Currently on the client computer, the status shows "nothing received yet".
Currently on the Enterprise Console, under Policy compliance, it says awaiting policy from concole.
I have rebooted both machines (server and client). I have searched but have surprisingly found NOTHING on this "error". Event viewer shows nothing on the client.
Any other way to troubleshoot this issue?
SafeGuard 5.61.0.25
Enterpirse Console 5.2.1.197
CBeyer,
How far into the encryption have you gone? Are you using POA? If so, did it enable sucessfully on restart? Ensure that there is also no conflicting software such as virus protection, there is a KB that also discusses possible conflicts with software. are you also able to ping the Sophos server from that computer?
We had a simliar error inside our oganization when we deployed Sophos to three systems, we later found after trial and error of installing applications that our endpoint protection was blocking the sending and reciving of the packets to Sophos. It could be a place to start.
The encryption has, to my knowladge, not even started. The "push" from the server to the client seems to work and the install (run silently) seems to complete. The gear icon shows up and a reboot later, I can access the status by right-clicking...
Last Policy Received, Last Key Received and Last Certificate Recevied all read: nothing accepted yet
We are not using POA. The only virus protection on the machine is Sophos. I would find it unuseful if that was the software blocking it, but we did disable all of Sophos' services and that didn't seem to produce any different results.
Curious, if it is the Sophos client blocking the transmission of the SafeGuard software.. wouldn't that be seen somewhere in an event or log file in the Enterprise Console?
Hello CBeyer,
SDE (Sophos Disk Encryption, that's the version bundled with SEC) is integrated with SAV/SESC, thus the SDE install/operation is not only not blocked but depends on (some of) the endpoint services (Message Router and Agent IIRC).
If the client has not yet received the policy it won't start the encryption - that the status is reflected in SEC suggests that the communication between client and SEC is in principle working. I don't have a client available to test but the problem could be similar to the one described in Managed computer's status is missing, incorrect or 'awaiting policy from console'. It does not mention the adapter for encryption though which is named SEA. Is this your first client or do you have an already working one?
Christian
This is the first client we have pushed the Encryption to, it's our guinea pig! I have seen the article you linked to, but I don't have a "working" client to pull the AdapterStorage folder from.
We have a license for Sophos Complete Security Suite. I don't see anywhere on my Downloads and Upgrades screen a mention of Sophos Disk Encryption (that page is calling it SafeGuard Easy) and when I push the encryption out via the console, SafeGuard Easy 5.61 is installed. So, im not sure what Sophos Disk Encryption is (unless I'm just reading the acronyms wrong).
I would agree on a communication error, howwever, receiving updates to the endpoint protection is not an issue, it seems to lie solely with the SafeGuard installation. The client can ping the Sophos Server. I am logged in as the Domain Admin which, obvously, should have full and complete access to everything. I don't see anything in the event viewers, but I'll take another look and see if I notice anything concerning communication.
Thanks for the assistance!
Hello CBeyer,
SafeGuard Easy is more or less unmanaged and included like the stand-alone AV products. SafeGuard Enterprise comes with full (and user-aware) management. The Full Disk Encryption included with SEC is something in-between. The core functionality is the same for all flavours but FDE/SDE gives you some basic management features including key backup and challenge-response recovery.
Did you check whether the mentioned AdapterStorage and registry items are present?
Issues with policy or status exchange between server and client usually aren't logged to an event file and sometimes the only indication of a problem is the absence of certain exchanges :smileyhappy:.
Basically I see three options:
Christian
OK, as far as the linked article goes... none of the instances occurred.
- I do not have another machine to copy from as this is the first machine we have installed Encryption on.
- There is no HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Remote Management System\ManagementAgent\Adapters, in fact, there isn't even a SOPHOS folder under HKEY_LOCAL_MACHINE\SOFTWARE\
- The dll files are in the correct spots, at least the ones for SAV and AutoUpdate, we don't have the Firewall activated
I uninstalled the SafeGuard program and went to reinstall.
