
Just wanted to pick your brains.

Our Win7 guys came up with a feature where the user can choose to have admin rights
for 1 hour, 2 hours, 4 hours, 24 hours or 30 days. After the period ends,
admin rights are taken off automatically.

Can this be achieved for AD-bound Macs with local mobile homes, using
Self Service or any other method?

Thanks in advance

Cem

I didn't think full disk encryption was possible with Mac OS X, at least that's what the vendors have been telling us.

Don


We've not heard that yet.. mind you I've not been in the meetings discussing it!

We've tested Alertsec (nasty little product) & am now about to test Sophos

Regards,
Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |  Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883


There's quite a few FDE vendors. We're using WinMagic. You're talking to
the wrong vendors.
-- Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436


We're using PGP 10.1 here and it works fine.
On Fri, Jan 21, 2011 at 8:53 AM, Nichols, Jared - 1170 - MITLL <jared.nichols at ll.mit.edu> wrote:

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475


I BETA tested Sophos' Disk Encryption. I think it will be good, but some
of the features and integration with Enterprise Console need to mature.

Craig E


Technically, you're probably right. I doubt there's enough space in EFI to contain the entire decryption program (nor would I recommend trying - it would be far too risky). Checkpoint (what we use, reluctantly) encrypts the main volume, and creates a small partition whose job is to boot just enough to have the user log in, and decrypt the main volume, then it passes control to the main volume's OS, which then boots normally.

I have two gripes about that mini-OS that it loads from that partition: it looks exactly like Windows XP, and it doesn't seem robust enough to make encryption useful for any computer on a domain. Meaning, if multiple users have to share the same encrypted laptop, the only way to permit that is to have them all use the same login information for the decryption. I have no idea what it might take to change the passwords remotely, either, but I doubt it's easy (or even possible).

I hear Checkpoint does a better job on PCs...


RE the multiple users authorized to decrypt... At least with WinMagic, you
can assign as many users as you want who are authorized to decrypt and
boot a drive. You add the user on the server console and then the next
time the machine checks in it adds that user to the authorized list of
users to decrypt and boot. No need to share any sort of credentials. If
that were the case, our security department would have put the kibosh on
it immediately. Any sort of common credentials is a big no-no in my parts.

j
-- Jared F. Nichols


Indeed, I believe the PC version of Checkpoint has something similar. The Mac version does not. There is no server, it's all on the client. Frankly, I'd be happy with using FileVault instead. (I know, I know, but it's better than this crap...)


Yep like not being able to use the console sucks.. but the Casper scripts seem to work nice.. it does just mean all you're getting is more an EFI type username & password combo.

Regards,
Ben Toms


Wow, It would appear so! :)



Ok, looks like I'm 2-3 years behind the curve on the full disk encryption side of things. I found a link to show that Checkpoint was the first available solution, released in 2008:

http://www.checkpoint.com/press/2008/fdemac052808.html

Redwood City, CA — May 28, 2008

"Check Point® Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, today announced the release of Check Point Full Disk Encryption™ for Mac OS X, the industry’s first full-disk encryption solution with pre-boot authentication to support the Mac OS."

I do remember exploring this a few years ago and being told by the vendors that the only encryption solution/method available (at the time) was to encrypt the user directories, which wasn't acceptable to us. Haven't had a need to revisit since then. I guess I should have signed on the JAMF encryption web demo... :)

http://www.jamfsoftware.com/solutions/full-disk-encryption/

Thanks,
Don


Don,
We use PGP WDE and have very few "gripes" about it. It can centrally manage the encryption keys and is cross platform since we have a ton of Windows here.

I've often wondered what the purpose of WDE is when you can lock users down to the Users directory and keep them out of the rest of the HD. Any potentially secret information could be encrypted in the Users directory and WDE wouldn't be needed. But we had it first on the WinXP/Win7 side and thus were required to implement it on the OS X side.

James Fuller | Technology Application Services | application developer II | V: 206.318.7153


We have been using PGP for the last year now.