This discussion has been locked.

SEC 5.2.1 and Sophos for MAC OS X Preview (9.0.3)

Decided to give the Preview of Anti-Virus for Mac OS X, version 9.0.3 a try. Chose an old MacBook (running 10.4) as guinea pig. After assigning the alternate policy updating failed with a rather vacuous Error: Could not update Sophos-Anti-Virus at .... Update failed. No indication of the nature of the error and surprisingly no indication of the update location used.

Now, the error was not unexpected - 9.0.x requires MAC OS X 10.6 minimum but perhaps a more meaningful message could be issued. Anyway I checked the update location and found that it named ESCOSXL as source folder - obviously indicating the changed requirements (though I can't figure out what the L stands for :smileyhappy:).

Admittedly pre-10.6 versions should be rare by now (I've found two 10.5 installations still in use out of about 100). But the folder name change will affect unmanaged or occasionally off-site clients (yes, Cloud is the answer :smileywink:). I've found no reference though (I'd have expected this in the Release Notes). Even as it is Preview you should be required to discover this important information on your own.

Christian   




  • Carob wrote:

    So now it's "you hope you can address them"?  In an earlier post Bob had said this stuff was going to be done.  There was just no time frame.  I, along with the rest of my colleagues, have been waiting for this for about at least a year.  I would like to know what I am supposed to tell our clients.  As of now we don't have a truly viable option to supply to them.  Needless to say, those above me are concerned that our contract will not be renewed when the time comes.  Not only because of this situation but another open case that I have that has gone unresolved for 5 months and counting.


    You are probably taking Darren's comments a little too literally. To be fair to him, he hasn't always been the Mac endpoint product manager so he is getting up to speed.

    We still intend to evolve our approach and tools for deployment to meet your needs as well as others. Not committing to a timeline isn't the same as not doing it.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development


  • CheltCollege wrote:
    • Update server addresses (which is addressed in the latest version, sans proxy settings)

    Very curious to hear why you'd manage proxy settings for endpoints that are outside your own network. Sounds like users take these systems offsite, which I'd expect makes your own proxy servers unreachable. We didn't include the ability to set the proxy settings because we figured it was not useful.


    CheltCollege wrote:

    • Manage on access scanning (in archives/compressed files, but not network volumes)
    • Manage cleanup of infected files (delete infected files)
    • Display a custom desktop alert warning when a threat has been detected (explanation below)
    • E-mail a specified address when threats are detected for logging/tracking purposes.

    Thanks for this list. It's pretty extensive but not unrealistic. Please understand that we aren't going to create a separate tool to manage all possible settings. So although we may offer ways to pre-configure many or even all of these settings, we aren't going to guarantee your users can't change them. That is what Enterprise Console and Sophos Cloud are for.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development


  • bobcook wrote:

    Carob wrote:

    So now it's "you hope you can address them"?  In an earlier post Bob had said this stuff was going to be done.  There was just no time frame.  I, along with the rest of my colleagues, have been waiting for this for about at least a year.  I would like to know what I am supposed to tell our clients.  As of now we don't have a truly viable option to supply to them.  Needless to say, those above me are concerned that our contract will not be renewed when the time comes.  Not only because of this situation but another open case that I have that has gone unresolved for 5 months and counting.


    You are probably taking Darren's comments a little too literally. To be fair to him, he hasn't always been the Mac endpoint product manager so he is getting up to speed.

    We still intend to evolve our approach and tools for deployment to meet your needs as well as others. Not committing to a timeline isn't the same as not doing it.


    I wouldn't say I'm taking it too literally or otherwise.  Please understand this from a customer point of view...  We had a tool that, apparently, was widely used taken away with no replacement well over a year ago.  I've had customers basically complaining ever since that they don't have what we need/would like to give them.  And, after all this time, I still have nothing to tell them except "we're waiting for Sophos".  My guess is that it isn't making your company look too good to the 3rd party people in this situation.

    I know my boss for one is pretty over the situation (this one in particular as well as the others mentioned) and there have been talks about dumping the product for another.  Either when our contract is up or perhaps even earlier.


  • bobcook wrote:

    Very curious to hear why you'd manage proxy settings for endpoints that are outside your own network. Sounds like users take these systems offsite, which I'd expect makes your own proxy servers unreachable. We didn't include the ability to set the proxy settings because we figured it was not useful.


    In the past our users did update through a proxy server when on site (primary server) directly to Sophos and although they don't anymore, if circumstances were to change it's nice to have the option (although I can understand why this might be somewhat confusing/would be something that is no longer available).


    bobcook wrote:

    Thanks for this list. It's pretty extensive but not unrealistic. Please understand that we aren't going to create a separate tool to manage all possible settings. So although we may offer ways to pre-configure many or even all of these settings, we aren't going to guarantee your users can't change them. That is what Enterprise Console and Sophos Cloud are for.



    That wouldn't be a problem for us as it would be no different to the situation we currently have with SUM - as the users' machines are generally their own, it wouldn't fall upon us to ensure the software stays configured/remains installed on their computers, but covers us from our end that we at least provide an appropriately configured solution for them when setting up their computers on our network; once they leave our institution, the software is removed and the computers would no longer be in our control anyway. The main concern is that we can configure the endpoint to appropriately scan and remove threats and notify/inform us/the user of any action that they need to take should there be an issue.

