Jamf Nation Community

Hi-

Thanks for the info. We don't *have* to use it, but it's what they currently have so I was going to see about sticking with it. The key escrow is a good point...

Thanks!

I am currently deploying this and I don't have an issue with it. I usually let it install by policy and it works fine. There is a KB article on this and it is set up from that. I have scripted it to set the accounts up and start encryption after it is installed.

I have just started using Safeguard 6.00 and the same procedure is working with it. It still does not store keys and is a manual process. But I am stuck with it as we use it for our windows machines we are stuck with it because of this.

I needed this because of the Windows clients and company wide policy for laptop encryption without any consultation...nice!

I have the following (its not great, I just haven't had time to improve it)
*Installs at via a script after Imaging
*launch daemon and script creates the sgn admin account (any booting weirdness requires a fat finger then after its fine)
*login hook runs a SGN login script as the user which creates their sgn account with a default password, always makes sure everytime logging in there are 5 recovery accounts.
*Recovery accounts are outputted to a text file only root has access to.
*Extention attribute in inventory reads the recovery accounts and passwords for the users for emergency.
*Full disk encrypt manually at the moment
*Help the user change their default sgn password and carryout training.
*Log out hook to run a script as root to delete any sgn account for admin or root account if I have logged in as them.

If anyone is interested please let me know and I will post it. My method is far from perfect.

I can't take the credit for the script. It was written by the top tech guy Frank Melber in Utimaco (Now part of Sophos)

Just a side note, I have had this from day1, I mean I was one of the first and even wrote documentation and sent it to Jamf litteraly after they announced their sgn webinar etc.

Unfortunately looks like Frank from Utimaco hasn't given this script for Sophos to share with their customers (very important for those recovery accounts) BAD FRANK

Looks like Jamf didn't go through my documentation, pull out relevant bits to share with the whole Jamf community as promised.

I would be interested in your script that makes the user accounts up. I have a process that sets the admin up the default user and one recovery officer and the starts encrypting. But I would like to improve it if possible.

Anyone working with automating the user account setup for SSO on SG 6?

Hi MikeF

Below is a how i create the recovery accounts. I use a local login hook which runs mutiple scripts and acts as wrapper. See Mike Bombichs login-wrapper.sh

http://www.afp548.com/netboot/mactips/scripts.html

ps where it says "see password manager" this is refering to an internal password manager system i use. You need to put your required passwords in these fields

This works in SGN 05.50.01. Sorry i haven't had time to look at the latest version and test it out.

#!/bin/sh

# comment in for debug output
# set -x

# configuration
NUM_RECOVERY_USERS=5
DATE=`date "+%d-%m-%y_%H.%M"`
DUMP_FILE="/var/tmp/recovery_users"
DUMP_FOLDER="/var/tmp/Sophos_SafeGuard"
# setup absolute paths to all binaries we use
SGADMIN="/usr/bin/sgadmin"
WC="/usr/bin/wc"
GREP="/usr/bin/grep"
ECHO="/bin/echo"
USER="$1"
# TODO: get admin credentials, e.g. from file, or stdin ...
ADMIN="see password manager"
PWDADMIN="see password manager"



# creating the user account if it doesn't exits on the machine with a default password.
"${SGADMIN}" --add-user --type user --user "${USER}" --password 3TUBbEny --confirm-password see password manager --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}"

# check input
if [ -z "$1" ]; then
        ${ECHO} "Error, no username given. Usage: '`basename $0` username'"
        exit 1
fi

# setup regex for finding user
REGEX_USER="^| user: ${USER}.*| type: .* | created: .* | modified: .* |$"

# setup regex for finding recovery users
REGEX_RECOVERY_USER="^| user: .* | type: recovery | created: .* | modified: .* | recovers: ${USER}.*|$"

