Moving from non-OU client structure to Importing from active directory in Sophos SafeGuard with existing auto-registered (non-active directory method of being added) clients

Question

Hello, 
 I was curious if Sophos SafeGuard was capable of migrating from manual auto-registered clients to importing clients from active directory. Can you do both at the same time? Would you get duplicate entries? Any information around the migration process or quirks importing from active directory would be helpful. Thank you

Shweta · Accepted Answer

Hi EricWoelfel 
 You can import an existing organizational structure into the SafeGuard Enterprise Database through an Active Directory. Please check this article for more information. If a computer or user is auto-registered while an Active Directory (AD) sync is performed, two objects may be generated in the SafeGuard directory. This can be solved by deleting the object that was added by the AD sync and leaving the one in the ".Auto registered" folder. The next AD sync will correctly move the object from the ".Auto registered" folder into the desired organizational unit. Let me know if you have any further queries.

Shweta · Answer

Hi EricWoelfel 
 This can be done by running a few queries in SQL database( Safeguard ) for which I would suggest you to open a support case and PM me the case details.

MichaelMcLannahan · Answer

Yes it is. You could also modify perms to only allow the account you're using to read from that particular OU.

MichaelMcLannahan · Answer

It really depends on how you want to control policies/management. 
 If your whole estate is to be encrypted - it might make more sense to have everything sync'd, but I think especially true if you intend to use File Encryption as well as disk. 
 With FE you'll want groups of users/computers to be able to decrypt/encrypt files. This in turn will need carefully management when Bob moves into Finance from HR and she has to have her perms changed. Without group "awareness" in SafeGuard - You'll need to manually sort this so she does/does not have perms/access to something she needs. 
 With just DE I feel this (in my opinion) is less of an issue. The disks are encrypted. Users may or may not share computers - this wouldn't impact groups (to the same degree) 
 
 So - In my VERY simple mind...Group sync is more relevant to FE and not DE.....

MichaelMcLannahan · Answer

Hi Eric - I bind my macs to AD as a computer object, not as a user. My machines then exist in AD (for the benefit of SafeGuard) but the users log on locally with their own account rather than establishment account. 
 There was a politics issue to this too - "We" didn't want to rock the boat with the way they accessed their device, more of a soft-touch management. 
 Our setup works well though - I can still manage the Macs by policy I SafeGuard and as you mentioned, their local user is imported into the SafeGuard directory so we have some view over that too. 
 Our important difference though (I'm assuming) is that we ONLY do DE, we do NOT to FE. I think if you have gone done that route (or intend to) then I would recommend much tighter integration and bind the Macs and users to your primary directory (AD) 
 You may want to consider alternatives like NOMAD too - It's like a "soft" bind for the Macs. You get many benefits but without some of the downsides!