Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 2378 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Controlling access to client update server settings

RMenth
We are creating a package of Sophos Endpoint Security and Control 9.0.5 that home users can download for their personal computers. We would like them to have full control of the console on their local machines, but would like to prevent them from changing the settings in the "Configure updating" section of the console. This is so they don't inadvertently make changes that will prevent them from retrieving updates from our website. I've experimented with the various local security groups in Windows XP, and can't find a way to prevent access to this section of the console without removing the user from the SophosAdministrator security group. Every other group is far too restricting though. I can't find any mention on how to do this in the knowledgebase or support documentation. The home users will be on various platforms, mostly Windows XP/Vista/7. Some will be OS X. Thanks for any help!
:2821


This thread was automatically locked due to age.
  • 0

    Hello,

    you will probably use sauconf.xml for Windows clients to pre-configure the updating policy. Per default (after you've created it with exportconfig.exe)  it has  AllowLocalConfig="false" for the update locations, schedule and logging. I'm not aware of a similar setting for Macs (which, BTW, can also be pre-configured - see ). I know you can "lock" it from the GUI but it's an OS X feature.

    Christian 

    :2838
  • 0

    Hi Christian,

    Thank you very much for your help.  When I generate that savconf.xml file through the exportconfig.exe utility, the resulting file does not contain any line resembling AllowLocalConfig.  The exact command was exportconfig.exe -type SAV -policy "NNUHomeUsers" -output c:\Test\savconf.xml. 

    Maybe I'm running a different version of the Enterprise Console or exportconfig.exe utility? 

    The Enterprise Console is 4.0.0.2362.  The exportconfig.exe utility reports that it is version 2.0 when I run it.

    I also noticed that in your post you said the name was "sauconfig.xml" rather than "savconfig.xml".  Are we talking about the same creature?

    Maybe there's a way I can manually insert that AllowLocalConfig line?  That may get painfully complex though...

    Thanks again.

    :2848
  • 0

    Hello again,

    "sauconfig.xml" rather than "savconfig.xml".  Are we talking about the same creature?

    Probably not :smileyhappy:: savconf.xml is for the Anti-Virus settings (scan, cleanup and scheduled scans), sauconf.xml is for the update settings. You'd use -type=AU for this.

    HTH

    Christian

    :2864
  • 0

    This is working great for Windows machines.  If I find a good solution for Macs, I'll post it here for posterity. 

    Thanks again.

    :2921
Unfiltered HTML