
User based policies

Hi,

it would be great to have policies on a per-user basis. In conjunction with application control it would be a great feature. Right now application control is becoming a concern in our company. We have many users using many different computers, so it would be a great advance if I could apply an application control policy to certain users or user groups.

Regards

Marcus



  • Hi,

    It's a good idea to have user based policies and I think Sophos have it on the future feature list. 

    As a possible hack/workaround for the short term, I can think of two methods to implement something that might work.

    Centrally, policies can be linked to either a distribution point (CID) or a SEC group.  I.e. they can be linked to a CID using the XML config in the CID (see the ExportConfig and ConfigCID articles), so you'd need to have the computer switch CID based on the user such that it brought down a config.  The other option, which might be worth looking into first, is to move the computer into a different SEC group based on the user logging in.

    I'm not sure if you expect to have a policy per user or a policy per type of user.  A policy per user could quickly get out of hand, but a couple of Application control policies that are assigned per user type could work.

    As an example, you could create 2 App Control policies in SEC; I'll call them AppCAdminPol and AppCUserPol.  In this example, admins might have AppC disabled; users would have a number of applications blocked.  Create 2 SEC groups, I'll call them AdminGroup and UserGroup, and link AppCAdminPol to AdminGroup and AppCUserPol to UserGroup.

    Then, as a user login script, you could set the registry key that selects the SEC group, as mentioned here:

    /search?q= 24835

    and restart the Sophos Agent, within seconds, the machine should move in SEC and be sent policies of the new group.

    The only wrinkle in the plan is the need to restart the Agent service and set the key, both of which would require admin rights, so this approach may not be that effective: with login scripts, the script would run with the rights of the logging-in user.  Are your users at least local admins?

    I suppose another approach is that you could set up a scheduled job on the clients that at certain times performs the same thing, to set a different policy based on time.  Not sure if this would help you, but worth mentioning, as this could run as SYSTEM and have enough rights.

    I guess it depends how badly you need this and whether the above ideas are worth looking into.

    Hope it offers something.

    Regards,

    Jak

  • Hi Jak,

    I will have a look at your proposals. Right now it is not possible to move computers around because we have them synced with our Active Directory.

    Concerning the per-user policies, a similar process came to my mind as with the computers being synced with the AD.

    Why not sync certain AD groups with the EC and have a tree with OUs and user groups within, so assigning policies to AD group objects?

    Regards

    Marcus

  • On the user login script, you could even set up an administrative template in group policy that pushed the registry key per user.

    .\setup.exe [otherswitches] -g "\ServerName\Servers\2003 computers"

    Setup.exe writes a registry key with this "path" here:

    HKLM\Software\[wow6432node]\Sophos\Remote Management System\ManagementAgent

    String value "GroupPath", with the value in this case of "\ServerName\Servers\2003 computers".

    /search?q= 24835

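The two replies above describe the workaround in pieces: a login-time script selects a SEC group for the logged-on user, writes it to the "GroupPath" string value under HKLM\Software\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent, and restarts the Sophos Agent so the machine moves in SEC. The following PowerShell script is an added example that puts those steps together; it is not code from the thread or from Sophos. It is written to run as SYSTEM from a scheduled task with an "at log on" trigger (Jak's point that the registry write and the service restart need admin rights), so it looks up the interactive user itself rather than relying on the login script's own rights. The AD group names, SEC group paths, the DC=example,DC=com domain and the service name "Sophos Agent" are assumptions to be adapted; the registry path and the GroupPath value name are the ones the thread gives.

```powershell
<#
  Added example, not part of the original thread or a Sophos-supplied script.
  Assign a Sophos SEC group to this computer based on the AD group membership
  of the user currently logged on, then restart the agent so it picks up the
  new group's policies. Run as SYSTEM (scheduled task, "at log on" trigger).
  ASSUMPTIONS: the group DNs, SEC group paths and service name below are
  placeholders; the registry key and "GroupPath" value come from the thread.
#>

# First match wins: users who are in the admin group get the admin SEC group.
$GroupMap = @(
    @{ AdGroupDn = 'CN=SophosAdmins,OU=Groups,DC=example,DC=com'; SecGroupPath = '\ServerName\AdminGroup' },
    @{ AdGroupDn = 'CN=SophosUsers,OU=Groups,DC=example,DC=com';  SecGroupPath = '\ServerName\UserGroup' }
)
$DefaultSecGroupPath = '\ServerName\UserGroup'   # safe default: the restrictive policy
$AgentServiceName    = 'Sophos Agent'            # assumption: RMS agent service name

# Registry location from the thread; Wow6432Node applies on 64-bit Windows.
function Get-SophosAgentKey {
    $candidates = @(
        'HKLM:\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent',
        'HKLM:\SOFTWARE\Sophos\Remote Management System\ManagementAgent'
    )
    foreach ($k in $candidates) { if (Test-Path $k) { return $k } }
    throw 'Sophos Remote Management System agent key not found'
}

# Interactive user as DOMAIN\sam, or $null when nobody is logged on.
function Get-LoggedOnUser {
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

# memberOf DNs for the user. Running as SYSTEM on a domain-joined machine, the
# computer account is used to query AD, which can read group membership.
function Get-UserGroupDns([string]$sam) {
    # sAMAccountName is taken from the OS, not from user input, so no LDAP escaping here.
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$sam))"
    $searcher.PropertiesToLoad.Add('memberOf') | Out-Null
    $result = $searcher.FindOne()
    if ($null -eq $result) { return @() }
    return @($result.Properties['memberof'])
}

function Resolve-SecGroupPath([string[]]$memberOf) {
    foreach ($entry in $GroupMap) {
        if ($memberOf -contains $entry.AdGroupDn) { return $entry.SecGroupPath }
    }
    return $DefaultSecGroupPath
}

$user = Get-LoggedOnUser
if (-not $user) { Write-Output 'No interactive user; leaving GroupPath unchanged'; exit 0 }
$sam    = $user.Split('\')[-1]
$target = Resolve-SecGroupPath (Get-UserGroupDns $sam)

$key     = Get-SophosAgentKey
$current = (Get-ItemProperty -Path $key -Name GroupPath -ErrorAction SilentlyContinue).GroupPath
if ($current -eq $target) { Write-Output "GroupPath already '$target'"; exit 0 }

# Only touch the key and restart the agent when the group actually changes,
# so repeated logons do not keep bouncing the service.
Set-ItemProperty -Path $key -Name GroupPath -Value $target -Type String
Restart-Service -Name $AgentServiceName -Force
Write-Output "GroupPath changed from '$current' to '$target'; $AgentServiceName restarted"
```

Two caveats follow directly from the thread. First, the scheduled task must run as SYSTEM and the script file must not be writable by ordinary users, otherwise the rights problem Jak raises is only moved, not solved. Second, whoever can write GroupPath chooses their own policy: if the admin SEC group has application control disabled, any user who is a local administrator can set the key and restart the service themselves, so this workaround only enforces anything for users who are not local admins.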