SGN Product Enhancement Suggestions

Might be a good idea to start this list early so it's in early. My wishlist:

- Better AD synchronization (automated, configurable schedule, and built into MC)

- "Policy for a slider" - meaning give the user the option via policy to control how fast they want to encrypt the HD. Of course, if this policy is disabled, the user cannot control that (aka today's status). Giving the users a little power will simplify the deployment of such an invasive product

- Better policy stamping on the client. Today you can see "Last Received" but that's misleading as policy might not have been changed for long before that. I would rather see a hashmark or some kind of name where I could match the server policy name with the client (the date should be in the name)

  • Hello Longun,

    many thanks for your proposals. My few cents:

    The ability to change passwords in AD and have them sync out to the endpoints.  Still can't see the security reason for this not being possible.  If someone changes an AD password to gain access to an encrypted laptop, them not being able to use that encrypted laptop is the least of my worries as they have access to AD.

    The difficulty here is that the user's Windows password and SGN's certificate/key pair need to be in sync. De facto, the private key is encrypted with the user's Windows credentials. If you change the AD password, you consequently need to sync the SGN key pair, too, because it will be re-encrypted. This is normally done under the hood, so as a user you don't recognize this.

    Unfortunately sometimes the sync does not happen (e.g. user's machine is offline, or the password is reset somewhere where SGN does not recognize the change).

    Please note that you need the old and the new password for the re-encryption of the user's key pair. For SGN it is therefore not possible to re-encrypt the user's key pair if it detects that the AD password was changed out-of-sync.

    If the above isn't an option then an agent that can sit on the unencrypted clients to enable users to change their passwords on any kit in our organisation.  This can be achieved at the moment by installing 5.5 client and not encrypting, but this uses a licence.  An agent that doesn't need an expensive licence would be a great feature.

    Understood. Would an API be a solution for you, so you can script the password change?

    Simplify the console.  There are too many ways to perform the same task, some work, some don't.  Get it sorted.

    AD sync needs to be better thought out.

    Integration into the AV management console.

    Better use of groups to control the admins that need access to every endpoint.  For example, if I add our admin group to the endpoints then change that group, it should update automatically rather than me having to re-add that group to every endpoint.

    We noticed all these points already and plan a number of improvements.

    Last but not least, maybe Sophos should buy TrueCrypt and drop this product.
     

    Drop TrueCrypt, or SafeGuard Enterprise?

    I hope you don't want us to drop Enterprise.

    I've been supporting SafeGuard Easy for years and although not centrally managed it's been a fantastic product with no issues over 3 years.  So I know you guys can get it right.  Maybe you've overthought/complicated the whole thing with Enterprise.

    Thank you for the compliments, but also for the criticism. I appreciate your feedback, because it seriously helps us to improve the product and make it better than SafeGuard Easy ever was.

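The dependency described in the reply above (a private key encrypted under the user's Windows password, so re-encryption needs both the old and the new password), as an added example that is not part of the original thread and is not Sophos code. The HMAC-based stand-in cipher, the function names and the sample passwords are constructed for illustration; a real product would use a vetted authenticated cipher.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # constructed work factor for this example

class WrongPassword(Exception):
    """Raised when the supplied password cannot unwrap the key blob."""

def _keys(password, salt):
    # Derive separate encryption and MAC keys from the password (PBKDF2).
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), stdlib only.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(private_key, password):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, nonce, private_key)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap(blob, password):
    enc_key, mac_key = _keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise WrongPassword("blob was not wrapped under this password")
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

def change_password(blob, old_password, new_password):
    # In-sync change: the old password unwraps, the new one re-wraps.
    return wrap(unwrap(blob, old_password), new_password)

def demo():
    private_key = os.urandom(32)  # constructed stand-in for the user's private key
    blob = wrap(private_key, "Old-Passw0rd")
    synced = change_password(blob, "Old-Passw0rd", "New-Passw0rd")
    in_sync_ok = unwrap(synced, "New-Passw0rd") == private_key
    # Out-of-sync reset: the client holds the old blob but only learns the new password.
    try:
        unwrap(blob, "New-Passw0rd")
        stranded = False
    except WrongPassword:
        stranded = True
    return in_sync_ok, stranded
```

`demo()` returns a pair: whether the in-sync change still yields the original key, and whether the out-of-sync reset leaves the old blob unreadable.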