Enforce Data Exchange (only) on USB Removable Media for all users of a PC

Hi there,

We're having some problems with a basic setup and wonder if more experienced users could point us in the right direction.

We have SafeGuard Management Center 7, but a mix of 6 and 7 clients, used previously to encrypt laptops so all working fine.

Our new objectives:

For most desktop Win 7 PCs we now wish to enforce encryption of USB removable media;

We want the policy to apply to any user of that PC, as almost any of our PCs can be used by any of our users;

We do not want POA, or volume encryption, only Data Exchange, and that to only apply to removable media, so file-based not volume-based;

We have enabled generation of Group Keys as we wish to use Group Keys so users in-house can seamlessly exchange USB devices and files;

SGPortable can be used for external recipients.

We have no problem getting the PreInstall, Client, and the Config onto the PCs.

The problem:

How to assign all our users to a PC or ideally to an OU?  It seems only possible to assign individual users to a PC.  If I create a group of users and assign that group, the users are individually enumerated in the assignment.

Then when attempting to save the configuration after adding the users, I get an error such as attached,

"You have already assigned a max of 0 user(s).  Please remove 110 object(s)"

We have 250 available DE licences, so even if the license is per user, this doesn't make sense.  (Although we thought the license was per device?). 

After going round in circles with this one for some days now, I'm getting confused between AD groups, Safeguard groups, group keys, OUs etc...

All we want to do is assign everybody to each configured PC in the simplest possible way (i.e. groups) all using the same group key.

If someone could point out where we are going wrong, this would be much appreciated.  Thanks in advance,

Dave T

  • Hi Dave,

    the machines that should be covered by SafeGuard Data Exchange to protect your removable media, do you also have the SafeGuard Device Encryption (POA) module installed on those?

    Cheers,

    ChrisD

  • Hi Chris

    No, not installed - and we don't really want POA on these PCs - some PCs may be used by potentially anyone in the organisation.

    We have no issue getting Data Exchange working for one or two assigned users - the hole in our knowledge (and the documentation which we have ploughed through) is

    1. how to assign Groups of users to a PC (e.g. Domain Users - or a custom "All Staff" group)?

    2. how to avoid the error message regarding assigning max numbers of users.

    Thanks

    Dave

  • Hi Dave,

    I am not sure I follow. If you only have Data Exchange installed then there will be no POA and the authentication is handled entirely by Windows.

    Whenever a new user logs onto a machine with Data Exchange, a user account is automatically created in the Management Center and assigned against that machine. If you want Data Exchange to work for all users of the machine, you can always add the machine itself to the group you have the Data Exchange policy assigned to. That way any user who logs onto that machine will inherit the policy.

    Hopefully that helps a little - not sure what that error could be though.

  • Hi David,

    there is no need to distribute every single user to every single machine. The users auto enroll themselves during the first logon to the SafeGuard Data Exchange computers:

    In a scenario where SafeGuard Device Encryption (incl. POA) is used, the first user to log on in Windows is automatically registered in the SafeGuard POA. At first, no other Windows user can log on at the SafeGuard POA. Further users must be imported with the assistance of the first user.

    When the Device Encryption (incl. POA) is not installed, the registration process for new Users changes slightly:

    To allow new user registrations for every user (w/o the registered owner being present), change the policy "Specific Machine Settings | User Machine Assignment (UMA) | Allow registration of new SGN Users for" from "Owner" to "Everybody".

    Policy hint: Defines who is able to import another SGN user into the SafeGuard POA and/or UMA (by disabling the pass-through to the operating system).

    Note: For endpoints that do not have the Device Encryption module installed, the "Allow registration of new SGN Users for" setting must be set to "Everybody" if it should be possible on the endpoint to add more than one user to the UMA with access to their key ring. Otherwise users can only be added in the Management Center.

    After changing the policy and synchronizing the changes to the Clients, users that log in to a SafeGuard Data Exchange Client for the first time will be automatically listed as a "SafeGuard User" and have access to their encryption keys if the Client version is 6.10 or 7.0.

    Hope that helps,

    ChrisD

  • Ok - thanks both, that helps enormously - I was unaware of the existence of the policy "Specific Machine Settings" and UMA.

    Looks like a working implementation now.

    One further question though: - as stated, we don't want POA, so users logging on to a configured workstation for the first time are presented with a dialogue to complete Sophos logon (see attachment).  It's not ideal if they can choose Cancel...

    Is there any way of enforcing this first time logon, or passing the Windows credentials they just used to log on with?

    Thanks again,

    Dave T

  • Hi Dave,

    I would really recommend using the SafeGuard Credential Provider - or do you have any issues with it so it cannot be used?

    The SafeGuard Authentication Application (that you can see on the screenshot) acts as a kind of surrogate for the SafeGuard Credential Provider and takes over the required actions (like registering a new user or logging on a user to the Key Ring) in case the SafeGuard Credential Provider is not used.

    Have a nice weekend,

    Chris

  • Hi Chris

    Thanks again for the further info.  We don't have any issues (yet) with Credential Provider - as this is another feature we never heard of!  I will do a custom install and test behaviour.

    thanks

    Dave T

    Ok, making progress here: the Credential Provider seems to manage different users on the same PC; users now just have to wait for the SafeGuard Authentication Service notification to complete after logon.

    That leads on to the next 2 issues, one minor one major:

    Minor issue 1: Windows 7 users are now presented with a SafeGuard icon AND a normal Win7 icon, see attachment.  Any way to remove the normal Win7 icon and leave only the SGN icon?  More pressing, is there any difference to the logon should they choose the Win7 icon?

    Major issue 2: If a user locks a PC and walks away, no-one else can log on, Switch User fails by allowing the next user to log on and then immediately logging them off.  As stated in the original post, we have some PCs shared by many users, but this locks a PC to one user.

    Is this expected behaviour?  Is there a workaround?

    Forcing logoff by policy in Win7 is not a trivial task; hard booting to allow next user logon is not acceptable; educating users to logoff is an endless task...

    Thanks for the advice so far, but we're not out of the woods yet!

    Regards

    Dave T

  • Hi gsmdit,

    1/ Please see Knowledge Base Article 114190 SafeGuard Enterprise: How to hide credential providers from the Windows Logon User Interface using Windows Group Policy

    2/ Fast user switching is not supported and must be disabled. (Extract from the SafeGuard Enterprise 7.0 release notes)

    On Windows XP, Fast User Switching (FUS) gets disabled when a 3rd party GINA (like the SGGINA.dll of SafeGuard Enterprise) is installed on the system. On operating systems that are using a credential provider instead of a GINA (Windows Vista, W7, W8, W8.1) FUS is prevented by the Authentication Service of SGN (SGNAuthService).

    A consequent cryptographic separation between the key material of different users is one of the paradigms of SafeGuard Enterprise. By allowing more than one logged-on user at a time, this would not be possible and a separation could only be access-right based and, with that, less secure.

    Regards,

    ChrisD

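For point 1/ above, the usual way an admin checks what the KB-article approach actually changed on a Windows 7 endpoint is to compare the installed credential providers against the "Exclude credential providers" Group Policy value. The following read-only PowerShell audit is an added example, not code from the thread, from Sophos or from the KB article. It assumes that credential providers are registered under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers` (one subkey per CLSID, default value = display name) and that the Group Policy setting writes a comma-separated CLSID list to the `ExcludedCredentialProviders` value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. The CLSID of the SafeGuard provider is not given in the thread, so the script does not hard-code it; identify it from the listing.

```powershell
# Added example (not from the thread, Sophos or the KB article): audit which credential
# providers are installed on this endpoint and which ones the "Exclude credential providers"
# policy (Computer Configuration > Administrative Templates > System > Logon) currently hides.
# Assumption: the policy is stored as a comma-separated CLSID list in the registry value below.
# Run in an elevated PowerShell session on the endpoint being checked.

$providerRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$policyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValue  = 'ExcludedCredentialProviders'

function Get-InstalledCredentialProvider {
    # Each subkey name is a provider CLSID; the key's default value is its display name.
    Get-ChildItem -Path $providerRoot | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = $_.GetValue('')
        }
    }
}

function Get-ExcludedCredentialProvider {
    # Returns the CLSIDs the policy hides from the logon UI, or an empty list if unset.
    $item = Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue
    $raw  = if ($item) { $item.$policyValue } else { '' }
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-CredentialProviderReport {
    # Joins the two views so each installed provider shows whether policy currently hides it.
    $excluded = @(Get-ExcludedCredentialProvider)
    Get-InstalledCredentialProvider | ForEach-Object {
        [pscustomobject]@{
            Clsid          = $_.Clsid
            Name           = $_.Name
            HiddenByPolicy = ($excluded -contains $_.Clsid)
        }
    }
}

Get-CredentialProviderReport | Sort-Object Name | Format-Table -AutoSize
```

Run it before and after the Group Policy change: the SafeGuard provider should show `HiddenByPolicy = False` and the built-in password provider `True`. Leave the value to Group Policy rather than editing the registry by hand, so the setting survives policy refresh and shows up in the usual GPO reporting.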
    Thanks again Chris for the swift response; let me address these 2 points and I will confirm we are ready to go.

    regards

    Dave T
