Overview

This article lists the Release Notes for SafeGuard Enterprise 8.30.

The following sections are covered:

• Requirements
• Windows (Client and Backend)
  • Client
  • Server/Management Center
  • Noticeable Changes / New Features
  • Known Issues
    • SafeGuard Management Center
    • SafeGuard Enterprise Server
    • SafeGuard Data Exchange Client
    • SafeGuard Synchronized Encryption
    • SafeGuard File Encryption
    • General
    • Compatibility
    • Token/Smart card
    • Not supported
    • Limitations
• Anti-Virus products tested with the SafeGuard Enterprise
• Mac OS X Device Encryption Client
  • Limitations
    • Directory users
    • Inventory reporting
    • Limitations on macOS 10.13
    • Apple Open Directory
    • Encryption
  • Known issues
• Mac OS X File Encryption Client
  • Noticeable changes
  • System requirements
  • Compatibilty and upgrades
  • Particularities and limitations
  • Known issues
• Feedback and contact

Applies to the following Sophos products and versions
SafeGuard BitLocker Client 8.3
SafeGuard Cloud Storage 8.3
SafeGuard Data Exchange 8.3
SafeGuard Enterprise Server 8.3
SafeGuard File Encryption 8.3
SafeGuard Management Center 8.3
SafeGuard Synchronized Encryption 8.3
SafeGuard Web Helpdesk 8.3
Sophos SafeGuard Disk Encryption for Mac 8.3
Sophos SafeGuard File Encryption for Mac 8.3

Requirements

Platforms supported	32 bit	64 bit	Recommended available disk space	Recommended minimum RAM
SafeGuard Client (Windows)
Windows 8.1 Pro, Enterprise Edition			100MB	2GB*
Windows 10 RS3, Windows 10 RS4, Windows 10 RS5, Windows 10 19H1, Windows 10 19H2 Pro, Enterprise, Education Windows 10 Enterprise 2015 LTSB, Windows 10 Enterprise 2016 LTSB, Windows 10 Enterprise LTSC 2019			100MB	2GB*
SafeGuard Client (Mac OS X)
Mac OS High Sierra (OS X 10.13)			100MB	4GB*
Mac OS Mojave (OS X 10.14)			100MB	8GB*
Mac OS Catalina (OS X 10.15)			100MB	8GB*
SafeGuard Management Center
Windows 8.1 Pro, Enterprise Edition			1GB	1GB*
Windows 10 RS3, Windows 10 RS4, Windows 10 RS5, Windows 10 19H1, Windows 10 19H2 Pro, Enterprise, Education Windows 10 Enterprise 2015 LTSB, Windows 10 Enterprise 2016 LTSB, Windows 10 Enterprise LTSC 2019			1GB	1GB*
Windows Server 2012 / Server 2012 R2			1GB	2GB*
Windows Server 2016			1GB	2GB*
Windows Server 2019			2GB	4GB*
SafeGuard Enterprise Server
Windows Server 2012 / Server 2012 R2			1GB	2GB*
Windows Server 2016			1GB	2GB*
Windows Server 2019			2GB	4GB*

Windows Small Business Server and Windows Server Essentials are not supported. 

* Not all of this memory is used by SafeGuard Enterprise.

Windows (Client and Backend)

Client

• Internet Explorer Version 10 or higher
• Supported Web browsers for password encrypted files are MS Internet Explorer 11, MS Edge (Windows), Chrome (Windows, Android, OS X), Firefox (Windows, Android, OS X) and Opera (Windows, Android, OS X)
• .NET Framework 4.5

Server/Management Center

• .NET Framework 4.5
• Internet Explorer Version 10 or higher

SafeGuard Database

The supported SQL Server versions can be found here.

