
Tamper Protection Greyed Out

Hello,

I am having some difficulties with Tamper Protection.

We have set Tamper Protection policies for each group, but most of the endpoints have the Authenticate User option greyed out.

I activated and deactivated the policy in the management console several times, but with no effect.

I restarted the endpoint computers.

I changed the computers from group to group.

The result is the same: the Authenticate User option remains greyed out.

Can you help me in this situation?



  • Hello Adrian Ceteras,

    "Authenticate User option greyed out"
    Did you check with a user that is a member of the SophosAdministrator group, or is it that the usual users have this option greyed out? If the latter, it's the expected behaviour.

    Christian

  • Hello Christian!

    We tried with the logged on user.

    I saw that if I log in with my domain account the option appears.

    Is this the normal behaviour?

  • Hello Adrian Ceteras,

    it is. Tamper Protection restricts a SophosAdministrator's rights (unless the correct password is entered) so that a local admin can't change the settings. The SophosAdministrator group is populated with the members of the local Administrators group at install time. For a non-SophosAdministrator, TP doesn't make a difference anyway.

    Christian

  • Sorry Christian, but for us this sounds bad on many levels:

    1. Every time something wrong happens and we have to use Tamper Protection, it is uncomfortable for us and for the user, because we have to log out that user (and go through the user's: "I have to save and close everything now? I am in the middle of so many things...").

    2. Once we log out that user, all the mapped drives, recycle bin, folders, programs, files, etc. are password protected, and that can be an issue at the scanning point.

    3. After the moment of installation other admins could show up: not all admins have logged on to every single computer in the network, and new admins could show up in the company. Will they have access to this option?

    Having the option active no matter who the logged-in user is sounds like a much better option. You will need the password anyway... and that password is known only by the admins.

  • Hello Adrian Ceteras,

    "Sorry"
    I'm not Sophos so I won't take comments on a product personally :)

    This is perhaps a misunderstanding - or several.

    • First of all, as already noted, TP isn't there to elevate a user's rights. Sophos has added it (and now even beefed it up) only reluctantly after years of demands by customers.
    • With standard TP the SophosAdministrator membership isn't an issue, as local admins can always add themselves to this group. And domain admins are usually indirectly local admins.
    • While you can add any user to the SophosAdministrator group, this won't elevate their Windows rights.

    What is the "something wrong" you need to resolve? As you mention "password protected": do you use EFS or some other file encryption?

    Christian

  • Hello!

    It was never intended to offend or to take this personally... Sorry if it sounded like that...

    We found a workaround for this.

    From the already logged-on user, if we start Sophos with "run as admin", then we can enter our domain admin credentials, and the TP option is there for use.

    So problem solved.


    Thank you for clearing all the misunderstandings.