    I must confess that I am unfamiliar with your Sophos Cloud offering, so we will investigate this and see if it is a suitable option for our end users.

    Many thanks.

  • Sophos Cloud is a managed option and hence allows a central administrator to enforce, maintain compliance, and change local AV settings.


    Trying to understand the requirements from both angles…


    From reading the thread it seems that the situation is one where there is a requirement to provide Mac users, who (and this is important) own the computer and is an administrator of it, an antivirus solution that minimizes the need for the end user to ‘get involved’ in setting up the software.


    I think the key thing here is that the business doesn’t own nor control the hardware and hence may not want endpoint antivirus software with full management capabilities as the IT department could end up fully owning or being further responsible for the installation. However the business wants to make it as quick and as simple as possible for the user to get up and running and best protected.


    Currently you can preprogram the standalone installer with updating credentials but the antivirus scanning settings are left to the default. The scanning settings are configured for best protection for on-access scanning and Live/Web Protection out of the box but do not include a scheduled scan and obviously have no awareness of network/environment customizations like excluding a particular drive etc.


    If the business owned the hardware they would definitely want/need to pick a managed solution (Cloud or Enterprise Console).


    If the user owned the hardware themselves and is conscious that an antivirus solution is required they’d buy a license for standalone SAV and use the credentials provided on the license schedule. Or, if they aren’t using the Mac in a professional capacity, opt for the free SAV for Mac Home Edition which has pre-programmed updating credentials. However in both cases the end user would need to read up on the software if they wanted to ensure it is configured exactly how it needs to be.


    The issue seems to be this overlap or even gap in the middle where an IT department for a company or college is mandated with providing antivirus protection to whomever needs it (e.g., everyone that connects to, or interacts with their systems) whatever that user’s relationship is to the business, and to maximize adoption and smooth out any hindrance to the users that may stop the user from protecting their own computer.


    Anyway, that’s my take on it, maybe others agree or have a different view.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS


  • CheltCollege wrote:


    That wouldn't be a problem for us as it would be no different to the situation we currently have with SUM - as the users' machines are generally their own, it wouldn't fall upon us to ensure the software stays configured/remains installed on their computers, but covers us from our end that we at least provide an appropriately configured solution for them when setting up their computers on our network; once they leave our institution, the software is removed and the computers would no longer be in our control anyway. The main concern is that we can configure the endpoint to appropriately scan and remove threats and notify/inform us/the user of any action that they need to take should there be an issue.


    In addition to the retirement of SUM we've been revising (e.g. completely replacing) the installer mechanism we used in v8, and this gives us the chance to rethink how and why the various different versions are deployed. Hence more questions. Do you simply send these users the installer? How often do you update that installer? How much after-installation support do you tend to offer these users?


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development


  • bobcook wrote:

    In addition to the retirement of SUM we've been revising (e.g. completely replacing) the installer mechanism we used in v8, and this gives us the chance to rethink how and why the various different versions are deployed. Hence more questions. Do you simply send these users the installer? How often do you update that installer? How much after-installation support do you tend to offer these users?


    Currently, the .mpkg configured by SUM is packaged in a .dmg file and stored on a network volume where it is accessible for first time installs (it is periodically updated, about once a year or so) - the preconfigured .mpkg contains all of the update/scanning/notification settings. We generally have not needed to provide after-installation support (other than when a threat has been detected and the user has contacted us) as the installation/updating/scanning has always worked rather successfully from an end user perspective (hence why we are looking to replicate the same pre-configuration functionality with the version 9 installer).

  • For bobcook...

    I guess I have to ask for a status update on the replacement tool.  Is this still in the "thinking about" stage, "planning" stage, "development" stage?  Any stage?

    It's been about 3 months with no update.

    Thanks.


  • Carob wrote:

    For bobcook...

    I guess I have to ask for a status update on the replacement tool.  Is this still in the "thinking about" stage, "planning" stage, "development" stage?  Any stage?


    Version 9.2 will include a feature to pre-configure the On-Access Scanner settings. It will work in the same way as the feature allowing pre-configuration of Update settings (command line tool). That version will be available as Preview for on-premise warehouses either late July or early August, depending how smoothly the rest of the project goes. There will be a corresponding KBA available at the same time.

    A prerequisite to releasing 9.2 as Preview is to move 9.1 from Preview to Recommended, replacing 9.0. That will happen in July.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development


  • bobcook wrote:

    Carob wrote:

    For bobcook...

    I guess I have to ask for a status update on the replacement tool.  Is this still in the "thinking about" stage, "planning" stage, "development" stage?  Any stage?


    Version 9.2 will include a feature to pre-configure the On-Access Scanner settings. It will work in the same way as the feature allowing pre-configuration of Update settings (command line tool). That version will be available as Preview for on-premise warehouses either late July or early August, depending how smoothly the rest of the project goes. There will be a corresponding KBA available at the same time.

    A prerequisite to releasing 9.2 as Preview is to move 9.1 from Preview to Recommended, replacing 9.0. That will happen in July.


    You're talking about a client version 9.2, right?  If so I guess I'm confused.  Is a new tool built into the client then instead of being something stand-alone?

    Also, if I remember correctly, the command line tool still only allowed certain things to be configured and not all being requested (by myself and others it seemed), is that right?

    When there is a KBA on the subject would you post the number/link here?