Noticeable Changes / New Features

• Added support for macOS 10.15 (Catalina)
• Added support for Windows 10 November 2019 Update (also known as Windows 10 19H2, Windows 10 version 1909)
• Encryption keys of a machine with a Sophos endpoint that supports reporting a health state, can now also be automatically removed when using Location Based Encryption.
• It is now possible for a security officer that has been promoted from Active Directory to authenticate and allow an action when additional officer authentication has been defined.
• The “About” box now shows the installed modules and the versions of the driver and the modules.
• BitLocker Password Protector can now also be configured as primary logon method.
• Changes in the HTML5 Wrapper (“Password Protect a File”)
  • Supports putting more than one file in one HTML5 encrypted file
  • Password rules are now displayed
  • Support for Safari
• OpenSSL components are upgraded to version 1.1.1
• Bitlocker Challenge/Response module has been removed 
• Improved Outlook Add-In (32bit MS Outlook only)
  
  

Known Issues

SafeGuard Management Center

• There are some GUI layout problems on machines configured for resolutions other than 96 DPI.
• Management Console log events may not be created when calling similar functionality concurrently via the SafeGuard API.
• Clients which have been registered as members of a domain, will not be updated properly in the SafeGuard Management Center, if they are moved to a Windows Workgroup.
• Starting a new remote desktop session to a computer where a Management Center or Server upgrade is in progress will cause the upgrade to fail. The new remote desktop session will execute RunOnce registry entries to delete the Local Cache and the SafeGuard registry entries.
• User auto-registration of SafeGuard 6.0 Clients.
  When the SafeGuard Client has version 6.0 and users log on using the format name@domain or domain\name, then auto-registration of these users leads to a problem with the Active Directory synchronization later. Instead of moving the auto-registered user to the correct organizational unit, the Active Directory synchronization instead will generate a duplicate user object. This issue can be solved by importing new users into the Management Center before they do their first logon on the Client. Another workaround would be to correct the pre-Windows 2000 user name of the user in the auto-registered folder in the Management Center (via Context Menu > Properties). If a duplicate user object already exists, the one imported from Active Directory should be deleted.
• When the database schema is automatically upgraded during the first start of an upgraded Management Center, a backup is created. If there is an automatic backup scheduled, this needs to be adapted again afterwards. DPSGN-4728
• File Encryption policies still offers as placeholder, this is in there for compatibility reasons with older clients, but will no longer have an effect for SafeGuard 8.1 or newer Clients. DPSGN-13725

SafeGuard Enterprise Server

• A reboot is required before re-installing the SafeGuard Server
  Although there is no explicit message to do so, a reboot is required after uninstalling SafeGuard Server components and before reinstalling them. (DEF49516)
• The method CreateDirectoryConnection does not run on a SafeGuard Server alone. The machine must also have the SafeGuard Management Console installed for this API.
• Slow upgrade process of SafeGuard Server and Management Center. DPSGN-3884
  The upgrade of the SafeGuard Server and Management Center may take a long time. Do not cancel or interrupt the upgrade process.
• When using Internet Explorer on a Server 2016 / 2019 to open the WebHelpDesk Website, it needs to be ensured that https://" and/or "https://" are added to the "Trusted sites".

SafeGuard Data Exchange Client

• Not all options are shown when operating a device as Portable Device.
  When operating a removable media in Portable Device mode, some of the options of SafeGuard DX are not available in Windows Explorer. Overlay icons indicating a file's encryption status are missing as well as the menu option introduced by SafeGuard DX in a file's context menu. Nevertheless any applicable encryption policy is enforced for files that reside on the removable device, regardless whether it is referenced via the Portable Device tree or the assigned drive letter.
• User elevation for encrypted executable.
  If an encrypted executable or installation package is started and requires a user elevation, it may happen that the elevation doesn't take place and the executable is not started.
• Access to key ring after closing a remote session (RDP).
  A user's key ring is no longer accessible after an established remote session has been closed. The client machine has to be rebooted in order to restore full access to the user's key ring. Just logging off and on is not sufficient to regain access to the key ring.

