Jamf Nation Community

Walter · ‎06-12-2013

Has anyone done a recent bake off between FileVault2 and McAfee for FDE? We have enterprise Windows support for laptops and they use McAfee for FDE. If we introduce enterprise support for OS X, should we expand our McAfee to support the Apple family or should we use FileVault2 that comes with OS X?

I've used FV2 on my own laptop since it was introduced with Lion. I haven't used McAfee on OS X so I have no basis for comparison. I'm hoping someone else has done some recent extensive testing of both and can provide some insight.

waqas · ‎06-12-2013

I came across the same conundrum when Macs were finally being used as Production machines in the firm I work for. McAfee AV and FDE is standard for Win 7 machines and Security wanted us to use the same for the Macs.

We started off with McAfee FDE and immediately ran into issues. Thanks to McAfee Support team's horrific responses to our issues (on one instance, we were told way back in Dec'12 to revert to 10.7, as McAfee FDE doesn't completely support 10.8), we decided on FV2. I still use McAfee AV on the Macs, distribute the agent through policy.

Our deployment is mainly MB Air and MB Retina machines, and having SSDs just makes the FV2 encryption remarkably fast, reliable and the individual recovery keys easy to escrow back in JSS.

alexjdale · ‎06-12-2013

We've gone down several paths for third-party FDE over the last several years, and they all ended poorly.

This is one area where the native tool is more reliable. It's even more important on Apple systems, since Apple does not test against third-party software that relies on changes to the EFI, and an Apple update can easily overwrite and break said EFI and stop a system from booting.

There's just too much risk, in my opinion. FV2 is free, has a very low incident rate, and I don't have to cross my fingers whenever a new OS update is released.

That said, we had similar issues on Windows platforms, and it's even worse since there are so many BIOS vendors and versions out there.

mm2270 · ‎06-12-2013

I got one sentence of acronyms for you- FV2 FTW!

OK, to elaborate a bit more on my statement, let me tell you some tales of using McAfee's encryption product. I assume you're referring to McAfee Endpoint Encryption?

While it generally "works" it kind of depends on your definition of 'working' Its really a disaster waiting to happen. All seems fine, until something actually goes wrong, or someone installs a Mac firmware update, then you are going through an ugly triage challenge/response process, likely with your security team to get the Mac unlocked from its protected state. See, McAfee EE more often than not doesn't take kindly to changes at the EFI level. Even the process of running Apple's disk diagnostics tools on the drive (we found this out the hard way) can trip up the encryption and leave the Mac nearly un-bootable.
We've also encountered a number of cases where the presence of McAfee encryption causes the Mac to think the drive is failing or in need of dire repair. In some cases it turns out to be true. In other cases, its a false positive that something in the product causes. So the question then becomes, do we attempt a drive repair? Well, read on for more on that.

So on running repairs, you pretty much cannot do it with McAfee's product, at least not if you want to boot into something like Recovery HD to run a proper disk repair. The disk0s2 is locked in this state and unmountable. Clicking the mount button in Disk Utility yields nothing. Contrast this with FV2 where you get prompted to unlock the disk with a password (and yes you can use the captured Recovery key from Casper for that) Our only recourse when running into disks in need of repair running McAfee EE is to fully decrypt the drive, assuming it even works, and then boot into Recovery HD, do your repairs, and then re-encrypt the drive. Sounds like fun, eh?

That said, there were one or two nice things in using the McAfee solution. Our security team uses a service account to auto authorize and "unlock:" the Mac at boot time. This is so no-one has to see the rather ugly McAfee Pre-boot screen. It brings the Mac to the regular username & password fields, and users can log in; actually any user can log in, which is where the nice part came in. This is in contrast to FV2 which as you know requires unlocking at boot time with an authorized account on that Mac or with a recovery key before the Mac will continue the startup sequence. I'd say that this is probably the only aspect where McAfee is easier on users and IT.

If the McAfee pre-boot stuff was enabled, its possible the above example of running a disk repair would work, if it somehow prompted to unlock the drive at boot time. I'm not sure though since we don't use it in that state, and I kind of suspect it wouldn't help anyway.

For all the above reasons and more we are actively moving Mac users over to 10.8 and FileVault 2. Life is much better on that.
Lastly, ask yourself when you think McAfee will start supporting 10.9 when that's out? Now ask yourself when FileVault 2 (and Casper Suite) will work with 10.9. I think the answer is clear on who will win that race.

waqas · ‎06-12-2013

@mm2270 ......
Excellent response, Sir. Very detailed and very very true.

nkalister · ‎06-12-2013

friends don't let friends use 3rd party FDE on OS X.
FV2 all the way.

JB_ITS · ‎06-17-2013

We went down the Sophos SafeGuard FDE path due to the timing of our rollout. For one the rollout was a nightmare, with SSG (Sophos) locking us out of machines and destroying them basically. After that rough patch things were much better, with the product being "light weight" but with all the major issues of a 3rd party FDE. ie, no repair disk, reset pram, issues with firmware installs, etc. Sophos also does not play nice with the JSS so it just adds more to my plate.

All in all, we are going to slowly phase out our 3rd Party FDE and go with FileVault2.

Jamf Nation Community

FileVault2 or McAfee?