SGE 6 on standalone laptops

My client (a financial advice charity) has a number of laptops used by volunteers working from home.  As these laptops contain client personal and financial data, they need to be encrypted.  I have installed the SGE 6 Policy Editor on a computer in the office (actually a server) and created the configuration file.  My question is about the client laptops.

These laptops will never log on to the domain directly (from within the client's office).  The users log on locally (from their own homes) and then access the client database via RDS (RemoteApps).

When I installed the first laptop, I didn't realise that the first logon is captured and is always there.  This is not what I need as the provided laptops may be assigned to different volunteers and some actually belong to volunteers.

Is the best way to do this to have a two-stage logon, i.e. to log on via the SGE POA and then log on to their computer locally? In that case, is it best that I create a username / password for the device rather than the person?  Should these be POA users or Service Account list users?  How do I get over the issue of the first logon being captured by POA and being ever present?

Or am I looking at this the wrong way?

Thanks

  • Hi colinh,

    We've got a slightly similar situation here in that we have a small group of laptops that are in use by multiple people.  What we've done in this case is to create a separate config file containing an additional POA user (service users are limited to just our admin account) and turned off the automatic login to Windows feature.  This does of course mean the users have to log in twice (once at POA level and again at Windows) but it's not that much of a hassle to be honest, and since we're a public sector organisation, keeping laptops encrypted is slightly essential :)

    For all of the laptops that have just one user, we use the standard automatic logon where the laptop gets 'locked' to that user.  Should the laptop ever change hands (when someone leaves for example), we just reset the POA user and the laptop is locked to the next user.  If some of your users are using their own machines, then this might be the best option?

    All depends on your individual circumstances of course, but the tl;dr version is disable automatic logon to Windows and add an additional POA user.

    Edited to fix typos
