Migration from existing File Encryption module on OS X

The Sophos SafeGuard Enterprise OS X endpoints can handle both Synchronized Encryption policies of type Application-based and File Encryption policies of type Location-based. Depending on which policies they receive, endpoints act either as a Synchronized Encryption endpoint or a File Encryption endpoint.

If you upgrade from version 6.1, the endpoints keep on working in the File Encryption location-based mode as in the previous version.

To switch to the Synchronized Encryption application-based mode, do the following:

Run migration
  1. In the Management Center, create new Synchronized Encryption policies.
    • All applications that should be able to access encrypted files must be part of the Application List used in the Synchronized Encryption policies.
    • Synchronized Encryption policies should cover the same Encryption scope as previous location-based File Encryption policies.
    • Specify settings for initial encryption. Initial encryption will start immediately after the policy has been applied on the endpoint and encrypt or re-encrypt all files with the Synchronized Encryption key. This ensures that all files are encrypted according to policies.
      Note: Users can also start initial encryption from the Policies tab in the preference pane (Enforce all policies).
  2. Deploy the policies.
  3. When users receive the policies they will be prompted to log off and log on again.


  • Encrypted files covered by the Synchronized Encryption policies are re-encrypted with the Synchronized Encryption key.

  • Files created or modified by applications on the Synchronized Encryption Application list will be encrypted with the Synchronized Encryption key.

  • Encrypted files not covered by the Synchronized Encryption policies stay encrypted with the File Encryption key. Users who have the required key in their key ring can always decrypt files manually, even if files are no longer covered by encryption policies.