Configuring Sophos SafeGuard Enterprise Disk Encryption

Sophos® SafeGuard® Enterprise disk encryption is supported on Microsoft® Windows endpoint computers with an Imprivata single-user computer or Imprivata shared kiosk workstation agent.

Supported Sophos SafeGuard Enterprise Configurations

Imprivata OneSign desktop authentication support for Sophos SafeGuard Enterprise disk encryption is based on the operating system of the Windows endpoint computers. See the Imprivata OneSign Supported Components matrix to verify that Imprivata OneSign supports your Sophos version.

Endpoint Computers
  • Microsoft BitLocker® with pre-boot authentication (PBA) managed by SafeGuard is supported on Windows endpoint computers:
    • By default, BitLocker authenticates users before loading the operating system. Users are required to enter a password manually to authenticate. See Windows Desktop Authentication WorkflowsWindows Desktop Authentication Workflows.
    • Streamlining the authentication workflow requires additional BitLocker and Sophos configuration to use one of the following:
      • Trusted Platform Module (TPM) compatible hardware.
      • TPM compatible hardware and a startup key.
      • A startup key that is stored on a USB removable device only.
    • BitLocker uses the startup key stored on the TPM, USB device, or both to authenticate the user. When you configure the environment to use one of these options, there is no user interaction with BitLocker.

    After the Windows desktop opens, Sophos SafeGuard Enterprise disk encryption does not affect the Imprivata OneSign login/logout workflow or the desktop lock/unlock functionality.

    NOTE: For more information about BitLocker, see the Microsoft documentation.

    Streamlining the Authentication Workflow

    Requirements

    To streamline the desktop authentication workflow:

    • Make sure that you have access to the SafeGuard Management Center.
    • Use Microsoft Server Manager to add the Group Policy Management Console (GPMC).

    NOTE: For more information about installing the GPMC, see the Microsoft documentation.

    Configuring BitLocker and Sophos to Streamline Windows Desktop Authentication

    By default, BitLocker prompts users to enter a password before starting the operating system on Windows endpoint computers. The following steps detail how to configure the environment to automatically use a BitLocker startup key, which streamlines the desktop authentication workflow.

    This process includes the following steps:

    To create the Sophos authentication policy:

    1. From the SafeGuard Enterprise (SGN) Server, log into the SafeGuard Management Center.
    2. Open the Policies directory.
    3. Right–click Policy Items and click New > Authentication.
    4. Enter a policy name and click OK.
    5. Select the new authentication policy on the Policy Items list.
    6. On the Authentication tab, go to the BitLocker Options section.
    7. Select an authentication option for the BitLocker Logon mode:
      • If the endpoint computers do not have TPM compatible hardware, select USB Memory Stick.
      • If the endpoint computers have Trusted Platform Module (TPM) compatible hardware, select one of the following:
        • TPM
        • TPM + Startup Key
    8. Save the authentication policy.

    NOTE: Although you can select TPM + PIN, users are prompted for a BitLocker PIN in addition to the BitLocker startup key, which is stored on the TPM hardware. This option provides an additional security layer, but requires user intervention.

    To assign the authentication policy:

    1. In the SafeGuard Management Center, open the Users and Computers directory.
    2. Select the Active Directory group that represents the computers to which the authentication policy applies.
    3. Click Policies.
    4. Drag-and-drop the authentication policy from Available Policies to Policies.
    6. Right-click the authentication policy and click Save.

    The policy takes affect the next time the SGN Client queries the SGN Server for policy changes.

    To create the Group Policy Object (GPO) for BitLocker:

    1. From the Windows Server, open the Group Policy Management Console.
    2. Locate the domain that includes the Windows endpoint computers and do one of the following:
      • Right-click the domain and click Create a GPO in this domain and Link it here.
      • Right-click an existing GOP and click Edit.
    3. In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    4. Right-click Require additional authentication at startup and click Edit.
    5. In the Require additional authentication at startup window, select Enabled.
    6. Do one of the following:
      • If the enterprise includes Windows endpoint computers without TPM compatible hardware, select Allow BitLocker without a compatible TPM.
      • If the enterprise includes Windows endpoint computers with TPM compatible hardware, configure Settings for computers with TPM as required by the Sophos authentication policy. For example, if you configured the Sophos authentication policy for TPM + Startup Key, open Configure TPM start up key and select Require start up key with TPM. For more information about the TPM options, see the help that is available in the Require additional authentication at startup window.

      The GPO takes affect during the next Group Policy refresh interval.

    Windows Desktop Authentication Workflows

    By default, BitLocker requires users to enter a password before loading the operating system.

    NOTE: The following workflows apply to a Sophos deployment that is synchronized with the same user directory domain controller as the appliance.

    Endpoint Computers

    The user logs into a Windows endpoint computer three times:

    1. The Windows endpoint computer starts.
    2. The user enters the BitLocker password.
    3. BitLocker authenticates the user. The locked Windows desktop opens with the Imprivata Login to Windows dialog.
    4. The user logs into Imprivata OneSign with a user name and password, proximity card, fingerprint, or ID token. The Windows desktop opens with the Sophos SafeGuard Logon dialog.
    5. The user enters the Sophos credentials and clicks OK. The Sophos SafeGuard successful logon dialog opens.
    6. The user clicks OK.
    7. The Windows desktop opens.

    After the desktop opens, Imprivata OneSign continues to manage the desktop lock and unlock functionality.

    Endpoint Computers

    The user logs into a Windows endpoint computer three times:

    1. The Windows endpoint computer starts.
    2. The user enters the BitLocker password.
    3. BitLocker authenticates the user and the locked Windows desktop opens.
    4. The user unlocks the desktop and enters the Windows domain credentials.
    5. The user logs into Imprivata OneSign with a user name and password, proximity card, fingerprint, or ID token.
    6. The Windows desktop opens.

    After the desktop opens, Imprivata OneSign continues to manage the desktop lock and unlock functionality.