Device Encryption status (Mac)
Users can access information on the encryption status using the Sophos Device Encryption application. It is installed to the
Applications directory and can be launched via Finder, Launchpad or Spotlight.
The Sophos Device Encryption application provides the following information:
- Policy status: The first line tells users whether or not their endpoint is managed by Sophos Device Encryption.
- User status: The second line tells users what they can and cannot do.
Disk status: A list of all internal disks is displayed. If the disk name is grayed out, the disk is currently not mounted. An icon next to the disk name indicates the status of the disk. The following statuses are available:
- Green: The disk is fully encrypted and the recovery key is stored centrally.
- Yellow: The disk is fully encrypted, but the recovery key is not stored in Sophos Central. This may happen when Sophos Central is currently not reachable. If encryption of the disk is not required, the recovery key may not exist at all. This is usually the case when the disk is not managed by Sophos Central Device Encryption and it was encrypted using operating system tools.
- Yellow + exclamation mark: The disk is fully encrypted, a policy exists which requires that the disk is encrypted, but there is no recovery key available.
- Red: The disk is not encrypted, but a policy is active which requires that the disk must be encrypted.
- Gray: The disk is not encrypted and the policy does not require encryption or there is no policy at all.
- Status bar + Encrypting: The disk is currently being encrypted.
- Status bar + Decrypting: The disk is currently being decrypted.
If a user with administrative privileges on a Mac endpoint attempts to manually decrypt their hard disk with an encryption policy applied, Sophos Central cannot override this and the disk will be decrypted. When the decryption is complete the user is asked for their password to enable FileVault and the disk will be encrypted again.
Recovery status: At the bottom of the window, users are informed whether recovery keys are available for their disks.
Alternatively, you can access information on the Device Encryption status via a command line tool. The tool is installed to
/usr/local/bin/seadmin. The following commands are available:
help: Displays a list of available commands.
status: Displays the last synchronization of the encryption software and the synchronization interval.
--device-encryption: Displays the current encryption policy and the encryption and recovery status of all internal disks.