
Deleting AD Computers, what if they are brought back?

Hi

This question may be a bit long-winded as I'm new to the team and I haven't used many Sophos products before, so sorry if these questions come across a bit soft.

I've been tasked with going through Sophos Enterprise Console and trying to get the "unmanaged" number of machines down to a nice number. Obviously most of these are desktops and laptops that haven't been on the network for months, so with the desktops I have been deleting the AD client and then purging so it clears them out.

With our laptops, though, these are encrypted by SafeGuard, which encrypts the C drive. What I can make out from staff is this: if, for example, I delete a laptop from the Enterprise Console that hasn't been logged on for months (so presumed decommissioned), but it is suddenly powered back on because it was really just sitting in a drawer unused, then we'd have an issue. Because I've deleted it from the Enterprise Console, and it is encrypted by SafeGuard, the Enterprise Console can't find it from AD any more, so trying to use the laptop is a problem.

This is a scenario put forward by my colleague, who says he ran into it before, so I was wondering: is there a way to export the settings (key) from SafeGuard for a specific laptop and keep it, so that if it was ever powered back on and re-introduced to the network I could import that back in?

I'm not even sure whether what I'm asking makes sense, because I haven't had the scenario happen to me yet. Please excuse my ignorance on the whole thing, but any information would be helpful.

  • Hello David Melia,

    this sounds like you are talking about the (now withdrawn and retired) Encryption component in Enterprise Security and Control, is this correct?

    Christian

  • Yes, I believe so.

    I actually finally have an example of this after becoming clear on how this situation works; sorry, I'm still learning how the software works and how it has been set up.

    So a laptop came in today that hasn't been touched in a while. It boots and goes straight into SafeGuard. We tried to "recover" it, and when you run the recovery wizard in SafeGuard Management Centre against this laptop you get "Missing POA or key information. Please check computer's inventory". From what I can make out, this has happened because the laptop has been deleted from AD and the database purged. That seems fair; the laptop will need to be formatted/imaged to be used again and can't be recovered, from what I'm reading.

    My issue here is that we have a lot of machines in the Enterprise Console classed as "unmanaged" and I'd like to delete these also from Active Directory and purge the database so the numbers come down. My worry is that I delete these, then suddenly a laptop/machine appears again from the cobwebs, is fired up, and now SafeGuard has it locked out. Is there any way of saving/exporting settings for machines before I go deleting them, so I could come back to them at a future date and bring them back?

    Hoping this makes it a bit clearer what I'm trying to achieve.

    Thanks

  • Hi David - I understand what you mean. I'd be very cautious about deleting the PCs from Sophos, as you'll remove the recovery key, which you may then need in future.

    You could create an OU/container within AD and move the computers you've not seen in a while into this? That would tidy things up, and then you wouldn't have to manually delete them from the console.

    The MISSING POA error you see is exactly as you've guessed: the client has failed to talk back to the server and update it with the latest inventory and, most importantly, the recovery key.

    The recovery keys can change, and exporting one may work for that one instance but then not again. Best not to delete anything you think may still be encrypted (and that you might want data off), and I think it's best to move them into another OU to tidy it up.

    Are we talking about LOADS of PCs here or a handful?

    I've not looked into it myself, but there is a "standalone" client option too for machines that never talk back to the network?

  • Hi

    So I made a new OU today which hasn't been added into the Sophos Enterprise Console, dropped the PC in Active Directory into this new OU, and hoped this would take the machine out of Sophos manually and make the "unmanaged" count go down. Unfortunately it has just taken the machine and put it in the "Unassigned" group in Sophos, so the number count is still there. Should that work, or was that really just a suggestion?

    Thanks

  • Hello David Melia,

    perhaps I'm dense. First I assumed you were talking about SESC/FDE, but in your reply you clearly talked about the SafeGuard Management Centre, though you've also mentioned the Enterprise Console again. Now you say Sophos Enterprise Console, you're referring to the Unassigned group (a concept that AFAIK does not exist in the Management Centre) and an unmanaged count. Could it be that you are talking about both SafeGuard and SESC and the interrelation between them and AD?

    Christian

  • I was making the assumption he WAS using AD and Enterprise Console, Christian - but perhaps I'm wrong too?! :)

    I suggested you create a container within AD, allow this container to sync with Sophos, and move your "old" computers into there in AD. You could then either manually sync this folder so the "old" computers move into this container, or, if you've set up the ADSync script, allow that to do it!

    I, though, may be confused like Christian!

    Perhaps you could clarify for us please David?

  • Sorry, I've caused quite the confusion here, haven't I.

    Yes, I'm using Enterprise Console to keep an eye on the "unmanaged" computers that we have. I wanted that number reduced vastly, as it doesn't look like most in here are on the network any more; they are probably decommissioned, but the AD accounts of the machines have not been deleted. The worry lies in me deleting these AD accounts and then, all of a sudden, I've made a mistake and one of these machines is brought back and someone tries to use it, at which point SafeGuard will produce the "Missing POA or key information. Please check computer's inventory" error when trying to do a recovery.

    So from there I made a new AD OU as suggested. I dropped one machine that I classed as out of the network (lastlogindate 6 months ago) into this new OU. This new OU has not been added into the Enterprise Console, so I'd hoped the PC would have dropped out automatically and brought the "unmanaged" number down. It did not; instead it dropped into the blue "unassigned" group in Enterprise Console. I'm guessing they'll never disappear unless I delete the AD account of the PC. What I'll have to do going forward, as suggested, is make a new OU, and anything classed as unmanaged whose lastlogindate is beyond a certain date I'll put in this OU and class as offline. I'd hate to lock a load of laptops out from SafeGuard, so I think this will be best practice.

    I did finally get to grips with SafeGuard today and how it functions. I managed to run the recovery wizard on a machine where the AD account had been deleted, exporting a key file to a USB with the help of WinPE and being able to see the files on the hard drive. I was hoping that software would let me decrypt the drive, but from what I've read this isn't possible. After restarting the machine, Sophos SafeGuard tells me it is still locked out. I found the original "inactive key" for the laptop from when it was first encrypted, but I don't see a way of assigning that to the machine now it seems to be dropped back into AD. It would be nice if that was possible, to get this old laptop back on the network without having to format it.

    I read through https://sophserv.sophos.com/repo_kb/108156/file/Recovery_in_SafeGuard_Device_Encryption.pdf but didn't get the solution I wanted.

    Thanks for all your help and suggestions with this.
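The "move stale computers into a holding OU instead of deleting them" approach discussed above, as an added PowerShell example that is not from this thread or from Sophos. It assumes the RSAT ActiveDirectory module is installed and that the source OU, holding OU and six-month cutoff are placeholders you adjust for your own domain; it records every candidate to CSV before moving anything and runs with -WhatIf until you remove it.

```powershell
# Added example (not from the thread or Sophos): stage stale AD computer objects
# into a holding OU rather than deleting them, so the object (and any SafeGuard
# recovery data tied to it) survives if the machine resurfaces.
# Assumptions: RSAT ActiveDirectory module; placeholder OU paths and cutoff.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=local'     # assumed source subtree
$StaleOU    = 'OU=Offline-Retained,DC=example,DC=local' # assumed holding OU
$Cutoff     = (Get-Date).AddMonths(-6)                  # thread used 6 months
$Report     = "stale-computers-$(Get-Date -Format yyyyMMdd).csv"

# Objects that never logged on have no LastLogonDate at all; include them
# explicitly, and skip anything already sitting in the holding OU.
$stale = @(Get-ADComputer -SearchBase $SearchBase -Filter * `
               -Properties LastLogonDate, OperatingSystem, Description |
           Where-Object {
               $_.DistinguishedName -notlike "*,$StaleOU" -and
               (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff)
           })

# Record the candidates before touching anything: this CSV is the audit trail
# if a laptop turns up later and someone needs to know where it came from.
$stale |
    Select-Object Name, DistinguishedName, LastLogonDate, OperatingSystem, Description |
    Export-Csv -Path $Report -NoTypeInformation

foreach ($c in $stale) {
    # Note the original location on the object (the "info" / Notes attribute)
    # so it can be moved back to its old OU if the machine returns.
    $note = "Staged $(Get-Date -Format s) from $($c.DistinguishedName)"
    Set-ADComputer -Identity $c -Replace @{ info = $note } -WhatIf
    Move-ADObject  -Identity $c.DistinguishedName -TargetPath $StaleOU -WhatIf
}

Write-Host "$($stale.Count) candidate(s) written to $Report; remove -WhatIf to apply."
```

Review the CSV before removing -WhatIf; a machine that is only "stale" because it has been off-site for a while is exactly the case the thread warns about.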

  • Hello DM85,

    thanks for the clarification. Your actual question is about SafeGuard and recovery, and SEC only makes a cameo; nevertheless there seem to be some more than just minor misconceptions that shouldn't go unmentioned.
    First of all, the SafeGuard Management Center (SGMC) and SEC are not interrelated; they are completely independent. What one does with one of its clients has no impact on the other.
    Secondly, both are only loosely connected to AD. Neither requires AD, and neither requires synchronization with AD in a domain environment. Whether a client/endpoint is managed from either console's POV depends on the software installed and running on the client. If the respective management component is installed, the client is managed. In SEC you can't "unmanage" it (if you delete it from the console it will reappear where it was deleted from the next time it sends a message to SEC). Vice versa, a client is only managed if the software is installed.

    SEC and AD: as said, there's no tight connection between SEC and AD; in particular, no action on a computer object in SEC has any effect on AD. Every computer (whether it's part of the domain or not, and regardless of its membership in AD) that has the SESC software installed appears in SEC as a managed computer. For the impact of AD on SEC there are four scenarios:
    1) no import of information from AD; actions in AD have no effect on SEC
    2) manual discover with AD; all computer objects are imported from AD, and those not yet known are placed as unmanaged in the Unassigned group
    3) manual import from AD; the selected OU subtree is mirrored by creating corresponding groups in SEC, optionally the computer objects are imported to the applicable group, and computers already known are moved to the respective group
    4) automatic synchronization with AD; similar to 3), and computers that are deleted from AD or moved to an OU outside the synchronized subtree are moved to Unassigned but remain managed
    Please note that in none of these scenarios is a computer deleted from SEC.

    All these actions have no effect on SGMC whatsoever. SGMC has its own synchronization with its own rules, though. Again, as far as encryption and its management are concerned, SEC's POV is completely irrelevant. Keep SGMC and SEC apart.

    Christian