SafeGuard BitLocker encryption

A computer is already encrypted by another encryption product. How do I manage it through Sophos? Is it possible?

  • In reply to SUBHASRI D:

    Hi  

    Please refer to this article, which provides SQL queries for a few of the reports that are not available as reports in the SafeGuard Management Center. Apart from that, you can refer to this article, which explains reports. You can navigate the document through the panel on the left-hand side.

  • In reply to SUBHASRI D:

    You can also easily produce inventory logs from the server, which will show client drive state (encrypted/not) and also encryption type, device last seen etc. No SQL queries are needed for this - it's built into the console.

  • In reply to MichaelMcLannahan:

    Hi,

    Can you guide me through where I can find it in the console?

    There is a tab for reports, but I need the logs of the users who are managed by SafeGuard Management Center.

    Regards,

    Subhasri

  • In reply to SUBHASRI D:

    This "basic" report doesn't contain users, but instead the devices.

    1. Click on the root of your domain (on the left).
    2. Select Inventory on the tabs on the right.
    3. Click the magnifying glass (without entering a PC/hostname). This will list ALL devices that have reported into SafeGuard.
    4. Select one device (any one - doesn't matter).
    5. File - Print Preview - "Calculating print area might take several mins" - click OK.
    6. When the window opens - File - Export Document.
    7. Find the format you need and save it to view later.

    What data are you looking for with your users? The users of the console or users of the devices that have SafeGuard installed?

  • In reply to SUBHASRI D:

    Hi  

     has already suggested the simple way to export the inventory of the Safeguard Management Center. Safeguard manages computers, not the users, so you'll find the computers in the inventory, not the users.

    I am assuming that you want a report for the users who are assigned against the computers in the Safeguard. Please use the below SQL query which will help you to fetch users assigned to the computers:

    -----------------------------

    -- List the users assigned to each computer registered in the SafeGuard database
    USE SafeGuard;

    SELECT USR_ID, USR_LOGON_NAME, USR_FIRST_NAME, USR_LAST_NAME, USR_EMAIL, MACHINES.*
    FROM
        -- Computers joined to their user-machine assignments
        (SELECT SGD_NAME, SGD_ID, UMA_USER_ID, SGD_DSN, SGD_SCHEMA_CLASS_NAME
         FROM Safe_Guard_DIR
         INNER JOIN USR_MACHINE_ASSIGN
             ON Safe_Guard_DIR.SGD_ID = USR_MACHINE_ASSIGN.UMA_MACHINE_ID) AS MACHINES
    INNER JOIN USERS ON USERS.USR_ID = MACHINES.UMA_USER_ID;

    -----------------------------

    This query is mentioned in the KB article I provided to you above. Please refer to this KB once, so you'll be aware of the number of reports that can be generated through the query.

  • In reply to Jasmin:

    Hi,

    How do I work with Power-on Authentication in SafeGuard? And can username & password be the only way to boot the machine?

    And one more query: I need the Windows credential and SafeGuard credential as only one sign-in. Is it possible?

    Regards,

    Subhasri

  • In reply to SUBHASRI D:

    POA is dependent on OS - it's no longer available in Win10. What OS are you referring to?

    I'm afraid the second credential provider (Windows AND SafeGuard) will be visible. It is possible to hide the Windows one but I know this can have a strange impact on the system, and it's critical you appreciate what changes/impacts there are. I went down the route of educating users on "please use the Sophos Cog to log in from now on" approach.

    You must also plan that if you should remove SafeGuard at any point (or you're unable to log in with SafeGuard owing to an error) you'll not be able to log into the machine.

    https://community.sophos.com/kb/en-us/114190

  • In reply to MichaelMcLannahan:

    If this is not going to work on Win 10, then how do I protect the drive in my machine?

    What is the use of SafeGuard in Power-on Authentication?

  • In reply to SUBHASRI D:

    Windows 10 (and some versions of Win7/8) use BitLocker and it's this that is managed by Sophos SafeGuard. Previously, in earlier OSes, Sophos did their own disk encryption and POA worked with that.

    So SafeGuard will help you manage BitLocker and store the recovery keys within the console/SQL. The users will see the "standard" BitLocker screen when they power on their devices. They'll enter a PIN (if set by SafeGuard policy) or password (Windows 10 supports passwords for those devices without TPM) and/or TPM can be used. It's also possible to use a USB Startup key too - but my personal opinion is best to stick with TPM/PIN combination if supported.

    Hope this helps and clarifies a little?
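
To check on a client which of the BitLocker boot logon modes mentioned above (TPM, TPM + PIN, password, USB startup key) is actually in effect, and whether a recovery password exists, the following PowerShell classifies volumes by key protector type. It is an added example, not part of the thread or of Sophos's tooling; `Get-BootProtectorFinding` is a hypothetical helper name and the sample objects are constructed to mirror the shape of `Get-BitLockerVolume` output.

```powershell
# Added example (not from the thread): classify how each BitLocker volume unlocks at boot.
function Get-BootProtectorFinding {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        # Normalise protector types to strings (they are enum values on a real client).
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $finding = if ("$($Volume.ProtectionStatus)" -ne 'On') {
            'Protection off (decrypted or suspended)'
        } elseif ("$($Volume.VolumeType)" -ne 'OperatingSystem') {
            'Data volume: no boot logon mode applies'
        } elseif ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
            'TPM + PIN'
        } elseif ($types -contains 'Tpm') {
            'TPM only: no user input at power-on'
        } elseif ($types -contains 'Password') {
            'Password (device without TPM)'
        } elseif ($types -contains 'ExternalKey') {
            'External (USB) key'
        } else {
            'No boot protector found'
        }
        [pscustomobject]@{
            MountPoint  = $Volume.MountPoint
            Status      = "$($Volume.VolumeStatus)"
            Protectors  = $types -join ','
            HasRecovery = $types -contains 'RecoveryPassword'
            Finding     = $finding
        }
    }
}

# Constructed sample objects so the example runs offline on any PowerShell host.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'TpmPin' }, [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
        KeyProtector = @() }
)
$sample | Get-BootProtectorFinding | Format-Table -AutoSize

# On a managed client, from an elevated prompt:
# Get-BitLockerVolume | Get-BootProtectorFinding
```

A volume that reports `HasRecovery = False` is worth comparing against the recovery keys held in the management console before the device is relied on.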

  • In reply to MichaelMcLannahan:

    Hi  

    Please find the document for authentication policy, which will help you to understand the options explained by Michael. POA only comes with SafeGuard encryption, but it is not needed after the arrival of Windows 10, as Microsoft has already provided the native encryption technology "BitLocker". Now SafeGuard only manages BitLocker for the drive encryption, so if you want to set up POA for those users, you can use the options mentioned under "BitLocker Logon Mode for Boot Volumes".

  • In reply to Jasmin:

    Hi,

    Let me be clear about what I actually need.

    1. We want to implement Username & Password Authentication at "Pre-Boot Authentication" instead of BitLocker Password only. Is this possible to achieve with Sophos SafeGuard + BitLocker?
    2. Single Sign On (PreBoot + Windows Logon Authentication Synchronisation): is this possible to achieve with Sophos SafeGuard + BitLocker?

    We are using Microsoft Windows 8, 10.

  • In reply to SUBHASRI D:

    Hi  

    Please refer to the answers below for your queries:

    1. It is not possible to implement Username & Password Authentication instead of the BitLocker Password with any kind of encryption software, as in preboot authentication the machine never has access to network services and hence the user can't be authenticated against the AD.

    2. If you have installed SafeGuard Encryption on the client, you need to log in to the SafeGuard cred provider instead of the Windows cred provider, as it syncs clients to the SafeGuard server automatically at a fixed interval and generates user certificates. The SafeGuard cred provider is not different; the username and password for that will be the same as the Windows username and password.