Posted on 03-27-2012 04:52 PM
Does anyone have any experience with Credant for Mac vs. Filevault 2? Pros/Cons?
Any information would be helpful, as we are implementing Casper Suite soon and we would prefer to manage FileVault 2 instead of Credant.
Thanks muchly,
Susan
Posted on 03-27-2012 04:59 PM
I haven't worked with Credant, but please let me know if you have any questions about FileVault 2.
Posted on 03-27-2012 05:11 PM
Looks like this has been brought up before. https://jamfnation.jamfsoftware.com/discussion.html?id=1802
The website still only mentions 10.6. I do like the key escrow feature.
Posted on 03-27-2012 08:37 PM
Ya, for companies that use Credant on the Wintel side it was worth a look. Solid solution, but their Mac support seems more like best-effort to keep their enterprise customers satisfied, rather than making it work really well on BOTH platforms. :(
@rtrouton This is your queue...cauliflower vest... :)
Don
Posted on 03-28-2012 05:49 AM
We use Credant on the PC side; it's a POOR product and the bane of our deskside support's existence. I can't recommend staying away from it enough.
Posted on 11-02-2012 03:23 PM
We're going to be testing this once the server is updated at one of the shops we support. There are 10,000+ PC workstations and having polled the Help Desk and Desktop Support they haven't seen many issues with it...at least on the PC side. Hopefully the Mac side won't be a problem. :) Not much on this forum on Credant, and they don't seem to have a forum at their site (I've been set up with support portal access)...where to go for some feedback? :/
Don
Posted on 11-02-2012 04:18 PM
I would encourage you to use Casper and FV2. Using 3rd Party FDE creates a dependency. You won't be able to upgrade the OS until your 3rd Party FDE vendor updates their software.
It is my understanding that Google looked at every Mac FDE option, picked PGP, then realized that it was so bad that they wrote their own based on undocumented Apple APIs in X.7 before FV2 improvements in X.8.
C
Posted on 11-15-2012 09:18 AM
Thanks for all of your responses. Despite my best efforts we are going ahead with Credant for Mac. Version 7.1.5.4855 is compatible with 10.8.2.
Posted on 11-15-2012 09:32 AM
I feel for you; we have Credant here on the PCs and it's a nightmare.
Posted on 11-15-2012 09:44 AM
@gachowski Good point, however in the line of business I'm in, it's all about leveraging existing infrastructure wherever possible. We had a call with Credant and we plan to start testing in an isolated LAB environment, using the latest version of Credant. If we don't see any major issues, we'll be implementing it and the existing infrastructure staff responsible for laptop security/encryption will be able to use their existing tools to manage/support our Mac laptops. Since our hand is being forced with Late 2012 model Macs, I'll get formal confirmation on System Requirements, etc.
@jwojda John, check your Gmail...if you're open to it, I'm happy to mention the issues you're having, if only to get them to fess up and provide a fix for you, but also to leverage commitment from them that if we DO run into any problems on the Mac side, they'll resolve. So far the PC side has been problem free.
Don
Posted on 11-15-2012 10:08 AM
One interesting thing I noticed on Credant's Enterprise Edition page was that they say they can manage FileVault 2:
http://www.credant.com/products/cmg-enterprise-edition-features.html
I'd be very interested to learn more about that, if someone with Credant's software is willing to share.
Posted on 11-15-2012 10:43 AM
That is pretty interesting. I wonder if they're using fdesetup as well.
Posted on 11-15-2012 11:21 AM
@rtrouton Yep, when they told us during our last call we were hot to get started with LAB testing...that nugget might become the highlight of our testing. I wonder if someone from Credant is monitoring this forum, maybe we can get a response from them. ;)
Posted on 11-15-2012 02:14 PM
@jarednichols and @donmontalvo ... as noted on our site we are adding support for managing FV2 as well as offering our own software encryption for the Mac platform.
@gachowski makes a great point as far as using FV2 vs. any 3rd party encryption (including Credant) ... the latter typically prevents OS upgrades (talking major versions here, *not* incremental updates) until the vendor can complete regression testing. One issue with FV2 is that it does not address removable media; this is a gap Credant fills.
One of the major issues you need to consider with any encryption strategy is how are the keys escrowed and how are those keys secured. When considering a FV2 management product you want to make sure it is very good at key escrow and you want to make sure it is properly securing the key material. This is important for FIPS compliance as well as the overall security of the solution. This area can be overlooked by companies not familiar with encryption generally.
@jwojda I would be happy to reach out to your team; any outstanding issues not being addressed by Credant I certainly want to know about.
Posted on 11-15-2012 03:03 PM
pkenn,
Would it be possible to get a trial version of the Credant enterprise software? I'd like to see how Credant's enterprise FileVault 2 management stacks up against the other available enterprise management tools for FileVault 2.
Posted on 11-16-2012 08:11 AM
@rtrouton We should be able to set something like that up ... let's connect offline
Posted on 11-16-2012 09:06 AM
One of the major issues you need to consider with any encryption strategy is how are the keys escrowed and how are those keys secured. When considering a FV2 management product you want to make sure it is very good at key escrow and you want to make sure it is properly securing the key material. This is important for FIPS compliance as well as the overall security of the solution. This area can be overlooked by companies not familiar with encryption generally.
Please note this statement can be a bit misleading. FileVault 2 (and specifically CommonCrypto) is not yet FIPS certified. It's still in the "Review Pending" stage with NIST. (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf) This statement makes it sound like FileVault 2 is FIPS compliant.
Posted on 11-16-2012 09:19 AM
It's also worth noting that Apple is focusing on FIPS certification for Mountain Lion, not Lion. As of this date, there is no plan to go back and certify Lion.
Posted on 12-14-2012 02:27 PM
@rtrouton U da man!
Credant can escrow FileVault2 keys...looking forward to testing. :)
Posted on 12-16-2012 12:44 AM
Why do you need Credant for FileVault2 if you have Casper Suite 8.6+? Can anyone shed some light? Perhaps I am missing something here...
Posted on 12-16-2012 07:14 PM
@Cem For large companies that have existing infrastructure, it's an opportunity to leverage it, the existing processes and support staff.
http://www.credant.com/resources/articles/doc_download/32-credant-fde-for-mac.html
"What's there not to like?" - Jerry Seinfeld
Kudos to the Credant folks...very willing to engage and discuss getting this baby deployed to enterprise Macs in proper fashion...silently and adhering to Apple guidelines. :)
Don
Posted on 12-24-2012 08:27 AM
@jarednichols have a look at this:
Apple FIPS Cryptographic Module v3.0
http://support.apple.com/kb/DL1555
Posted on 12-26-2012 07:27 AM
@Cem
The Crypto Module 3.0 simply updates the FIPS module's POST test routine. The CoreCrypto modules themselves are still undergoing validation by NIST.
See Shawn Geddis' message on Fed-Talk: http://lists.apple.com/archives/fed-talk/2012/Jul/msg00039.html