SafeGuard Synchronized Encryption

• SafeGuard Outlook Add-in: When sending more than one encrypted file (for example, textfile.txt and spreadsheet.xls) the file contents could get interchanged. The Texfile.txt includes the Excel content and spreadsheet.xls includes the textfile content. DPSGN-7503
  This issue can be avoided by installing the recommended MS Office Updates.
  Update for Microsoft Outlook 2010 (KB3114570) 32-Bit Edition --> Microsoft Outlook 2010 (14.0.7165.5000) SP2 MSO (14.0.7165.5000).
  Update for Microsoft Outlook 2010 (KB3114756) --> Microsoft Outlook 2010 (14.0.7166.5000) SP2 MSO (14.0.7166.5000).
• Under certain circumstances the Outlook Add-In might take to long to load and automatically gets disabled by Outlook.
• Files do not get encrypted when uploaded using the Send to Dropbox option of the context menu. This happens, because the application that performs the upload (Dropbox.exe) is configured as ignored application and therefore the file encryption status does not change. DPSGN-6326
• Defining web browsers as in application is not recommended. Because of the variety of existing browsers and their plugins this might cause compatibility issues. DPSGN-9673
• Encryption of files fails in a OneDrive synchronization folder if a new file is created using the Windows Explorer Extension (for example, right mouse click|New|Microsoft Word Document|). DPSGN-6091
• Using ZIP files in Office documents.
  If a ZIP archive included in an encrypted Office Document, is moved out of the document it will contain plain files, regardless of encryption policy. Reason: When a ZIP file is drag and dropped into, for example MS Word, then the ZIP file will be read by Word and therefore it is unencrypted in Word. When the ZIP file later on is drag and dropped out from Word into a directory, Win Explorer (not authenticated application) takes over and the file will be created unencrypted. Workaround: Encrypt the file manually (context menu of the file). DPSGN-9179
• Password encryption / decryption with MS Edge browser is not working on Windows computers with a single core processor.
• In MS Office documents embedded objects (for example, MS Excel objects in MS Word) requires the definition of the corresponding application as in application as well. DPSGN-7085

SafeGuard File Encryption

• EFS is not supported. The EFS attribute can neither be set nor removed from files or folders and access to EFS encrypted files is denied. DPFEE-1149
• Encrypted MS Office files stored on SharePoint get decrypted when they are modified. DPSGN-13628
• NTFS Compression is not supported, files will be automatically decompressed.
• Sophos recommends the use of SSD drives for best possible performance.
• SafeGuard file encryption modules are not compatible with MarkAny's file filter driver cbfltfs.sys. Using both products together can result in BSODs or a not starting operating system. 
• UAC virtualization is not supported, which can result in compatibility issues with 3rd party software (applies to all file encryption modules).

General

• Fast user switching is not supported and must be disabled.
• The Windows 10 feature Improved Boot Up Experience is not supported and can cause several issues on clients that are part of a workgroup, it therefore needs to be disabled see SafeGuard File Encryption, SafeGuard BitLocker Client: Login to SafeGuard Credential Provider fails to unlock the User's keyring on Windows 10 (version 1709) when the machine is part of a Workgroup for details.
• Direct modifications to the original Sophos product MSI Installer Packages are not supported.  
• SafeGuard 6.0 Clients cannot auto-register new users who log in with an alternate user principle name (UPN) suffix. It is recommended to use NetBIOS usernames on SafeGuard 6.0 Clients or older.
• Internet Explorer Warning when downloading SGPortable
  SafeGuard Cloud Storage automatically uploads SGPortable.exe to the Cloud. However, if downloaded with Internet Explorer, its Smart Screen Filter may block the download. Please ignore the warning, that SGPortable.exe is not trusted and accept the download anyway. After download SGPortable.exe reports that MSVCP71.dll is missing. Downloading this DLL from the internet will finally resolve the problem.
• SafeGuard Enterprise is not fully compatible to using Windows accounts with an empty password. If a computer is member of a workgroup (i.e. not in a domain) and the last user tile on the logon screen represents a user with an empty password at all, any password entered in the Safeguard credential provider for this user will successfully log on this user. Moreover, if a wrong password is entered for a different user, this can result in the user with the empty password being logged on instead of the selected user.
• The SafeGuard Credential Provider used to logon to the OS offers  Username and Password fields in the Set up a PIN dialog on Windows 10. Workaround: Use the SafeGuard Token tile for logon with Token. DPSGN-5823
• File Tracking events are note reported when writing files on optical media fails, if the medium is burned in mastered mode. The File Tracking feature supports the Live File System format only and not the Mastered Disc Format.  DPSGN-9709
• BitLocker recovery keys are not rotated after use if the recovery is not done using the Management Center or WebHelpDesk (for example, using Sophos Secure Workspace). DPSGN-9902

