Frequently asked questions (Mac)
These are frequently asked questions for Sophos Central Device Encryption on Macs.
Which macOS versions can I use?
Sophos Central Device Encryption for Mac has the same system requirements as Sophos Endpoint for Mac.
For details, see the following documents:
Sophos Central Device Encryption doesn't support Windows partitions created on a Mac using Boot Camp.
What are the steps to encrypt a Mac?
How does the endpoint handle policies?
When you change a Device Encryption policy, the Mac picks up and enforces the change automatically. If there's no policy change, the Mac enforces the policy each time a user signs in.
Depending on the FileVault 2 status and the "Device Encryption is on" policy setting, the following actions are performed:
FileVault 2 status | Device Encryption is on | Action |
---|---|---|
Turned off | Turned on | Turn on FileVault 2. |
Turned off | Turned off | No action. |
Turned on | Turned on | Add the user to FileVault 2. |
Turned on | Turned off | No action. Sophos Central doesn't store a recovery key. |
Encrypting | Turned on | Add the user to FileVault 2. |
Encrypting | Turned off | No action. Sophos Central doesn't store a recovery key. |
Decrypting | Turned on | No action. |
Decrypting | Turned off | No action. |
Can I migrate from SafeGuard Enterprise?
We recommend uninstalling SafeGuard Enterprise before installing Sophos Central Device Encryption.
With Sophos SafeGuard Enterprise 8 or later, you can leave the disks encrypted.
Are SGN File Encryption modules supported?
I'm using the Sophos SafeGuard Enterprise File Encryption modules (Data Exchange, File Encryption, or Synchronized Encryption) to protect files. Can I use Sophos Central Device Encryption?
Yes. You can use both products in parallel.
Where are the recovery keys stored?
Sophos Central Device Encryption stores the recovery key in the Mac's keychain and Sophos Central.
We don't recommend using iCloud Keychain to back up the recovery key.
What if the recovery key can't be stored?
If Sophos Central Device Encryption can't store the recovery key, it shows the key to the user and asks them to save it.
Sophos Central Device Encryption also stores the recovery key in the Library/Application support/Sophos Encryption/.RecoverykeyEmergencybackup folder, which only the root user can access.
Can I manage Macs that are already encrypted?
Yes. To start managing a Mac that's already encrypted, apply a Device Encryption policy to it with Device Encryption is on turned on.
Are unassigned users removed from FileVault?
No. When you unassign a user from the policy in Sophos Central, they remain a FileVault 2 user.
You can check the user's status with the sudo fdesetup list command in Terminal.
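The following script is an added example for this page, not Sophos code. It joins the two checks described above: it maps the output of the macOS fdesetup status command onto the four FileVault 2 states in the policy table and reports the action the table says Sophos Central will take for a given "Device Encryption is on" setting, and it checks the output of sudo fdesetup list for a specific user. The output formats it matches ("FileVault is On.", "Encryption in progress: ...", one "user,UUID" line per enabled user) are assumed from macOS behaviour; the sample strings used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Sophos code). Assumes the fdesetup output formats
# noted in the comments; run with --live on a Mac to query the real tool.

# Normalise `fdesetup status` output ($1) into one of the page's four states.
# Assumed formats: "FileVault is On." / "FileVault is Off." optionally
# followed by "Encryption in progress: ..." or "Decryption in progress: ...".
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo "Encrypting" ;;
    *"Decryption in progress"*) echo "Decrypting" ;;
    *"FileVault is On"*)        echo "Turned on" ;;
    *"FileVault is Off"*)       echo "Turned off" ;;
    *)                          echo "Unknown" ;;
  esac
}

# The action the page's policy table gives for a FileVault state ($1) and
# the "Device Encryption is on" policy setting ($2, "on" or "off").
expected_action() {
  case "$1/$2" in
    "Unknown/"*)                      echo "Unknown FileVault state" ;;
    "Turned off/on")                  echo "Turn on FileVault 2" ;;
    "Turned on/on"|"Encrypting/on")   echo "Add the user to FileVault 2" ;;
    "Turned on/off"|"Encrypting/off") echo "No action (no recovery key stored)" ;;
    *)                                echo "No action" ;;
  esac
}

# Does `fdesetup list` output ($1, assumed one "user,UUID" line per enabled
# user) include the user named in $2? Returns 0 if so, 1 otherwise.
fv_user_enabled() {
  printf '%s\n' "$1" | grep -q "^$2,"
}

# Live use on a Mac (fdesetup list needs root):
#   sh check_fv.sh --live on alice
if [ "${1:-}" = "--live" ]; then
  policy="${2:-on}"
  user="${3:-$USER}"
  state=$(fv_state "$(fdesetup status 2>/dev/null)")
  echo "FileVault 2 state: $state"
  echo "Action the policy table predicts: $(expected_action "$state" "$policy")"
  if fv_user_enabled "$(sudo fdesetup list 2>/dev/null)" "$user"; then
    echo "$user is a FileVault 2 user"
  else
    echo "$user is not a FileVault 2 user"
  fi
fi
```

The script only reports what the table says Sophos Central will do; it does not change FileVault itself. A user who was unassigned from the policy still shows up in the fdesetup list output, which is the behaviour the answer above describes.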
How can I check the encryption status?
You can check the encryption status with the Sophos Device Encryption application or the seadmin command-line tool.
What happens when a user turns off FileVault?
A Mac user with administrative rights can turn off FileVault 2, which decrypts all volumes.
However, the next time a user signs in to a Mac that has the Device Encryption policy assigned, FileVault 2 is turned on again and all volumes are encrypted.