Endpoint Security Full Disk Encryption for Mac 3.1 Release Notes

Revised: February 6, 2009

This Release Notes document provides essential operating requirements and describes known issues for Endpoint Security Full Disk Encryption for Mac 3.1. Review this information before installing this product.

Note - Before you begin installation, read the latest available version of the release notes. There may be an updated version of this document and of the other documents you received with your copy of Full Disk Encryption. You can access the latest version at: www.checkpoint.com/support

In This Document

- About This Document
- About Full Disk Encryption
- New in This Release
- Fixed in This Release
- System Requirements
- Hardware and Software Limitations
- About File Systems/Volumes
- Account Requirements
- Languages Supported in Full Disk Encryption
- Profiles From Other Check Point Products
- Important: Do Not Modify the .pkg file
- General Recommendations
- Known Issues in this Release
- FYI
- Documentation Feedback

About This Document

This document contains information about Endpoint Security Full Disk Encryption for Mac version 3.1, such as system requirements and limitations in this release, and what problems have been fixed since the previous release.

Endpoint Security Full Disk Encryption for Mac 3.1 release is also referred to as Full Disk Encryption 3.1, Full Disk Encryption, or FDE throughout this document.

In this document, the abbreviation N/A means Not Applicable. HFA stands for Hotfix Accumulator.

Copyright 2009 Pointsec Mobile Technologies AB, a Check Point Software Technologies company. All rights reserved.
About Full Disk Encryption

Full Disk Encryption secures desktop and laptop computers from unauthorized physical access by providing both boot protection and full disk encryption.

New in This Release

In this release, the following has been added or changed:

- User Account Acquisition: This method allows Full Disk Encryption user accounts to be created from existing Mac user accounts. This method is completely transparent to the user, who continues to use the same user credentials. When user account acquisition and single sign-on are used together, passwords can be managed centrally, and users log on one time with one password to gain access to the Mac, Full Disk Encryption, and network resources.
- Single Sign-On/Password Synchronization: When single sign-on (SSO) is enabled for a Full Disk Encryption user account, the user must authenticate only during preboot. The user is then logged in automatically to the Mac OS X. Single sign-on ensures that the Full Disk Encryption password is always synchronized to the Mac password.
- Endpoint Security WebRH support: If you have Endpoint Security webrh, a separate Check Point product, you can provide users with Remote Help using webrh instead of the Full Disk Encryption Management Console.
- External Status Indication Command Line Utility: This command line utility allows you to retrieve encryption status from each mounted volume.
- Customized Graphics in Preboot: You can change the banner and background images displayed in preboot and the preboot screen saver image to, for example, your company's logo.
Fixed in This Release

The following issues have been fixed and verified:

Table 1 Fixed in This Release

455383 (665): Reuse of update profile caused temporary user's username and password to be reset
    If you used a previously used update profile to change a temporary user's account, the username and password for that user reverted to their original values, that is, the values they had before the temporary user was prompted to change them when he first logged on. This has been fixed in this release.

455362: Recovery media format was incorrect in the Administrator's Guide
    The required format for recovery media was documented as HFS in the Endpoint Security Full Disk Encryption for Mac Administrator's Guide. The correct format is HFS+. This has been fixed in this release.

455353: Japanese keyboard could not be enabled in pre-boot when using Japanese locale in OSX 10.5.x
    When using the Japanese language locale in Leopard (10.5.x), the enabled keyboard layouts were not detected correctly. For this reason, when using the Japanese locale, only the English language layouts were available in preboot. This has been fixed in this release.

455301: User account name case sensitivity
    User account names were not case sensitive. This has been fixed in this release.

455234: Duplicate group names on a single client
    A client accepted an update profile containing a group name that already existed on the client. This has been fixed in this release.

Endpoint Security Full Disk Encryption for Mac 3.1 Release Notes. Last Update February 6, 2009
Table 1 Fixed in This Release (continued)

455220, 454075: Problems with System Passwords Policies Allow Embedded Space Characters and Allow Leading or Trailing Characters
    If you set the System Passwords Policies Allow Embedded Space Characters and Allow Leading or Trailing Characters to Yes, these settings were shown as set to No in the Password Rules in the user account wizard. In addition, embedded spaces could not be used in Full Disk Encryption password fields and during password changes in preboot, regardless if Allow Embedded Space Characters was set to Yes. These problems have been fixed in this release.

455196: Keyboard layout input locales were removed in preboot when removed in the OS X
    Keyboard layouts did not remain in preboot when removed in the OS X, which could result in the user not being able to log on in preboot because the necessary characters no longer existed. This has been fixed in this release.

System Requirements

This section describes operating system, memory, and disk space requirements and limitations, as well as other system software that is required.

Operating System, Memory, and Disk Space

Table 2 Operating System, Memory, and Disk Space

Operating system: Mac OS 10.4.5-10.4.11, 10.5.x
Memory: At least 512 MB RAM
Disk Space: 50 MB inside file system, where Full Disk Encryption is installed.
    Note: The disk encryption process does not require extra space on the hard disk.
    A file share for central management repository (used for central storage of profiles and recovery files) is required.
    A new partition (32 MB) is created automatically in an existing area specified by Apple for preboot purposes.

Third-Party Software Requirements

In order to install Full Disk Encryption, you must have Java Runtime Environment 1.5 or later installed on target Macs.

Hardware and Software Limitations

This section describes hardware and software limitations.

Hardware Limitations

- Full Disk Encryption works only with Intel-based Macintosh computers.
- The following Macs are not supported:
    - PowerPC-based Macs
    - iMac (first revision)
    - Mac Mini hardware
- Encryption of F/W or USB disk devices is not supported. Only internal disks can be encrypted.
- Encryption of new disks added to the system after the initial Full Disk Encryption installation is not supported. You must uninstall and then reinstall Full Disk Encryption.

Software Limitations

- Apple RAID driver has not been tested and is not supported.
- Boot Camp Assistant cannot be used to install Boot Camp multi-boot functionality AFTER Full Disk Encryption has been installed, however, using Boot Camp Assistant to enable multi-boot BEFORE installing Full Disk Encryption may work. This is, however, currently not supported.
- Hibernation is blocked. That is, Full Disk Encryption does not support safe sleep. This means that when Full Disk Encryption is installed, only normal sleep mode is active. This may cause loss of data if the battery is empty or removed.
- Imaging: You cannot generate an anonymous image with Full Disk Encryption pre-installed.

About File Systems/Volumes

Partitioning the Disk

To install Full Disk Encryption, the disk must be partitioned using the GUID Partition Table (GPT) scheme. Use the Disk Utility tool to see which partition scheme is used on a disk.

Maximum Number of Volumes Protected

You can select a maximum of thirty-two volumes to be protected by Full Disk Encryption.

Resizing Partitions

Never use any disk partition editing software with Full Disk Encryption installed on the workstation. If you need to resize a partition, remove Full Disk Encryption completely first and then resize the partition.

Disk Utilities

Do not use disk utilities to change file systems or resize any volumes on the hard disk if Full Disk Encryption is installed. Doing so may lead to an unusable system.

Required Format for Recovery Disk

Disks to be used as recovery media must be HFS+ formatted. Use the disk utility to reformat non-HFS formatted disks.
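The requirements stated under System Requirements, Hardware Limitations and Partitioning the Disk can be checked on each target Mac before deployment. The script below is an added example, not part of the release notes or the product; the function names, the use of /dev/disk0 as the boot disk and the way live values are gathered are assumptions.

```shell
#!/bin/sh
# Added example: pre-install checks built from the requirements in this section.
# Function names are hypothetical; thresholds are the ones stated in the notes.
# The unsupported-model list (first-revision iMac, Mac Mini) is not checked here.

os_supported() {            # Mac OS 10.4.5-10.4.11 or 10.5.x
    case "$1" in
        10.5|10.5.*) return 0 ;;
        10.4.*) patch=${1#10.4.} ;;
        *) return 1 ;;
    esac
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -ge 5 ] && [ "$patch" -le 11 ]
}

arch_supported() {          # Intel-based Macs only (uname -m value)
    case "$1" in i386|x86_64) return 0 ;; *) return 1 ;; esac
}

ram_ok() {                  # at least 512 MB, argument in bytes
    [ "$1" -ge 536870912 ] 2>/dev/null
}

java_ok() {                 # Java Runtime Environment 1.5 or later
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%[!0-9]*}
    case "$maj" in ''|*[!0-9]*) return 1 ;; esac
    [ "$maj" -gt 1 ] || { [ "$maj" -eq 1 ] && [ "${min:-0}" -ge 5 ]; }
}

scheme_ok() {               # disk must use the GUID Partition Table scheme
    case "$1" in *GUID_partition_scheme*) return 0 ;; *) return 1 ;; esac
}

# Prints the names of failed checks; returns 0 only when all pass.
fde_preflight() {           # args: os arch ram_bytes java_version diskutil_output
    fails=""
    os_supported "$1"   || fails="$fails os"
    arch_supported "$2" || fails="$fails arch"
    ram_ok "$3"         || fails="$fails ram"
    java_ok "$4"        || fails="$fails java"
    scheme_ok "$5"      || fails="$fails partition-scheme"
    echo "${fails# }"
    [ -z "$fails" ]
}

# On a target Mac (assumes the boot disk is /dev/disk0):
# fde_preflight "$(sw_vers -productVersion)" "$(uname -m)" "$(sysctl -n hw.memsize)" \
#   "$(java -version 2>&1 | sed -n 's/.*version "\(.*\)".*/\1/p')" "$(diskutil list /dev/disk0)"
```
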
Account Requirements

User Account requirements for Installation and Uninstallation

In order to install or uninstall Full Disk Encryption, the user account executing the action must be authorized to perform certain steps of the installation, hence you will be prompted for your password during installation. In cases in which a separate administrator account has been created, you will be asked for the password for that account.

Languages Supported in Full Disk Encryption

Full Disk Encryption supports English in the preboot environment, in the Full Disk Encryption Management Console, and in the menu bar application.

Profiles From Other Check Point Products

Profiles from other Check Point products, such as Pointsec PC, are not compatible with Endpoint Security Full Disk Encryption for Mac. Therefore, do not attempt to use such profiles with this product.

Important: Do Not Modify the .pkg file

Do not modify the Full Disk Encryption Install.pkg file in any way. Modification of this file invalidates the supportability of the product.

General Recommendations

To avoid problems during installation/uninstallation, we strongly recommend that you ensure that:

- The system is connected to a power source. Do not attempt installation/uninstallation on battery power.
- You do not force a power-off during the installation/uninstallation process.
- You back up all data before installing Full Disk Encryption.
- The whole hard disk is error-free before installing Full Disk Encryption. If a read error occurs on the disk because of faulty hardware during installation/uninstallation, the encryption process is stopped and the user is notified to uninstall and check the disk.
- You do not attempt to uninstall Full Disk Encryption during the encryption process when more than one volume is present. This action is not supported and causes data loss. (ID 454994)

Compatibility Between Releases

Full Disk Encryption Profiles

Profiles created in versions of Full Disk Encryption prior to 3.1 cannot be used in Full Disk Encryption 3.1 and later. These profiles must be recreated in 3.1 or later when upgrading from a version prior to 3.1.
Remote Help

When in the process of upgrading Macs to Full Disk Encryption 3.1 or later, you must retain one installation of Full Disk Encryption at the currently installed version to be able to perform Remote Help. You can then upgrade this Mac after all other Macs in the system are upgraded.

When upgrading to 3.1 or later from an earlier version, you must apply an update profile to the clients; this update profile should contain all the users that will be able to provide Remote Help. This update profile can be created, for example, by creating it based on the local settings of an upgraded machine on which these users are present. Enter credentials for the users (the credentials can be the same password or a new one). Then publish this profile so that client machines can apply it after they have been upgraded.

Known Issues in this Release

The following are known issues in this release:

Table 3 Known Issues in this release

455632: 20-character challenges in Remote Help are not supported in Full Disk Encryption for Mac.
    The 20-character challenge in Remote Help, which can be used in Full Disk Encryption for Windows, has not yet been implemented in Full Disk Encryption for Mac.

455521: Changing password setting Enable Case Sensitivity to Yes requires users to log on using the exact case as the first login.
    Consider the following scenario: The password setting Enable Case Sensitivity is set to NO and the user logs on several times using a different case or combination of cases. The administrator then changes the setting to Yes. The user must now log on using the exact case sensitivity he or she used during the first login.

455520: Shared folders must be removed manually after uninstalling Full Disk Encryption.
    Shared.ppc folders, (that is, Set, Update, Storage, and Install folders) must be removed manually after uninstalling Full Disk Encryption.

455305: No central log for Full Disk Encryption
    There is no central log for Full Disk Encryption. The normal system log collects Full Disk Encryption events.

455232: Recovery cannot be performed if first reboot is not completed.
    If a recovery process is started before the first reboot during installation of Full Disk Encryption, the recovery process fails, and it is not possible to recover the Mac using the recovery file.

455214: Recovery reported incorrectly as finished.
    If a recovery USB device is created from a recovery file on a file share where the Mac root user does not have read rights, the following occurs: When the recovery stick is booted, the Mac receives a black screen, and a crash log is generated. An erroneous message appears that says the recovery is finished.

455186: Installation problems when not connected to the recovery share.
    If there is no connection to the recovery share when performing the installation, the installation will fail without a clear error report. This makes an offline installation impossible (that is, installation cannot be initiated without access to the file share where recovery files are stored).

454994: Data loss when uninstalling Full Disk Encryption during encryption process when multiple volumes are present.
    Full Disk Encryption does not support uninstallation during the encryption process when more than one volume is present. This action causes data loss.

454853: Remote help with dynamic token does not work.
    A user providing Remote Help cannot authenticate with a dynamic token. The error message Error 13 Incorrect password/response/challenge displays.
FYI

This section contains information that may be valuable in certain situations.

Table 4 FYI

461: The mouse is not functional in the login screen.
    On some MacBook Pros of latest make, keyboard and mouse input is jumpy (that is, the machine pauses at regular intervals, causing input to pause). This behavior is also evident when the Apple Hardware Test application is used. This problem has been reported to Apple (Apple ID number: 5659846).

Documentation Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: techpub_swe@checkpoint.com