Frequently asked questions (Mac)

These are frequently asked questions for Sophos Central Device Encryption on Macs.

Which macOS versions can I use?

Sophos Central Device Encryption supports the following macOS versions:

  • macOS 10.13 High Sierra
  • macOS 10.14 Mojave
  • macOS 10.15 Catalina
  • macOS 11 Big Sur

Sophos Central Device Encryption doesn't support Windows partitions created on a Mac using Boot Camp.

What are the steps to encrypt a Mac?

See Device Encryption step by step (Mac).

How does the endpoint handle policies?

When you change a Device Encryption policy, the Mac picks up and enforces the change automatically. If there's no policy change, the Mac enforces the policy each time a user signs in.

Depending on the FileVault 2 status and the "Device Encryption is on" policy setting, the following actions are performed:

  FileVault 2 status   Device Encryption is on   Action
  Turned off           Turned on                 Turn on FileVault 2.
  Turned off           Turned off                No action.
  Turned on            Turned on                 Add the user to FileVault 2.
  Turned on            Turned off                No action. Sophos Central doesn't store a recovery key.
  Encrypting           Turned on                 Add the user to FileVault 2.
  Encrypting           Turned off                No action. Sophos Central doesn't store a recovery key.
  Decrypting           Turned on                 No action.
  Decrypting           Turned off                No action.

Can I migrate from SafeGuard Enterprise?

We recommend uninstalling SafeGuard Enterprise before installing Sophos Central Device Encryption.

With Sophos SafeGuard Enterprise 8 or later, you can leave the disks encrypted.

Are SGN File Encryption modules supported?

I'm using the Sophos SafeGuard Enterprise File Encryption modules (Data Exchange, File Encryption, or Synchronized Encryption) to protect files. Can I use Sophos Central Device Encryption?

Yes. You can use both products in parallel.

Where are the recovery keys stored?

Sophos Central Device Encryption stores the recovery key in the Mac's keychain and Sophos Central.

We don't recommend using iCloud Keychain to back up the recovery key.

What if the recovery key can't be stored?

If Sophos Central Device Encryption can't store the recovery key, it shows the key to the user and asks them to save it.

Sophos Central Device Encryption also stores the recovery key in the Library/Application support/Sophos Encryption/.RecoverykeyEmergencybackup folder, which only the root user can access.

Can I manage Macs that are already encrypted?

Yes. To start managing a Mac that's already encrypted, apply a Device Encryption policy to it with "Device Encryption is on" turned on.

Are unassigned users removed from FileVault?

No. When you unassign a user from the policy in Sophos Central, they remain a FileVault 2 user.

You can check the user's status with the sudo fdesetup list command in Terminal.
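The policy table and the fdesetup check above, as an added shell example that is not Sophos's own code or tooling: it classifies the output of the macOS fdesetup status and fdesetup list commands into the FileVault 2 states the table uses, checks whether a user is a FileVault 2 user, and reports the action the table expects for a given policy setting. The fdesetup output wording it matches and the sample output it ships with are assumptions, constructed so the script runs without a Mac.

```shell
#!/bin/sh
# Added example, not part of the Sophos documentation. Classifies a Mac's
# FileVault 2 state and checks FileVault users from `fdesetup status` and
# `fdesetup list` text, then reports the expected policy action. The output
# formats matched and the sample text below are assumptions/constructed.

# Map `fdesetup status` output to one of: on, off, encrypting, decrypting.
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Succeed (exit 0) if user $2 appears in `fdesetup list` output ($1), one "user,UUID" per line.
fv_user_enabled() {
    printf '%s\n' "$1" | grep -q "^$2,"
}

# Expected endpoint action for a FileVault state ($1) and the
# "Device Encryption is on" policy setting ($2: on|off), per the policy table.
policy_action() {
    case "$1/$2" in
        off/on)                echo "Turn on FileVault 2." ;;
        on/on|encrypting/on)   echo "Add the user to FileVault 2." ;;
        on/off|encrypting/off) echo "No action. Sophos Central doesn't store a recovery key." ;;
        *)                     echo "No action." ;;
    esac
}

# Constructed sample output standing in for `sudo fdesetup status` and `sudo fdesetup list`.
SAMPLE_STATUS="FileVault is Off.
Encryption in progress: Percent completed = 37."
SAMPLE_LIST="admin,11111111-2222-4333-8444-555555555555
alice,66666666-7777-4888-9999-000000000000"

# On a real Mac, replace the samples with "$(sudo fdesetup status)" and "$(sudo fdesetup list)".
report() {
    state=$(fv_state "$SAMPLE_STATUS")
    echo "FileVault state: $state; expected action: $(policy_action "$state" on)"
    fv_user_enabled "$SAMPLE_LIST" alice && echo "alice is a FileVault 2 user" || echo "alice is not a FileVault 2 user"
}
report
```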

How can I check the encryption status?

You can check the encryption status with the Sophos Device Encryption application or the seadmin command-line tool.

See Device Encryption status (Mac).

What happens when a user turns off FileVault?

A Mac user with administrative rights can turn off FileVault 2, which decrypts all volumes.

But the next time a user signs into the Mac that you assigned the Device Encryption policy to, FileVault 2 is turned on again and all volumes are encrypted.