Sophos SafeGuard 5.5

jarednichols
Honored Contributor

So I've never worked with SafeGuard before and am curious as to how folks are deploying it. I've tried a login policy for right after Imaging that will call jamfHelper to fs mode, install Sophos, then run the activateSophos script as provided in the resource kit, but I always get an error 31 upon reboot as if the product isn't completely installed.

Anyone run into this? What does your workflow look like?

Thanks!

14 REPLIES

jhbush
Valued Contributor II

My company looked at this product and scrapped it. After talking with Sophos, they have no way to escrow the keys like on Windows, which is where we use it presently to encrypt XP machines. That functionality isn't expected for at least another year. JAMF has a white paper somewhere and when I was doing the POC it worked fine by following their document. We also looked at PGP-based encryption, but that breaks on every firmware update according to the pilot group we had a few months back. Considering all of the changes that Apple makes these days without documenting them, we are sticking with FV2 for now. This is just my opinion and your employer may be mandating this product, so you might not have a choice.

jarednichols
Honored Contributor

Hi-

Thanks for the info. We don't *have* to use it, but it's what they currently have so I was going to see about sticking with it. The key escrow is a good point...

Thanks!

MikeF
Contributor II

I am currently deploying this and I don't have an issue with it. I usually let it install by policy and it works fine. There is a KB article on this and it is set up from that. I have scripted it to set the accounts up and start encryption after it is installed.

I have just started using SafeGuard 6.00 and the same procedure is working with it. It still does not store keys and is a manual process. But I am stuck with it because we use it for our Windows machines.

tkimpton
Valued Contributor II

I needed this because of the Windows clients and company wide policy for laptop encryption without any consultation...nice!

I have the following (it's not great, I just haven't had time to improve it):
* Installs via a script after imaging
* Launch daemon and script creates the SGN admin account (any booting weirdness requires a fat finger, then after that it's fine)
* Login hook runs an SGN login script as the user which creates their SGN account with a default password, and always makes sure every time they log in there are 5 recovery accounts.
* Recovery accounts are output to a text file only root has access to.
* Extension attribute in inventory reads the recovery accounts and passwords for the users for emergencies.
* Full disk encrypt manually at the moment
* Help the user change their default SGN password and carry out training.
* Log out hook runs a script as root to delete any SGN account for admin or root if I have logged in as them.

If anyone is interested please let me know and I will post it. My method is far from perfect.

I can't take the credit for the script. It was written by the top tech guy Frank Melber at Utimaco (now part of Sophos).

tkimpton
Valued Contributor II

Just a side note: I have had this from day 1, I mean I was one of the first and even wrote documentation and sent it to Jamf literally right after they announced their SGN webinar etc.

Unfortunately it looks like Frank from Utimaco hasn't given this script for Sophos to share with their customers (very important for those recovery accounts). BAD FRANK

Looks like Jamf didn't go through my documentation and pull out the relevant bits to share with the whole Jamf community as promised.

jarednichols
Honored Contributor

So I got this working. I followed the white paper, and what is left out is something I just reported to Taylor at JAMF support yesterday.

My issue stemmed from the fact that I was compiling my 10.7 builds so that I'd get a bootable system. (See all those discussions about NetBoot producing a system that only had a bootable Recovery partition.)

When I was compiling, Sophos would error during the compile. Essentially, due to the compiling of the image, Casper Admin was ignoring the "install on boot" flag of the Sophos package. So, I was trying to kludge around it. What I did instead was the answer marked here:

https://jamfnation.jamfsoftware.com/discussion.html?id=3841

Essentially, you compile only your base OS and updates, then drop that resulting DMG into a new configuration. Now I'm not compiling my entire configuration (makes testing way faster) and Casper Admin now respects that "install on boot" flag that the Sophos package has. Upon the machine's first boot, jamfHelper automatically pops up and installs Sophos SafeGuard.

Follow Jason Halvorson's instructions in that link and you'll be sailing smooth. Major ups, Jason.

MikeF
Contributor II

I would be interested in your script that sets the user accounts up. I have a process that sets up the admin, the default user and one recovery officer and then starts encrypting. But I would like to improve it if possible.

williape
New Contributor

Anyone working with automating the user account setup for SSO on SG 6?

tkimpton
Valued Contributor II

Hi MikeF

Below is how I create the recovery accounts. I use a local login hook which runs multiple scripts and acts as a wrapper. See Mike Bombich's login-wrapper.sh:

http://www.afp548.com/netboot/mactips/scripts.html

PS: where it says "see password manager" this is referring to an internal password manager system I use. You need to put your required passwords in these fields.

This works in SGN 05.50.01. Sorry, I haven't had time to look at the latest version and test it out.

#!/bin/sh

# comment in for debug output
# set -x

# configuration
NUM_RECOVERY_USERS=5
DATE=$(date "+%d-%m-%y_%H.%M")
DUMP_FILE="/var/tmp/recovery_users"
DUMP_FOLDER="/var/tmp/Sophos_SafeGuard"
# setup absolute paths to all binaries we use
SGADMIN="/usr/bin/sgadmin"
WC="/usr/bin/wc"
GREP="/usr/bin/grep"
ECHO="/bin/echo"
# the login hook passes the user name as the first argument
USER="$1"
# TODO: get admin credentials, e.g. from file, or stdin ...
ADMIN="see password manager"
PWDADMIN="see password manager"
# default password for a newly created SGN user; the same value must be given to --confirm-password
DEFAULTPWD="see password manager"

# check input before it is used anywhere
if [ -z "${USER}" ]; then
        ${ECHO} "Error, no username given. Usage: '$(basename "$0") username'"
        exit 1
fi

# creating the user account if it doesn't exist on the machine, with the default password.
"${SGADMIN}" --add-user --type user --user "${USER}" --password "${DEFAULTPWD}" --confirm-password "${DEFAULTPWD}" \
        --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}"

# setup regex for finding user (the "|" column separators of the sgadmin listing are escaped so grep -E matches them literally)
REGEX_USER="^\| user: ${USER}.*\| type: .* \| created: .* \| modified: .* \|$"

# setup regex for finding recovery users
REGEX_RECOVERY_USER="^\| user: .* \| type: recovery \| created: .* \| modified: .* \| recovers: ${USER}.*\|$"

# check if user ${USER} exists
if ! "${SGADMIN}" --list-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" \
        | ${GREP} -E "${REGEX_USER}" > /dev/null 2>&1; then
        ${ECHO} "Error, user '${USER}' does not exist."
        exit 1
fi

# count recovery users for user ${USER}
ACTUAL_RECOVERY_USERS=$("${SGADMIN}" --list-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" \
        | ${GREP} -E "${REGEX_RECOVERY_USER}" | ${WC} -l)

# how many additional recovery users do we need?
DIFF=$((NUM_RECOVERY_USERS - ACTUAL_RECOVERY_USERS))

if [ "${DIFF}" -gt 0 ]; then
        hostname > "${DUMP_FILE}"
        ${ECHO} "Creating recovery users for user '${USER}':" >> "${DUMP_FILE}" 2>&1
        "${SGADMIN}" --add-recovery-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" \
                --user-to-recover "${USER}" --count "${DIFF}" >> "${DUMP_FILE}" 2>&1
        # capture the exit code immediately; checking $? after the sleep below only tests the sleep
        RC=$?
        if [ "${RC}" -ne 0 ]; then
                ${ECHO} "Error, '${SGADMIN}' exited with error code '${RC}'."
                exit 1
        fi

        # make the Sophos_SafeGuard folder (no error if it already exists from an earlier run)
        mkdir -p "${DUMP_FOLDER}"

        # pausing 5 seconds
        sleep 5

        # changing ownership, read, write and execute permissions of the Sophos_SafeGuard folder so that new txt files can be written to it
        chmod -R 777 "${DUMP_FOLDER}"

        # moving the recovery users file to the Sophos_SafeGuard folder
        mv "${DUMP_FILE}" "${DUMP_FOLDER}/recovery_users_${DATE}.txt"

        # for security, changing ownership, read, write and execute permissions of the Sophos_SafeGuard folder and all files within it so that only root and group admin have access
        chown -R root:admin "${DUMP_FOLDER}"
        chmod -R 770 "${DUMP_FOLDER}"

        # pausing 5 seconds
        sleep 5

        ${ECHO} "Successfully created ${DIFF} recovery users for user '${USER}'. Additional information can be found in '${DUMP_FOLDER}'"
fi

exit 0

wmateo
Contributor

@MikeF @tkimpton I noticed this post is from 2012, so I wanted to ask if you have improved upon this process. I am currently in the middle of a Sophos deployment and wanted to automate as much as possible. Our process is as follows:

  1. Install FUSE and Sophos SGE during post imaging
  2. Manually drag the config ZIP file onto the Sophos preferences
  3. Enter the local admin account & user's account PW for encryption (usually admin and the PW of the user of the machine, which I don't think is good practice, but somehow I feel for AD purposes it's set up this way. If someone can explain this better, I would appreciate it.)

What I would like to accomplish is a workflow for our imaging techs where less manual work is involved, and less end-user interaction upon deploying the machine.

I've looked around at the Activate Sophos script, but that doesn't answer the manual process of dragging the config zip file.

MikeF
Contributor II

This seems to work right in version 6.1. I am pretty sure I can get this working but won't be able to try till Tuesday. I will let you know then. The Activate Sophos script you found was for a previous version. I will try and let you know. I have several VMs set up for this, so that helps with testing.

Now with 6.1 the encryption is FileVault 2 and it is just managing keys. I am still evaluating if it is worth using this, as JAMF does a pretty good job. They do have some nice enterprise features that let my Windows PCs be managed from the same server, and that is the only reason I am looking at it.

MikeF
Contributor II

OK, in version 6.1 I have been able to do this by installing the Sophos SafeGuard DE.pkg.

Also my SSL cert for the server being used. Then with Composer I took the configuration file and packaged it to put on the machine. When deploying it, I installed it using this command: sgdeadmin --import-config /private/tmp/SGN61PROD.zip

After a reboot it checks in with my server and then prompts for a password to start encryption.

Right now we are not using the file encryption product, so we don't need FUSE. I experimented with it before and it works, but we are not using it now.
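The config-import step MikeF describes, wrapped as a postinstall script with checks around it (an added example, not code from the thread or from Sophos). It assumes the Composer package drops the zip at /private/tmp/SGN61PROD.zip, the path used above, and that sgdeadmin is installed at /usr/bin/sgdeadmin (an assumed location); the import fails cleanly if either is missing, and the staged zip is removed once the client has taken the configuration.

```shell
#!/bin/sh
# Added example (not from the thread): run "sgdeadmin --import-config" from a
# Jamf postinstall script, with input checks and cleanup of the staged zip.
# CONFIG_ZIP is the path from MikeF's post; SGDEADMIN is an assumed install
# path and can be overridden (a test can point it at a stub binary).
CONFIG_ZIP="${CONFIG_ZIP:-/private/tmp/SGN61PROD.zip}"
SGDEADMIN="${SGDEADMIN:-/usr/bin/sgdeadmin}"

# import_sgn_config ZIP BINARY
#   2 = sgdeadmin missing (DE.pkg not installed), 3 = zip missing or empty,
#   4 = could not restrict the zip, otherwise sgdeadmin's own exit code
import_sgn_config() {
    zip="$1"
    bin="$2"
    if [ ! -x "$bin" ]; then
        echo "sgdeadmin not found at '$bin'; is the DE.pkg installed?" >&2
        return 2
    fi
    if [ ! -s "$zip" ]; then
        echo "configuration zip '$zip' is missing or empty" >&2
        return 3
    fi
    # the zip carries server-specific settings: make it root-only before use
    chmod 600 "$zip" || return 4
    # the import step from the thread; keep its exit code even under set -e
    "$bin" --import-config "$zip" && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "sgdeadmin --import-config failed with exit code $rc" >&2
        return "$rc"        # zip is left in place for troubleshooting
    fi
    # success: the client now holds the config, so drop the staged copy
    rm -f "$zip"
    return 0
}

# Run the import when invoked as "script.sh import"; sourcing the file only
# defines the function.
if [ "${1:-}" = "import" ]; then
    import_sgn_config "$CONFIG_ZIP" "$SGDEADMIN"
fi
```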

wmateo
Contributor

@MikeF thanks Mike. I am going to try this.

tkimpton
Valued Contributor II

@MikeF Thanks for that, looks a lot easier. If I get time to look at this at my new place I will do.