Posted on 04-26-2013 10:41 AM
I've been looking for a method to deploy the Checkpoint client with FDE via Casper. Has anyone written anything about this?
Posted on 04-26-2013 01:04 PM
We deployed it in our 10.6.x environment and had a lot of issues, which prompted us to move to FV2 for 10.8.x. Also, I just spoke with an Apple engineer a couple of days ago and he mentioned that you need to decrypt the disk and uninstall Full Disk Encryption before doing any firmware updates (10.8 is what I had asked about). Not sure why or what the reasoning was behind that statement, but not good if it is true, and I cannot find anything within the Checkpoint documentation in regard to this. I do know that Checkpoint requires you to decrypt the disk and uninstall Full Disk Encryption before any major updates, like from 10.7 -> 10.8. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk80500
But when we did deploy it for 10.6, we deployed MacFUSE as part of our Core Image Config and then installed the Checkpoint software in a PostImage policy.
I hope this helps or at least provides some insight.
Posted on 04-27-2013 09:01 AM
I have deployed it in the past for 10.6.8 through 10.8.2 clients (my new current project uses FileVault 2). We set up a server running IIS to capture the keys and, from a Mac running the client, I created the .isp settings file. I took that file along with the Checkpoint installer pkg and placed those in a folder (something like /usr/temp would work fine), which was captured with Composer. This could be deployed with a policy from Self Service with a script tacked on to run the installer pkg. As long as the isp and pkg are in the same directory, it will install. If you want to run it during bare metal imaging with Casper Imaging, however, the pkg and isp can be cached like with Self Service and executed post imaging.
Definitely agree with the whole moving from 10.6 to 10.7 etc. with this form of disk encryption. It is similar to PGP, so you will need to decrypt, update and then be sure to have the latest version of the Checkpoint client. Point upgrades, though, for the most part seem to be okay. Also, as mentioned by jedberg, watch out for firmware updates that might pertain to the recovery partition. Checkpoint is using its own recovery partition, so those updates could make the system unstable.
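The policy script the post above describes (run the Checkpoint installer pkg out of a Composer-captured folder that also holds the .isp settings file) is easy to get wrong if the folder ends up with a stale second .isp or no .isp at all, and the installer then picks up the wrong settings or nothing. The script below is an added example, not the poster's script or anything from Check Point or JAMF: it assumes the staging folder path (/usr/temp is only the poster's suggestion, used here as a placeholder), that exactly one .pkg and one .isp sit side by side in it, and that the Apple `installer` command is used to run the pkg against the boot volume. The checks are split into functions so they can be run without actually installing anything.

```shell
#!/bin/sh
# Added example for a Self Service / post-imaging policy script.
# Assumption: the Composer-captured folder (placeholder /usr/temp) holds
# exactly one Checkpoint installer .pkg and exactly one .isp settings file,
# in the same directory, which is what the installer needs.

# Print the single file in "$1" ending in suffix "$2".
# Fails (non-zero) when there are zero or several matches, so a leftover
# second .isp or .pkg is reported instead of being silently chosen.
find_single() {
    dir="$1"; suffix="$2"
    count=0; found=""
    for f in "$dir"/*"$suffix"; do
        [ -e "$f" ] || continue          # unexpanded glob when nothing matches
        count=$((count + 1)); found="$f"
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# Validate the staging directory: one .pkg and one .isp beside it.
# Prints the pkg path on success so the caller can hand it to installer.
check_staging() {
    dir="$1"
    [ -d "$dir" ] || { echo "staging directory $dir does not exist" >&2; return 1; }
    pkg=$(find_single "$dir" .pkg) \
        || { echo "expected exactly one .pkg in $dir" >&2; return 1; }
    find_single "$dir" .isp >/dev/null \
        || { echo "expected exactly one .isp beside $pkg" >&2; return 1; }
    printf '%s\n' "$pkg"
}

# Run the installer against the boot volume only after the checks pass.
# /usr/sbin/installer is Apple's command-line package installer.
install_checkpoint() {
    pkg=$(check_staging "$1") || return 1
    /usr/sbin/installer -pkg "$pkg" -target /
}

# Policy usage: sh deploy_checkpoint.sh --run /usr/temp
# (the placeholder path is the poster's suggested staging folder)
if [ "${1:-}" = "--run" ]; then
    install_checkpoint "${2:-/usr/temp}"
fi
```

Because `check_staging` only inspects the folder, it can be run by hand on a test Mac before the policy is scoped out, and its error messages end up in the policy log rather than in a half-configured Checkpoint install.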
Posted on 04-29-2013 06:47 AM
Strictly speaking, to update firmware, you need only to be booted to an unencrypted volume running the OS (so you could do this with an external drive, for example). It's a huge hassle, but you don't need to decrypt and re-encrypt.
That being said, this was the driving force behind eliminating third-party encryption in my current environment. We were on Sophos (to align with the Windows environment), and considering a move to McAfee (again, alignment), and I made the case to do neither and go FileVault. Essentially, demonstrating the issue with firmware updates, as well as Casper's management of FV keys and access logging, it became apparent that we had no need to spend more money on a product that didn't work as well and increased support burden.
Hat tip to our friend Jared, who paved the way in a sister organization and offered his support.