[Request for feedback] Check Point Full Disk Encryption

donmontalvo
Esteemed Contributor III

Anyone deploying Check Point Full Disk Encryption on their Macs?

http://www.checkpoint.com/products/full-disk-encryption/

Any feedback on experience, deployment, management, stability, reliability, etc...there doesn't seem to be a whole lot of info on it on JAMF Nation. :)

PS, I don't suppose it leverages Filesafe2 by escrowing encryption keys? This is Rich's cue...<g>...

Thanks,
Don

--
https://donmontalvo.com

rtrouton
Release Candidate Programs Tester

I haven't heard anything about Checkpoint now managing FileVault 2. I did recently learn that WinMagic is going the FileVault 2 management route for their SecureDoc software:

http://www.winmagic.com/products/full-disk-encryption-for-mac/enterprise

I don't have any additional information on that, beyond what WinMagic has posted on their site.

Josh_S
Contributor III

I'd be a little concerned about their commitment to the Mac OS platform. Their listed specifications support Windows 8, but Mac OS support only goes up to 10.7; 10.8 has been out for nearly a year now. Even if it does work, it appears to add in Mac support as an afterthought. There is a thread a little while back regarding some experience with it:
http://jamfnation.jamfsoftware.com/discussion.html?id=7185

MarkPetersonURM
New Contributor III

We use Checkpoint here, and are currently in the process of planning a major move from the standalone client to the full console version.

They had some issues in the past with the OS X and Windows versions not being in sync, but with the latest E80 release, the clients are identical.

There are still a few gaps, such as not supporting Fusion drives, but overall, things have been great.

Deployment has been simple: We create a composer package that pushes the installer and our installation profile onto the client, and then call a script to run through the pkg installer. It has worked flawlessly for us.

As far as management goes, the reason we are moving to the console version is to have better reporting. Currently, the encryption files are written to a File share, and that is all the logging we get. We use the JSS' EA to get a more up to date picture, but with the Console version, it allows for more "real-time" updates (1-2 minutes).

The stability has been great for us. We have found a few iMacs that shipped to us with bad blocks/sectors that were not picked up by any of our HD diagnostics.

When we have reached out to support, they have been quick to respond. Like I said above, I definitely suggest the web chat as the best option.

Reliability has been pretty good. We saw an uptick in "black screens" that leave the machines in an un-bootable state, but that is more due to the fact that these drives have been encrypted for 4-5 years, and are used 24/7.

As far as performance goes, we have noticed that with Checkpoint we are getting about a 1-2% performance hit over FileVault, but nothing that has caused major issues.

iJake
Valued Contributor

We are just wrapping up a proof of concept with Checkpoint for Mac and of the options out there I'd say it is by far the best. Especially if you integrate with AD. The encryption is pretty quick with low overhead after the fact. Deployment is really easy and it's in their roadmap to be able to build Mac packages from the console. The two biggest sells for me on the product are the preboot single sign on THAT WORKS and the ability of our techs to mount the filesystem while booted from one of our emergency drives. This gives it parity with FileVault, which we cannot deploy in our environment. I've been testing it for about a month if you have any specific questions.

donmontalvo
Esteemed Contributor III

@iJake Nice to hear you guys give Checkpoint Full Disk Encryption good reviews. We were hoping to leverage Filevault2 technology, but doesn't look like Checkpoint is able to escrow FileVault2 keys. :(

--
https://donmontalvo.com

iJake
Valued Contributor

No, it does not currently offer that but there are plenty of solutions that do if that's something you need. Honestly, though, I don't know how anybody can deploy Filevault in any sort of managed environment. It can't be completely forced on and any admin can decrypt a machine and turn it off. As well, there is no central authorization of preboot users. That would be a mess in our environment.

donmontalvo
Esteemed Contributor III

@iJake wrote:

...any admin can decrypt a machine and turn it off.

Without the encryption key? ;)

--
https://donmontalvo.com

iJake
Valued Contributor

Any user authorized to log in at preboot that is also an admin can turn off and decrypt FileVault.

donmontalvo
Esteemed Contributor III

Interesting, I wasn't aware of that. I'd imagine control to the authorized account would/should be very tightly controlled.

--
https://donmontalvo.com

Josh_S
Contributor III

@iJake

That is 100% true. There are some things you can do to mitigate this, using profiles to lock down the "Security & Privacy" preference pane comes to mind. But, in the end, you are correct. If someone has an administrative account, that is also authorized to unlock the drive, and wants to decrypt the drive, they can.

That said, any of the other solutions allow an administrative account that is authorized to unlock the drive to access, and copy data off of, the encrypted drive - which is the root of what you're trying to prevent. There is a lot of trust/responsibility given to people that have administrative rights to a machine, this is no different.

I treat this as an issue with breaking corporate policy. Set up a smart group for machines that are not encrypted and have it mail you on group change. If someone decrypts their machine, give them a very firm warning and re-encrypt the drive. If it happens again, forward the email to your security team or HR and let them discuss the employee's continued future at the company.
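Josh_S's smart-group approach and the JSS extension attribute MarkPetersonURM mentions both need a script that reports the encryption state of the machine. The following is an added example, not code from anyone in this thread, from Check Point or from Jamf: it uses Apple's fdesetup, so it covers FileVault 2 rather than the Check Point client, and the allowlist in APPROVED_FV_USERS is a placeholder you would replace with your own tightly controlled unlock account(s).

```shell
#!/bin/sh
# Hypothetical Jamf extension attribute (constructed example). It classifies the
# FileVault 2 state from `fdesetup status` output and flags pre-boot users that
# are not on the approved allowlist, so a smart group on "not Encrypted" or on
# "unapproved pre-boot users" can trigger the notification Josh_S describes.

APPROVED_FV_USERS="fvadmin"   # placeholder: comma-separated approved accounts

# classify_fv_status: reads `fdesetup status` text on stdin and prints one of
# Encrypted | Encrypting | Decrypting | NotEncrypted | Unknown.
# In-progress lines are checked first because fdesetup also prints the
# "FileVault is On/Off." line while a conversion is still running.
classify_fv_status() {
    status_text="$(cat)"
    case "$status_text" in
        *"Decryption in progress"*) echo "Decrypting" ;;
        *"Encryption in progress"*) echo "Encrypting" ;;
        *"FileVault is On"*)        echo "Encrypted" ;;
        *"FileVault is Off"*)       echo "NotEncrypted" ;;
        *)                          echo "Unknown" ;;
    esac
}

# unapproved_fv_users: reads `fdesetup list` lines (user,UUID) on stdin and
# prints each username that is not in APPROVED_FV_USERS, one per line.
unapproved_fv_users() {
    while IFS=, read -r user _uuid; do
        [ -z "$user" ] && continue
        case ",$APPROVED_FV_USERS," in
            *",$user,"*) ;;               # approved, say nothing
            *) echo "$user" ;;
        esac
    done
}

# ea_result STATUS_TEXT LIST_TEXT: builds the single string reported to the JSS.
ea_result() {
    status="$(printf '%s\n' "$1" | classify_fv_status)"
    extra="$(printf '%s\n' "$2" | unapproved_fv_users | tr '\n' ' ' | sed 's/ $//')"
    if [ -n "$extra" ]; then
        echo "$status; unapproved pre-boot users: $extra"
    else
        echo "$status"
    fi
}

if [ "$(uname)" = "Darwin" ] && command -v fdesetup >/dev/null 2>&1; then
    # Real run on a Mac: EA scripts run as root, which `fdesetup list` requires.
    result="$(ea_result "$(fdesetup status)" "$(fdesetup list 2>/dev/null)")"
else
    # Constructed sample output for running the script off a Mac.
    SAMPLE_STATUS="FileVault is Off.
Decryption in progress: Percent completed = 42"
    SAMPLE_LIST="fvadmin,PLACEHOLDER-UUID-1
jdoe,PLACEHOLDER-UUID-2"
    result="$(ea_result "$SAMPLE_STATUS" "$SAMPLE_LIST")"
fi
echo "<result>$result</result>"
```

With the sample input the EA reports "Decrypting; unapproved pre-boot users: jdoe", which is exactly the case (an admin decrypting a drive) that the smart group should catch.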

iJake
Valued Contributor

Locking down the profile only does so much as you can always do the same thing from the command line or Disk Utility with FileVault. I agree with your points, though. It's not about protecting the data from the customers but rather for them, and I need them to not turn off that protection.

JPDyson
Valued Contributor

If your main concern is what your approved, privileged users are capable of doing with your systems, your problem won't be solved by software.

Edit: Oh, and we used CheckPoint at my last gig. My only problem with third-party tools is that they tend to have compatibility issues with firmware updates, if they even facilitate them in the first place. Also, there was the occasional bricked drive during encryption or decryption (I'm talking 1% or less). E80 was looking alright, last time I saw it.

donmontalvo
Esteemed Contributor III

@JPDyson It's not, but point taken. :) FV2 was appealing because some third party solutions could escrow its keys. We looked at Credant at a previous company but I left before we could test; it can escrow FV2 keys. As far as alternate accounts used to decrypt drives, any such account would be very strictly controlled (read: process controls).

Great feedback, you guys all rock...anyone using other solutions for Full Disk Encryption (like Symantec?).

Don

--
https://donmontalvo.com

iJake
Valued Contributor

We didn't choose Symantec because, if I remember correctly, it has the serious design flaw of not being able to have the machine shut down during initial encryption. It would break the encryption. Symantec bought PGP, so if you're familiar with that then it's what it is. Aside from CheckPoint and FileVault we tested Credant and McAfee. The Credant had some issues when I first tested it but after those were cleared up it worked pretty well. It just doesn't offer pre-boot and that was a no go for me. We use Credant file encryption on our PCs and are quite experienced with it. It's definitely the best option if you want the absolute least change for your customers. McAfee is just not ready on the Mac. It can't work with local users for pre-boot but rather they HAVE to be AD. That eliminates any local admin account you might use. As well, there is no way to mount the filesystem from another drive. I wasn't really a fan of the ePO console as it's quite confusing and overcomplicated.

nessts
Valued Contributor II

I use Symantec Encryption Desktop or PGP. I can provide a list of reasons that you might not want to use it.
It takes over the Apple recovery partition and makes it very difficult to boot to another partition, although Boot Camp supposedly works. Having user data on a separate partition is possible, but like I said you cannot boot to another OS partition or restore only the OS partition, in my few attempts anyway, so there is no point in separating user data from the OS. FileVault is not much better for multi-partition stuff either; I found some tool some really smart guy wrote to mount the user data partition, which has to be encrypted separately and mounted separately, and it works most of the time, but every now and then I log in and the user data partition did not mount. It's an easy fix to reboot but kind of clunky.
It is very good at finding bad sectors on the disk; the bad news is it usually does not boot when it finds them.
It can be very susceptible to OS X updates, read this as might not boot after an update.
It only supports 8 keyboard layouts fully; others mostly work, but the UK is not one of the supported layouts, and if you use the pound symbol in your passphrase you are going to have a bad day.
It encrypts an SSD really fast, and the later version encrypts a bit faster on the spinning disks, but 320GB in about 12 hours is what I see, and you cannot use the machine during this time on spinning disks because it is so slow.
Some firmware updates seem impossible to install because I think the recovery partition and firmware stuff is taken over by Boot Guard.
The Boot Guard password has to be managed separately from the user password.
Good or bad, you choose: it does not autologin after you type your Boot Guard password.
Good things: a user cannot decrypt their drive without herculean efforts. Once it's there it does not seem to affect the system's performance; we leave that to SEP.
Having PGP installed on a user's computer does get them all to be pretty diligent about connecting their Time Machine backup disks regularly.
In all seriousness though, I have near 1000 users on PGP. We have had a couple dozen or so over the last year that have gotten the no boot symbol, and can that all be blamed on PGP? The disks were replaced and the systems ran fine afterward. From my experience at other accounts that might be a bit high for disk failure, although every laptop with a 7200 rpm drive I have ever had has been replaced.

I will be starting a couple of projects for a couple of new customers with Checkpoint shortly so I am glad to see the good reviews on it.

nessts
Valued Contributor II

@iJake you can reboot during initial encryption; I have pressed the power button during initial encryption and had it be OK.

iJake
Valued Contributor

They should change their documentation then. That is where I read it. Good to know, though. It seemed ridiculous.

wmateo
Contributor

@MarkPetersonURM Hey Mark, we are currently deploying CP E80 to our clients. Can you share your script? I had an issue copying over the hidden files in the DMG.

MarkPetersonURM
New Contributor III

@wmateo, no problem!

I used Composer to copy the .pkg and the hidden files to /tmp/FDE.
I also have it remove the uninstaller.sh script, as anyone with Admin rights can uninstall/decrypt... something that wasn't possible in the standalone version.

#!/bin/sh
# Run by the JSS policy after Composer has staged the installer and the
# hidden files in /tmp/FDE. $2 is the computer name the JSS passes in.
echo "Starting FDE install on $2"
installer -pkg /private/tmp/FDE/EPS_E80.41.pkg -target /
# The path contains spaces and must be quoted; unquoted, rm -rf is handed
# three separate arguments (/Library/Application, Support/Checkpoint/Endpoint, ...).
rm -rf "/Library/Application Support/Checkpoint/Endpoint Security/uninstall.sh"
rm -rf /private/tmp/FDE
# Remove this script itself once the install is done.
srm "$0"