Thursday, June 19, 2008

Walkthrough Full Disk Encryption for Mac OS X

In the previous post, I talked about the release of Pointsec for Mac, which to my knowledge is the only Full Disk Encryption product available for the Mac. I also mentioned the installation process and how it differs from installing Pointsec for PC. I want to continue the discussion by walking through the menu options available once you've installed Pointsec for Mac on your machine.

I am a big fan of Pointsec for PC. I think that it is the easiest full disk encryption product to install and administer out there. Having said that, I also know that the large set of options available can be daunting for people when they first set it up. This probably won't be the case for people who set up Pointsec for Mac. Since the product isn't as full-featured as its cousin, the main screen isn't as intimidating.

On the main page you have your Update Validation Password (which is used to authenticate update profiles that it downloads) and the paths that you set for the software to put recovery files and search for update profiles. That's it!

As I said, there aren't as many options because the software isn't as full-featured. One of the features not present is the logging that you get with Pointsec for PC. When you install Pointsec on a PC, you can remotely view the logs through the event viewer or the logs that get written to the server. You can verify that the installation went properly and that the disks are encrypting. You won't get that same assurance from Pointsec for Mac without visiting the desktop.

I also mentioned in the previous post that we don't have anything like Single Sign-On or Windows Integrated Login with the Mac product. The only way I have found to get a single sign-on environment is to have the Mac automatically log in after you authenticate with Pointsec. Smartcard support and the ability to customize the Pre-Boot Environment are also missing.

Under System Settings you'll find the mount points that were configured at setup time. Since you can't make any changes to these settings, there really isn't anything to worry about here.

Finally, we get to the System Passwords Policy. Just like with Pointsec for PC, you can have a password policy for each group of users, but you can also have a master password policy for your system. So you might set up all of the groups for your organization with their appropriate password requirements. Then, if you have some computers that hold particularly sensitive data, you may set even stronger password requirements for those machines regardless of which users are logging into them. When I talk about Pointsec for PC, I usually recommend setting the password policy to be as permissive as possible and letting Active Directory be the password policy enforcer. However, since you're not going to be using Single Sign-On with Pointsec for Mac, you won't be able to rely on an outside policy enforcer, so you're going to have to do something with these settings. They are pretty self-explanatory, though.

I think in my next post I'm going to talk about creating a remote installation profile and see if that is much different from the process on Pointsec for PC.
