SafeGuard Enterprise Administrator Help - Sophos


SafeGuard Enterprise administrator help
Product version: 8.0

Contents

1 About SafeGuard Enterprise ..... 4
  1.1 What's New ..... 7
2 Installation ..... 11
  2.1 SafeGuard Enterprise components ..... 11
  2.2 Getting started ..... 13
  2.3 Setting up SafeGuard Enterprise Server ..... 17
  2.4 Setting up SafeGuard Enterprise Database ..... 20
  2.5 Setting up SafeGuard Management Center ..... 33
  2.6 Testing communication ..... 44
  2.7 Securing transport connections with SSL ..... 46
  2.8 Registering and configuring SafeGuard Enterprise Server ..... 50
  2.9 Creating configuration packages ..... 53
  2.10 Setting up SafeGuard Enterprise on endpoints ..... 55
  2.11 Installing the encryption software on Windows ..... 58
  2.12 Installing the encryption software on Mac OS X ..... 70
  2.13 About upgrading ..... 74
  2.14 About migrating ..... 77
  2.15 About uninstallation ..... 80
3 SafeGuard Management Center ..... 83
  3.1 Logging on to the SafeGuard Management Center ..... 83
  3.2 SafeGuard Management Center user interface ..... 84
  3.3 Language settings ..... 86
  3.4 Check database integrity ..... 86
  3.5 Working with policies ..... 86
  3.6 Working with configuration packages ..... 92
4 Managing Mac endpoints ..... 96
  4.1 Create configuration package for Macs ..... 96
  4.2 About SafeGuard Native Device Encryption for Mac ..... 96
  4.3 About SafeGuard File Encryption for Mac ..... 101
  4.4 Troubleshooting ..... 110
  4.5 Inventory and status data of Macs ..... 112
5 Modules ..... 113
  5.1 Synchronized Encryption ..... 113
  5.2 Manage full disk encryption ..... 139
  5.3 Location-based File Encryption ..... 150
  5.4 Cloud Storage ..... 160
  5.5 SafeGuard Data Exchange ..... 166
  5.6 SafeGuard Full Disk Encryption ..... 174
  5.7 SafeGuard Configuration Protection ..... 224
6 Recovery ..... 225
  6.1 Synchronize full disk encryption keys with mobile devices ..... 225
  6.2 Recovery for BitLocker ..... 225
  6.3 Recovery key for Mac endpoints ..... 227
  6.4 Virtual Clients ..... 228
  6.5 Repair a corrupted Management Center installation ..... 230
  6.6 Repair a corrupted database configuration ..... 231
7 Advanced management ..... 233
  7.1 Security recommendations ..... 233
  7.2 Working with multiple database configurations (Multi Tenancy) ..... 235
  7.3 SafeGuard Management Center - advanced ..... 239
  7.4 SafeGuard Enterprise Security Officers ..... 251
  7.5 Managing the organizational structure ..... 266
  7.6 Keys and Certificates ..... 274
  7.7 Company Certificate Change Orders ..... 283
  7.8 Licenses ..... 285
  7.9 Tokens and smartcards ..... 290
  7.10 Scheduling tasks ..... 305
  7.11 Auditing ..... 313
  7.12 Policy types and their fields of applications ..... 346
  7.13 Troubleshooting ..... 383
  7.14 SafeGuard Enterprise and self-encrypting, Opal-compliant hard drives ..... 402
8 Technical support ..... 405
9 Legal notices ..... 406

1 About SafeGuard Enterprise

SafeGuard Enterprise is a comprehensive data security solution that uses a policy-based encryption strategy to provide reliable data protection on workstations, network shares, and mobile devices. It allows users to securely share information and work with files on Windows, Mac OS X, iOS, and Android devices with the help of the Sophos Secure Workspace app.

In the SafeGuard Management Center, you manage security policies, keys, and certificates using a role-based administration strategy. Detailed logs and report functions ensure that you always have an overview of all events.

On the user side, data encryption and protection against unauthorized access are the main security functions of SafeGuard Enterprise. SafeGuard Enterprise can be seamlessly integrated into the user's normal environment.

Synchronized Encryption - application-based File Encryption

Synchronized Encryption is built on two assertions: that all data is important and must be protected (encrypted), and that encryption should be persistent wherever the data is located. In addition, important data should be encrypted automatically and transparently so that a user need not be bothered with having to decide whether or not to encrypt a file based on its perceived importance. This very basic premise, that all data is important and must be protected, ensures that all data is encrypted seamlessly without user intervention. This allows the user to remain productive, have their data secure and follow their existing workflows, see Synchronized Encryption (page 113).

Location-based File Encryption

Cloud Storage

Cloud storage services are useful to help users access their data, wherever they are, on whatever device they're using. Improving productivity of users is important, but it's equally critical to ensure your sensitive information stays secure once it moves to the cloud. SafeGuard Enterprise automatically and invisibly encrypts/decrypts files as they are uploaded to or downloaded from cloud services.

- Encrypts files uploaded to cloud storage services
- Allows secure data sharing everywhere
- Automatically detects and supports most popular cloud storage services such as Box, Dropbox, OneDrive and Egnyte
- Reads encrypted files using our free Sophos Secure Workspace app for iOS and Android

File Encryption

Encryption isn't only for making sure data stays safe from prying eyes outside your business. It's also useful for enabling secure collaboration and controlling files inside it. SafeGuard Enterprise goes beyond simple folder permissions and guarantees that only the right people can read the right files while still allowing IT to manage files and backups.

- Configures file encryption for shared folders
- Makes sure only certain users or groups are able to access data
- Doesn't require any interaction from your users
- Provides an extra layer of protection if/when your corporate servers move to the cloud

Data Exchange

SafeGuard Enterprise automatically and transparently encrypts files on removable media such as USB sticks, memory cards and CDs/DVDs.

- Share encrypted data on removable media easily across your organization without impacting your users
- Using a portable application and password, easily and securely share encrypted removable media with users not using SafeGuard Enterprise
- Removable media whitelisting makes encryption management easier and more flexible

Full disk encryption

- For UEFI platforms, use BitLocker managed by SafeGuard Enterprise for disk encryption. For these endpoints SafeGuard Enterprise offers enhanced Challenge/Response capabilities. For details on the supported UEFI versions and restrictions to SafeGuard BitLocker Challenge/Response support, please see the Release Notes at http://downloads.sophos.com/readmes/readsgn_8_eng.html.
  Note: Whenever the description only refers to UEFI, it is mentioned explicitly.
- For BIOS platforms you can choose between SafeGuard Full Disk Encryption and BitLocker encryption managed by SafeGuard Enterprise. The BIOS version comes with the BitLocker native recovery mechanism.
  Note: If SafeGuard Full Disk Encryption or SafeGuard Power-on Authentication is mentioned in this manual, it refers to Windows 7 BIOS endpoints only.

The table shows which components are available.

Platform                | SafeGuard Full Disk Encryption with SafeGuard Power-on Authentication (POA) | BitLocker with pre-boot authentication (PBA) managed by SafeGuard | SafeGuard C/R recovery for BitLocker pre-boot authentication (PBA)
------------------------|-----|-----|-----
Windows 7 BIOS          | YES | YES |
Windows 7 UEFI          |     | YES | YES
Windows 8.1 BIOS        |     | YES |
Windows 8.1 UEFI        |     | YES | YES
Windows 10              |     | YES | YES
Windows 10 Threshold 2  |     | YES | YES

Note: SafeGuard C/R recovery for BitLocker pre-boot authentication (PBA) is only available on 64-bit systems.

SafeGuard Full Disk Encryption with SafeGuard Power-on Authentication (POA) is the Sophos module for encrypting volumes on endpoints. It comes with a Sophos-implemented pre-boot authentication named SafeGuard Power-on Authentication (POA), which supports logon options like smartcard and fingerprint and a Challenge/Response mechanism for recovery.

BitLocker with pre-boot authentication (PBA) managed by SafeGuard is the component that enables and manages the BitLocker encryption engine and the BitLocker pre-boot authentication. It is available for BIOS and UEFI platforms:

- The UEFI version additionally offers a SafeGuard Challenge/Response mechanism for BitLocker recovery in case users forget their PINs. The UEFI version can be used when certain platform requirements are met. For example, the UEFI version must be 2.3.1. For details, see the Release Notes.
- The BIOS version does not offer the recovery enhancements of the SafeGuard Challenge/Response mechanism and also serves as a fallback option in case the requirements for the UEFI version are not met. The Sophos installer checks whether the requirements are met and, if not, automatically installs the BitLocker version without Challenge/Response.

Protect your Macs

Data on a Mac is as valuable as data on a Windows PC, which makes it vital to include Macs in your data encryption strategy. SafeGuard Enterprise protects your Macs with file and disk encryption and ensures that the data on your Macs is secure at all times.
It includes encryption capability for removable media, network file shares and cloud on Mac.

- Manage file or disk encryption for Macs in the same Management Center as all other devices
- Manage FileVault 2 encrypted devices
- Works in the background without impacting performance
- Complete visibility and reporting on encryption status

For Mac endpoints the following modules are available. They are also managed by SafeGuard Enterprise or at least report to the Management Center.

Platform     | Synchronized Encryption (application-based) | Sophos SafeGuard File Encryption (location-based) | Sophos SafeGuard Native Device Encryption (FileVault 2 management)
-------------|-----|-----|-----
OS X 10.9    | YES | YES | YES
OS X 10.10   | YES | YES | YES
OS X 10.11   | YES | YES | YES
macOS 10.12  | YES | YES | YES

Sophos Secure Workspace

Encryption keys from the SafeGuard Enterprise key ring can be made available in the Sophos Secure Workspace (SSW) app managed by Sophos Mobile Control. Users of the app can then use the keys to decrypt and view documents, or to encrypt documents. These files can then be securely shared between all SafeGuard Enterprise and SSW users. For more information, see the Sophos Secure Workspace documentation.

1.1 What's New

- Synchronized Encryption (page 113)
  - Application-based file encryption
  - Outlook add-in
  - Integration with Sophos Central Endpoint Protection - remove keys on compromised machines
  - Share key ring between Sophos SafeGuard Enterprise and Sophos Mobile Control
- Synchronize full disk encryption keys with mobile devices (page 225)
- Enhanced Authentication - the .Unconfirmed Users group (page 8)
- Improved Active Directory synchronization and autoregistration (page 9)
- Improve Sophos SafeGuard by sending anonymous usage data (page 9)

1.1.1 Enhanced authentication - the .Unconfirmed Users group

Users who log on to SafeGuard Enterprise need to be authenticated against Active Directory before they have access to their key rings.

Note: If you use BitLocker managed by SafeGuard Enterprise you need to allow registration of new SGN users for Everybody:

1. In the Policies navigation area, create a new policy of the type Specific Machine Settings or select an existing one.
2. In the User Machine Assignment (UMA) section, go to the Allow registration of new SGN users for setting and select Everybody from the drop-down list.
3. Go to Users and Computers and assign the policy to your user groups.

If users cannot be authenticated when they log on, they will be moved to the .Unconfirmed Users group. This group is displayed in the global root node and in every domain or workgroup.

Possible reasons for which users cannot be authenticated when they log on are:

- The user provided credentials that do not match the credentials stored in Active Directory.
- The user is a local user on the endpoint.
- The Active Directory authentication server is not reachable.
- The user belongs to a domain that is not imported from Active Directory.
  Note: These users will be added to the global .Unconfirmed Users group that is displayed directly below the Root node in Users and Computers.
- The authentication failed due to an unexpected error. See also Sophos knowledgebase article 124328.

Note: Only Active Directory users can be authenticated. This requires that Active Directory is configured properly.

As long as users reside in the .Unconfirmed Users group they do not have access to their key rings.

If you click on an .Unconfirmed Users group, details of the users in the group are displayed in the Unconfirmed Users tab on the right-hand pane, for example the reason why the user has been moved to this group.

The Client Status dialog on the users' endpoints displays unconfirmed user under SGN user state.

1.1.1.1 Confirm users

As a security officer you have to verify users in the .Unconfirmed Users group. If they are authorized users, you have to explicitly confirm them to allow access to their key rings. Without their key ring, users cannot access encrypted data.

To confirm users in the .Unconfirmed Users group:

1. In the Management Center, select the .Unconfirmed Users group.
   Users who have not been authenticated against Active Directory are listed. You can click on individual users to display detailed information in the right-hand pane.
2. Verify if users are allowed to access the SafeGuard Enterprise key ring.
3. If they are, select a user, right-click and click Confirm user in the context menu.

You can confirm all users in the .Unconfirmed Users group by selecting the group itself and clicking Confirm all users in the context menu.

Confirmed users will be moved to the correct Active Directory structure and will be able to access their key ring.

Note: Confirmation of users can also be performed via scripting API calls.

1.1.1.2 Log events for unconfirmed users

Events are logged when users are added to the .Unconfirmed Users group (event 2801) and when users have been confirmed successfully (event 2800). You can view a list of these events in the SafeGuard Management Center under Reports in the Event viewer.

1.1.2 Improved Active Directory synchronization and auto-registration

- New customers are guided through the process of setting up a complete system by the SafeGuard Management Center Configuration Wizard. The initial import of the Active Directory structure is done during initial configuration, see Start initial SafeGuard Management Center configuration (page 35).
- Added computers and users will be moved to the right OU/group automatically and will immediately get the right policies and keys. A triggered AD synchronization is no longer needed in this case.

1.1.3 Improve Sophos SafeGuard by sending anonymous usage data

Sophos is continuously trying to improve SafeGuard Enterprise. Accordingly, clients regularly send anonymized data to Sophos. This data is exclusively utilized for improving the product. It cannot be used to identify customers or machines, and does not contain any other confidential information. For more information, see Sophos knowledgebase article 123768.

Sending data to Sophos is optional. Because all data is sent anonymized, the data collection function is enabled by default.

You can disable the function in the SafeGuard Management Center (Policies General Settin
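The two event IDs named in 1.1.1.2 above (2801 = user added to .Unconfirmed Users, 2800 = user confirmed) are enough to audit the group outside the Event viewer. The following Python is an added example, not Sophos code and not the Management Center's scripting API: the semicolon-separated record layout, the report time and the user names are constructed for the demonstration, and a real export from the Event viewer would need parse_event() adapted to its columns. It lists users still waiting for confirmation (who therefore have no key ring access), flags those waiting longer than a threshold, and flags users who land in the group again after a security officer had already confirmed them, since a confirmed Active Directory user should not keep failing authentication.

```python
"""Audit SafeGuard .Unconfirmed Users events from an exported event list.

Event IDs are those documented in the administrator help:
  2801 = user added to the .Unconfirmed Users group
  2800 = user confirmed by a security officer
The record layout, names and timestamps below are CONSTRUCTED for this
example; adapt parse_event() to the columns of a real Event viewer export.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

EVENT_ADDED_UNCONFIRMED = 2801
EVENT_USER_CONFIRMED = 2800

# Constructed report time used by run_report(); a real audit would use datetime.now().
REPORT_TIME = datetime(2017, 3, 3, 12, 0, 0)


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    user: str
    detail: str


# Constructed sample export: "ISO time;event id;DOMAIN\user;detail"
SAMPLE_EXPORT = """\
2017-03-01T08:02:10;2801;CORP\\alice;credentials do not match Active Directory
2017-03-01T08:05:42;2800;CORP\\alice;confirmed by security officer
2017-03-01T09:15:00;2801;WS-0042\\localadmin;local user on the endpoint
2017-03-02T11:30:00;2801;CORP\\bob;Active Directory authentication server not reachable
2017-03-03T07:45:13;2801;CORP\\alice;credentials do not match Active Directory
"""


def parse_event(line: str) -> Event:
    """Parse one constructed record; the detail field may itself contain ';'."""
    time_s, id_s, user, detail = line.split(";", 3)
    return Event(datetime.fromisoformat(time_s), int(id_s), user, detail)


def parse_export(text: str) -> list[Event]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def pending_unconfirmed(events: list[Event]) -> dict[str, tuple[datetime, str]]:
    """Users whose most recent 2801 has no later 2800: {user: (since, detail)}.

    Events are replayed in time order so a confirmation only clears the
    2801 events that precede it.
    """
    pending: dict[str, tuple[datetime, str]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == EVENT_ADDED_UNCONFIRMED:
            pending[ev.user] = (ev.time, ev.detail)
        elif ev.event_id == EVENT_USER_CONFIRMED:
            pending.pop(ev.user, None)
    return pending


def stale_unconfirmed(events: list[Event], now: datetime,
                      max_age: timedelta = timedelta(hours=24)) -> list[str]:
    """Pending users blocked from their key ring for longer than max_age."""
    pending = pending_unconfirmed(events)
    return sorted(user for user, (since, _) in pending.items() if now - since > max_age)


def reconfirmed_users(events: list[Event]) -> list[str]:
    """Users added to .Unconfirmed Users again after having been confirmed."""
    confirmed: set[str] = set()
    flagged: set[str] = set()
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == EVENT_USER_CONFIRMED:
            confirmed.add(ev.user)
        elif ev.event_id == EVENT_ADDED_UNCONFIRMED and ev.user in confirmed:
            flagged.add(ev.user)
    return sorted(flagged)


def run_report(text: str = SAMPLE_EXPORT, now: datetime = REPORT_TIME) -> dict:
    events = parse_export(text)
    return {
        "pending": sorted(pending_unconfirmed(events)),
        "stale": stale_unconfirmed(events, now),
        "reconfirmed": reconfirmed_users(events),
    }


if __name__ == "__main__":
    for section, users in run_report().items():
        print(f"{section}: {', '.join(users) or '-'}")
```

On the constructed sample, alice was confirmed and then re-added, so she is pending again and flagged as reconfirmed; the local user and bob have waited more than 24 hours and are reported as stale. The thresholds and the "reconfirmed" heuristic are this example's choices, not product behaviour.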