When I click on Protect Computers in the Enterprise Console, I am given 2 options, Protection Software (nothing in here indicates there is any kind of encryption) or Encryption (nothing indicates I have a choice to install SafeGuard of the "pre-bundled" FDE/SDE). I choose Encryption, it asks me for username and password and after a minute or so, the client reboots. Once the client is back up, the gear icon for SafeGuard Easy 5.61 appears, I can right click and choose either Syncronise (which does nothing) or Status (which leaves me with a bunch of "nothing received yet" messages). I reboot the client again, the Synchronise option is now GONE and the status option gives the same "nothing received yet" messages.
On the Enterprise Console, when looking at the client computer, Policy Compliance is "awaiting policy from console" and Full Disk Encryption is set to No.
I'll contact support if there is nothing else this thread can think of...
Thanks for all the help so far.
OK, all the keys are present, even one for SEA (SafeGuard Enterprise).
I have to admit, it's all very confusing. It's clear that on the client machine, SafeGuard Easy is installed, yet the key in the registry clearly says SafeGuard Enterprise. No where in the Enterprise Console on the server is there a mention of FDE or SDE.
You are saying that Protection comes first, which is the case here, as the Protection was installed first, but you also make it sound like Encryption (FDE/SDE) should have been installed with that... this is not the case. No encryption is installed when I push the protection out. I am not given any options to comply with Full Disk Encryption when just the protection is pushed. When I choose Protect Computer and choose Encryption Software, it doesn't even tell me what that software is, it just installs (and seemingly fails without any warning or error or event log). Hair pulling out tpye stuff here!
Anyway... thanks for assistance so far. I'll see what contacting support can provide.
Hello CBeyer,
part of this reply (warning: may contain rigmarole) applies also to your Update Manager question on the EndUser board.
Practically all major AV vendors (fancied they) have to expand and diversify their portfolios. Like others, Sophos - apart from developing new products - acquired several products or product lines. One of them is encryption (formerly Utimaco). Central management is essential so naturally whatever you acquire has already some sort it implemented and in addition the products might overlap to some extent. You might continue to market them independently (at least for some time) and keep the brands but more often then not the final goal is to integrate them into one suite (either a single offering or a modularized solution). Of course you have to keep an eye on the competition, your balance sheet and last but not least changes and trends and devise a suitable strategy.
To get to the specific part: Over time several products/features or "stripped-down" versions (perhaps as starter drug) have been integrated or included at low or no cost (BTW: Integrated/Simple NAC aka Compliance Control is being "retracted"). It's part beefing up the Product (EndUser) and part "advertising" another one (e.g. the Web Appliances). In case of SafeGuard version 5.61 of the basic Device Encryption has been modified to be deploy- and manageable by SEC. Note that this is neither "Easy" (which lacks management but offers additional modules and configuration options) nor "Enterprise" (which not only has far more features but a user-based management as well). I assume it could technically be installed along with the other parts of SESC, but it requires exclusive use of the machine so you definitely don't want it to sneak in with a Protect Computers.
As it is some kind of "hack and mash" and not a new product line neither expect it to be in step with the full products nor that it is perfectly honed (e.g. consistent design and naming) - that's not to deride it, the core is the same for all incarnations and the imperfections are cosmetic and no cut backs have been made in quality. For now it is called Full Disk Encryption in SEC, not very specific for Windows XP and above and a single 5.61 Recommended version.
As for SafeGuard Easy - you license all (selected) SEC features for a certain number of users. A computer is either managed by SEC or not. For the unmanaged ones you get the equivalent SafeGuard Easy - and, as Sophos grants you the current versions with your license, it is 6.0.1.
The install itself didn't fail - it's an internal communication problem which is occasionally seen with other components as well. Often the reboot or a simple Comply with ... solves the issue - obviously not in your case though. If that's any consolation, once it works it uses to continue to do so.
Christian
