Sophos Safeguard - Port control policy (Conflict resolution)

Hi All,

Please take a look at my design/scenario below.

Policy A - Blocks USB storage ports

Policy B - Allows USB storage ports

Policy C - Force File level Encryption to all removable storage devices

Policy A is applied to the default ".Auto Registered" OU as a "catch all". All new PCs/Notebooks, when installed with Safeguard, are issued Policy A to have the port disabled.

Policy B is applied to a group called USB_Allow. The purpose of this group is to allow a controlled group of users to have USB.

The thing is we are not using Active Directory synchronization due to us having a pretty complex and ever-changing AD OU structure. So this means Computer 1, when installed with Safeguard, will get Policy A by default.

And computer 1 is supposed to be allowed USB usage. So it gets assigned to Group B and C.

So how do I resolve the fact that Policy A blocks, while Policy B allows? Using the priority? (Works?) Or just setting Policy B to be a no override?

  • Hi ivanwee,

    Are you looking to allow the use of authorised USB devices only and automatically encrypt them? If so...

    1. Create a Whitelist of authorised USB sticks.  - use Port Auditor or manually populate the list

    2. Create a Configuration Policy with a restrict setting, pointing to the above list of allowed devices

    3. Create your encryption policy

    NB: For step 3 you can choose to encrypt all removable media, or just point to the same whitelist as above. The latter being more flexible, as with the right settings you can authorise USB devices etc, but only encrypt certain ones.

    This way you'll avoid messy override policies.

    Regards,

    John

    P.S. I'm awaiting confirmation from Sophos technical support at the moment, but it would seem that there may be an issue with hybrid / bridging control in CP 5.60.192 and 5.60.1.7. In that it isn't working, but a patch is only crazily scheduled for 5.60.192 (the older version!)

    Just thought I'd let you know that, as I can see you're beginning to use SGN, as per your other post/s, and not sure if you plan to use hybrid / bridging control?
