Sophos SafeGuard with AutoLogon

We are using Win10 machines in a Domain. Trying to create a kiosk mode where the machines auto-logon to a Domain account.

Installed is Safeguard Enterprise 8.30.0.76

I have created the Domain account on the machine such that the Windows 10 logon screen shows 4 accounts: Kiosk-user, Other user, Domain\Kiosk-user (with Sophos icon) & Other user (with Sophos icon).

But there is no way for me to use Autologon from Sysinternals or "control userpasswords2" to log in to the Domain\Kiosk-user (with Sophos icon).

Please advise.

  • I'm afraid this is not possible, and others have tried before. There are very few compatible Credential Providers that work with Sophos SafeGuard other than their own, which means the user MUST log in with the Sophos icon/cog. If there's no user and you're hoping to use autologin, that is not supported by SafeGuard as it bypasses the Credential Provider. Annoying, but can a user not log into them remotely/locally and then keep them in kiosk mode? Any autologin account is obviously an increased security risk, so it may be worth thinking of other solutions for this?

  • Thanks for the reply. I did read the few posts, all from 4 to 9 years ago.

    Can you define or expand "There are very few compatible Credential Providers that work with Sophos SafeGuard other than their own" ?

    As literally most of the applications we are using are web-based, the only fear we have is users saving stuff on the desktop (or other places) via Chrome or another browser.

    The only resource the users need is a connection to the shared printer (MFD) which requires a Domain user (the MFD tracks printing via Domain ID) which is the main reason for the usage of Domain in these few machines.

  • Morning!

    Back in the day we used to have GINA to process your login. This could be easily bypassed/hacked, so MS introduced Credential Providers: an "application" that allowed a user to sign in and authenticate and then, if needed, pass this auth on to other apps in a transparent manner. The Windows Credential Provider is that head/shoulders icon. However, some people use a SmartCard to log in with, others can use a Fingerprint or Windows Hello. All Credential Providers. Sophos has its own Credential Provider, the "cog". Logging in with this then makes the session transparent to the user; they don't need to authenticate with SafeGuard again, as that's now been done.

    However, if you DON'T use the Sophos CP, SafeGuard doesn't know who you are. You can appreciate that when you can encrypt and decrypt files by policy (and therefore user policy) this is an issue. If SafeGuard doesn't know who you are, how can it allow you to encrypt or decrypt any content securely?

    You can hide the other providers so users only see the Sophos cog to log in with. This is neater, but it led to issues when I tried it: random auth popups during the user's session, and things just did not work correctly. It was easier/safer to just tell my users "always log in with the Sophos cog!"

    SafeGuard Enterprise: How to hide Credential Providers from the Windows Logon User Interface using Windows Group Policy (sophos.com)

    As I said - I wouldn't go down this route - but it's an option.

    I can't find the article where they DID list their compatible providers (a few smartcards on a Lenovo, as I recall?), when you could use another Credential Provider and it would work/pass through to SafeGuard. SafeGuard has now declared an EOL, so I'm not confident they'll add any functionality at this stage now, sadly.

    I hope that helps a little?
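    The reply above points at the Sophos KB article on hiding Credential Providers with Group Policy and at the fact that autologon bypasses the provider entirely. The script below is an added example, written for this page and not taken from the thread, from Sophos or from the KB article. It enumerates the Credential Providers registered on a Windows 10 machine, shows which ones the "Exclude credential providers" policy already hides, previews hiding one with -WhatIf, and checks whether Winlogon autologon is configured. Assumptions: run it from an elevated PowerShell prompt; the registry paths used are the standard Windows ones for provider registration, the Logon policy and Winlogon; the SafeGuard provider's GUID is not known to the script, so it is located only by a display-name match on "Sophos" or "SafeGuard", which you must confirm on your own machine before excluding anything; the one GUID hard-coded here, {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}, is the built-in Windows password provider.

```powershell
# Added example: inspect and preview changes to Windows 10 Credential Providers
# and autologon. Not Sophos code. Run elevated. Test in a VM with a known-good
# way back in (safe mode, recovery media) before applying on a kiosk.

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Built-in password provider (the plain head/shoulders tile). Assumed GUID.
$PasswordProviderGuid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'

function Get-ExcludedCredentialProvider {
    # The GPO "Exclude credential providers" (Computer Configuration >
    # Administrative Templates > System > Logon) writes a REG_SZ of
    # comma-separated provider GUIDs to this value.
    $v = (Get-ItemProperty -Path $PolicyKey -Name ExcludedCredentialProviders `
            -ErrorAction SilentlyContinue).ExcludedCredentialProviders
    if ([string]::IsNullOrWhiteSpace($v)) { return @() }
    $v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-CredentialProvider {
    # One object per registered provider: GUID, display name (the key's
    # default value) and whether policy currently hides it from the logon UI.
    $excluded = Get-ExcludedCredentialProvider
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        $guid = $_.PSChildName
        [pscustomobject]@{
            Guid     = $guid
            Name     = (Get-ItemProperty -Path $_.PSPath).'(default)'
            # Assumption: the SafeGuard provider advertises a name containing
            # "Sophos" or "SafeGuard". Verify before trusting this flag.
            IsSophos = ((Get-ItemProperty -Path $_.PSPath).'(default)' -match 'Sophos|SafeGuard')
            Excluded = ($excluded -contains $guid)
        }
    }
}

function Set-ExcludedCredentialProvider {
    # Replaces the exclusion list wholesale. Supports -WhatIf so you can
    # preview exactly what would be written before touching a logon screen.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string[]] $Guid)

    $sophos = Get-CredentialProvider | Where-Object IsSophos | Select-Object -ExpandProperty Guid
    foreach ($g in $Guid) {
        if ($sophos -contains $g) {
            throw "Refusing to exclude $g : it looks like the SafeGuard provider, which must stay visible."
        }
    }
    $value = ($Guid | ForEach-Object { $_.Trim() }) -join ','
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set ExcludedCredentialProviders = $value")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name ExcludedCredentialProviders -Value $value -Type String
    }
}

function Test-AutoAdminLogon {
    # Autologon (Sysinternals Autologon or manual Winlogon edits) skips every
    # Credential Provider, which is why SafeGuard cannot see the user.
    # A DefaultPassword value here is cleartext and readable by any local admin;
    # Sysinternals Autologon instead stores it as an LSA secret, which a local
    # admin can still recover. Either way the account is an exposed credential.
    $w = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon        = ($w.AutoAdminLogon -eq '1')
        DefaultDomainName     = $w.DefaultDomainName
        DefaultUserName       = $w.DefaultUserName
        CleartextPasswordInReg = -not [string]::IsNullOrEmpty($w.DefaultPassword)
    }
}

# Usage: list what the logon screen can offer, then preview hiding the
# built-in password tile without changing anything.
Get-CredentialProvider | Format-Table -AutoSize
Test-AutoAdminLogon
Set-ExcludedCredentialProvider -Guid $PasswordProviderGuid -WhatIf
```

    The -WhatIf preview is the point: the thread reports odd in-session auth prompts after hiding providers, so the list should be applied once in a test VM and the session exercised (lock/unlock, UAC prompts, network shares, the MFD print path) before the same GUIDs are pushed by GPO to the kiosks.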

  • Thanks again...

    Then in this case, as I mentioned, I can see 4 user icons on my Windows login. Is there a way to limit it to only 2?
    - Other user (non-Sophos)
    - Domain\Kiosk-user (Sophos)

    The main reason is that I have set a local security policy so that only Domain Admins, the local Administrator & Domain\Kiosk-user are allowed to log on locally.

  • Yes, you can hide them, but do test it carefully. I didn't have great results!

  • Thanks... because one of the main issues we have is users "clicking" on the wrong icon, thus logging into the non-Sophos account.

  • I think user education is the best policy, to be honest, but test with hiding the others and check that the session isn't affected and things work as you expect!

  • But doesn't it become a loophole and a cause for accidents if users are able to enter their "non-secure" accounts?

  • Sophos will pass through the creds to Windows, so it might not be quite as bad as that, but yes, that's what I experienced. Odd requests for auth, and it was not a good experience. I didn't try that hard to resolve it, though, but felt that once you're disabling key functionality in Windows for another product to work better, you're not in a good place!
