
Frequently asked questions (Mac)

These are frequently asked questions for Sophos Central Device Encryption on Macs.

Which macOS versions can I use?

Sophos Central Device Encryption for Mac has the same system requirements as Sophos Endpoint for Mac.

For details, see the following documents:

Sophos Central Device Encryption doesn't support Windows partitions created on a Mac using Boot Camp.

What are the steps to encrypt a Mac?

See Device Encryption step by step (Mac).

How does the endpoint handle policies?

When you change a Device Encryption policy, the Mac picks up and enforces the change automatically. If there's no policy change, the Mac enforces the policy each time a user signs in.

Depending on the FileVault 2 status and the "Device Encryption is on" policy setting, the following actions are performed:

FileVault 2 status   Device Encryption is on   Action
------------------   -----------------------   ------
Turned off           Turned on                 Turn on FileVault 2.
Turned off           Turned off                No action.
Turned on            Turned on                 Add the user to FileVault 2.
Turned on            Turned off                No action. Sophos Central doesn't store a recovery key.
Encrypting           Turned on                 Add the user to FileVault 2.
Encrypting           Turned off                No action. Sophos Central doesn't store a recovery key.
Decrypting           Turned on                 No action.
Decrypting           Turned off                No action.

Can I migrate from SafeGuard Enterprise?

We recommend uninstalling SafeGuard Enterprise before installing Sophos Central Device Encryption.

With Sophos SafeGuard Enterprise 8 or later, you can leave the disks encrypted.

Are SGN File Encryption modules supported?

I'm using the Sophos SafeGuard Enterprise File Encryption modules (Data Exchange, File Encryption, or Synchronized Encryption) to protect files. Can I use Sophos Central Device Encryption?

Yes. You can use both products in parallel.

Where are the recovery keys stored?

Sophos Central Device Encryption stores the recovery key in the Mac's keychain and in Sophos Central.

We don't recommend using iCloud Keychain to back up the recovery key.

What if the recovery key can't be stored?

If Sophos Central Device Encryption can't store the recovery key, it shows the key to the user and asks them to save it.

Sophos Central Device Encryption also stores the recovery key in the Library/Application support/Sophos Encryption/.RecoverykeyEmergencybackup folder, which only the root user can access.

Can I manage Macs that are already encrypted?

Yes. To start managing a Mac that's already encrypted, apply a Device Encryption policy to it with the "Device Encryption is on" setting turned on.

Are unassigned users removed from FileVault?

No. When you unassign a user from the policy in Sophos Central, they remain a FileVault 2 user.

You can check the user's status with the sudo fdesetup list command in Terminal.
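The policy table above and the fdesetup check can be combined into one status script. The following is an added example (not Sophos code): it classifies the output of fdesetup status and fdesetup list and looks up the action the table prescribes; the SAMPLE_* values and all function names are assumptions made here, not part of the product.

```shell
#!/bin/sh
# Added example, not Sophos code: parse the output of `fdesetup status` and
# `fdesetup list` and look up the action the policy table prescribes.
# The sample outputs below are constructed to match the usual fdesetup
# format; on a real Mac feed in "$(sudo fdesetup status)" and
# "$(sudo fdesetup list)" instead.

# Classify `fdesetup status` text ($1) as off | on | encrypting | decrypting.
# In-progress lines are checked first because they appear together with
# the "FileVault is On/Off" line.
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Is user $1 enabled for FileVault? $2 = `fdesetup list` text (user,UUID per line).
fv_user_enabled() {
  printf '%s\n' "$2" | grep -q -- "^$1,"
}

# Action from the policy table: $1 = FileVault state, $2 = policy setting (on|off).
expected_action() {
  case "$1:$2" in
    off:on)                echo "Turn on FileVault 2" ;;
    on:on|encrypting:on)   echo "Add the user to FileVault 2" ;;
    on:off|encrypting:off) echo "No action (no recovery key stored)" ;;
    *)                     echo "No action" ;;
  esac
}

# Summarise one Mac: $1 = status text, $2 = list text, $3 = user, $4 = policy.
fv_report() {
  state=$(fv_state "$1")
  if fv_user_enabled "$3" "$2"; then enabled=yes; else enabled=no; fi
  printf '%s %s %s\n' "$state" "$enabled" "$(expected_action "$state" "$4")"
}

# Constructed sample data (not captured from a real machine).
SAMPLE_STATUS='FileVault is On.
Encryption in progress: Percent completed = 42.'
SAMPLE_LIST='admin,5A9D3E31-0000-4000-8000-000000000001
alice,5A9D3E31-0000-4000-8000-000000000002'

fv_report "$SAMPLE_STATUS" "$SAMPLE_LIST" alice on
```

Running the script prints the FileVault state, whether the named user is already a FileVault user, and the action the policy table expects, which is a quick way to confirm that a Mac is in the state the policy should have produced.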

How can I check the encryption status?

You can check the encryption status with the Sophos Device Encryption application or the seadmin command-line tool.

See Device Encryption status (Mac).

What happens when a user turns off FileVault?

A Mac user with administrative rights can turn off FileVault 2, which decrypts all volumes.

However, the next time a user signs in to a Mac that has a Device Encryption policy assigned, FileVault 2 is turned on again and all volumes are encrypted.