Peripheral Control - Notify user but don't block

Hi, I want to apply a peripheral control policy on Sophos Cloud site to my clients. However I can't seem to see how to get the client to notify the user that an unknown device has been detected but still allow it through. I know there was the option in the server software version.

I want users to be notified to come to me to get their devices whitelisted. If I turn this feature on blocking everything straight away it's going to be chaos!!!



This thread was automatically locked due to age.
  • Hello Jason Tillman,

    first of all, when it's about endpoint management it's better to choose the applicable group - in this case Central instead of ESC.

    > there was the option in the server software version

    you mean on-premise managed with SEC and the Detect but do not block setting? The equivalent setting on Central is Monitor but do not block. Neither results in a desktop notification.

    Indeed what would be the purpose of this message to the user? You'd anyway have to use the Add Peripheral Exemptions dialog - and you could do this without the user coming to you before turning on blocking, or would you deny some of the requests?

    Christian

  • Hi Christian,

    Sorry I did not know that the Central forum was the one for this type of query.

    When I tested with the SEC and the Detect but do not block setting users were able to use their device but got a message which I customised to say something along the lines of "this device is not recognised by Sophos. Please contact the IT Department." The purpose being that as users got notified they can tell me what types of devices they are using. I could then add school owned and encrypted devices and refuse personal and unsecure devices.

    Without physically seeing the devices being used it's difficult to know what to allow or disallow without too great an amount of guessing! That's why the notifications are so useful. :)

    Jason Tillman

    Network Manager

    St Michaels RCP School

  • Hello Jason,

    > I did not know

    not really your fault, the group and forum names are somewhat ... er ... unfortunate. While the layout of the Communities per-product suggests itself there are many overlapping sections and there's no ideal solution.

    > users were able to use their device but got a message

    I've tested (otherwise I wouldn't have said there's no message) and just retested with an additional custom message - no notification (Windows 7) in case of Detect but do not block.
    Can't say if you ever got a message, I don't think so.

    Christian

  • Thanks for checking. I am happy to try and cope without it and add the bulk of devices in myself so when I turn the feature on I don't inconvenience loads of users, the trouble is unless I'm looking in the wrong place I don't seem to have much to go on. This is what's being used by the staff. I have no idea if these are encrypted school sticks or personal unencrypted sticks. How do I know what's safe to whitelist?

      

    Jason Tillman

    Network Manager

    St Michaels RCP School

  • Hello Jason,

    the Device Control component is the same for SESC and Central and the information you get in either console is essentially the same.

    > encrypted school sticks

    how are they encrypted? Device Control doesn't assess the contents, it just recognizes and supports certain Secure Removable Storage Devices.

    Christian

  • The encryption comes with the memory sticks. So it's all third party. Staff laptops are encrypted through GPO using BitLocker. Yes I have read that article before which shows the supported sticks. If a stick is not on that list does it mean that staff cannot use it? It won't open for them? If it turns out that a lot of our devices are not supported we cannot use this Peripheral Control feature at all? Thanks

    Jason Tillman

    Network Manager

    St Michaels RCP School

  • Hello Jason,

    I'm not an expert, I assume that supported Secure Removable Devices means they are classified as such and thus you can generally permit their use (note there's no Read-Only option for them). I assume unsupported ones fall under the simple Removable Storage type so you'd have to exempt them individually (or per Model ID). But it should be fairly easy to test.

    Christian

  • Yes I will have a go. That makes sense. My worry was just getting myself in trouble through turning this feature on and no one being able to access their work, crying, binning their sticks because they have "packed up" and then complaining as they all worked fine until I "fiddled with the network"!

    We only have about 50 staff so whitelisting individual ones won't take too long.

    Thanks for your help.

    Jason

    Jason Tillman

    Network Manager

    St Michaels RCP School