
Deploying SafeGuard Enterprise to Workgroup PCs

Hi All,

I've installed and configured SafeGuard Enterprise. I've created policies and client packages, and deployed the packages to two test machines. Both machines communicate with the SafeGuard Server and download policies. They don't, however, encrypt. I see them registered in the ".Auto registered" node but I'm not sure where to go from there.

I guess a couple of questions:

1) How is user creation handled for workgroup environments? All of the guides seem to concentrate on importing user and computer objects from Active Directory, which I'm not doing. This deployment has many stand-alone workgroup computers and has no intention of deploying AD.

2) Where should I start with troubleshooting why BitLocker encryption never starts?

3) Any best practices for workgroup deployments? I don't seem to find any best practice documents that talk about workgroups.

Thanks!

  • Hi Cabaday,

    Let me try to answer your questions:

    1) How is user creation handled for workgroup environments? All of the guides seem to concentrate on importing user and computer objects from Active Directory, which I'm not doing. This deployment has many stand-alone workgroup computers and has no intention of deploying AD.

    When a new user logs on to SafeGuard Enterprise once their endpoint has contacted the SafeGuard Enterprise Server, they are registered and automatically displayed in the Users and Computers area of the SafeGuard Management Center under their respective workgroup.

    If the workgroup object does not yet exist, the user and computer object report into Root -> Auto registered. You can manually create your workgroups along with a structure for managing policy items. (Click on Root -> New -> Create new workgroup (auto registration)).

    2) Where should I start with troubleshooting why BitLocker encryption never starts?

    In the SafeGuard Management Center, select a machine that you want to encrypt and use the RSoP function to verify that an encryption policy applies to the machine. Hint: Although default encryption policies are created in every environment (and placed on the root node), the default Full Disk Encryption policy is set to "No Encryption" to prevent accidental encryption of all machines.

    If an encryption policy is assigned and encryption is enabled in the policy, check the Reports section of the Management Center for any hints on why the machine does not encrypt.

    "3) Any best practices for workgroup deployments? I don't seem to find any best practice documents that talk about workgroups."

    There is no Best Practice Guide for workgroup environments available.

    If you're working with multiple workgroups and want to apply different policies to the endpoints depending on the workgroup membership, I'd suggest manually creating the workgroup objects in SafeGuard Management Center (see above) and applying the policies on workgroup level rather than root level.

    Hope that helps,

    Chris

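As an added example (not part of the original thread and not Sophos code), the following PowerShell script collects the local facts a practitioner checks on an endpoint that has registered but never starts encrypting, alongside the RSoP and Reports checks recommended above: workgroup versus domain membership, TPM state, the BitLocker status and key protectors of the OS volume, and whether the client services are running. It uses only built-in Windows cmdlets (`Get-CimInstance`, `Get-Tpm`, `Get-BitLockerVolume`, `Get-Service`); the assumption that the SafeGuard client services have display names beginning with "SafeGuard" is mine and should be adjusted to whatever `Get-Service` shows on your build.

```powershell
# Added troubleshooting script; not part of the original thread or of SafeGuard Enterprise.
# Run in an elevated PowerShell on the endpoint that refuses to encrypt.
# Policy assignment itself must still be verified with RSoP in the Management Center.

$report = [ordered]@{}

# 1. Domain/workgroup membership. Workgroup machines report into Root -> Auto registered
#    until a matching workgroup object exists in the Management Center.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$report['Computer']     = $cs.Name
$report['PartOfDomain'] = $cs.PartOfDomain
$report['Workgroup']    = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }

# 2. TPM state. Get-Tpm ships with Windows 8 / Server 2012 and later.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $report['TpmPresent'] = $tpm.TpmPresent
    $report['TpmReady']   = $tpm.TpmReady
} catch {
    $report['TpmPresent'] = 'unknown (Get-Tpm failed: ' + $_.Exception.Message + ')'
    $report['TpmReady']   = 'unknown'
}

# 3. BitLocker status of the OS volume. Requires the BitLocker feature and elevation.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($null -eq $os) {
    $report['BitLocker'] = 'Get-BitLockerVolume returned nothing: BitLocker feature missing or shell not elevated'
} else {
    $report['VolumeStatus']      = $os.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
    $report['ProtectionStatus']  = $os.ProtectionStatus    # Off until protectors are active
    $report['EncryptionPercent'] = $os.EncryptionPercentage
    $report['KeyProtectors']     = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
}

# 4. SafeGuard client services. ASSUMPTION: display names start with "SafeGuard".
$sgn = Get-Service | Where-Object { $_.DisplayName -like 'SafeGuard*' }
$report['SafeGuardServices'] = if ($sgn) {
    ($sgn | ForEach-Object { "$($_.DisplayName)=$($_.Status)" }) -join '; '
} else { 'none found (check the display-name pattern)' }

# 5. Interpretation: the common local reasons encryption never starts.
$findings = @()
if ($report['TpmPresent'] -ne $true -or $report['TpmReady'] -ne $true) {
    $findings += 'TPM missing or not ready: a policy that requires a TPM protector cannot start; only password/startup-key protectors are possible.'
}
if ($os -and $os.VolumeStatus -eq 'FullyDecrypted' -and -not $os.KeyProtector) {
    $findings += 'No key protectors on the OS volume: no policy has enabled BitLocker yet. Check RSoP and the Reports section.'
}
if ($os -and $os.VolumeStatus -eq 'EncryptionInProgress') {
    $findings += "Encryption is running ($($os.EncryptionPercentage)% done); the client is working, let it finish."
}
if ($sgn -and ($sgn | Where-Object Status -ne 'Running')) {
    $findings += 'A SafeGuard service is not running; the client cannot apply policy until it is.'
}

[pscustomobject]$report | Format-List
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No local blocker found; verify policy assignment with RSoP in the Management Center.'
}
```

Run it once on a machine that does encrypt and once on one that does not; the difference in the `KeyProtectors` and `SafeGuardServices` lines usually points straight at the cause.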
  • Hi ChrisD,

    I've successfully encrypted a Windows 8.1 device using SafeGuard (using BitLocker) and set a POA password. However, when I log in as a normal user it never seems to register that user with the SafeGuard server. It shows that user as an SGN Guest in the client status. When I expand the computer information in the SafeGuard Enterprise Console, on the Users tab it only shows the Administrator account. Is there a setting I missed somewhere that tells it to auto-register other new users?

    Thanks!

  • Hi cabady, 

    sounds good - and yes, you're probably missing a policy setting :).

    Please see my latest reply in http://community.sophos.com/t5/Sophos-SafeGuard-products/Enforce-Data-Exchange-only-on-USB-Removable-Media-for-all-users/td-p/55823 

    Cheers,

    ChrisD

  • Hi ChrisD,

    That link doesn't seem to work. I get an "invalid parameter" error.

    Thanks!

    Whoops, same here... sorry, should have checked the link.

    Anyway, here is the relevant part from the thread: 

    Re: Enforce Data Exchange (only) on USB Removable Media for all users of a PC
    Wed 18-Feb-2015 12:17
    
    Hi David,
     
    there is no need to distribute every single user to every single machine. The users auto enroll themselves during the first logon to the SafeGuard Data Exchange computers:
     
    In a scenario where SafeGuard Device Encryption (incl. POA) is used, the first user to log on in Windows is automatically registered in the SafeGuard POA. At first, no other Windows user can log on at the SafeGuard POA. Further users must be imported with the assistance of the first user.
     
    When the Device Encryption (incl. POA) is not installed, the registration process for new Users changes slightly:
     
    To allow new user registrations for every user (w/o the registered owner being present), change the policy "Specific Machine Settings | User Machine Assignment (UMA) | Allow registration of new SGN Users for" from "Owner" to "Everybody".
     
    Policy hint: Defines who is able to import another SGN user into the SafeGuard POA and/or UMA (by disabling the pass-through to the operating system).
    Note: For endpoints that do not have the Device Encryption module installed, the "Allow registration of new SGN users for" setting must be set to "Everybody" if it should be possible on the endpoint to add more than one user to the UMA with access to their key ring. Otherwise users can only be added in the Management Center.
     
    After changing the policy and synchronizing the changes to the Clients, users who log in to a SafeGuard Data Exchange Client for the first time will be automatically listed as a "SafeGuard User" and have access to their encryption keys if the Client version is 6.10 or 7.0.
     
     
    Hope that helps,
    ChrisD

    Cheers,

    Chris

  • Hi David,

    So I'm deploying BitLocker Encryption with SGN. I ended up with the BitLocker POA screen as opposed to the Sophos POA prompt. I've set the "Allow registration of new SGN users for" to Everybody but when I log in I'm still listed as a Guest.

    Where do I actually add the users? 

    Also, with the BitLocker POA, what credentials will be used at power on? Is it always the password that I was initially asked for when SGN enabled BitLocker? Or will the BitLocker POA password get updated once a new SGN User is registered in the UMA?

    Sorry for so many questions, I'm new to the product!

    Thanks so much!

  • Anyone else have any idea? I'm not sure what I'm missing. Even on another machine, after I set up BitLocker and do the initial encryption under the Administrator account, when I log in as another user (who has admin rights, but is a Microsoft account), I'm always listed as an SGN Guest on the Sophos SafeGuard Client Status.

    I wish there was a guide for proper setup of SafeGuard in a non-Active Directory environment!
