SGE 6 on standalone laptops

My client (a financial advice charity) has a number of laptops used by volunteers working from home.  As these laptops contain client personal and financial data, they need to be encrypted.  I have installed the SGE 6 Policy Editor on a computer in the office (actually a server) and created the configuration file.  My question is about the client laptops.

These laptops will never logon to the domain directly (from within the client's office).  The users logon locally (from their own homes) and then access the client database via RDS (RemoteApps).

When I installed the first laptop, I didn't realise that the first logon is captured and is always there.  This is not what I need as the provided laptops may be assigned to different volunteers and some actually belong to volunteers.

Is the best way to do this to have a two stage logon, i.e. to logon via the SGE POA and then logon to their computer locally? In that case, is it best that I create a username / password for the device rather than the person?  Should these be POA users or Service Account list users?  How do I get over the issue of the first logon being captured by POA and being ever present?

Or am I looking at this the wrong way?

Thanks



This thread was automatically locked due to age.
  • Hi colinh,

    We've got a slightly similar situation here in that we have a small group of laptops that are in use by multiple people.  What we've done in this case is to create a separate config file containing an additional POA user (service users are limited to just our admin account) and turned off the automatic login to Windows feature.  This does of course mean the users have to login twice (once at POA level and again at Windows) but it's not that much of a hassle to be honest, and since we're a public sector organisation, keeping laptops encrypted is slightly essential :smileyhappy:

    For all of the laptops that have just one user, we use the standard automatic logon where the laptop gets 'locked' to that user.  Should the laptop ever change hands (when someone leaves for example), we just reset the POA user and the laptop is locked to the next user.  If some of your users are using their own machines, then this might be the best option?

    All depends on your individual circumstances of course, but the tl;dr version is disable automatic logon to Windows and add an additional POA user.

    Edited to fix typos

  • Hi RGBE

    This is very helpful.  However, I am still a little unsure about how to proceed, as the POA will intercept the user logon and use that as the primary POA logon, regardless of what POA Users I have set up in the configuration package.

    So, I have configured a new laptop and set the username as the person who will be the primary user.  As soon as I install SGE, it will intercept the user logon and make that the primary logon to SGE.  So far as I can see, there is no way to stop that logon name appearing in the POA dialog on bootup.  

    I thought about creating a new user with a device specific name and password and deleting any other user accounts on the laptop.  Would that work?

    How have you resolved this?

    Thanks
