
Moving from non-OU client structure to importing from Active Directory in Sophos SafeGuard with existing auto-registered (non-Active Directory method of being added) clients

Hello,

I was curious if Sophos SafeGuard was capable of migrating from manual auto-registered clients to importing clients from active directory. Can you do both at the same time? Would you get duplicate entries? Any information around the migration process or quirks importing from active directory would be helpful. Thank you 



This thread was automatically locked due to age.
  • Hi  

    You can import an existing organizational structure into the SafeGuard Enterprise Database through an Active Directory. Please check this article for more information. If a computer or user is auto-registered while an Active Directory (AD) sync is performed, two objects may be generated in the SafeGuard directory. This can be solved by deleting the object that was added by the AD sync and leaving the one in the ".Auto registered" folder. The next AD sync will correctly move the object from the ".Auto registered" folder into the desired organizational unit. Let me know if you have any further queries. 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Does that mean that I would have to hand remove each duplicate entry under the AD tree after the first sync? Is there a script to search for duplicates and safely remove them? We support many clients, and manual removal would be excessive.

  • Hi  

    This can be done by running a few queries in the SQL database (SafeGuard), for which I would suggest you open a support case and PM me the case details.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • How about macOS computers bound to Active Directory alongside Windows computers? Are there any ill effects to Macs in the imported OUs that have local users and FileVault (managed by SafeGuard)? We bind Macs to AD for admin elevation and administrator login access for technicians (after bypassing the FileVault login screen... it's not our intention to add technicians as authorized FileVault users with boot login). Our goal is to allow any user to log in to a bound computer if they have AD access for Windows and only FileVault authorized users at boot and anyone in AD after FileVault/Boot login (same as Windows) for macOS.

    Thank you all for answering my inquiries so quickly!

  • Hi Eric - I bind my Macs to AD as a computer object, not as a user. My machines then exist in AD (for the benefit of SafeGuard) but the users log on locally with their own account rather than an establishment account.

    There was a politics issue to this too - "We" didn't want to rock the boat with the way they accessed their device, more of a soft-touch management.

    Our setup works well though - I can still manage the Macs by policy in SafeGuard and, as you mentioned, their local user is imported into the SafeGuard directory so we have some view over that too.

    Our important difference though (I'm assuming) is that we ONLY do DE, we do NOT do FE. I think if you have gone down that route (or intend to) then I would recommend much tighter integration and bind the Macs and users to your primary directory (AD).

    You may want to consider alternatives like NOMAD too - It's like a "soft" bind for the Macs. You get many benefits but without some of the downsides! 