Compatibility

• Sophos SafeGuard LAN Crypt is not compatible with SafeGuard 8.3.
• Synchronization of keyring is possible with Sophos Mobile Control 8.0 an newer versions (requires at least Sophos Secure Workspace 8.5 on the mobile device).
• Synchronization of BitLocker recovery keys requires at least Sophos Mobile Control 8.0.
• SafeGuard Enterprise has not been tested in conjunction with an installed Novell Client for Windows. Restrictions may apply as there is no intercommunication between the logon components of both products.
• AbsoluteSoftware Computrace.
  SafeGuard Device Encryption fails to install on machines which have AbsoluteSoftware Computrace with activated track-0 based persistent agent installed.
• Compatibility to imaging tools has not been tested and is therefore not supported by Sophos.
• Windows Defender: The Controlled Folder Access feature is not supported and can interfere with SafeGuard. 
• BitLocker Management is not supported on Apple's Boot Camp 

Token/Smart card

• Disconnecting an USB smartcard reader is not detected properly when using the Gemalto .NET smartcard middleware.
  In this case, the desktop will not be locked automatically. This does not apply to pulling the smartcard from the reader, which works as expected. (DEF66637)
• Smart Card/Token PIN with special characters does not work with some middlewares (DPSGN-3674).
  Defining a PIN that contains special characters (for example, ä, ü, ö) might lead to issues with several middlewares.

Not supported

• The SafeGuard Client does not support logon with Microsoft accounts (formally known as Windows Live ID).
• The SafeGuard Client does not support the Windows 8.1 / Windows 10 logon methods like PIN and Picture, MS Hello, Virtual Smartcards, MS Passport, etc.
• Microsoft Azure based SQL database and Azure based Active Directory
• If BitLocker is managed by SafeGuard, it is not allowed to manage it in parallel via MBAM (Microsoft BitLocker Administration and Monitoring), the manage-bde command line tool, Group Policies (besides the settings listed in the ReleaseNotes) or the Windows Control Panel.
• Only the Bitlocker Logon modes listed in the authentication policy in the Management Center are supported. 
• The BitLocker C/R dialog in UEFI cannot be used with touch screens as it has no on-screen keyboard. The dialog has to be used with a physical keyboard.
• When storing the BitLocker startup key on a SafeGuard Data Exchange (DX) encrypted USB stick, then it won't be possible to use it to unlock the boot volume. This is because the unlock is executed before Windows starts and at this phase no DX filter driver for decryption of the key exists.
• The fingerprint reader Validity VFS5011 is not supported by the SafeGuard Client for logon.
• Defining File Encryption rules for a domain DFS is not possible.
• The encryption of files in a Box cloud storage folder is no longer possible due to changes in the Box client. DPSGN-14331
• Google Drive file stream is not supported. The local file cache location must be excluded from file encryption to avoid data corruption. DPSGN-15116
• The auto-detection of OneDrive / OneDrive for Business as Cloud Storage provider does not work in the latest versions of Onedrive. A workaround is described in KB125710

Limitations 

• BitLocker configuration via GPOs.
  Only BitLocker group policies settings (GPOs) mentioned below, should be configured if BitLocker is managed by SafeGuard. Required settings are automatically applied during the installation of the client.

• Require additional authentication at startup
• Allow BitLocker without a compatible TPM
• Enable use of BitLocker authentication requiring pre-boot keyboard input on slates
• Configure minimum PIN length for startup
• Turn on TPM backup to Active Directory Domain Services

All other BitLocker group policies must be left to default. Otherwise they might be overruled by SafeGuard policies or even lead to conflicts with the SafeGuard BitLocker management. 

