
POA password management from Enterprise Console

I've taken a new position and was handed the responsibility of the Sophos Endpoint administration, so please bear with me as I am new to this software. I was not part of the installation.

We are a multi-office company with laptops utilizing Sophos Endpoint with Full Disk Encryption managed through the Enterprise Console (version 5.1.0.1839).

We have users travelling to other offices and wishing to use the laptops onsite instead of travelling with their own.  There are also floater laptops available at the offices that we use as backup and for use in conference rooms etc...

The issue we are having is that the POA password is set for the single owner. When that owner is out of the office, no one can use the laptop.

We do have a general POA user set in the policy, used for IT support purposes.

My thought is to make the POA user password something generic so we can give it to users so they can boot the laptop. Is it possible to manage/change the password for the POA user in the policy? If I change the generic POA password monthly, will the new password get sent when the policy updates? Is it possible to have multiple POA users in the policy, maybe a different password for each office location?

After reading the forums, I did notice there is a separate SafeGuard Management Center with more features.  Am I able to install this to manage encryption or am I stuck with the Enterprise Console with less features?

  • Hello tk330,

    as you've seen SEC offers only very basic management for SDE. The Management Center requires a license of the full product.

    "We do have a general POA user set in the policy"

    There's one user per policy, thus you'd have to group endpoints accordingly, giving each location its own POA user. As with all other policies, the settings are sent to the clients whenever a policy is changed. Are the traveling users logging in with their own (roaming) account? Please note that when using the service account the user will not be enrolled (see Sophos Enterprise Console 5.2 w/SafeGuard 5.60 Setting up for PCs with Multiple users).

    Encryption protects data on the laptops and POA is an essential part. "Common" passwords tend to leak, and while POA with a common account is better than no POA, it is an additional risk. Thus you should perhaps restrict its use to the floater laptops; in addition, make sure that as little data as possible is left on the laptops. There's IMO too much attention paid solely to encryption and too little to the accompanying measures. A laptop might bear some identification tag, and when it's lost or stolen it might not be too hard to elicit such a common password by social engineering.

    Having said this, a full-featured product offers more features (though because of this it might not simplify management), but these might not be indispensable.

    Christian
