Will Safeguard Disk Encryption for Mac run on an OS X server, or only on a client OS?

Question, what operations is the MAC OS X server doing that you require data encryption on the OS partition?  This isn't always a good idea on a server because it prevents rebooting and can cause issues with other types of management software and backups as well as system state restore or bare metal restore operations, and some anti-rootkit and sanity checking software for mac os x server may not like the altered startup method.  Is physical theft of a server or it's storage volumes a real possability for this operation?  If so maybe better physical security is the way to go.

Also if you absolutely MUST have volume encryption my advice is to move any data, configs, etc, that you want protected that CAN be moved to a seperate volume and encrypt that instead and just mount the volume manually requiring your admin user password for SG6 after a reboot if you REALLY need that kind of security.  I don't see a reason why it shouldn't work but be warned that it may not install because it's a server and depending on how they did OS detection/rejection during install it, and you may not be able to get much if any support at all on this.  I haven't tried the install on an OS X server but yea there is extra considerations involved.

Hi Joel,

Thanks for your response.  I take your points.  Indeed I'd been asking myself what benefit there could be in encrypting the server OS, given a server is usually always booted and left on (as is mine), which makes FDE pointless, except for scenarios where the server might be stolen while it's switched off.  Also, it's housed in one of the company's highly secure server rooms, which is itself in a building with stringent perimeter access controls.

Within the company, I got the brief that all our Macs will need to have FDE.  I pointedly asked about whether the server needed to be FDE'd too, since it was in a physically secure environment.  I think my question then got misunderstood down the line, with the response that Macs must be FDE'd.  I took this to mean there would be no exceptions allowed (e.g. for servers).  On re-reading through the e-trail though, I think it's more obvious that my question was taken to mean as regarding the Mac client machines, not the server.

Anyway, I'll just concentrate on getting the Mac clients FDE'd for now.  If anyone later tells me the server must be FDE'd too, I'll go through the issues with them at that time. 

The client Macs do need to be FDE'd however, since they're in normal open plan offices and users often temporarily store data files on their desktops (which are in locally hosted Home folders - networked Homes for the Macs are a no-no here for various reasons).  They all connect to a shared RAID volume on the server, where they centrally store and work on their jobs data.

The main reason for me looking at SafeGuard as an FDE solution rather than Apple's FV2 is that the latter doesn't provide a temporary bypass for preboot authentication, meaning I couldn't ever reboot the machines remotely and continue working on them (which I need to do often during maintenance & troubleshooting, and mostly out-of-hours).  Otherwise, I'd have preferred the Apple FDE solution (assuming it was found to work OK), being native to the OS, and free.

I'm hoping to try SG on a client test Mac v soon.  Will let you know how that goes.

Thanks again for your comments.

Paul.

Servers typically don't need FDE honestly, if you're that concerned about someone physically running away with your server or it's drives then definately physical security is the way to go honestly.  Mac laptops are PRIME data theft targets and we're moving to encrypt all of them.  The servers are physically secured to prevent easy theft.  It's not that it can't be done but the type of people that PHYSICALLY steal servers are the types of data theft you can't really protect against because they'll use the old fashioned gun to the head to force your passwords and/or they have resources and equipment to circumvent physical security, possibly legally with a warrant and property seizure in which case a good lawyer is your best option.

I understand the tendancy to want to encrypt everything but in a servers case, especially for remote management, POA removes manageability without using an expensive IP KVM system or something like that.  I'm sure it will happen eventually but encrypting drives on servers isn't a big thing in enterprise unless you're an NSA/DoD based company because servers are hard targets for data theft and require more resources/physicaly access than is easily available.

Honestly if you're an apple company I'm sure you have a nice fleet of ipads/iphones, look into the SOPHOS MDM to enforce passcodes and data protection, those are MUCH more likely targets for data theft and actual data security breaches.