
Safeguard - Best Practices for shared computers?

Hello-

I'm implementing Safeguard disk encryption for a client, and I'm struggling with how to handle machines that are shared by multiple users. This client has a pool of laptops that never leave the premises, but are shared among a group of users when they're at work. Essentially I need any AD user to be able to start up any laptop at any time. 

I understand that I can add users to POA by having the "owner" log onto POA with the pass-through authentication turned off, then have the secondary user log onto Windows. But this isn't really feasible for a large and dynamic group of users.

One thought I had was to create an AD account with limited rights, and make it the POA "owner" of all the laptops. All users would use this account for POA, but would not use the pass-through authentication; then the "real" user would log in within Windows. One problem I'm seeing with this: I don't see a way to force pass-through to off via policy, so users would have to manually de-select it.

The other possibility which would work is to just turn off POA. But I don't love that idea.

My ideal situation for these laptops would be a "standalone" installation of Safeguard that has a static password and/or username to boot the computer, having nothing to do with AD. Is there a way to accomplish that?

I should also add that I was planning to use Sophos Enterprise Console to manage the encryption, but I have a feeling I'm limiting my configuration options by doing so. I have not seen the separate Safeguard Management Center, but I suspect it has more configuration options. Can anyone tell me if that's true?

Thanks!

  • Hi John,

    I have the exact same scenario here where I work.  So I will tell you what works for me.  I am sure others will chime in with a response.

    I have my Default Machine Settings Policy set underneath the Power On Authentication (POA) group of settings. The policy item to set is "Import for new users allowed for:", and the setting is "Everybody".

    Now I have SafeGuard Enterprise and it is set to synchronize with Active Directory. So when I add a computer to Active Directory I will do a manual synchronization process so that the SafeGuard Enterprise Management Console will have the new computer object. I have an Active Directory group which basically has all AD users as members. So in the SafeGuard Management Center console I will go to Computers and Users. Under the Computers section I will select the new computer and then click the Users tab. I will then drag the user group onto the computer object's "Users" tab. It will ask if I want to make the selected users "Owner" and I choose "No".

    This works fairly well for us. We have a 90-day password change policy and users who share PCs and roam from office to office. Some do this with desktops and some with shared laptops.

    Now the catch is getting at least one user set up as a SafeGuard user on the laptop and/or desktop. Then for others to log onto the desktop/laptop, typically the unit will already be logged on by a SafeGuard user. So HOPEFULLY the desktop and/or laptop will be at the Windows logon screen. Then at that point another user who has never logged onto the laptop and/or desktop will become synchronized and will be a SafeGuard user.

    The only headache I have from time to time is there might be the one user who hasn't logged onto a PC in quite some time, say 120 days or so since they last logged in. Since our passwords change every 90 days, if that user has not logged into the laptop/desktop to get an updated security certificate and security key, the SafeGuard client at the POA screen will only know the old password for that user, not their current new password.

    What helps there is to make sure you get the Local Self Help (LSH) recovery option enabled. So hopefully they will remember the answers to their security questions. My problem here is our users forget they have the capability to "recover" their password, so they will end up trying their password so many times that they lock the workstation at the POA screen.

    But we do have some users who are good about using LSH.

    The only thing about the LSH recovery is that it is machine specific and does not roam from one PC to the next. So if you enable and set up LSH on PC #1 and then the user goes to PC #2, they will have to set up LSH for that PC.

    But with us we have about 100 PCs on our network with 10 offices in 4 counties. I am a one-man IT department and this setup has worked well for me, though occasionally I will have logon issues to deal with for users who have forgotten their password or locked their workstation. It isn't too bad, and believe me, my time has to be well spent in other areas than dealing with locked workstations and resetting of passwords.

    So with this setup I don't have many problems or issues. Most of our PCs are on and at least at the Windows logon screen, so if a user has not logged onto a PC in 120 days or longer, since they are logging on at the Windows screen, their credentials on that PC will get updated by the Sophos SafeGuard client synchronization process.

    I hope it helps. And maybe others will have a better solution than what I am doing as well. But that works for me here.

  • Thanks very much for the reply. I'm still not sure where we will go from here, in my case I'm going to present my client with their options and see what they want to do.

    Thanks again!

  • Dealing with same issue.

    We have decided to create a "group" POA user with pass-through turned on. This can be done via the Authentication policy by selecting "Enforce pass-through to Windows" (Authentication > Logon Options > Passthrough to Windows).

    Another option is (as taekwanleap already mentioned) to manually attach users to these computers.
