So I am currently past being on my last limb with Sophos Safeguard. Every time there is an issue that I fix, another one arises.
So here is the situation. I was given multiple old end user machines and was instructed to get Safeguard off of them. The problem is, I am obviously not able to simply decrypt/uninstall without doing the following:
a. Adding the machine in question to the ".Decrypt Computer" and/or ".Uninstall SafeGuard" group via our Safeguard Management Center.
When checking the Computer in question, I see that the last time the machine communicated with the server was all the way back in 2016 (must've been sitting in the back room for a while or something).
Now I know what you're probably thinking here; "Right click the safeguard icon and click on synchronize". I did so. I also know the next thing that you are thinking; "Make sure that the certificate is still valid by checking it within the MMC". I did so, the cert is still valid.
Next, for the heck of it, I checked IIS > Start Page > Server Name > Sites > Click on Bindings > select port 443 and click edit. I see that the same non-expired cert is bound.
"Okay.." I thought to myself. Let's check that "SGNSCC" (or whatever name it's called) that shows me the connection status, pingability to the server, etc... I realized this is from 2016.. The version of Sophos that this has (Sophos 7) does not even have that function to direct me in the right direction as to where to go from here.
I tried one more thing... I uninstalled the configuration package from the workstation, and created a new configuration package within the Management Center. I thought that maybe this configuration package was made with a new SSL Certificate (not sure if that has anything to do with it, but like I said, I am completely at my wits' end).
Seeing that Safeguard 7 is not supported anymore, I was hoping that anyone here might know of other options.
Hi Philip - I would create a configuration package WITH the policy assigned to it.
This is not normally best practice - especially with an encryption policy. You want the machine to verify it CAN communicate with the server BEFORE it starts to encrypt. Encrypting by policy before the communication has taken place means that potentially a machine could encrypt without having stored the recovery key.
However - in this case I would include the decrypt policy WITHIN the configuration. I've had a few machines that have refused to accept the "new" configuration and allow decryption.
Give me a shout if you're still having issues - Don't worry we can resolve this!