Tue 17-Apr-2012 09:12
I am running Sophos SafeGuard 5.6 and using full volume-based device encryption on laptops. I am pretty sure the answer to this is no, but thought I would ask the question anyway. We have a product called FastPass that allows our network users to reset/unlock or change their own password with the normal "answer a few security questions" scenario. My question is really for remote users. If they take their laptop home and forget their password, they can reset it through the website, or the product also installs into the Windows GINA and puts a button on the login screen. However, this would mean nothing at the POA stage, right? As it will always want the previous network password. In the past, when a network password has been reset and I use our admin login to get past their POA screen to avoid the C/R stage, when it gets through to Windows and you try to log them on with their new password, Sophos still wants to know their old Windows password anyway, which they don't know. The only way I have found is to delete their cert on the management server.
Could anybody please respond to let me know what you have found to be the best method for rolling out device encryption and the various scenarios that come with it? Just looking for some advice really, as we are about to roll out a lot of laptops for users to start working from home. Thank you.
Fri 20-Apr-2012 16:39
Updating the password anywhere other than locally on the laptop will cause the passwords to be out of sync. In your scenario, you would just need the user to do a screen lock and unlock after the password reset in order to re-sync the passwords before logging off VPN or rebooting/shutting down.
Thu 26-Apr-2012 15:47
Where I work, I just got done doing a POC deployment and we're headed to the live rollout stage soon. The best way to handle those scenarios where the user can't log in remotely and needs to is to have a backup POA user in place and do a challenge/response for its logon when there are issues. Once they're in, you can re-sync any policies or password changes as long as the server is available to the system, even over the internet. We had our .NET developers create a self-service web page on our private intranet for this that basically submits and checks the AD password, checks group membership for the user to make sure they're allowed to do this (if not, throw a failure error), and if yes, issues a new cert with the new password and adds them to the hostname. Sophos has an API that facilitates this. Our policy will be to have users reset/re-sync their accounts with AD if anything gets out of sync or has issues, and get the new SG policy.