# check if user ${USER} exists
${SGADMIN} --list-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" 
        | ${GREP} -E "${REGEX_USER}" > /dev/null 2>&1
if [ $? -ne 0 ]; then
        ${ECHO} "Error, user '${USER}' does not exist."
        exit 1
fi

# count recovery users for user ${USER}
ACTUAL_RECOVERY_USERS=`${SGADMIN} --list-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" 
        | ${GREP} -E "${REGEX_RECOVERY_USER}" | ${WC} -l`

# how many additional recovery users do we need?
declare -i DIFF="${NUM_RECOVERY_USERS} - ${ACTUAL_RECOVERY_USERS}"

if [ ${DIFF} -gt 0 ]; then

hostname>"${DUMP_FILE}"
${ECHO} "Creating recovery users for user '${USER}':" >> "${DUMP_FILE}" 2>&1
        ${SGADMIN} --add-recovery-users --authenticate-user "${ADMIN}" --authenticate-password "${PWDADMIN}" 
                --user-to-recover "${USER}" --count "${DIFF}" >> "${DUMP_FILE}" 2>&1

# make the Sophos_SafeGuard folder
mkdir "${DUMP_FOLDER}"

# Pausing 5 seconds
sleep 5

# changing ownership, read, write and execute permissions of the Sophos_SafeGuard folder so that new txt files can be written to it
chmod -R 777 "${DUMP_FOLDER}"

# moving the recovery users file to the Sophos_SafeGuard folder
mv "${DUMP_FILE}" /"${DUMP_FOLDER}"/recovery_users_"${DATE}".txt

# for security changing ownership, read, write and execute permissions of the Sophos_SafeGuard folder and all files within it so that only root and group admin have access
chown -R root:admin "${DUMP_FOLDER}"
chmod -R 770 "${DUMP_FOLDER}"

# pausing 5 seconds
sleep 5

if [ $? -ne 0 ]; then
                ${ECHO} "Error, '${SGADMIN}' exited with error code '$?'."
                exit 1
        fi
        ${ECHO} "Successfully created ${DIFF} recovery users for user '${USER}'. Additional information can be found in '${DUMP_FOLDER}'"
fi


exit 0

@MikeF @tkimpton I noticed post is from 2012 so wanted to ask if you have improved upon this process. I am currently in the middle of a Sophos Deployment and wanted to automate as much as possible. Our Process is as follow....

1. Install, Fuse, Sophos SGE during post imaging
2. Manually drag config ZIP file onto sophos preferences
3. Enter Local admin account & user's account pw for encryption (usually admin and the the user's of the machine PW, which I don't think its good practice, but somehow feel for AD purposes is setup this way. if someone can explain this better, I would appreciate it.

what I would like to accomplish is a practice where I can implement workflow for our imaging techs, where less manual work is involved, and less end-user interaction upon deploying the machine.

I've looked around at the Activate Sophos, script, but that doesn't answer the dragging of the Config zip file manual process.

This seems to work right in version 6.1. I am pretty sure I can get this working but won't be able to try till Tuesday. I will let you know then. The activate sophos script you found was for a previous version. I will try and let you know. I have several VMS setup for this. So that helps with testing.

Now with 6.1 the encryption is file vault 2 and it is just managing keys. I am still evaluating if it is worth using this as JAMF does a pretty good job. They do have some nice enterprise features that let me have my windows pcs manage from same server. And that is the only reason I am looking at it.

OK in version 6.1 I have been able to do this by installing the Sophos SafeGuard DE.pkg.

Also my ssl cert for the server being used. Then with composer I took the configuration file and packaged it to put on the machine. And deploying it I installed it using this command. sgdeadmin --import-config /private/tmp/SGN61PROD.zip

After a reboot it checks with my server and then prompts for password to start encryption.

Right now we are not using the file encryption product so we don'r need fuse. I experimented with it before and it works but we are not using it now.

@MikeF thanks Mike. I am going to try this.

@MikeF Thanks for that, looks a lot easier. If get time to look at this at my new place i will do.