
How to store Sophos Central recovery key in both Sophos Central and Active Directory

We are using Sophos Central and also have an Active Directory domain.  Is there ANY way for the following scenarios to work?

Scenario 1 (non-domain beginning)

Non-domain computer gets installed with the Sophos client, including the encryption component. After installation, the computer is added to a group that has the encryption policy linked to it, so that BitLocker is started and the encryption progresses. The option to retrieve the key shows in Sophos Central. How do we get that key to also back up to Active Directory so that the key exists in both AD and Sophos Central? If we retrieve the key in Sophos Central (which automatically changes the key after that), how do we make that change automatically show in Active Directory?

Scenario 2 (domain beginning)

Domain-joined machine is using BitLocker policies for encryption, and the key exists in Active Directory. Sophos is installed, but since the computer encryption was not done in Sophos Central, it does not see a recovery key or even show that the computer is encrypted. How do we get the key to show in Sophos Central as well? Is there any way to have Sophos Central see that the machine is actually encrypted?

It seems like it's either one or the other as far as key visibility goes, which doesn't seem right considering Sophos Central is an enterprise solution, yet Sophos does not seem to have the documentation needed to clear things up. Any help would be great.
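For the AD half of Scenario 1, the built-in BitLocker cmdlets can escrow the recovery password that currently exists on the volume to the computer object in AD DS. This is an added example, not code from the thread or from Sophos; it assumes a domain-joined machine, the BitLocker schema extension in AD, and the group policy that permits storing recovery information in AD DS. It escrows only the protector that exists at that moment, so a rotated key is a new protector that has to be escrowed again.

```powershell
# Added example (not from the thread): escrow the current BitLocker recovery
# password for C: to Active Directory using the built-in BitLocker cmdlets.
# Assumptions: domain-joined host, AD schema has the msFVE-* BitLocker
# attributes, and policy allows backing up recovery information to AD DS.
$mount  = 'C:'
$volume = Get-BitLockerVolume -MountPoint $mount

# Only RecoveryPassword protectors (48-digit numerical passwords) can be
# stored in AD DS; TPM and other protector types are skipped.
$recoveryProtectors = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recoveryProtectors) {
    # Add a numerical recovery password if the volume has none yet.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $recoveryProtectors = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($p in $recoveryProtectors) {
    # Each call escrows exactly one protector ID. If the key is rotated
    # later, the new protector must be escrowed with a fresh call.
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    Write-Host "Escrowed protector $($p.KeyProtectorId) for $mount to AD DS"
}

# Optional check from a host with the ActiveDirectory module (RSAT):
# list the msFVE-RecoveryInformation child objects under this computer.
# Reading the msFVE-RecoveryPassword value itself requires delegated rights.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $dn -SearchScope OneLevel -Properties 'msFVE-RecoveryGuid' |
        Select-Object Name, 'msFVE-RecoveryGuid'
}
```

The escrow must run in an elevated session on the encrypted machine; the AD listing only shows that a recovery object exists and does not confirm that the password matches what Sophos Central holds.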



  • I believe that, at least with SafeGuard, this is NOT possible - it's one or the other. You can't have two products "managing" the same thing. This was the case with SafeGuard by design and I'm unsure if it's changed for Central; I would imagine not. Can I ask why you want to use two systems? Is it for redundancy?

  • Yes, it was for redundancy. Our institution is currently considering ending its contract with Sophos due to past support issues with Big Sur, Cisco VPN, among other things. I personally like Sophos Central for the most part, but the documentation for Sophos products can leave some things to be desired. Currently, we have a scenario on campus where some will do the encryption in Sophos Central while others create GPOs in Active Directory. Having the encryption keys located in both locations would be a great thing to have for sure. It's also a little frustrating that they list the ability to sync with Active Directory, but it doesn't seem to "sync" with common functionality like encryption keys.

  • Thanks for the reply. Yes, I had similar wishes too for redundancy, but it's by design. You rarely see two different products "manage" the same device. One must be the "master"; otherwise what happens when both try to rotate the key at the same time? Who wins - why - what if the right key is used but the wrong server has provided a slightly out-of-date key? SafeGuard wasn't ever a Sophos product - it belonged to a German company, Utimaco. You can still see references to this in the registry/file paths etc. With the greatest of respect to Sophos, I don't feel they ever knew the product THAT well, and you could tell this in support and documentation. Still a good product - but one where support lacked a little, I feel. Central, though, is I feel a different ball game. I know what you mean ref support for other products/OS. I feel, though, that although it took Sophos a little too long to support Big Sur (other than EAP), it was in the same boat as LOADS of other 3rd parties. Apple changed many things right at the last moment and gave very little time between testing and release - and with significant architecture and system changes. Feel free to drop me a PM if you'd like to discuss further - I may be in the same sphere as yourself and have had similar/identical challenges! I would recommend getting in contact with your AM at Sophos and explaining how you feel so at least they're aware.

