
Safeguard Enterprise 8.x and management of "free range" systems

Installing an environment where the customer will need a "managed" environment: systems that are imaged, prepped for deployment "anywhere" and will never reach back into the environment at HQ and check in. They will be forever out in the wild as "free range", but encrypted of course :)

These systems won't ever be on the same network as the server, won't ever talk to the server after their first "check in" before they are given to someone to take with them, and won't ever be seen again on the network until the system returns and is reimaged for the process all over again.

There have been some strong debates over unmanaged vs managed. The key recovery will be a process owned by a helpdesk scenario: if a user with one of these systems calls in for issues, they'll have to be remotely supported and supportable, since the system can't use VPN or reach back into the home HQ network.

Hopefully others can chime in on settings or configurations that can lend a view one way or the other and make this process as easy as possible to support and move forward with.

Additionally, these endpoints will need to be upgraded remotely (software on the systems from a different vendor will provide for remote desktop support), so if a client endpoint install can be transferred to the system and the configuration file upgraded (and scripted), that would be wonderful. Even if a script or process isn't available, if it's feasible I'll be building the process to support that option.

Thanks for all input. The things described above aren't flexible; they are the situation the customer is in, and any suggestions to ask them to change will not be met with approval from the customer side.


Additional important notes: no AD is used; it will be all local computer accounts on every system, and no GPO.



  • FormerMember

    Hello Aileen,

    Yes we have a scenario specifically for that.

    If you go into the SafeGuard Management Centre > Tools > Configuration Package Tool > Standalone Client Packages you can create a configuration package from there for these types of machines. When these machines are configured as Standalone they still have all the same options as Managed, with the exception that they don't sync with the SafeGuard Server.

    In terms of the installation, all three of the SafeGuard components (PreInstall, Client & Config) are MSI files that can be easily distributed/installed via script.
    The following should prove useful https://docs.sophos.com/esg/sgn/8-0/admin/win/en-us/webhelp/index.htm#concepts/ClientInstallCentralCommand.htm

    Of course, if you do need help developing a custom script you can speak to your account manager, who can book in some time for our Professional Services department to create something bespoke for you.

    Please let me know if you have any questions on the above.
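    The sequenced, scripted install the reply describes (PreInstall, then Client, then the Config package), as an added example that is not part of the thread and is not Sophos code. The MSI file names and the log directory are assumptions; take the real names from your install media and from the package you exported with the Configuration Package Tool.

```powershell
# Added example, not from the thread or Sophos. Installs the three SafeGuard
# client MSIs in order, silently, with a verbose log per component, and stops
# at the first failure so a half-installed endpoint is never left behind.
$LogDir = 'C:\Windows\Temp\SGNInstall'                  # assumed log location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# File names are assumptions; the config MSI is the package you exported.
# 'Signed' marks vendor MSIs whose Authenticode signature we verify before
# running them, since the files are copied to endpoints over a remote channel.
$Components = @(
    @{ Name = 'PreInstall'; Msi = 'SGNClientPreinstall.msi';    Signed = $true  },
    @{ Name = 'Client';     Msi = 'SGNClient.msi';              Signed = $true  },
    @{ Name = 'Config';     Msi = 'SGNClientConfig_Managed.msi'; Signed = $false }
)

$RebootNeeded = $false
foreach ($c in $Components) {
    $msi = Join-Path $PSScriptRoot $c.Msi
    if (-not (Test-Path $msi)) { throw "Missing installer: $msi" }

    if ($c.Signed) {
        $sig = Get-AuthenticodeSignature -FilePath $msi
        if ($sig.Status -ne 'Valid') {
            throw "$($c.Name): signature check failed ($($sig.Status)); not installing"
        }
    }

    $log = Join-Path $LogDir ("{0}.log" -f $c.Name)
    # /qn = no UI, /norestart = we decide when to reboot, /L*v = verbose log
    $msiArgs = @('/i', "`"$msi`"", '/qn', '/norestart', '/L*v', "`"$log`"")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($p.ExitCode) {
        0    { Write-Host "$($c.Name): installed" }
        3010 { Write-Host "$($c.Name): installed, reboot required"; $RebootNeeded = $true }
        default { throw "$($c.Name) failed with exit code $($p.ExitCode); see $log" }
    }
}

if ($RebootNeeded) { Write-Host 'Reboot the endpoint to complete the installation.' }
```

    Run it from the folder holding the three MSIs in an elevated session; the per-component logs under the log directory are what to collect when a remote upgrade fails.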

  • So, is the only true designation of Managed vs Unmanaged the verification of whether the system is currently synced with the server? In my testing I've been able to use them as Managed, because their first deployment of the software on an endpoint will be "managed" and they will talk to the server initially, as well as when the system is returned.

    The install of the software I have already completed, but I appreciate the link.

    Custom scripting is not an area I will need assistance with, but again, the information is there.

    However, perhaps my question about the pattern of install/uninstall was more related to upgrading components at my endpoints when they are deployed and not reachable by the server.

  • Decided to come back and update this. Discussion with our assigned SE and manager decided that we had to use a custom approach: Managed systems at first for a single "sync" and then "sent out into the wild" after that. We have ways to reach these systems remotely and uninstall/reinstall software as well as push any new configuration files from Sophos. We just can't change any encryption on the fly, since they can't reach the encryption server in the closed home environment.

    There is not always a one-size-fits-all solution, and despite attempts to try to get us into a "standalone" vs "managed" mindset, which is normal for Sophos, we had to go with a unique approach to manage assets.

    The MSI was referenced when we were testing our procedure for automated uninstall/install of software, so it was nice to see the link again. There was just no way to manage the number of assets we need to deploy and keep track of as individual stand-alone devices.

    Thanks.