Full disk encryption

Cem
Valued Contributor

Hi Guys,

What is the best full disk encryption software for Macs out there? One
with Casper integration will be preferred...

Thanks in advance

Cem

20 replies

kylegriffin
New Contributor

Don Montalvo pointed out JAMF's link to a recent Networkworld article about full disk encryption and single sign-on.

According to Pointsec's documentation, Networkworld is incorrect and the Pointsec FDE for Mac v3.2 does handle single sign-on. From page 32 of the admin guide for FDE for Mac:

"When single sign-on (SSO) is enabled for a Full Disk Encryption user account, the user must authenticate only during preboot. The user is then logged in automatically to the Mac OS X."

I'm just starting the process of testing this out for a client of mine so I don't know yet how well this works, but hey, if the vendor says it works, then it works - right? Sure, we've all been through that before!

Kyle Griffin
Virteva
5775 Wayzata Boulevard, Suite 900
Minneapolis, MN 55416
P 952.843.1149 | F 952.843.1201
kyle.griffin at virteva.com
IT on your terms www.virteva.com

ernstcs
Contributor III

I've heard that PGP is what a lot of people use, but now that Symantec has
their hands on that company. =) To me it seemed fairly expensive per seat,
even at educational pricing, but what's cheaper? Protected data or
unprotected data and some FERPA incident for us education folks, or HIPAA
for anything healthcare related.

TrueCrypt is free, but doesn't have any centralized management like PGP
does.

Sophos has a product coming out, but I believe it won't be integrated with
the Enterprise Console for a little while.

FileVault works ok, but doesn't work with Active Directory accounts, which
is too bad because that would have been perfect, and the JSS would have
tracked information about it. It's also just user directories.

However, you may want to wait for other responses as I've only tested
products thus far and haven't implemented anything to this point.

Craig E

jarednichols
Honored Contributor

Not WinMagic SecureDoc. Contact me offline if you want why.
-- Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

jarednichols
Honored Contributor

I was excited to see that Sophos was stepping into this pool, but I think
you're right about the missing integration. Their datasheet has no mention
of it at all.

http://www.sophos.com/sophos/docs/eng/factshts/sophos-safeguard-mac-dsna.pdf

You'd think they'd tell you if it was, though maybe I'm wrong. It sounds
an awful lot like a standalone product. Though, perhaps Casper can help
wrangle some of it...

j
-- Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Not applicable

Unless something has changed recently FileVault and TrueCrypt do not offer
full disk encryption. Another consideration could be Pointsec that worked
well in testing but the GUI and implementation at the time was not the best.

ernstcs
Contributor III

As I did state, FileVault is only User Accounts, you are correct. However,
TrueCrypt should do full hard drive, unless it's a limitation based on the
OS you're using it with, but that I'm not aware of.

Craig E

donmontalvo
Esteemed Contributor III

Neither does Credant, a solution we've been asked to look at since it's used on the Wintel side.

Just curious, assuming users do not have admin rights, what would be the benefit in having full disk encryption?

JAMF's site links to this page:

http://www.networkworld.com/news/2010/081610-encryption.html

"There are only two companies that offer Mac encryption – PGP and Check Point and since Apple does not play nice in the sand box, the vendors cannot deliver a single sign-on solution."

Not sure about JAMF integration. I know Credant comes in a proper pkg format installer (verified by snapshot), relatively simple to deploy.

Don

--
https://donmontalvo.com

bentoms
Release Candidate Programs Tester

We're soon to be testing checkpoints offering..

Haven't touched it yet.. but will let you know..

Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

Not applicable

We have been using PGP for the last few months. We rolled it out to our
laptops starting in May. Had to go whole disk.

Sean

jafuller
Contributor

We are using PGP for two main features centralized management and WDE. The main issue we have with it is that it does not allow for SSO as already noted. Other than that, it has been fairly stable on the 10.0.2 client. We'll have roughly 50 laptops running it by the end of the month. We are using OSX 10.6.4 with the PGP 10.0.2 client.

You can add extension attributes to the JSS to view in your inventory reports, but that's about as far as you'll get with management of these machines. That would obviously allow for smart groups and other activity as you can see if a drive is fully encrypted or not and other pertinent information.

James Fuller | Starbucks Coffee Company | Technology Application Services | V: 206.318.7153

Not applicable

Just thought I would put out our experiences with PGP if anyone is
interested. We have it on 220-230 laptops.

When we started our project PGP version 10 was just released. We went
through many trials and worked closely with them, reporting bugs to the
system and such. It got to the point that we had very little faith in the
product. We conveyed our concerns with them and they stepped up, became more
responsive, especially when we would do a webex and they could see the
issue, and in one case we sent them one of our laptops so they could trouble
shoot it in person. Some of the issues we had were things like clients being
prompted to re-enroll, kernel panics, grey screen at boot up (before the
pre-boot screen), and the correct way to erase an encrypted disk to remove the
boot sector (documented process was for ver. 9.x, ver. 10.x process was
different). These were all things we discovered, then confirmed with PGP and
then they provided a solution for it, or fixed in an update. They were
really the only vendor that offered centralized management and that was a
requirement of the project.

We did not go to full release of the PGP software until version 10.0.1. This
version had addressed all the issues we discovered. We rolled out the
software to 220 laptops, and had very little problem.

The biggest challenge was on the user side, and getting them to follow the
documentation. We sent out two separate emails to each client with the
documentation attached. We pushed the software to them based on building, and
had technicians stationed in "drop by" rooms for people to go see them if
they had questions (very helpful), but some people did not take advantage of
that.

The following issues were only on a handful of user devices. Out of the 220
clients we only had problems with 7 people.

Client issues revolved around the client not reading the enrollment
documentation and are as follows:

  1. Assumed software installation was all that was required, never went
    through the enrollment process. Checking the JSS would show PGP was
    installed, then we had to cross check client names in PGP server.

  2. Clients would "sleep" their machines by closing lids to move from one
    location to the next. PGP specifically says to keep power to the device
    until the encryption is complete; if you need to move your laptop before
    the encryption process is complete, then shut down the device completely.

  3. Clients would not keep power to the device during the encryption process.

All or most of these things resulted in us needing to back up the users
system, and reimage their devices. And then we encrypted them before we gave
them back to the client.

Since the project, we have our technicians image, and encrypt the device
before we deploy it to the client, and then the technician has the client
enroll as an additional user on the device, thereby avoiding the possibility
of the above-mentioned errors.

Recovering Data:

Recovering data was easy for the most part. We would boot the problem device
in to target mode, and connect it to another laptop / desktop that had the
same version of PGP installed. At that point you just need the recovery
token for the problem device, enter it then the target volume mounts and you
copy the data off. After backup, wipe the drive, reimage, re-encrypt, then
restore the data.

Since the project the biggest complaint is that laptops no longer will do
the Apple "safe sleep". I have spoken to both PGP and Apple about this and
was told by both, that it is because the section of memory that the "safe
sleep" feature saves to, PGP prevents saving to that location.

If you're not familiar with "safe sleep", here is an Apple KB article:
http://support.apple.com/kb/HT1757?viewlocale=en_US

Sean

Cem
Valued Contributor

Hi All,

I am overwhelmed by the response. You guys all rock and I would have
attached a beer for you all, if I could :)

BTW PGP doesn't do SSO but Checkpoint does (I will have demo for both and
will confirm this)

All the best

Cem

jarednichols
Honored Contributor

My address is in my signature...

:)
-- Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

tlarkin
Honored Contributor

my website has the "buy me a beer" pay pal module for Drupal, hahaha

bentoms
Release Candidate Programs Tester

Well.. y'know i'm close from the London CCA :)

Anyways.. we're soon to test the checkpoint solution.. I'll drop you a line off list if you don't mind once we start the testing...

gachowski
Valued Contributor II

How many of us are using full disk encryption and which one?

Thanks

C

jonscott
New Contributor

Curious here too. We are looking at Credant and possibly Sophos.

Jon

Not applicable

Hello all - really helpful mailing list.

I have Sophos Safeguard running on all my supported laptops - around 100.
Happy with the product. Macs are very slow during initial encryption - as
expected - but fine afterwards. Encryption times are typically 12-15 hours
for a standard disc, 1-2 for SSD.

Scripts and white paper on deployment from JAMF were helpful. In rare cases
the script failed on creating recovery users. We also included backing up
the encryption keys, thankfully haven't needed those yet..

Also looked at the Checkpoint FDE tool (a couple of years back) - way more
complex. It has SSO features, which Sophos doesn't, but I didn't like the
way it obscured the whole login process until the finder loaded. Also,
because of the way Checkpoint SSO captured credentials from the loginwindow,
it would be expecting the previous password for the first time after an AD
password change. Understandable perhaps, but a bit confusing for my largely
non-techie end users.

Lion does FDE with its new Filevault version, I haven't tried it out yet.

Simon.

noah_swanson
New Contributor

We use PGP. We have about 100 laptops that require encryption (all of our other machines are desktops where we do not require encryption). Performance is so-so during encryption and encryption times aren't horrible (5-8 hours for a 500GB drive, 1-3 for SSDs). Decrypting is significantly longer...possibly double what I just mentioned. We also use PGP for our Windows XP machines so we have a centralized server for key management. There is a nice command-line interface for PGP which makes scripting and reporting through Casper very easy!

We have decided not to use Filevault for a few reasons:

* No centralized management of backup keys (Security had a heyday with that point)

* Encryption access is per local accounts.

o You have to grant access for encryption to each account that logs in

o Login passwords and encryption passwords are identical

o Once authenticated for encryption, the machine automatically logs in as that account

* Deploying Lion with the recovery partition can be somewhat challenging (from my experiences)

The items that our security department had the most issues with were key management and the differentiation of login and encryption passwords. The auto-login was a red flag as well.

Hope this information is helpful!
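Two posts above mention the same practical need: jafuller's point that a JSS extension attribute is about the only Casper-side management you get for whole-disk encryption (it feeds smart groups and reports on whether a drive is actually encrypted), and noah_swanson's point that a scriptable command line is what makes that reporting easy. The script below is an added example, not code from any post in this thread or from JAMF. It is a Casper extension attribute for the built-in FileVault 2 that Simon and noah mention, and it assumes OS X 10.8 or later, where Apple's `fdesetup` tool exists; the wording it parses ("FileVault is On.", "FileVault is Off.", "Encryption in progress", and one "user,UUID" line per enabled user from `fdesetup list`) is an assumption about that tool's output, so check it against your own build before relying on the smart-group values. On a machine without `fdesetup` it reports "Unsupported" rather than guessing.

```shell
#!/bin/sh
# Added example: Casper/JSS extension attribute reporting FileVault 2 state.
# Not from the thread or from JAMF. Assumes OS X 10.8+ (fdesetup present).
# Casper runs extension attributes as root, which `fdesetup list` requires.

# Map the text printed by `fdesetup status` to a short, smart-group-friendly
# value. The in-progress checks come first because while encrypting the tool
# prints "FileVault is On." followed by the progress line (assumed wording).
fv_state_from_status() {
    case "$1" in
        *"Encryption in progress"*) echo "Encrypting" ;;
        *"Decryption in progress"*) echo "Decrypting" ;;
        *"FileVault is On"*)        echo "Encrypted" ;;
        *"FileVault is Off"*)       echo "Not Encrypted" ;;
        *)                          echo "Unknown" ;;
    esac
}

# Count enabled FileVault users from `fdesetup list` output, assumed to be one
# "username,UUID" line per user. A count of 0 with state "Encrypted" is the
# situation noah_swanson describes: the disk is encrypted but nobody you
# expect can unlock it, so it is worth flagging in inventory.
fv_enabled_user_count() {
    printf '%s\n' "$1" | grep -c ',' || true
}

# Emit the <result> tag the JSS expects from an extension attribute script.
report_filevault_ea() {
    if [ -x /usr/bin/fdesetup ]; then
        status_text=$(/usr/bin/fdesetup status 2>/dev/null)
        list_text=$(/usr/bin/fdesetup list 2>/dev/null)
        state=$(fv_state_from_status "$status_text")
        users=$(fv_enabled_user_count "$list_text")
        echo "<result>$state ($users enabled users)</result>"
    else
        # Pre-10.8 systems have no fdesetup; do not guess, report it plainly.
        echo "<result>Unsupported</result>"
    fi
}

report_filevault_ea
```

Paste this as a script-type extension attribute and build a smart group on the result containing "Encrypted"; the "Unknown" value will surface any OS build whose `fdesetup` wording differs from the assumption above, which is preferable to silently reporting an unencrypted laptop as protected.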

Not applicable

PGP WDE
