Application control policy not updating on non-reporting agent

Recently we found out that Firefox has been renamed to Firefox Quantum and found that it was being blocked by the Sophos application control policy. I added the new version of Firefox to the allowed application list and applied the policy from the Enterprise Console. On most agents, once the policy was applied, Firefox worked again. The problem is that in my environment we have computers that are used mainly outside the network. While we do have the network configured for remote management, some computers, when outside the network, do not show online in the SEC. Thus we have some with an outdated application control policy, and the only way to get them updated is to have the user bring in the computer, which in some cases is not really a solution as they are too far from the office and never come in. I was wondering if someone could tell me where the files that control the application control policy are located. I want to copy the policy from a computer which is updated to a computer that is not syncing with the SEC. Please let me know the best way to update these computers, as right now they cannot open Firefox. These computers have an external update policy, and I can confirm via our computer management tool that they are indeed getting updates, just not reporting to the SEC, so the application control policy is outdated.

  • Hello Scott Ishbia,

    an external update policy
    but do they update from one of your CIDs (published with a web server)? If so, you could configure this CID with an XML policy file. It's not "a file that has to be replaced" - that would make it too easy to bypass a policy.

    Christian

  • In reply to QC:

    I will give this a try. But the computers in question show offline in the SEC, so will this force the clients to update the policy even if they show offline but are connected to the internet?

  • In reply to Scott Ishbia:

    Hello Scott Ishbia,

    show offline in the SEC
    the offline/online (or rather, in SEC terms, Disconnected/Connected) status is determined by the Remote Management System (RMS). RMS uses ports 8192/8194 and is independent of updating (which uses NetBIOS/SMB or HTTP). Thus an endpoint might update but be unable to communicate, or it might communicate but be unable to update.
    If RMS is connected the endpoint will receive its policies via RMS. XML files in the CID are an alternative way to provide policies to endpoints.

    Christian
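The reply above separates the two channels: RMS (TCP 8192/8194) decides the Connected/Disconnected status and carries policies, while updating (SMB or HTTP to a CID) is a separate path. The script below is an added example for checking both from the remote endpoint; it is not code from the thread or from Sophos. The management server name, the CID URL and the Sophos service display name are assumptions (hypothetical values), while the port numbers come from the reply. Run it in PowerShell 4 or later on the laptop that shows Disconnected in SEC.

```powershell
# Added diagnostic: check the RMS channel and the update (CID) channel separately.
# Hypothetical values; replace with your own management server and CID URL.
param(
    [string]$ManagementServer = 'sec-server.example.internal',   # assumed host name
    [int[]]$RmsPorts = @(8192, 8194),                              # RMS ports from the reply above
    [string]$CidUrl = 'http://sum-server.example.internal/SophosUpdate/CIDs/S000/SAVSCFXP/', # assumed CID URL
    [string]$RouterDisplayName = 'Sophos Message Router'           # assumed service display name
)

# RMS: both ports must be reachable for the endpoint to show Connected in SEC.
function Test-RmsChannel {
    param([string]$Server, [int[]]$Ports)
    $results = foreach ($port in $Ports) {
        $tcp = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Channel   = 'RMS'
            Target    = "$Server`:$port"
            Reachable = [bool]$tcp.TcpTestSucceeded
        }
    }
    return $results
}

# Updating over HTTP: a web server answering at the CID URL proves the update
# path works even when RMS does not. A 403/404 on the directory root still means
# the web server answered, so it is reported as reachable with its status code.
function Test-UpdateChannel {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        $status = [int]$resp.StatusCode
        $reachable = $true
    }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
            $reachable = $true
        }
        else {
            $status = $null          # DNS failure, timeout, connection refused
            $reachable = $false
        }
    }
    [pscustomobject]@{
        Channel   = 'Update (HTTP CID)'
        Target    = $Url
        Reachable = $reachable
        Status    = $status
    }
}

# Local RMS router service state (display name is an assumption; absent = not found).
function Get-RouterState {
    param([string]$DisplayName)
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($svc) { return $svc.Status.ToString() } else { return 'not found' }
}

$rms    = Test-RmsChannel -Server $ManagementServer -Ports $RmsPorts
$update = Test-UpdateChannel -Url $CidUrl

$rms + $update | Format-Table -AutoSize
"Router service ($RouterDisplayName): $(Get-RouterState -DisplayName $RouterDisplayName)"

# Interpretation, following the reply above:
#   RMS reachable            -> policies should arrive via RMS; look at the endpoint/SEC side.
#   RMS blocked, CID reachable -> the XML policy file published in that CID is the route
#                                 that can still reach this endpoint.
$rmsOk = -not ($rms | Where-Object { -not $_.Reachable })
if (-not $rmsOk -and $update.Reachable) {
    'RMS blocked but CID reachable: policy must be delivered through the CID.'
}
elseif ($rmsOk) {
    'RMS reachable: endpoint should receive policies via RMS.'
}
else {
    'Neither channel reachable from here: check DNS, proxy and firewall egress first.'
}
```

The two checks are deliberately independent so the output matches the distinction in the reply: an endpoint can pass one and fail the other. Note that a successful TCP connect on 8192/8194 only shows the ports are open in the path; certificate or registration problems on the RMS side would still leave the endpoint Disconnected.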

  • In reply to QC:

    ok thanks. I have been reading over the steps to do this. Should ConfigCID.exe be run from the Enterprise Console or from the update manager where the agents are updating from?

  • In reply to Scott Ishbia:

    Hello Scott Ishbia,

    most important is to run it for the desired CID. :)
    It is not unlikely that the management server can't access the CIDs on a remote SUM. Please see here.

    Christian

  • In reply to QC:

    Thank you. I was able to create the XML policy and run it for the CID. It looks like these clients' policies are updated now.