Migrate to Sophos Central Device Encryption (Mac)

If you want to use Sophos Central to manage Mac endpoints that are already encrypted with FileVault, you need to apply a Sophos Central Device Encryption policy to these endpoints.


  • If you are using FileVault with SafeGuard Enterprise, you must uninstall the Sophos SafeGuard Device Encryption software first.
  • You must install the Sophos Central agent software on the endpoints.
  • You must configure and turn on a Device Encryption policy in Sophos Central.
  • Users must log on to their endpoints. They must be connected to and synchronized with Sophos Central.

    Note that remote logon is not supported.

Migrate Macs

These instructions tell you what users see and what they need to do:

  1. When users log on, or when you apply a Sophos Central Device Encryption policy while they are logged on, they are informed that Device Encryption has been set up to protect their computers.
  2. To turn on Sophos Central Device Encryption, users must enter their login password and click Create key.

    A new recovery key is created and stored centrally for recovery purposes. If there are other unencrypted internal disks, those disks are encrypted as well. You do not need a separate disk password for them.

  3. If there are internal disks that are already encrypted with a disk password, users must enter the disk password and click Proceed.

    The disk password is now managed by Sophos Central. The disk is unlocked automatically during startup.

The endpoint is now managed by Sophos Central Device Encryption.