Has anyone used PGP WDE (Symantec Drive Encryption) on Mavericks?

Created: 05 Oct 2013 | 52 comments

If I buy a new Macintosh now, it will come with OS X 10.8 Mountain Lion, which PGP WDE supports. If I wait a couple weeks, it will probably come with Mavericks. Does anyone know about Mavericks compatibility?

Gratefully,

Dan

nhelder's picture

I would also like to know whether/when Symantec Whole Disk Encryption is/will be supported on Mac OS 10.9.

Thanks,

   - Nathan

Mike Ankeny's picture

http://www.symantec.com/docs/TECH174563  details the supported platforms for Symantec Encryption Desktop.  OS X 10.8.5 has recently passed QA for the newest Symantec release, version 10.3.1.

We do not currently have a set timetable for Mavericks support as we do not release tentative schedules for support of new platforms or expected releases.   You can subscribe to the article above, and you will be notified via email when changes are made to the article.

norkimo's picture

Has anyone tried to test the current software on Mavericks yet?

We have ordered several new notebooks and they will be shipping with 10.9 from the factory.  Depending on the hardware configuration we may not be able to downgrade to 10.8.5 successfully.

The real question is when true 10.9 support is coming, and whether or not it will be as hilariously delayed as it was for Windows 8 support.

My guess is that Symantec won't disappoint us in seizing an opportunity to embarrass itself.

gt250mph's picture

DO NOT install PGP encryption on a device that has OS X Mavericks unless you wish to corrupt a hard drive. I've tried decrypting with PGP 10.3, then installing Mavericks; it corrupts the OS. I've tried installing Mavericks then installing PGP; it corrupts the OS. If you are working on a Mac that was encrypted, or you plan to encrypt with PGP, I suggest you leave Mavericks alone until Symantec answers the cries of distress from end-users.

norkimo's picture

Thanks for the anecdotal report!

Unfortunately, I worry that new hardware changes in the new notebooks will preclude us from downgrading to 10.8.5, which would in turn preclude us from using PGP.

Again.

I'm beginning to realize that ever since we purchased PGP we've been in a perpetual state of "waiting" while Symantec pretends to catch up to everyone else so we can use them.  In the time that we've had our licences, we've spent more time waiting for the products to be updated so they would be compatible than we have actually using the products.

Shameful, Symantec. Shameful.

Oh, and hey Symantec employees!  Those of you who continue drinking the yellow kool-aid and parrot Symantec's justification for why products take so long to get updated (e.g. "quality testing", "vendor's fault, not ours") should be ashamed as well.  It's one thing to be part of a broken system and still strive for change, but it's quite another to just believe the lies and repeat them to others.

Everyone else manages to get their "quality" testing done on a timely basis.  How come Symantec gets to be the exception?

gt250mph's picture

I completely agree. As a result, our organization is taking a second look at File Vault.

norkimo's picture

On the Windows side we already transitioned to TrueCrypt a loooong time ago.  In our testing it was faster and more reliable than Symantec WDE both in installation and in usage.  Plus it's 100% free and the peer community supports it better than Symantec supports its paying customers.

If TrueCrypt ever starts supporting WDE on the Mac side Symantec is toasted as far as its disk encryption products go.

As it stands right now we're probably just going to end up permanently transitioning to File Vault and letting our Symantec licenses expire.  PGP Desktop is still slicker overall for Email encryption but the main reason we paid for it was to have "one software to rule them all" for our encryption.  If we're going to have to split up support into different software packages anyway we'll just transition to GPG options for email once PGP Desktop stops working for us past our license expiration.

Now cue a Symantec employee posting that:

A) They can't comment on future releases due to SEC trading rules blah blah blah... You know what? No other vendor has a problem talking about upcoming release dates or features in hardware or software.  How can they manage the SEC rules and you guys can't?

B) 10.9 Just came out and support is expected in Q2CY14 (Developer builds? What are those?).  Then Q2CY14 will come around and there will be some reason why it has to slip to Q3CY14. (More corporate restructuring, "quality testing", neutrinos, whatever).  If we're lucky, by the time OS XI comes out we'll get official support for 10.9, but don't expect it to be compatible with the latest point release available at the time!  Gotta give'em a quarter or three to catch up to those.

Do I sound bitter? Yeah, it's because I am.

We. Are. Not. Getting. Our. Money's. Worth.

None of us are.

ershler's picture

TrueCrypt already supports WDE on OS X from 10.4 to 10.8. The only problem is TrueCrypt will not support an OS X volume with a bootcamp partition.

norkimo's picture

As an aside, I'd like to note the following:

Symantec just TODAY updated the support article for OS X with the following warning:

***Mac OS X 10.9 - Mavericks ***  - Symantec Encryption Desktop is *NOT* compatible.  Attempting installation with Symantec Encryption Desktop could result in an unbootable system.  It is not necessary to encrypt the Mavericks system with Symantec Drive Encryption to run into this issue.  Simply installing the software could result in this state.

Are you freaking serious!? Simply *installing* the software can render the system unbootable and you're posting this information 5 days after GM seeds and 2 days after general availability?  This issue never cropped up on ANY OF THE OTHER BETAS!?

We're not talking about "oh, this and that doesn't work quite right" or "you can use email encryption but don't use FDE" level issues.  We're talking about catastrophic system failure from just even installing the software.

That's the kind of thing you tell people about BEFORE they get a chance to find out the hard way.

PGP_Ben's picture

Symantec Encryption Desktop 10.3.0 MP1 is due out in a month and it will have a fix for the unbootable system on OSX Mavericks. We plan for full OS X 10.9 Mavericks support with Symantec Encryption Desktop 10.3.2, which should be coming out in the mid-January to February 2014 timeframe.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

Dan I Elm's picture

Thank you all for your comments, and especially your warnings. I bought my computer just in time it seems - it came the day before the Mavericks announcement. My sympathy to those who were brave enough to try Mavericks and PGP WDE

ShockDoc's picture

It wasn't too bad, just SuperDupered back to preinstallation state. Then uninstalled PGP and tried again.

I never risk on anything that is duplicated backed up redundantly copied !!

Using FileVault on the Mavericks Disk while I work out what else is broken or no longer functional and needs fixing updating dumping.

I will use PGP when it's up again, use MountainLion disk when it's important to play with encrypted disks in the interim.

I don't have a corporate IT department to keep safe so can afford to mess about myself with new software OS's  :)

aramin's picture

Enough, Enough, Enough. I've had enough. Same thing with every update. It will take several weeks before Symantec finds a solution and we cannot get access to our documents.

As soon as I get access to my documents, I will abandon Symantec and I assure you that my company will do the same.

Shame on you.

isopepper's picture

Thanks to all who supplied information on this topic, Symantec and colleagues.

For the rest, when I can get WDRT & reporting functionality from TrueCrypt or FileVault2 (by which I mean seamless secure unlocking and reporting, no tinkertoy solutions) then I'll consider switching. If one doesn't need enterprise features, I have no idea why one would use SED for encryption. Ugly raging posts here only serve to make ppl want to turn away from supporting this platform; they might not be able to do so unilaterally, but every meeting they're in will generate 'is it worth it' discussions.

We basically tell our people who have information that must be encrypted - don't expect to be on the cutting edge:

  1. When a new O/S comes out, don't upgrade until we tell you.
  2. Don't buy a new machine that requires a new O/S, until we've told you that O/S is ok.

With the enterprise features of this software, it's easy enough to develop a list of people to email as new O/S come out.

evil-tom's picture

This is absolutely "spot on". You don't need to do an update immediately a new OS is released - and if my experience with un-authenticated LDAP users in 10.7 is anything to go by, I'd wait before storing any sensitive or confidential data on a brand new OS.

I found a good posting on the subject here on whether to upgrade or not from Oxford University's IT security team leader:

http://blogs.it.ox.ac.uk/oxcert/2013/10/29/cruelty...

Essentially you need to do the risk assessment for yourself.

I just hope we don't have to wait as long for Mavericks support as we did for Windows 8!

ershler's picture

As far as I am aware Symantec WDE is the only encryption system that works with an OS X system with bootcamp. Mavericks was under development for almost a year. It's inexcusable that Symantec can't keep up.

PGP_Ben's picture

We plan for full Mac OS X Mavericks support with our next release update which is coming out in first part of next year.  We will have some fixes in the 10.3.0 MP1 release which is upcoming next month. I am sorry for any trouble that this causes, but we did have some last minute fixes that we had to do in preparation for the final release of Mac OS X Mavericks and due to the holidays this is when we will have this release vehicle (10.3.2) available for our customers.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

echarlesmxp's picture

Over two months? Man, that's tough to hear. I know encryption isn't easy to implement but I'd thought we'd have a fix at least soon. Oh well, thanks for the update.

aonris's picture

What is the urgency? Best practice is to see how the new system works. Even manufacturers observe it. Don't upgrade for the sake of upgrading.

Regards,

Anthony_Betow's picture

Symantec Encryption Desktop 10.3.1 MP1 was released yesterday and is now compatible with Mac 10.9 OSX.  Here are the release notes.

http://www.symantec.com/business/support/index?page=content&id=DOC6698

Thank You

Anthony

Bill F's picture

Sorry, but for me at least, it is NOT compatible.  When the OS X installer attempts to boot, it goes into the endless panic cycle.  This is with MP1 installed on the 10.8.5 system.

DylanH's picture

Bill, since OS X 10.9 is a 'major release' you will probably need to decrypt your 10.8.5 system, uninstall PGP, perform the upgrade to 10.9, and reinstall/reencrypt, as has been the norm for all other major OSX version upgrades (ex 10.7->10.8).

See article HOWTO82296: http://www.symantec.com/docs/HOWTO82296

If it wasn't for the sudden demise of BootCamp support with OS X 10.9 and SED 10.3.1 MP1, I'd test it on my MacBook Pro to confirm before posting a response. I tried to test on one of my OS X VMs, but for some reason I'm having issues getting the virtual disk to instrument.

Peter Schwep's picture

Dear community,

Please point me to where the download for the current version of WDE can be found; I do not have any licenses yet and would like to use the trial download provided before deciding whether or not to buy the product. Currently only the 10.3.1 release is available, but according to the information provided by Symantec the newest Apple MacbookPro machines need the MP1 release of the version.

Thank you very much,

BR Peter

fflegionnaire1's picture

Peter,

Typically what I do is;

1.  Go to "Symantec.com", click "Products A-Z".  

2.  Select your preferred product and click "Buy Now", after which it will display some product information.  If you look closely, you'll see a "Try it Today".  Click on that.  

3.  You will then be greeted with a blurb by Symantec that "you are being directed to....".  Click on the "Download Now".

4.  A "Terms & Conditions" disclaimer will appear.  Click on "I Agree".

5.  A SymAccount Login will appear.  Seeing as you're posting on this blog, you've got the login, so login.

6.  After you login, a list of OSs and their related Symantec product(s) will appear.  Choose the version you want.  Voila!!  You have your download.

Granted, this may not be the correct way, but it works for me.

Good luck.

Fflegionnaire1

Peter Schwep's picture

Hello,
Thank you for the quick reply; your instructions worked up to the point where I download the software: Available is only "Symantec Encryption Desktop Corporate 10.3.1", this software is not compatible with OSX Mavericks. How can I use the MP1 version?

Best regards,
Peter

atyoung's picture

You will have to wait for the next GA release of the product which is due any time now, if you do not currently have a support contract. Once that is available, the trial should be updated to 10.3.2 which will include the fix.

If you do have a serial you'll need to go to fileconnect and download the MP1 version.

Dan I Elm's picture

I have noted that 10.3.1 MP1 supports Mavericks (OS 10.9) but not BootCamp, which I use constantly for work. The Support page at http://www.symantec.com/business/support/index?page=content&id=TECH174563 updated 2013-12-6 (or a month and a half ago) states "Starting with the release of Symantec Encryption Desktop 10.3.2, Symantec Encryption Desktop will not be compatible with Apple BootCamp on any Apple Mac OS X systems." I understand there were some changes to BootCamp with 10.9 Mavericks. Does this absolutely preclude encryption of the BootCamp partition? Is there some encryption solution for it? I am not sure this really works as an encryption solution if only half the disk can be encrypted.

Again gratefully,

Dan

atyoung's picture

Unfortunately the demand for bootcamp support isn't what it used to be. That said there are feature requests out there with development to support it. I think there is the possibility of support in the future but it's unclear what the timeline is. I have a number of customers with cases associated with that feature myself, so development is aware people are still interested in support for it.

What I can say is we are in the process of totally re-engineering the product so there are a number of changes in the works that might lead to a solution.

Adam

lsnover's picture

Hi Adam:

I just downloaded 10.3.2 and am attempting to install on a newly upgraded MacBook Pro running OS X 10.9.1

The program installs OK, but when I open Encryption Desktop I can not add any users under Disk->Add User.  Both options are grayed out.  

If I click on PGP Disk, and then Encrypt a Disk..., no Disks show in the list of Disks to Encrypt.  This machine was running 10.3.2 with OSX 10.8 previously.  I unencrypted the disk, removed the old version of PGP Desktop. Upgraded to Mavericks, installed all updates, and then downloaded and installed SymantecEncryptionDesktop10.3.2.

No Bootcamp is involved.  

Can you please offer some assistance?

Sincerely,

Lee

atyoung's picture

Lee,

Make sure you have installed all the firmware updates on your mac. Internally to support we have found that it functions as expected provided all the firmware updates have been applied.

Is the machine you are using customized in some fashion such as non-apple supplied SSD drive, that sort of thing?

Regards,

Adam

lsnover's picture

Adam:

I finally did get it going.  I found out that someone had turned on FileVault unbeknownst to me.

The OS was hosed up too, so I had to do a wipe of the drive and a reinstall of Mavericks, then everything seemed to behave. 

So for those asking, we are now running Symantec PGP Whole Disk Encryption on a MacBook Pro with an Apple SSD, running Mavericks 10.9.1.

Regards,

Lee

Sue H's picture

Hi all,

I just want to let you know that our QA team has certified that Symantec Encryption Desktop 10.3.2 works with Mac OS X 10.9.1 (and this includes Symantec Drive Encryption 10.3.2). The system requirements and docs have been updated on the support site. We are now officially compatible with the latest version of Mavericks.

I hope this helps!

...sue

ershler's picture

Does Symantec Encryption Desktop 10.3.2 work with an OS X volume that contains a Bootcamp partition?

Thanks

Sue H's picture

Hi ershler,

No, support for BootCamp has been discontinued with Encryption Desktop 10.3.2. Please see the post upthread at https://www-secure.symantec.com/connect/forums/has-anyone-used-pgp-wde-symantec-drive-encryption-mavericks#comment-9731991.

Thanks!
...sue

Sue H's picture

Hi all,

I just want to let you know that our QA team has certified that Symantec Encryption Desktop 10.3.2 works with Mac OS X 10.9.2 (and this includes Symantec Drive Encryption 10.3.2).

We have also certified Symantec Encryption Desktop 10.3.1 MP1 with Mac OS X 10.9.2 (also includes Symantec Drive Encryption 10.3.1 MP1).

...sue

Peter Schwep's picture

Hi Sue,

Thank you very much for the information; in case that a harddisk drive with OSX 10.9 or OSX 10.9.1 is already encrypted by Encryption Desktop 10.3.2, can the OSX operating system be upgraded to 10.9.2 without decrypting the contents of the harddisk drive first or will this lead to OSX not being able to start up? The user guide for 10.3.2 does not contain this information, it only informs about upgrading the Encryption Desktop software.

Thank you.

Best regards,
Peter Schwep

Sue H's picture

Hi Peter,

As always, whenever you want to upgrade to a newer operating system (and this applies to Windows and Linux, too), you must decrypt your hard disk first. This is documented in the user's guide (page 28):

Upgrading the Operating System Software

If you are upgrading your computer to a new major release of the operating system (for example, from Windows 8 to Windows 8.1 or on a Mac OS X system from 10.8.x to 10.9), be sure to do the following:

  1. Back up your keys and keyrings before uninstalling.
  2. If you have used Symantec Drive Encryption, decrypt your disk before you uninstall Symantec Encryption Desktop.
  3. Uninstall any previous versions of Symantec Encryption Desktop before upgrading to the new version of the operating system.
  4. Once you have upgraded your version of the operating system, reinstall Symantec Encryption Desktop. Import your keys/keyring and, if necessary, you can then encrypt your disk.

Hope this helps!

...sue

Peter Schwep's picture

Hi Sue,

Thank you for the quick reply. This is not what I meant, I do not want to upgrade to a newer operating system. I am referring to updating from 10.9/10.9.1 to 10.9.2 - this is not a 'major release' as it's described in the user guide (I have read the guide thoroughly, let me assure you that the information is not in there).

Best regards,
Peter Schwep

Sue H's picture

Hi Peter,

It's still considered "a newer operating system" to us, even though it's not considered a major release to Apple (or to Mac users!).

A "non major release" would be more like a service pack, and that's more appropriate in the Windows world, I think. (Something like Windows 7 SP2, for example. That would NOT require you to decrypt. But an upgrade from Windows 8 to Windows 8.1 DOES require decryption and uninstallation. A small distinction there, too)

It's sort of semantics, I know, but the underlying format often changes and if you don't decrypt and uninstall Encryption Desktop or Drive Encryption, you can run into issues. (Yes, there are times when it works without this "dance" but we don't always know when, so the standard operating procedure and request is to follow these instructions and therefore you won't have any issues.)

I know that isn't what you wanted to hear, but it is a requirement. Semantics aside, 10.9.2 is a newer operating system or a major release, even if it *is* only a "dot release". :)

...sue

Peter Schwep's picture

Hello Sue,

That answers my question. Maybe I did ask the wrong question though, so I will ask a different one (which is directed at all users reading this): Has anyone had problems upgrading to 10.9.2 without decrypting first or: Was anyone successful? An answer in the terms of "Although you might very well run into issues, we tried it once or twice and the system booted just fine" or "Tried it and it did not work" will be perfect.

The background is that I have a few systems I need to upgrade, but I have no test machine available because all machines have an already encrypted internal disk. I cannot do a test with OSX on an external disk since the password prompt at startup will ONLY boot the internal disk, but never the external one. Since all Macs have a non-removable internal disk, I cannot quickly remove the internal disk either. Thus I can only do the upgrade on the first machine and hope that it works, based on that I will or will not update the others the same way. I cannot decrypt the disks before upgrading since this violates the specific requirement that none of the data on the disk except for the OS files shall ever be on it in a not-encrypted state.

BR Peter Schwep

atyoung's picture

I have not seen any customer attempts to do this thus far, which can mean one of two things; either no one has attempted it, or no one has failed yet in doing so. As you can imagine in support, people don't call us when things succeed, only when it fails. Our understanding of what is working is based on our internal QA and what we've experienced in support calls, which usually revolves around some type of failure.

As Sue pointed out, it's not a recommended process to do, and I certainly wouldn't attempt it without a full backup of the data in the event things go wrong. This particular scenario is not something QA tests as it's not "supported" functionality, so your mileage may vary rather drastically.

What I can tell you is that issues in the past with that particular scenario resulted in a gray with slash boot screen, rendering the machine unbootable until they decrypted it, which is why I strongly recommend you backup your data before attempting it if you choose to do so.

- Adam

Sue H's picture

Thanks Adam! Yes, Peter, we have only just recently certified 10.9.2 with Encryption Desktop/Drive Encryption so there may not be that many customers using the newer version of OS X yet. I don't know if anyone has tried to upgrade without decryption but, as Adam points out, we wouldn't necessarily hear if anyone succeeded... only if they failed.

...sue

echarlesmxp's picture

In the past, I've only had success with encrypted dot upgrades using the full COMBO UPDATER and not the built in utility. I will try the same on 10.9.2 later today after I image my machine.

echarlesmxp's picture

I'd like to report that I was able to successfully update from an encrypted drive on MBP Retina 10.9.1 to 10.9.2 using the combo updater.

1. Backup disk with CCC, Superduper or time machine (non bootable)

2. download 10.9.2 combo update from http://support.apple.com/kb/DL1726

3. If you want to be extra sure you have the correct file, check the SHA1 hash of the file you've downloaded by using the openssl sha command. Open terminal, enter "openssl sha1" with a trailing space, then drag the combo update to the terminal window and hit enter. You should get c06a63982b522e43997a05cedc04b0bdb1a10207 .

4. Open the combo update and follow the prompts.

Your mileage may vary as always.
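
Step 3 of the post above as a script, added here as an example that is not part of the original post: it computes the SHA-1 of a downloaded file, compares it with the published value, and returns non-zero on any mismatch so that opening the installer can be gated on the result. The function names `sha1_of` and `verify_sha1` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check a download against a published
# SHA-1 value before opening it. Function names are hypothetical.

# Print the lowercase hex SHA-1 of the file in $1 with whichever tool exists.
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        # Reading from stdin keeps the file name out of the output, so the
        # digest is always the last field of the line.
        openssl dgst -sha1 < "$1" | awk '{print $NF}'
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 < "$1" | awk '{print $1}'
    else
        echo "no SHA-1 tool found" >&2
        return 2
    fi
}

# verify_sha1 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on a usage or I/O problem.
# Case and stray whitespace in the pasted EXPECTED value are ignored.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read: $file" >&2
        return 2
    fi
    # A SHA-1 digest is exactly 40 hex digits; reject truncated pastes so a
    # partial value can never be mistaken for a successful comparison.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "expected value is not 40 hex digits" >&2
        return 2
    fi

    actual=$(sha1_of "$file") || return 2
    if [ "${#actual}" -ne 40 ]; then
        echo "could not compute digest of $file" >&2
        return 2
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Stand-alone use: ./verify.sh path/to/download <sha1 from the post>
if [ "$#" -eq 2 ]; then
    verify_sha1 "$1" "$2"
fi
```

A digest taken from a forum post detects a corrupted or truncated download; it is only as trustworthy as the place the digest was read from.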

PGP_Ben's picture

10.9.1 to 10.9.2 (and subsequent application updates on Mac OS X 10.9.2) works fine on SED 10.3.2 MP1 for me.

We have a list of supported Mac OS X versions with corresponding Symantec Encryption Desktop versions found here and maybe this helps (in the future). We try to update this as often as we have confirmed with testing that it works.

http://www.symantec.com/docs/TECH174563

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

Dan I Elm's picture

Any update on Bootcamp compatibility? I am still on OS X 10.8.5 and WDE 10.3

Thanks,

Dan

MikeGrant's picture

Would there be any updates regarding PGP WDE support for Bootcamp? Our company currently supports 500+ Macs with Bootcamp and PGP WDE installed. The news that Symantec is currently ending support and future updates for this setup kind of really throws a spanner in our works. Any information on this product would be gratefully received.

atyoung's picture

Do you have a support case open for this? If so PM me a case number. If not, please open one.

norkimo's picture

Hey Mike!

Let me tell you the short version of Symantec's answer:

No.

BootCamp support was the *only* reason my company purchased a couple licenses for this product, and when support was dropped, I escalated the issue all the way up to the Product Manager for Symantec's encryption products.  Based on that conversation, Symantec has no plans to support BootCamp at this time.  The short version is that Symantec does not have a solution that works with EFI style partitions, and their current code only works for MBR type partitions.  Even though this change was YEARS in the making, and was destined as the new standard for PC and Mac across the board, in true Symantec form, they waited until the last minute and then acted surprised when "the architecture changed".

My two measly licenses were not enough to put any weight into my complaint, so hopefully your 500+ licenses do better.

As for myself, we've migrated off PGP completely for both Windows and Mac.  I've found a way to get Bitlocker to work on the Windows side, and FileVault 2 for the Mac side, with a shared encrypted data partition for the two OS's to share.  This way, I'm using "native" solutions for both OS's and I don't have to worry about future OS updates from either company bringing our encrypted world to its knees.

If you are successful in getting Symantec to un-**** its product and get its act together, kudos to you.  Otherwise, I strongly suggest you find other solutions that don't involve Symantec for your FDE on OS X systems.

DylanH's picture

Unfortunately even with our 16,000 licenses, our plea for continued BootCamp support gathered no momentum...

Dan I Elm's picture

Has anyone found a solution like WDE that allows each partition to see the other, but still works with Bootcamp? My employer uses Symantec and Checkpoint Pointsec PC. Checkpoint Pointsec PC has a Macintosh client, but I am not sure how it works with Bootcamp. I have been discouraged from switching but since we are planning to formally support Macintosh in the near future, it might make sense to switch.

MikeGrant's picture

Hi Atyoung. I've opened a case; the reference is 06736380. Hi Dylan, even with your 16,000 licenses they still don't listen and our 500+ doesn't look good. We may have to just bin Symantec altogether and possibly look into what Norkimo has done.