Safeguard Enterprise in Image

Vojta,

Do you mean after the drive is already encrypted? Or do you mean to drop the MSI files into the image for installation later?

My ultimate goal is to have any new deployment (imaging) encrypted so I want the client to be installed and start the encryption process once it joins the domain and receives the policy. But I know the client is not recommended to be in the image...

Thank you for the extra information. Sophos doesn't recommend installing the SGN Client before an image is taken. You can technically do it, but you will be reducing the additional security countermeasures built into the software. For the best protection, lay down the image first, then kick off the SGN Client installer MSIs. The installer doesn't take that long so I'm trying to figure out how much time you will be saving.

If you are concerned about remote devices picking up a package over low bandwidth or adding bandwidth consumption, then you can include the SGN Client MSI in your image and delete it after the install completes. My only concern with doing that is if a SGN Client update is available, then your image will be out dated and will require the new MSI to get current again.

Vojta,

Are you able to use something like Microsoft MDT 2010 or ConfigMgr to deploy your new machines rather than an image?

You could do like what David said below but instead of adding it to your image, you can just add a new package to your console and add it to your task sequence (+ CommandLine switches etc for unattended/silent install).

If you have slow WAN links in place you can add distribution points to provide a local source for the packages.

Thanks for the tips, we have management system in place, even Sophos packaged up for distribution - that's not the problem. We don't have full imaging process automated as it's actually being done in the distribution center that doesn't have domain access and the only ability the DC has is to lay down the image that is refreshed every 3 months. That image then travels to the end user and the layering process continues mostly done via GPO. Here is the issue, I don't want to put Sophos in GPO as it doesn't apply to everybody (only the NEW IMAGES). Thus we use LANDesk to push it out as a package but here is the challenge, it sometimes gets forgotten. I'm not gonna get into politics now, the best solution for me is to have the client in the image, this question is not about how to layer it.

Hi Vojta,

When you wrote, "have the client in the image" do you mean that you want the SGNClient.msi and the Client Configuration package already installed AND the drive encrypted OR have only the installers built into the image but not executed until after sysprep is completed?

David,

I understand the encryption cannot be done in the image so I was just looking at having it installed and when eventually the PC joins the domain and receives SGN server policy it will start encrypting.

Cheers,

Vojta

Vojta,

Technically you could do that, but your BOOT keys no longer be unique. While that may solve one problem, it could create another when you need to slave the drive for data recovery. Of course you can use WinPE or Lenovo RnR for data recovery making my point moot.

There are also security counter measures to attacks on FDE encryption that we put into the installation which will be removed by imaging. If the installation was imaged before the SGNClient.msi did it's first reboot, you may be able to get away with it (with the same BOOT key). Once the system is up and into Windows, it will grab the security policies based on it's location in your Directory and then watch the drive spin. Technically it may work but I don't believe it's currently supported.