the Sophos SafeGuard software on the Mac I see information regarding my server and the company certificate. However, in the Keys pane there is only the message "your user account hasn't been verified" and the policies tab is empty.

Edit: Another minor issue is that I am prompted for my safeguard/AD password after logging in. Is there a SSO option?

Edit2: Okay, I just noticed where I can confirm my users; they were stuck in the .unconfirmed Users group since SafeGuard didn't recognize them as AD accounts. I am getting some keys now, but not the ones I am using for my policy. The policies pane is still empty though. Still appreciate any pointers for troubleshooting! :=)



  • Morning Herbert. On my phone so will reply again when I’m on my PC.

    I’m taking it your Mac isn’t bound to AD, or if it is you’re logging into it with an independent account?

    Your user then isn’t known to Sophos and needs to be added/verified.

    On the console under users and computers and on the left under the root will be a container called Unconfirmed users. You should find your orphaned username in there. Right click it and confirm user.

    Damn, just seen in the edit! Will reply more once I’m back at the PC....

  • Thanks for your reply Michael.

    I am using Centrify to bring my Mac to Active Directory and I haven't found anything on how Centrify and SafeGuard work together yet, I was assuming it would work.


    I figured out that SafeGuard doesn't recognize the Mac as a domain computer object, so applying the policy to the OU doesn't take effect. I've applied the OU to the local object of the Mac and I can see the policy in the SafeGuard settings on the Mac now. I even pushed the keys I need to the user, so I can decrypt/read encrypted files on my share.


    However I cannot encrypt files. When I save a file on the share it will not be encrypted automatically. Seems to be a small leap looking back to where I started. Maybe you guys can help me make the final jump :)

  • I know you'll have done this but you have installed the File Encryption package as well as full disk on the Mac?

  • Yes both packages are installed (by accident though)

    Is that wrong/good?

  • No, that's good, just easy to overlook the obvious sometimes. People have complained before when one function didn't work only to discover they'd not installed the function yet! Happens frequently with the Windows client as there's tick boxes which can be easily misunderstood/forgotten!

  • Maybe this is a hint for you to help me :)

    When I'm in the policies pane on the Mac I can see the policies in the list of received policies, but not in the list of enforced policies.

    Edit: Playing around a little bit I think I found a solution. I am using Acronis Advanced Access to access my Windows fileshare with afp. Mounting the fileshare with smb triggers SafeGuard to enforce the policies.

    Maybe someone can confirm/deny/comment in any way here?
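The post above reports that SafeGuard only moved the policies from "received" to "enforced" once the Windows share was mounted over SMB rather than AFP, so a file written through an AFP mount would land on the share unencrypted. The script below is an added example, not code from the thread or from Sophos: it parses the output of the macOS `mount` command (the share lines, host names and mount points in `SAMPLE_MOUNT_OUTPUT` are constructed for the example) and reports which protocol a given mount point is using, so the protocol can be verified before trusting that encryption is being applied.

```shell
#!/bin/sh
# Added example (not from the thread): classify mounted shares by filesystem
# type from `mount` output so you can confirm a share is mounted over SMB
# (smbfs) rather than AFP (afpfs) before testing SafeGuard file encryption.
# The three mount lines below are constructed sample output in the format
# macOS `mount` prints; the host names and mount points are made up.

SAMPLE_MOUNT_OUTPUT='//user@fileserver.example.local/Share on /Volumes/Share (smbfs, nodev, nosuid, mounted by user)
afp_000000@helios.example.local/Share2 on /Volumes/Share2 (afpfs, nodev, nosuid, mounted by user)
/dev/disk1s1 on / (apfs, local, journaled)'

# share_protocol MOUNTPOINT [MOUNT_OUTPUT]
# Prints the filesystem type (smbfs, afpfs, apfs, ...) of MOUNTPOINT, or
# "none" if it is not mounted. Parses MOUNT_OUTPUT when given, otherwise
# runs the real `mount` command.
share_protocol() {
    mp=$1
    if [ -n "$2" ]; then out=$2; else out=$(mount); fi
    printf '%s\n' "$out" | awk -v mp="$mp" '
        # each line reads: SOURCE on MOUNTPOINT (fstype, option, ...)
        $2 == "on" && $3 == mp {
            t = $4                 # e.g. "(smbfs,"
            gsub(/[(),]/, "", t)   # strip parens and trailing comma
            print t
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# check_share MOUNTPOINT [MOUNT_OUTPUT]
# Returns 0 when the share is mounted via SMB, 1 otherwise, and prints a
# verdict so the result is visible when run by hand.
check_share() {
    proto=$(share_protocol "$1" "$2")
    case $proto in
        smbfs)
            printf '%s: mounted via SMB (%s) - SafeGuard policies can be enforced\n' "$1" "$proto"
            return 0 ;;
        afpfs)
            printf '%s: mounted via AFP (%s) - policies stay "received" only, files will NOT be encrypted\n' "$1" "$proto"
            return 1 ;;
        none)
            printf '%s: not mounted\n' "$1"
            return 1 ;;
        *)
            printf '%s: unexpected filesystem type %s\n' "$1" "$proto"
            return 1 ;;
    esac
}

# Example run against the constructed sample output; pass only the mount
# point to check a live system instead.
check_share /Volumes/Share "$SAMPLE_MOUNT_OUTPUT"
check_share /Volumes/Share2 "$SAMPLE_MOUNT_OUTPUT" || true
```

Run `check_share /Volumes/YourShare` on the Mac to inspect a live mount; a non-zero exit means the mount point is not SMB and, going by the thread, the SafeGuard file encryption policy should not be expected to take effect on it.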

  • I'm not encrypting files with our Macs but that would make a lot of sense, SMB being more compliant than AFP!

  • It also may be an issue with the Acronis Advanced Access software. One of my colleagues told me he implemented a SafeGuard encryption solution similar to my test case where shares are accessed via AFP from a Helios server. Just for anyone stumbling over this in the future.