How do you all manage removable media?

I'm looking for some ideas on how to manage removable media. I can't be the only one that's noticed Sophos Central does not give full device IDs in logs or events. The only time I see the full ID is the first time it's blocked. For example, I go into Central and view the current allowed devices in my removable media policy and all I can see is: USBSTOR\DiskGeneral_USB_Flash_Disk_1100. Like many companies, we bulk purchase flash drives. This means that every single device in my exclusion list looks identical. I have no way of removing or troubleshooting a specific device. Also a problem is logs. If I'm going through logs I can't tie a specific user's activity to a specific device. My only option is to create a new rule for every single user with the media they're allowed to use. This would get out of hand quickly. I've opened tickets with Sophos support and they say it's a "feature request". I feel like this feature is vital to managing removable media on my network. I'm really hoping that I'm just missing or misunderstanding something in Central. So how do you go about using Sophos Central to manage your removable media?

  • Hi  

    If you have observed, when you access the peripheral policy, there are three options and you can only put the Exemption in the third option.

    While adding the exclusions, all the peripherals detected in your company will be listed under it and you can choose the peripheral for which you want to provide exclusion by confirming the user mentioned against that USB drive. This can give you more narrowed visibility for the device which you wanted to allow.

  • Hello TheLinuxNoob,

    "every single device in my exclusion list looks identical"
    I'm not using Central so I can't say whether the Device ID isn't displayed at all, inadequately accessible (e.g. by hovering over the Model ID), or in a location you've missed.

    "[not] a new rule for every single user"
    Well, what would you suggest? All permitted user/device combinations in a single policy? Can't imagine that this would be any clearer, instead of a plethora of user policies at the policy level you have a plethora of settings inside one policy. It would be more or less an asset-management. Don't forget that if this is a feature it has to scale (potentially for thousands of users and devices). But perhaps you have a better idea.

    Christian

  • In reply to Jasmin:

    Correct, this does the trick for when I want to allow a device. What about when I want to remove a specific device? Not possible because the full device ID isn't listed anywhere.

  • In reply to QC:

    "every single device in my exclusion list looks identical"
    "I'm not using Central so I can't say whether the Device ID isn't displayed at all, inadequately accessible (e.g. by hovering over the Model ID), or in a location you've missed."

    As I mentioned in the original post, only part of the device ID is accessible. USBSTOR\DiskGeneral_USB_Flash_Disk_1100 is all you get; the full device ID continues after "1100" and is unique to the device. There is one time and one time only that you can see the full device ID: the very first time the device is blocked. In the pop-up you see the entire device ID. This tells me Sophos is getting that information from Windows. If you try to connect the device a second time you will not see a block message. I've been on the phone with support multiple times and they all seem confused that displaying the full device ID isn't automatically done. They'll usually say, "Let me put you on hold and confer with a colleague." Which is usually followed by, "Displaying the full device ID isn't something that's supported."

    "[not] a new rule for every single user"
    "Well, what would you suggest? All permitted user/device combinations in a single policy? Can't imagine that this would be any clearer, instead of a plethora of user policies at the policy level you have a plethora of settings inside one policy. It would be more or less an asset-management. Don't forget that if this is a feature it has to scale (potentially for thousands of users and devices). But perhaps you have a better idea."

    I would suggest a very simple solution: display the full device ID. This allows granular control over removable media in your network.

  • In reply to TheLinuxNoob:

    Hello TheLinuxNoob,

    Thanks for the clarification. This doesn't sound like a missing feature but more like a bug, definitely a deficiency in the UI. The information is there, and it's not insignificant.

    Christian

  • In reply to QC:

    Agreed. It's really the only thing keeping me from loving Sophos Central.

  • In reply to TheLinuxNoob:

    Hi  

    I'll discuss this with my Support specialist team to see how to address it, so we can have the next course of action.

  • In reply to Jasmin:

    Hi  

    I have discussed this with our product specialist team and got the information on it. It is a known issue and they are already working on it.

    I'd request you to create a case with Sophos, so it can be escalated to the highest level where you can have visibility over it.

  • In reply to Jasmin:

    I've already created a ticket but was told by the support team that this is a feature request and they wanted to close the ticket. I'm hoping this is something that might be done in the near future. Controlling removable media use is a high priority for me.

  • In reply to TheLinuxNoob:

    Hi  

    Sorry for the inconvenience caused to you.

    You can reopen the case by replying to the last email, and please PM me with the case number if you need my assistance there in order to escalate the case further.
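
The thread notes that the full device ID comes from Windows and continues past the model string shown in Central. The following is an added example, not part of the thread and not Sophos code, that lists the full ID of every USB storage device an endpoint has seen, read from the Windows USBSTOR enumeration key. The function name `Get-UsbStorInventory` and the output column names are hypothetical; it assumes it runs on the Windows endpoint with read access to that key.

```powershell
# Added example: per-device inventory of USB mass storage known to this host.
# Get-UsbStorInventory and the column names are illustrative, not a Sophos or Windows API.
function Get-UsbStorInventory {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )

    # First level: one key per model (vendor/product/revision), shared by bulk-bought drives.
    foreach ($model in Get-ChildItem -LiteralPath $Path -ErrorAction Stop) {
        # Second level: one key per physical device; its name is the unique part of the ID.
        foreach ($instance in Get-ChildItem -LiteralPath $model.PSPath) {
            $props  = Get-ItemProperty -LiteralPath $instance.PSPath
            $unique = $instance.PSChildName

            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                # First hardware ID is the model string, the form shown in the policy list.
                ModelId      = @($props.HardwareID)[0]
                UniquePart   = $unique
                InstanceId   = 'USBSTOR\{0}\{1}' -f $model.PSChildName, $unique
                # An '&' as the second character means Windows generated the value
                # because the device reports no serial number of its own.
                HasSerial    = ($unique.Length -gt 1 -and $unique[1] -ne '&')
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

$inventory = Get-UsbStorInventory

# Models with more than one physical device: these look identical by model ID alone.
$inventory |
    Group-Object ModelId |
    Where-Object Count -gt 1 |
    Select-Object Count, Name

# Full listing, one row per physical device.
$inventory | Sort-Object ModelId, UniquePart | Format-Table -AutoSize
```

Devices with `HasSerial` set to false cannot be reliably told apart across machines, since the unique part was assigned by the host rather than by the drive.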