This discussion has been locked.

How do you all manage removable media?

I'm looking for some ideas on how to manage removable media. I can't be the only one that's noticed Sophos Central does not give full device IDs in logs or events. The only time I see the full ID is the first time it's blocked. For example, I go into Central and view the current allowed devices in my removable media policy and all I can see is: USBSTOR\DiskGeneral_USB_Flash_Disk_1100.

Like many companies, we bulk purchase flash drives. This means that every single device in my exclusion list looks identical. I have no way of removing or troubleshooting a specific device. Also a problem is logs. If I'm going through logs I can't tie a specific user's activity to a specific device. My only option is to create a new rule for every single user with the media they're allowed to use. This would get out of hand quickly.

I've opened tickets with Sophos support and they say it's a "feature request". I feel like this feature is vital to managing removable media on my network. I'm really hoping that I'm just missing or misunderstanding something in Central. So how do you go about using Sophos Central to manage your removable media?



  • Hello TheLinuxNoob,

    every single device in my exclusion list looks identical
    I'm not using Central so I can't say whether the Device ID isn't displayed at all, inadequately accessible (e.g. by hovering over the Model ID), or in a location you've missed.

    [not] a new rule for every single user
    Well, what would you suggest? All permitted user/device combinations in a single policy? Can't imagine that this would be any clearer; instead of a plethora of user policies at the policy level you have a plethora of settings inside one policy. It would be more or less asset management. Don't forget that if this is a feature it has to scale (potentially for thousands of users and devices). But perhaps you have a better idea.

    Christian

  • every single device in my exclusion list looks identical
    I'm not using Central so I can't say whether the Device ID isn't displayed at all, inadequately accessible (e.g. by hovering over the Model ID), or in a location you've missed.

    As I mentioned in the original post, only part of the device ID is accessible. USBSTOR\DiskGeneral_USB_Flash_Disk_1100 is all you get; the full device ID continues after "1100" and is unique to the device. There is one time and one time only that you can see the full device ID: the very first time the device is blocked. In the pop-up you see the entire device ID. This tells me Sophos is getting that information from Windows. If you try to connect the device a second time you will not see a block message. I've been on the phone with support multiple times and they all seem confused that displaying the full device ID isn't automatically done. They'll usually say, "Let me put you on hold and confer with a colleague." Which is usually followed by, "Displaying the full device ID isn't something that's supported."

    [not] a new rule for every single user
    Well, what would you suggest? All permitted user/device combinations in a single policy? Can't imagine that this would be any clearer; instead of a plethora of user policies at the policy level you have a plethora of settings inside one policy. It would be more or less asset management. Don't forget that if this is a feature it has to scale (potentially for thousands of users and devices). But perhaps you have a better idea.

    I would suggest a very simple solution: display the full device ID. This allows granular control over removable media in your network.

  • Hello TheLinuxNoob,

    thanks for the clarification. This doesn't sound like a missing feature but more like a bug, definitely a deficiency in the UI. The information is there, and it's not insignificant.

    Christian
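
Since the thread establishes that the full ID comes from Windows, it can be read on the endpoint itself. The following is an added example, not part of any post in this thread and not Sophos code: a PowerShell function that lists every USB mass-storage device instance Windows has recorded under the USBSTOR enumeration key, so drives of the same model can be told apart by their instance part. The function name `Get-UsbStorInventory` and the CSV file name are made up for illustration.

```powershell
# Added example: inventory the USB mass-storage devices this endpoint has seen.
# Windows records each one as
#   HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<model key>\<instance key>
# Drives bought in bulk share the model key and differ only in the instance key.

function Get-UsbStorInventory {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )

    foreach ($model in Get-ChildItem -Path $Path -ErrorAction Stop) {
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $props        = Get-ItemProperty -Path $instance.PSPath
            $instanceName = $instance.PSChildName

            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                Model            = $model.PSChildName
                InstancePart     = $instanceName
                DeviceInstanceId = "USBSTOR\$($model.PSChildName)\$instanceName"
                # An '&' as the second character means the device reported no
                # serial number and Windows generated the instance ID, so it
                # is only unique on this machine.
                HasOwnSerial     = $instanceName[1] -ne '&'
                FriendlyName     = $props.FriendlyName
                # First hardware ID: the model-level string without the
                # per-device part.
                HardwareId       = @($props.HardwareID)[0]
            }
        }
    }
}

$inventory = Get-UsbStorInventory

# Identical models sort together; the instance part tells the drives apart.
$inventory |
    Sort-Object Model, InstancePart |
    Format-Table Model, InstancePart, HasOwnSerial, FriendlyName -AutoSize

# Keep a copy for the asset register (file name is an arbitrary choice).
$inventory | Export-Csv -Path .\usbstor-inventory.csv -NoTypeInformation
```

Rows where `HasOwnSerial` is false cannot be matched reliably across machines, which matters when the exported list is used to label or track bulk-purchased drives.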
