Sophos Central Device Encryption: Administrator Guide
Contents
About Sophos Central Device Encryption (page 1)
Manage BitLocker Drive Encryption (page 2)
  Migrate to Sophos Central Device Encryption (page 2)
  Prepare Device Encryption (page 3)
  Device Encryption step by step (page 3)
  Device Encryption system compatibility (page 5)
  Device Encryption authentication modes (page 6)
  BitLocker group policy settings (page 8)
  Limitations (page 10)
  Encryption method and reporting (page 10)
  About decryption (page 11)
  Recover Windows endpoints (page 11)
Manage FileVault Encryption (page 13)
  Migrate to Sophos Central Device Encryption (Mac) (page 13)
  Device Encryption step by step (Mac) (page 13)
  Recover Mac endpoints (page 14)
  Device Encryption status (Mac) (page 17)
Password protect files for secure sharing (page 18)
Prompt users to change their password/PIN (page 19)
Retrieve recovery key via Self Service Portal (page 20)
Further reading (page 21)
Supported Web Browsers (page 22)
Get additional help (page 23)
Legal notices (page 24)
(2020/08/20)
Sophos Central Device Encryption
Related information
Sophos Central help
Related tasks
Migrate to Sophos Central Device Encryption (Mac) (page 13)
If you want to use Sophos Central to manage Mac endpoints that are already encrypted with FileVault,
you need to apply a Sophos Central Device Encryption policy to these endpoints.
Note
If you are using BitLocker with SafeGuard Enterprise version 6.x or 7.x, we recommend that you
upgrade to the newest version of SafeGuard Enterprise first.
If you are using SafeGuard Enterprise version 6.x or 7.x, you must decrypt the system disk
following the steps in the SafeGuard Enterprise administrator help before you can migrate to
Sophos Central Device Encryption.
To migrate from a SafeGuard Enterprise BitLocker Client (version 8.0 or later) to Sophos Central
Device Encryption:
1. Go to Control Panel > Uninstall a program and right-click Sophos SafeGuard Client.
2. Select Change from the right-click menu.
The Sophos SafeGuard Client Setup wizard opens.
3. Uninstall the BitLocker component.
Note
Removing the BitLocker component does not decrypt your volumes or files.
5. Make sure that a Sophos Central Device Encryption policy is assigned to the endpoint and
activated.
You can now manage BitLocker using Sophos Central. You do not need to re-encrypt. Once
you have applied a Sophos Central Device Encryption policy to the endpoint, the recovery key is
renewed and sent to Sophos Central. File encryption functionality remains unchanged.
Related information
SafeGuard Enterprise administrator help
• Users must log on to their endpoints interactively and have them connected to and synchronized
with Sophos Central. Note that remote logon is not supported.
• The operating system must support BitLocker Drive Encryption. For more information, see Prepare
Device Encryption and Device Encryption system compatibility.
These instructions tell you what users will see and what they need to do:
1. If the TPM security hardware is not yet enabled, a BIOS action is triggered to enable it. This
requires a restart. The user can restart immediately or postpone the restart.
During the restart, the user is prompted to enable the TPM. If the TPM cannot be enabled or the
user does not respond, a message is displayed.
2. If the TPM is active and enabled but not owned, the Sophos Central agent software automatically
generates and sets TPM owner information. An alert is sent to Sophos Central if this fails.
3. If endorsement keys of the TPM are missing, the Sophos Central agent software automatically
creates them. An alert is sent to Sophos Central if this fails.
4. If the Device Encryption policy does not specify Require startup authentication, encryption of the
hard disk starts automatically. There is nothing users need to do in this case. You can skip to step
8.
5. If the Device Encryption policy does specify Require startup authentication, the user sees the
Sophos Device Encryption dialog.
• If the Device Encryption policy requires a PIN or password for authentication, users need
to follow the on-screen instructions to define a PIN or password. If TPM+PIN is used, the
encryption key for the system disk will be stored in the TPM.
Note
Users need to be careful when setting a password. The pre-boot environment only
supports the US-English keyboard layout. If they set a PIN or password now with special
characters, they might have to use different keys when they enter it to log on later.
• If the Device Encryption policy requires a USB key for authentication, users need to connect a
USB flash drive to their computer. The USB flash drive must be formatted with NTFS, FAT, or
FAT32.
6. When the user clicks Restart and Encrypt, the computer restarts and checks that Device
Encryption works.
The user can select Do this later to close the dialog. However, it will appear again next time the
user logs on or when you change the Device Encryption policy.
7. If the user cannot enter the correct PIN/password, they can press the Esc key. The system boots
normally since encryption has not been applied yet. The user is asked to try to enter the PIN/
password again after logon.
8. You can see which users have not yet enabled encryption. This means they have not yet restarted
their computer or they have not yet completed the on-screen instructions. Look in Reports in
Sophos Central.
9. If the pre-boot test has been successful, the Sophos Central agent software starts encrypting the
fixed disks. Encryption happens in the background, allowing users to work with their computer as
usual.
If the hardware test fails, the system reboots, and encryption will not be enforced. An event will be
sent to Sophos Central to notify you.
10. After the Sophos Central agent has encrypted the system volume, the encryption of the data
volumes is started (if specified in the policy). Protection for these volumes is stored on the system
volume, so that data volumes are available automatically after startup. This means that when
a user logs on to their computer, the data volumes can be accessed without any further user
interaction. Removable data volumes, for instance USB flash drives, are not encrypted.
You can find two log files, CDE.log and CDE_trace.xml, under
%ProgramData%\Sophos\Sophos Data Protection\Logs on the endpoint.
Related concepts
Prepare Device Encryption (page 3)
By default, most system drives are prepared for BitLocker. If this is not the case, Sophos Central
Device Encryption automatically runs the required Microsoft command line tool BdeHdCfg.exe to
prepare the drive.
Device Encryption system compatibility (page 5)
The table below gives an overview of which protection types are supported on which platform. The
protection type applied depends on the Windows version and whether TPM security hardware is
available.
TPM+PIN (page 7)
The TPM+PIN mode uses the computer's TPM security hardware and a PIN as authentication.
You may need to configure TPM on the endpoint computer when you are using Central Device
Encryption.
If you are using TPM 2.0 or later, you must format the hard drive as GPT and the BIOS must be in
UEFI mode.
If you are using TPM 1.2, you must enable TPM in the BIOS/UEFI and it must be ready for use.
You can check this by using TPM.MSC.
We recommend that you update your endpoint computers to the latest BIOS/UEFI version before
you install Central Device Encryption.
When Windows FIPS Mode is enabled, BitLocker encryption is only supported on systems with
Windows 8.1 or Windows 10. For detailed information on BitLocker in FIPS mode on Windows 7,
see A FIPS-compliant recovery password cannot be saved to AD DS for BitLocker in Windows 7 or
Windows Server 2008 R2.
You can use encrypted hard drives with Sophos Central Device Encryption. For more information,
see Encrypted Hard Drive.
Central Device Encryption supports pre-provisioned BitLocker.
Related information
A FIPS-compliant recovery password cannot be saved to AD DS for BitLocker in Windows 7 or
Windows Server 2008 R2
Encrypted Hard Drive
Related concepts
Device Encryption system compatibility (page 5)
The table below gives an overview of which protection types are supported on which platform. The
protection type applied depends on the Windows version and whether TPM security hardware is
available.
BitLocker group policy settings (page 8)
Sophos Central defines some group policy settings automatically, so that administrators don't have to
prepare computers for device encryption.
2.5.1 TPM+PIN
The TPM+PIN mode uses the computer's TPM security hardware and a PIN as authentication.
Users have to enter this PIN in the Windows pre-boot environment every time the computer starts.
TPM+PIN requires a prepared TPM and the GPO settings of the system must allow the TPM+PIN
mode.
If all conditions are met, the TPM+PIN setting dialog will be displayed and the user is prompted to
define a PIN. The user can click Restart and Encrypt to immediately reboot the computer and start
encryption.
If the GPO setting Allow enhanced PINs for startup is enabled, the PIN may include numbers,
letters, and special characters. Otherwise, only numbers are allowed.
PINs for BitLocker are between four and twenty characters in length. You can define a higher
minimum length through a group policy. The Sophos Central agent software sets the group policy to
allow enhanced PINs. The dialog tells the user which characters may be entered and what minimum/
maximum lengths are allowed.
Note
All users of a specific Windows computer need to use the same PIN to unlock the system disk.
After that, they log on to the operating system with their individual credentials. Single sign-on is not
supported for Windows computers.
2.5.2 Passphrase
For authentication at endpoints without TPM security hardware, a passphrase can be used.
Users have to enter this passphrase in the Windows pre-boot environment every time the computer
starts.
Passphrase protection requires Windows 8.0 or later and the GPO settings of the system must allow
the passphrase mode.
If all conditions are met, the passphrase setting dialog will be displayed and the user is prompted
to define a passphrase of 8-100 characters in length. The user can click Restart and Encrypt to
immediately reboot the computer and start encryption.
2.5.3 TPM-only
The TPM-only mode uses the computer's TPM security hardware without any PIN authentication.
This means that the user can start the computer without being prompted for a PIN in the Windows
pre-boot environment.
TPM-only requires a prepared TPM and the Device Encryption policy setting Require startup
authentication must be disabled. Furthermore, the GPO settings of the system must allow TPM-only
protection.
If all conditions are met, the TPM-only protection installation dialog will be displayed. The user can
click Restart and Encrypt to immediately restart the computer and start encryption.
Group policy setting: Require additional authentication at startup
  Option: Configure TPM startup PIN
  Value: Allow startup PIN with TPM
  Description: If the Device Encryption policy setting Require startup authentication is set and the
  system has a TPM, then this group policy setting will allow protection of the system drive by TPM,
  with the user also asked for a PIN.

Group policy setting: Configure pre-boot recovery message and URL
  Option: Select an option for the pre-boot recovery message and URL
  Value: Use default recovery message and URL
  Description: This is set to use the Sophos default recovery message and URL.
• Encryption algorithm to be used: By default, Sophos Central Device Encryption uses AES-256.
There is a group policy setting that can be used to select AES-128.
• PIN/password requirements: There are group policy settings that can be used to set a minimum
PIN/password length and to require complex passwords.
• Encrypt all data or used space only: If the group policy for boot volumes and/or data volumes is set
to require full data encryption, it overrides any Sophos Central policy that allows encryption of used
space only.
Some group policy settings may conflict with Sophos Central so that encryption cannot be enabled.
In that case, an event is sent to Sophos Central.
• Smart card required: If a group policy requires a smart card to be used for BitLocker, this is not
supported by Sophos Central and generates an error event.
• Encrypt all data or used space only: If the group policy for boot volumes and/or data volumes is set
to encrypt used space only but Sophos Central policy requires full encryption, this generates an
error event.
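As an added pre-flight check (example code, not part of the Sophos guide), the following PowerShell script covers both the TPM/UEFI/GPT requirements from the system compatibility section and the group policy interactions listed above: it reads the TPM state that TPM.MSC would show, the firmware mode and partition style, and the BitLocker policy values under the standard Microsoft registry location. The registry value names and their numeric meanings are assumed to be the standard BitLocker policy keys; run it as an administrator on the endpoint before assigning the encryption policy.

```powershell
# Added example, not Sophos code: pre-flight check for a Windows endpoint
# before a Sophos Central Device Encryption policy is applied.
# Assumption: BitLocker group policy is stored under the standard key
# HKLM\SOFTWARE\Policies\Microsoft\FVE with the usual value names.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicy {
    param([string]$Name)
    # Returns $null when the setting is "Not configured"
    (Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue).$Name
}

# --- TPM readiness (the same state TPM.MSC displays) ---
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
    TpmEnabled = $tpm.TpmEnabled
    TpmOwned   = $tpm.TpmOwned
} | Format-List

# --- Firmware mode and system disk layout (TPM 2.0 needs UEFI and GPT) ---
$firmware = $env:firmware_type      # 'UEFI' or 'Legacy'
$sysDisk  = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
"Firmware: $firmware, system disk partition style: $($sysDisk.PartitionStyle)"
if ($firmware -ne 'UEFI' -or $sysDisk.PartitionStyle -ne 'GPT') {
    Write-Warning 'TPM 2.0 protection requires UEFI boot and a GPT system disk.'
}

# --- Group policy values that the guide says interact with the Sophos policy ---
$findings = @()

# "Allow startup PIN with TPM": 0 = do not allow, 1 = require, 2 = allow
if ((Get-FvePolicy 'UseTPMPIN') -eq 0) {
    $findings += 'UseTPMPIN = 0: the TPM+PIN mode is blocked by group policy.'
}

# "Allow enhanced PINs for startup": when forced to 0 only numeric PINs are allowed
if ((Get-FvePolicy 'UseEnhancedPin') -eq 0) {
    $findings += 'UseEnhancedPin = 0: PINs are limited to numbers.'
}

# OS drive encryption type: 1 = full encryption, 2 = used space only
$osType = Get-FvePolicy 'OSEncryptionType'
if ($osType -eq 1) {
    $findings += 'OSEncryptionType = 1: full encryption forced; overrides a used-space-only Sophos policy.'
}
if ($osType -eq 2) {
    $findings += 'OSEncryptionType = 2: used space only forced; conflicts with a Sophos full-encryption policy.'
}

# OS drive algorithm: 6 = XTS-AES 128, 7 = XTS-AES 256 (Sophos default is AES-256)
if ((Get-FvePolicy 'EncryptionMethodWithXtsOs') -eq 6) {
    $findings += 'EncryptionMethodWithXtsOs = 6: AES-128 selected instead of the AES-256 default.'
}

# Minimum PIN length raised above the BitLocker default by group policy
$minPin = Get-FvePolicy 'MinimumPIN'
if ($minPin) { "Group policy minimum PIN length: $minPin" }

if ($findings.Count -eq 0) {
    'No conflicting BitLocker group policy settings found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Each warning corresponds to a condition the guide says blocks or overrides the Sophos policy, so the script can be run from a management tool to find endpoints that would raise an error event before the policy is assigned.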
If you want to encrypt tablet devices (such as the MS Surface Pro) and use startup authentication,
you need to enable the following group policy setting:
Related concepts
Encryption method and reporting (page 10)
You can encrypt volumes with software-based or hardware-based encryption.
Related information
BitLocker Group Policy Settings
TPM Group Policy Settings
knowledge base article 125772
2.7 Limitations
Dynamic Disks
BitLocker does not support dynamic disks. The endpoints send an event to Sophos Central to notify
you that encryption failed. This is because a system volume on a dynamic disk cannot be encrypted.
Data volumes on dynamic disks are simply ignored.
Remote Desktop
When a Windows endpoint that has the Sophos Central agent software installed is used through Remote
Desktop, no dialogs are displayed and device encryption will NOT be enforced if an encryption policy
is deployed. Enabling encryption would result in a reboot sequence to verify compatibility of the
hardware. The user needs to be able to enter the PIN/passphrase in the pre-boot environment, and
this cannot be done through Remote Desktop.
The Encryption status report shows the encryption status of your computers.
You can see which of your computers are encrypted, which volume types are encrypted, and
which computers comply with your encryption policies. You can also find out how your computers
authenticate and how they're encrypted.
Related concepts
BitLocker group policy settings (page 8)
Sophos Central defines some group policy settings automatically, so that administrators don't have to
prepare computers for device encryption.
Computers
Computer summary
Related tasks
Retrieve recovery key via Self Service Portal (page 20)
If users cannot log on to their computer (forgot BitLocker PIN, macOS password, etc.), they can use
the Sophos Self Service Portal to retrieve a recovery key.
Related information
Self-Service Portal
Sophos Central help
Note
If you are using FileVault with SafeGuard Enterprise, you must uninstall the Sophos SafeGuard
Device Encryption software first.
• Users must log on to their endpoints. They must be connected to and synchronized with Sophos
Central. Note that remote logon is not supported.
These instructions tell you what the users see and what they need to do.
1. Enter their login password after starting their Mac.
This turns on Sophos Device Encryption.
2. Click either Encrypt to start the encryption of their system disk or Postpone to start the process
later.
When users enter their login password and click Encrypt, the recovery key is stored locally in
the keychain and Sophos Central.
All existing users of an endpoint are added to FileVault automatically.
On endpoints running macOS 10.12 or earlier, each user needs to log in separately to be added
to FileVault.
When the system disk is encrypted, the internal data volumes are automatically encrypted.
Encrypted disks are automatically unlocked when the computer starts.
Notifications tell users about the encryption status of the individual disks.
You can help users to regain access. These instructions tell you what the users will see and what
they need to do. They must:
1. Switch on the endpoint computer and wait until the Recovery key ID is displayed.
The recovery key ID is displayed only for a few minutes. To display it again, users must restart their
computer.
2. Call the administrator and tell them the recovery key ID.
You can give them the recovery key. For help on retrieving a key for one of your users, see the
Sophos Central help.
3. Click the question mark icon in the Password field.
A message is displayed.
4. Click the arrow icon next to the message to switch to the recovery key field.
5. Enter the recovery key.
For users imported from Active Directory, you need to do the following extra steps:
• Reset the existing password in Active Directory. Then generate a preliminary password and
give it to the user.
• Tell the user to click Cancel in the Reset Password dialog and enter the preliminary
password instead.
6. Follow the on-screen instructions to create a new password.
7. If prompted, click Create New Keychain.
Users can access their computer's startup volume again.
On endpoints running macOS 10.12 or earlier, a new recovery key will be created and stored in
Sophos Central. A recovery key can only be used once. If you need to recover a computer again
later, you need to retrieve a new recovery key.
On endpoints running macOS 10.13 and Apple File System (APFS), no new recovery key is created.
The existing recovery key remains valid.
Related tasks
Retrieve recovery key via Self Service Portal (page 20)
If users cannot log on to their computer (forgot BitLocker PIN, macOS password, etc.), they can use
the Sophos Self Service Portal to retrieve a recovery key.
Unlock HFS+ volumes with Terminal commands (page 15)
You can use Terminal commands to unlock encrypted volumes. The commands in this section apply to
endpoints running macOS 10.12 or earlier with volumes formatted with HFS+.
Unlock APFS volumes with Terminal commands (page 16)
You can use Terminal commands to unlock encrypted volumes. The commands in this section apply to
endpoints running macOS 10.13 and Apple File System (APFS).
Related information
macOS Recovery
How to select a different startup disk
Sophos Central help
Related information
Sophos Central help
Note
If a user with administrative privileges on a Mac endpoint attempts to manually decrypt their
hard disk with an encryption policy applied, Sophos Central cannot override this and the disk
will be decrypted. When the decryption is complete the user is asked for their password to
enable FileVault and the disk will be encrypted again.
• Recovery status: At the bottom of the window, users are informed whether recovery keys are
available for their disks.
Alternatively, you can access information on the Device Encryption status via a command line tool.
The tool is installed to /usr/local/bin/seadmin. The following commands are available:
• help: Displays a list of available commands.
• status: Displays the last synchronization of the encryption software and the synchronization
interval.
• --device-encryption: Displays the current encryption policy and the encryption and recovery
status of all internal disks.
Note
The feature is only available in Central Device Encryption 2.0 or later. This is only available for
Windows.
Related information
Device Encryption policy
Note
This option is only available for Windows.
• Use the Require new authentication password/PIN from users option in the encryption policy.
This option is turned off by default. It forces a change of the BitLocker password or PIN after the
specified time. An event is logged when users change their password or PIN.
Note
The feature is only available in Central Device Encryption 2.0 or later.
• Use the Trigger change of password/PIN option on the Summary tab in a computer's details
page.
This requires users to immediately change their BitLocker password or PIN. A message is
displayed when the request has been sent successfully.
On the endpoint, users are prompted to set a new BitLocker password or PIN. If users close the
dialog without entering a new password or PIN, the dialog is shown again after 30 seconds. This
stops when they enter one. After users have closed the dialog five times without changing the
password or PIN an alert is logged.
Related information
Device Encryption policy
Computer summary
Related information
Self-Service Portal
7 Further reading
Windows
• FAQs: knowledge base article 124819
• BitLocker Frequently Asked Questions (FAQ)
• BitLocker Group Policy Settings
• TPM Fundamentals
• TPM Group Policy Settings
• Trusted Platform Module Administration Technical Overview
Mac
• FAQs: knowledge base article 125982
• FileVault setup: Use FileVault to encrypt the startup disk on your Mac
• FileVault recovery keys: Set a FileVault recovery key for computers in your institution
• Password reset: Change or reset the password of a macOS user account
Note
Sophos Central Admin is not supported on mobile devices.
Note
If you selected the option to enable Support to access your Sophos Central session, this function
is enabled when you click Send. Remote assistance will automatically be disabled after 72 hours.
To disable it sooner, click on your account name (upper right of the user interface), select Account
Details, and click the Sophos Support tab.
Submit feedback
To submit feedback or a suggestion to Sophos Support:
1. Click Help in the top right of the user interface and select Give Feedback.
2. Fill in the form.
3. Click Submit.
Additional help
You can also find technical support as follows:
• Visit the Sophos Community at community.sophos.com/ and search for other users who are
experiencing the same problem.
• Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.
10 Legal notices
Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise unless you are either a valid licensee where the documentation
can be reproduced in accordance with the license terms or you otherwise have the prior permission
in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.