Posted on 03-14-2012 05:48 AM
So I've never worked with SafeGuard before and am curious as to how folks are deploying it. I've tried a login policy for right after Imaging that will call jamfHelper to fs mode, install Sophos, then run the activateSophos script as provided in the resource kit, but I always get an error 31 upon reboot as if the product isn't completely installed.
Anyone run into this? What does your workflow look like?
Thanks!
Posted on 03-14-2012 08:16 AM
My company looked at this product and scrapped it. After talking with Sophos they have no way to escrow the keys like on Windows, which is where we use it presently to encrypt XP machines. That functionality isn't expected for at least another year. JAMF has a white paper somewhere and when I was doing the POC it worked fine by following their document. We also looked at PGP-based encryption, but that breaks on every firmware update according to our pilot group we had a few months back. Considering all of the changes that Apple makes these days without documenting it we are sticking with FV2 for now. This is just my opinion and your employer may be mandating this product so you might not have a choice.
Posted on 03-16-2012 06:22 AM
So I got this working. I followed the white paper and what is left out is something I just reported to Taylor at JAMF support yesterday.
My issue stemmed from the fact that I was compiling my 10.7 builds so that I'd get a bootable system. (See all those discussions about NetBoot producing a system that only had a bootable Recovery partition.)
When I was compiling, Sophos would error during the compile. Essentially, due to the compiling of the image, Casper Admin was ignoring the "install on boot" flag of the Sophos package. So, I was trying to kludge around it. What I did instead was the answer marked here:
https://jamfnation.jamfsoftware.com/discussion.html?id=3841
Essentially, you compile only your base OS and updates, then drop that resulting DMG into a new configuration. Now I'm not compiling my entire configuration (makes testing way faster) and Casper Admin now respects that "install on boot" flag that the Sophos package has. Upon the machine's first boot, jamfHelper automatically pops up and installs Sophos SafeGuard.
Follow Jason Halvorson's instructions in that link and you'll be sailing smooth. Major ups, Jason.
Posted on 03-14-2012 08:35 AM
Hi-
Thanks for the info. We don't *have* to use it, but it's what they currently have so I was going to see about sticking with it. The key escrow is a good point...
Thanks!
Posted on 03-14-2012 11:54 AM
I am currently deploying this and I don't have an issue with it. I usually let it install by policy and it works fine. There is a KB article on this and it is set up from that. I have scripted it to set the accounts up and start encryption after it is installed.
I have just started using SafeGuard 6.00 and the same procedure is working with it. It still does not store keys and is a manual process. But I am stuck with it, as we use it for our Windows machines.
Posted on 03-15-2012 09:49 PM
I needed this because of the Windows clients and company wide policy for laptop encryption without any consultation...nice!
I have the following (it's not great, I just haven't had time to improve it)
*Installs via a script after Imaging
*launch daemon and script creates the sgn admin account (any booting weirdness requires a fat finger, then after that it's fine)
*login hook runs a SGN login script as the user which creates their sgn account with a default password, and always makes sure every time they log in there are 5 recovery accounts.
*Recovery accounts are output to a text file only root has access to.
*Extension attribute in inventory reads the recovery accounts and passwords for the users for emergency.
*Full disk encrypt manually at the moment
*Help the user change their default sgn password and carry out training.
*Log out hook to run a script as root to delete any sgn account for the admin or root account if I have logged in as them.
If anyone is interested please let me know and I will post it. My method is far from perfect.
I can't take the credit for the script. It was written by the top tech guy Frank Melber in Utimaco (Now part of Sophos)
Posted on 03-15-2012 10:00 PM
Just a side note, I have had this from day 1, I mean I was one of the first and even wrote documentation and sent it to Jamf literally right after they announced their sgn webinar etc.
Unfortunately it looks like Frank from Utimaco hasn't given this script to Sophos to share with their customers (very important for those recovery accounts). BAD FRANK
Looks like Jamf didn't go through my documentation and pull out relevant bits to share with the whole Jamf community as promised.
Posted on 03-16-2012 12:46 PM
I would be interested in your script that sets the user accounts up. I have a process that sets up the admin, the default user and one recovery officer and then starts encrypting. But I would like to improve it if possible.
Posted on 04-25-2012 12:02 PM
Anyone working with automating the user account setup for SSO on SG 6?
Posted on 04-26-2012 07:04 AM
Hi MikeF
Below is how I create the recovery accounts. I use a local login hook which runs multiple scripts and acts as a wrapper. See Mike Bombich's login-wrapper.sh
http://www.afp548.com/netboot/mactips/scripts.html
PS: where it says "see password manager" this is referring to an internal password manager system I use. You need to put your required passwords in these fields.
This works in SGN 05.50.01. Sorry I haven't had time to look at the latest version and test it out.
#!/bin/bash
# comment in for debug output
# set -x
# configuration
NUM_RECOVERY_USERS=5
DATE=`date "+%d-%m-%y_%H.%M"`
DUMP_FILE="/var/tmp/recovery_users"
DUMP_FOLDER="/var/tmp/Sophos_SafeGuard"
# setup absolute paths to all binaries we use
SGADMIN="/usr/bin/sgadmin"
WC="/usr/bin/wc"
GREP="/usr/bin/grep"
ECHO="/bin/echo"
USER="$1"
# TODO: get admin credentials, e.g. from file, or stdin ...
ADMIN="see password manager"
PWDADMIN="see password manager"
# default password given to a newly created user account (the user changes it afterwards)
DEFAULT_USER_PASSWORD="see password manager"
# check input before doing anything with it
if [ -z "$1" ]; then
${ECHO} "Error, no username given. Usage: '`basename $0` username'"
exit 1
fi
# create the user account with the default password if it doesn't exist on the machine yet
"${SGADMIN}" --add-user --type user --user "${USER}" --password "${DEFAULT_USER_PASSWORD}" --confirm-password "${DEFAULT_USER_PASSWORD}" --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}"
# setup regex for finding user ("[|]" matches a literal pipe; a bare "|" would be an alternation in grep -E)
REGEX_USER="^[|] user: ${USER}.*[|] type: .* [|] created: .* [|] modified: .* [|]$"
# setup regex for finding recovery users
REGEX_RECOVERY_USER="^[|] user: .* [|] type: recovery [|] created: .* [|] modified: .* [|] recovers: ${USER}.*[|]$"
# check if user ${USER} exists
${SGADMIN} --list-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" | ${GREP} -E "${REGEX_USER}" > /dev/null 2>&1
if [ $? -ne 0 ]; then
${ECHO} "Error, user '${USER}' does not exist."
exit 1
fi
# count recovery users for user ${USER}
ACTUAL_RECOVERY_USERS=`${SGADMIN} --list-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" | ${GREP} -E "${REGEX_RECOVERY_USER}" | ${WC} -l`
# how many additional recovery users do we need?
DIFF=$(( NUM_RECOVERY_USERS - ACTUAL_RECOVERY_USERS ))
if [ ${DIFF} -gt 0 ]; then
hostname > "${DUMP_FILE}"
${ECHO} "Creating recovery users for user '${USER}':" >> "${DUMP_FILE}" 2>&1
${SGADMIN} --add-recovery-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" --user-to-recover "${USER}" --count "${DIFF}" >> "${DUMP_FILE}" 2>&1
# capture sgadmin's exit status right away; a later command would overwrite $?
SG_STATUS=$?
if [ ${SG_STATUS} -ne 0 ]; then
${ECHO} "Error, '${SGADMIN}' exited with error code '${SG_STATUS}'."
exit 1
fi
# make the Sophos_SafeGuard folder (no error if it already exists)
mkdir -p "${DUMP_FOLDER}"
# moving the recovery users file to the Sophos_SafeGuard folder (we run as root, so no
# world-writable permissions are needed to write into it)
mv "${DUMP_FILE}" "${DUMP_FOLDER}"/recovery_users_"${DATE}".txt
# for security change ownership and permissions of the Sophos_SafeGuard folder and all
# files within it so that only root and group admin have access
chown -R root:admin "${DUMP_FOLDER}"
chmod -R 770 "${DUMP_FOLDER}"
${ECHO} "Successfully created ${DIFF} recovery users for user '${USER}'. Additional information can be found in '${DUMP_FOLDER}'"
fi
exit 0
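An added example, my own code rather than the script posted above or anything from Sophos: it parses a constructed listing in the pipe-delimited format the script's regexes expect (no sgadmin is called), reports how many recovery accounts a user is still missing, and writes the dump file into a folder that is owner-only from the moment it is created, so there is never a world-writable window as with the chmod 777 step. The listing, user names and folder path are all constructed for the example.

```bash
#!/bin/bash
# Added example (not the thread's script). Parses sgadmin-style "--list-users"
# rows, computes the recovery-account shortfall and writes a root-only dump file.
NUM_RECOVERY_USERS=5

# Constructed sample of what "sgadmin --list-users" prints (format assumed
# from the thread's regexes): jdoe has 2 recovery accounts, asmith has 1.
SAMPLE_LISTING='| user: jdoe | type: user | created: 2012-03-15 | modified: 2012-03-15 |
| user: rec-jdoe-1 | type: recovery | created: 2012-03-15 | modified: 2012-03-15 | recovers: jdoe |
| user: rec-jdoe-2 | type: recovery | created: 2012-03-15 | modified: 2012-03-15 | recovers: jdoe |
| user: asmith | type: user | created: 2012-03-15 | modified: 2012-03-15 |
| user: rec-asmith-1 | type: recovery | created: 2012-03-15 | modified: 2012-03-15 | recovers: asmith |'

# user_exists LISTING USER -> exit 0 if a "type: user" row for USER is present.
# "[|]" matches a literal pipe; a bare "|" in grep -E is alternation and
# would make the pattern match every line.
user_exists() {
  printf '%s\n' "$1" | grep -E "^[|] user: $2 [|] type: user " >/dev/null
}

# count_recovery LISTING USER -> number of recovery rows that recover USER
count_recovery() {
  printf '%s\n' "$1" | grep -Ec "[|] type: recovery [|].*[|] recovers: $2 [|]" || true
}

# missing_recovery LISTING USER -> how many more recovery accounts are needed
# to reach NUM_RECOVERY_USERS (never negative)
missing_recovery() {
  local have diff
  have=$(count_recovery "$1" "$2")
  diff=$(( NUM_RECOVERY_USERS - have ))
  if [ "$diff" -gt 0 ]; then echo "$diff"; else echo 0; fi
}

# write_dump DIR USER TEXT -> writes TEXT to a dated file under DIR and prints
# the file path. umask 077 makes both the folder and the file owner-only at
# creation time, so the permissions never have to be tightened afterwards.
write_dump() {
  local dir="$1" user="$2" text="$3" file
  ( umask 077; mkdir -p "$dir" && chmod 700 "$dir" ) || return 1
  file="$dir/recovery_users_${user}_$(date '+%d-%m-%y_%H.%M').txt"
  ( umask 077; printf '%s\n' "$text" > "$file" ) || return 1
  echo "$file"
}
```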
Posted on 07-04-2014 07:59 AM
@MikeF @tkimpton I noticed this post is from 2012 so wanted to ask if you have improved upon this process. I am currently in the middle of a Sophos deployment and wanted to automate as much as possible. Our process is as follows....
What I would like to accomplish is a practice where I can implement a workflow for our imaging techs, where less manual work is involved, and less end-user interaction upon deploying the machine.
I've looked around at the Activate Sophos script, but that doesn't answer the manual process of dragging the config zip file.
Posted on 07-04-2014 10:38 AM
This seems to work right in version 6.1. I am pretty sure I can get this working but won't be able to try till Tuesday. I will let you know then. The activate Sophos script you found was for a previous version. I will try and let you know. I have several VMs set up for this, so that helps with testing.
Now with 6.1 the encryption is FileVault 2 and it is just managing keys. I am still evaluating if it is worth using this as JAMF does a pretty good job. They do have some nice enterprise features that let me have my Windows PCs managed from the same server. And that is the only reason I am looking at it.
Posted on 07-09-2014 09:21 AM
OK, in version 6.1 I have been able to do this by installing the Sophos SafeGuard DE.pkg.
Also my SSL cert for the server being used. Then with Composer I took the configuration file and packaged it to put on the machine. And when deploying it I installed it using this command: sgdeadmin --import-config /private/tmp/SGN61PROD.zip
After a reboot it checks in with my server and then prompts for a password to start encryption.
Right now we are not using the file encryption product so we don't need FUSE. I experimented with it before and it works but we are not using it now.
Posted on 07-09-2014 12:53 PM
@MikeF thanks Mike. I am going to try this.
Posted on 07-13-2014 10:18 AM
@MikeF Thanks for that, looks a lot easier. If I get time to look at this at my new place I will do.