Sophos SafeGuard Disk Encryption 5.50.1 for Mac Release Notes
Supported Hardware and Configurations
Hardware (Intel-based only)
MacBook Pro
MacBook Air
Mac mini
Mac Pro
EFI32 (firmware)
EFI64 (firmware)
With the following terminal command, the EFI firmware can be verified:
"ioreg -l -p IODeviceTree | grep firmware-abi"
The return value should be "firmware-abi" = <"EFI64" > or "firmware-abi" = <"EFI32" >.
Operating system
10.5 (Leopard) recent patch level, 32bit kernel, 32bit/64bit user mode
10.6 (Snow Leopard) recent patch level, 32bit/64bit kernel, 32bit/64bit user mode
Updates from 5.50 to 5.50.1 are supported without decrypting the hard drive.
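A pre-install check assembled from the support list above, as an added example (not Sophos code). The function names and the `--live` switch are made up for this sketch; `ioreg`, `sw_vers`, `uname` and `diskutil` are the standard OS X tools, and the partition count is an approximation taken from the numbered rows of `diskutil list`.

```shell
#!/bin/sh
# Pre-install check built from the support matrix in these release notes.
# Hypothetical helper names; not part of the product.

# Extract EFI32/EFI64 from `ioreg -l -p IODeviceTree` output read on stdin.
firmware_abi() {
    sed -n 's/.*"firmware-abi" = <"\(EFI[0-9]*\)".*/\1/p' | head -n 1
}

# check_support ABI OS_VERSION CPU_ARCH PARTITION_COUNT
# Prints "supported" or the first reason the machine is out of scope.
check_support() {
    abi=$1 os=$2 cpu=$3 parts=$4
    case $cpu in
        i386|x86_64) ;;   # Intel Macs; PowerPC reports "Power Macintosh"
        *) echo "unsupported: not Intel-based ($cpu)"; return 1 ;;
    esac
    case $abi in
        EFI32|EFI64) ;;
        *) echo "unsupported: firmware-abi '$abi'"; return 1 ;;
    esac
    case $os in
        10.5|10.5.*|10.6|10.6.*) ;;
        *) echo "unsupported: OS X $os"; return 1 ;;
    esac
    if [ "$parts" -gt 50 ]; then
        echo "unsupported: $parts partitions (limit 50)"; return 1
    fi
    echo "supported"
}

# Run against the local machine only when asked to: sh precheck.sh --live
if [ "${1:-}" = "--live" ]; then
    live_abi=$(ioreg -l -p IODeviceTree | firmware_abi)
    live_os=$(sw_vers -productVersion)
    live_cpu=$(uname -m)
    # Rows numbered 1 and up in `diskutil list` are partitions (all disks).
    live_parts=$(diskutil list | grep -c '^ *[1-9][0-9]*:')
    check_support "$live_abi" "$live_os" "$live_cpu" "$live_parts"
fi
```
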
Bootcamp Support
A machine must be set up with a Bootcamp partition before Sophos SafeGuard Disk Encryption is installed. Setting up or removing Bootcamp after installing Sophos SafeGuard Disk Encryption is not supported. Note that changing or resizing the partition layout after installing SafeGuard is not supported either.
If the default operating system is changed from OS X to Windows, it cannot be set back to OS X with either the Windows Bootcamp Control Panel or the OS X Startup Disk Utility. This has to be done using the functionality provided by Sophos SafeGuard Disk Encryption.
You can set the default boot system to OS X in the following ways:
1. via user interface:
Open SafeGuard Disk Management.
Open the Edit menu and select Boot this operating system by default. It is required to authenticate as an OS X Administrator.
2. via Terminal
Open a Terminal and enter “sudo sgadmin --set-boot”. Note that OS X Administrator authentication is required.
Unsupported hardware, configurations and operations
PowerPC based hardware
Operating system
10.4 and prior
Bootcamp + SafeGuard Enterprise/SafeGuard Easy for Windows
SafeGuard Enterprise for Windows does not support Apple hardware and cannot be installed in a Bootcamp/Windows environment. This restriction is valid until explicitly stated otherwise in the SafeGuard Enterprise for Windows documentation.
The following LIMITATIONS apply to the product:
Sophos SafeGuard Disk Encryption for Mac does not support multi-boot systems, that is, multiple installations of OS X on the same Mac.
Do not install the software on systems with more than 50 partitions.
We recommend not to encrypt more than five partitions simultaneously.
Keyboard: The keyboard translation code only deals with normal keys and keys with a shift modifier. Non-numeric keypad keys cannot be guaranteed to give the same character sequence when the keyboard is changed from one layout to another, so only use "0-9" from that block. This is due to EFI only returning a US ANSII character equivalent and no modifier keys. During translation, the normal keyboard key takes precedence over the numeric keypad key. This affects the non-numeric keys on the numeric keypad, that is, the '=', '/', '*', '-', '+' keys. These keys may translate into a different character depending on the keyboard layout. For example, on a German keyboard the numeric keypad '*' key will translate into the keyboard '(' character. The code has been developed and tested with the following keyboards: US, French, German. There is no guarantee that other keyboards work.
Partitioning: After Sophos SafeGuard Disk Encryption for Mac has been installed it is not possible/supported to change the partitioning layout. This means it is not allowed to change anything with "gpt" or "diskutil". If someone repartitions the machine, this machine will be lost and will need to be reinstalled.
Formatting: Formatting of encrypted partitions is not supported. If you want to remove all data, we recommend that you delete the files or decrypt the partition, format it and encrypt it again. Note that only HFS+ partitions are supported for encryption.
Target Disk Mode: The usage of Target Disk Mode is not supported if both the local machine and the target disk are encrypted. It is supported if the local machine is not encrypted and the target disk is, or if the local machine is encrypted and the target disk is not.
diskutil from a system started via network boot: Do not use diskutil from a system started via network boot while local partitions are encrypted. In this case diskutil does not recognize the encrypted partitions and wants to initialize them. Doing so results in data loss.
Erasing partitions: Erasing a partition while an initial encryption or a final decryption operation is performed is not supported. Also, erasing encrypted partitions is not supported. Partitions have to be decrypted first and can then be encrypted again.
Unmounted partitions and encryption/decryption: Starting initial encryption or final decryption for partitions that are not mounted is not supported. Unmounting a partition while it is encrypting or decrypting is also not supported. Doing so may result in data loss.
OS upgrades (like from 10.5 to 10.6) are not supported: It is necessary to decrypt the partitions of your Mac first and then to uninstall Sophos SafeGuard Disk Encryption for Mac. Afterwards, you can upgrade the operating system, install the product and encrypt the partitions again.
Deep Sleep: When Sophos SafeGuard Disk Encryption for Mac is installed the hibernation feature "Deep Sleep" is not supported and is disabled. Some applications do not auto-save their data when the sleep mode is activated. In case the sleep mode is used for an extended period while not being connected to power and such an application is open with unsaved data, data might be lost.
To upgrade from a Beta3 installation: the user account that initiates the upgrade must either be in the Administrator group or the following command must be executed prior to the installation: sudo chmod a+r /.com.sophos.
Bad sectors: We recommend not to install the product if there are bad sectors on your hard disk. Initial encryption does not stop when bad sectors are encountered, but a log entry is created in the kernel log.
Initial encryption/final decryption on data partitions: Before you begin to encrypt a data partition ensure that all files on this partition are closed. Make sure that all files on the data partition to be decrypted are closed while decryption is performed.
Installing Sophos SafeGuard Disk Encryption for Mac
Click Continue. Follow the steps.
Sophos SafeGuard Disk Encryption for Mac places an icon on the right-hand side of the menu bar. Clicking the icon gives you access to the Sophos SafeGuard Disk Encryption user and disk management functions.
Uninstalling Sophos SafeGuard Disk Encryption for Mac
To uninstall Sophos SafeGuard Disk Encryption for Mac, use the uninstaller package Sophos SafeGuard Uninstaller.pkg in /Library/Sophos SafeGuard. You need to decrypt the hard drive first.
Configuring Sophos SafeGuard Disk Encryption
After the installation of the software you have to add SafeGuard users and specify which volumes of your Mac are to be encrypted.
Creating the first Sophos SafeGuard Disk Encryption Admin user
There must always be one Admin user. The first user created must be an Admin user. This is enforced by the user management and is the prerequisite for all administration tasks. When users are deleted it is not possible to delete the last Admin user, if more than one has been created.
Enter the password in the Password and Confirm Password field. Sophos SafeGuard Disk Encryption accepts only passwords with eight or more characters. Checking the Show Password option makes the entered password visible.
Now you can proceed with creating other users.
Encrypting a partition
Sophos SafeGuard Disk Encryption lets you encrypt the hard disk or partitions of your Mac. Every disk management task (encrypt/decrypt/pause/resume) requires an authentication as a SafeGuard Admin.
Choose Partitions in the management pane. All partitions available are displayed.
Click Encrypt right beside the partition you want to encrypt.
Encryption of the selected partitions starts immediately. To enhance encryption speed, check the Fast Mode option in the lower left corner of the Disk management pane.
Encryption/decryption can be paused by clicking the Pause button on the right end of the progress bar. To resume encryption, click the Resume button, which is displayed when the encryption has been paused. For both actions, you must authenticate as a SafeGuard Admin.
Paused encryption/decryption tasks are resumed automatically after you restart your Mac.
For a detailed description see the Sophos SafeGuard Disk Encryption User help manual.
Time Machine backups
The following components of Sophos SafeGuard Disk Encryption should be excluded from Time Machine Backups:
/Library/Sophos SafeGuard
Technical support
You can find technical support for Sophos products in any of these ways:
Visit the SophosTalk forum at and search for other users who are experiencing the same problem.
Visit the Sophos support knowledgebase at
Download the product documentation at
Send an email to, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
Copyright © 2010 - 2011 Sophos Group. All rights reserved. SafeGuard is a registered trademark of Sophos Group.
All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.
Disclaimer and Copyright for 3rd Party Software
Portions of this software are copyright © 2010 The FreeType Project. All rights reserved.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
Gladman AES
Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
The free distribution and use of this software is allowed (with or without changes) provided that:
This software is provided 'as is' with no explicit or implied warranties in respect of its properties, including, but not limited to, correctness and/or fitness for purpose.