Not able to encrypt drives running El Capitan with Symantec Encryption Desktop 10.4

book

Article ID: 163314

calendar_today

Updated On:

Products

Desktop Email Encryption Drive Encryption Encryption Management Server

Issue/Introduction

Apple has introduced a new security feature as of Mac OS 10.11 (El Capitan) called System Integrity Protection (SIP). Symantec Encryption Desktop version 10.3.2 and previous did not support encrypting of these systems. Starting with Symantec Encryption Desktop 10.4, it is now possible to encrypt a system running El Capitan. In order to encrypt the system running El Capitan, however, the SIP feature must first be disabled.

Security configuration information is stored in NVRAM rather than in the file system itself and is only configurable by booting to the recovery partition and using the csrutil command from terminal.

Resolution

To check if SIP is running, run the following command:

$ csrutil status


The following is returned if SIP is enabled:

$ System Integrity Protection status: enabled.

To enable or disable System Integrity Protection, boot to the Recovery OS and run the applicable command from the Terminal. Symantec recommends performing these steps when the endpoint reboots immediately after installation to allow an auto-encrypt policy, if enabled, to be followed without error:

Normal use of the system can then resume.

  1. Boot to Recovery OS by restarting your machine and holding down the Command and R keys at startup.

  2. Launch Terminal application from the Utilities menu.

  3. Enter the following command:

    $ csrutil disable

  4. A message stating SIP was successfully disabled should appear.

  5. Reboot the machine and configure disk encryption per normal. Click the Apple Icon on the top-left corner, then select Restart.

  6. Once encryption has started you may re-enable SIP by running the following command from the Recovery OS again:

    $ csrutil enable

  7. Reboot machine

  8. Check status after logging in by running:

    $ csrutil status

Once SIP has been disabled, Drive Encryption should then be possible. If CoreStorge is still enabled, encryption will not be possible. In order to disable CoreStorage, see article HOWTO109622.