• When enabling the SafeGuard policy BitLocker Logon mode with the setting TPM + PIN (default), consider that tablet PCs require an external keyboard to enter the TPM PIN during Pre-Boot phase. The on screen keyboard cannot be used to enter the PIN. It is recommended to use a TPM only policy for such devices.
• BitLocker encryption dialog keeps reappearing on Windows Slate computers (for example, MS Surface Pro 5) - DPSGN-3922
  On Windows Slate computers, the BitLocker encryption dialog keeps reappearing and encryption does not start. This occurs when the group policy setting Enable use of BitLocker authentication requiring pre-boot keyboard input on slates is not set and TPM+PIN or password authentication is mandated by the authentication policy. Enabling the group policy setting or changing the authentication policy resolves this issue. 
• Virtualization platform support.
  The SafeGuard Client only supports VMware Workstation and Player as virtualization platform. All other platforms like VMware ESX/ESXi Server, Microsoft Virtual PC, Microsoft Hyper-V are not supported. VirtualBox is incompatible with SafeGuard 8.3 and might cause BSODs (IRQL_NOT_LESS_OR_EQUAL).
• Takeover of BitLocker data drives in standalone mode
  When the SafeGuard Client is run in standalone mode, then already encrypted BitLocker data drives are taken over in the moment when the client config package is applied. In order that this can succeed, all data drives must be unlocked before the client config package is applied. Locked data drives are ignored which means that their recovery password won't be written to the key backup file.
• Rotation of the recovery password.
  The recovery password is changed automatically for managed clients once a recovery is executed. For standalone clients the recovery password remains unchanged after a recovery, but it can be changed manually be uninstalling the client config package and installing it again.
• Windows 8.1 / Windows 10 fast startup option affects some behavior of SafeGuard Enterprise
  If the new Fast startup option in Windows 8.1 and higher is turned on as Microsoft recommends, some behavior in SafeGuard Enterprise is affected. For system services like the SafeGuard Authentication service the fast startup is technically seen identical with hibernation. So all SafeGuard Enterprise functionality triggered by the boot process is affected and needs a restart instead of shutdown/boot. One example is the registration of new users as SafeGuard user during first Windows logon after machine boot process. In order to have the self-enrollment enabled upon next boot a warm-boot has to be initiated or a complete shutdown/cold-boot has to be forced.
• According to the recommendation of Intel, also Sophos recommends, to disable Intel Rapid Start Technology when using software-based encryption.  
• Recovery of unmanaged BitLocker volumes not supported for standalone configurations - DPSGN-3901
  Access to BitLocker-encrypted volumes which have not been taken over by SafeGuard (i.e., when no SafeGuard encryption policy for them exists) cannot be recovered via the SafeGuard Management Center. This issue is limited to standalone client configurations.
• Trusted application configuration breaks when update changes application path. DPSGN-3720
  Some application updates change the absolute path of their executables. In these cases, SGN's policy configuration for trusted applications needs to be updated as well. For example,
  Symantec Anti-Virus installs to a directory path containing its version number. The configuration for SafeGuard trusted applications needs to be changed to point to the new path where the executable is found.
• Microsoft Internet Explorer fails to download encrypted files from Dropbox - DPSGN-2088
  Files encrypted with SafeGuard Cloud Storage cannot be downloaded using Microsoft Internet Explorer.
• FIPS mode not supported on Windows 8 clients. DPSGN-1257
  SafeGuard Enterprise does not support managing BitLocker encryption on Windows 8 clients with enabled GPO setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Recovery of such clients, using the SafeGuard Management Center, is not possible. Note that FIPS mode on Windows 8.1 and Windows 10 clients is supported.
• User workflow is affected when uploading encrypted files using a browser
  • Encrypted documents that are uploaded using a browser end-up encrypted on the server. This may break some functionality users are used to (for example, document preview, server-side document indexing, in-browser editing etc.).
  • The plain content of encrypted documents can’t be accessed by server-side processes. This, for example prevents servers from indexing documents and thus breaks/limits search capabilities.
• MS Office 365 offers direct storing of files in the cloud (OneDrive). If this functionality is used and the Office 365 apps, for example, MS Word, are defined as In application you have to configure the path \Microsoft in the application