Wednesday, March 4, 2009

New Version of Checkpoint FDE for Macs

Last night I got a chance to try out the latest version of Checkpoint Full Disk Encryption for Mac, version 3.1.0 build 171. The software is just over a month old and looking at the release notes has a few interesting features like Single Sign On and User Account Acquisition. With SSO, a user only has to log in once to get into their machine, and they don't have to use the workaround that I was using (OS X account auto-login). User Account Acquisition makes it easy to add user accounts to the Pre-Boot Environment without having to manually create an account on each workstation. The user logs in once as normal, and their credentials are sucked into the Pre-Boot Environment. From then on the user can use those credentials in the Pre-Boot Environment. Unfortunately, the whole thing didn't go as smoothly as I would have liked. Here is the harrowing tale of my installation nightmare from last night.

I downloaded the software from Checkpoint User center. I opened up the DMG and ran the .pkg file inside. I went through the usual stuff about license agreements and an overview of the installation process.

After agreeing to the license agreement, I was asked to select the drive that I want to install this on. I only have one drive on my macbook, so it was an easy choice. Once I selected the drive, I clicked continue and the installation began. Software was installed and then I was asked to provide my license file.

Next comes the familiar process of creating two user accounts. These screens will seem familiar if you've installed Pointsec on a Windows machine. If not, then just know that you need to create two administrator accounts. This time around I didn't create an account corresponding to my OS X username because I want to try out the user acquisition feature.

One thing that is unique about installing FDE on a Mac is that it asks you if you want to encrypt your entire disk or if you want to select volumes for encryption. This differs from the Windows side where Pointsec automatically selects all of your partitions for encryption and then asks you if you want to change that setup. I selected Encrypt entire hard disk, and chose AES for my encryption algorithm. At this time it looks like AES is the only encryption option. However they must be planning to change that at some point otherwise they wouldn't have a screen asking me which algorithm I want to use.

Finally I was asked to provide a path for the recovery file. I gave it a path and clicked finish. A very quick installation later, I was able to reboot the computer. That is when things got a little weird for me.

After the reboot I authenticated in the Pre-Boot Environment with one of the admin accounts I created. The computer appeared to boot as normal. Something had changed though because I was brought to the login screen. My computer had been set up to auto-login with my account. It was my way of getting a single sign on environment with the previous version of FDE. Oh well, FDE must have set it back for security reasons. So I logged in and nothing happened. I sat and looked at a blue screen for about 10 minutes. Finally I had to power down the machine to reboot it. This went on for several tries. I was really worried that I was going to have to reload my machine from scratch. In a last ditch effort, I booted into single user mode and followed the directions to mount the root file system. I was looking for an application extension bundle, but I wasn't able to find anything. I rebooted the computer. After logging in at the Pre-Boot Environment and logging in at the OS X log in screen, I got my desktop. OK, cool. I'm not sure why that happened because the only thing I did in single user mode was run fsck and then mount the root file system. Either way, I'm back looking at my desktop. OK fine, I'm going into the Management Console to poke around.

It doesn't look much different from the previous version, except that there is a new folder for User Account Acquisition. The weird thing I'm noticing is that I can't seem to change any of the settings. I can't make adjustments to the password policy and I can't turn on User Account Acquisition. So I called up support to ask them about it. While I was on hold, I kept poking around and it looks like you need to create another group before you can turn on User Account Acquisition. That makes sense to me because you don't want to automatically create users in the System group. So I created a group called users and made changes to the password settings there. Once that group was created, I went back and I was able to turn on User Account Acquisition. I also made sure to enable Single Sign on for the Users group. Alas, when I clicked OK to save the changes I was told that I need to set an acquisition group. Hmmm. I tried renaming my Users group to Acquisition, but that didn't do it for me. Then I noticed that User Account Acquisition has a subfolder called Select Group. I went in there and found options for selecting the group where my Users will be created. However, I wasn't able to select my users group. I suspected that maybe because I hadn't saved my changes yet, that group wasn't available to me. So I turned off User Account Acquisition and clicked OK to save my changes. I exited the Management console and went back in. Now I was able to select my Users group for Acquisition. Around this time the support person came back on the line and I told her what happened. She said that I should have been able to change settings right away and that adding a user group shouldn't have made a difference.

Once I had set up User Account Acquisition, I rebooted the computer. As expected, I was not asked to authenticate in the Pre-Boot Environment and was instead taken to the OS X login screen. I selected my account and logged in. Then I rebooted again. This time I was taken the Pre-Boot Authentication screen and I was able to log in with my OS X credentials. Sweet.

Unfortunately I was back in the blue screen of forever hell. I was able to get into my desktop by booting into safe mode though. After booting into safe mode I rebooted again into regular mode. Is this sounding ridiculous yet? But now, finally, I am able to achieve single sign on and have a reasonable boot time.

I'll be honest with you, I need to do some more testing. I'd like to know if the problems I witnessed were specific to my machine or if this would happen on any computer. I can't imagine that Checkpoint saw problems like this during Quality Assurance testing and still released the product. On the other hand, I haven't done anything unusual with my machine (no Boot Camp or FileVault stuff) and it is only about 9 months old. So if I had these problems I would worry that another use would have the same problems. And I am not about to put my users through this level of hell to get their disk encrypted.

Update: After the encryption process was complete, I rebooted my machine and found myself dealing with the blue screen of forever again. I was able to boot into safe mode again though. A reboot after safe mode worked properly. Then I did a full shutdown. The machine worked properly when it was powered back on too. So it seems that when the encrypting process changes state I have to go through the safe boot hoops, but once it stabalizes I don't need to worry about it.

No comments: