SGN Product Enhancement Suggestions

Might be a good idea to start this list early so it's in early. My wishlist

- Better AD synchronization (automated, configurable schedule, and built into MC)

- "Policy for a slider" - meaning give the user the option via policy to control how fast they want to encrypt the HD. Of course, if this policy is disabled the user cannot control that (aka today's status). Giving the users a little power will simplify the deployment of such an invasive product

- Better policy stamping on the client. Today you can see "Last Received" but that's misleading as policy might not have been changed for long before that. I would rather see a hashmark or some kind of name where I could match the server policy name with the client (the date should be in the name)


  • JM wrote:

    any news regarding SSD support? We're rolling out SSDs more and more in our machines... the performance benefits are very visible on machines without encryption, but once Safeguard is installed (now on version 5.5) the performance is less than stellar. (same level as HDD)


    Hi JM,

    Thank you for posting your question in the SophosTalk community forum. There will be improvements with SSDs in SGN 5.60. The improvements will be made available when SGN 5.60 is released later this year.

  • Here is my list.

     
    The ability to change passwords in AD and have them sync out to the endpoints.  Still can't see the security reason for this not being possible.  If someone changes an AD password to gain access to an encrypted laptop, them not being able to use that encrypted laptop is the least of my worries as they have access to AD.

    If the above isn't an option then an agent that can sit on the unencrypted clients to enable users to change their passwords on any kit in our organisation.  This can be achieved at the moment by installing 5.5 client and not encrypting, but this uses a licence.  An agent that doesn't need an expensive licence would be a great feature.

    Simplify the console.  There are too many ways to perform the same task, some work, some don't.  Get it sorted.

    AD sync needs to be better thought out.

     
    Integration into the AV management console.

    Better use of groups to control the admins that need access to every endpoint.  For example if I add our admin group to the endpoints then change that group it should update automatically rather than me having to re add that group to every endpoint.


    Last but not least, maybe Sophos should buy TrueCrypt and drop this product.

    I've been supporting SafeGuard Easy for years and although not centrally managed it's been a fantastic product with no issues over 3 years.  So I know you guys can get it right.  Maybe you've over thought/complicated the whole thing with enterprise.

  • I would like to request that LSH (Local Self Help) works with fingerprint activated policies too - seeing as fingerprint isn't working for a lot of customers we have to fall back to password authentication.  Unfortunately when fingerprint authentication is enabled on a policy Local Self Help stops working. (This is by design). Not good when the users forget their passwords and the Servicedesk is closed.

    I understand that no-one forgets their fingerprint but until Sophos can guarantee 100% that fingerprint will work (I don't see how you would be able to guarantee that) and that it won't therefore fall back to password authentication then there is a clear need for LSH with fingerprint authentication.

  • Hello Longun,

    many thanks for your proposals. My few cents:

    The ability to change passwords in AD and have them sync out to the endpoints.  Still can't see the security reason for this not being possible.  If someone changes an AD password to gain access to an encrypted laptop, them not being able to use that encrypted laptop is the least of my worries as they have access to AD.

    The difficulty here is that the user's Windows password and SGN's certificate/key pair need to be in sync. De facto, the private key is encrypted with the user's Windows credentials. If you change the AD password, you consequently need to sync the SGN key pair, too, because it will be re-encrypted. This is normally done under the hood, so as a user you don't recognize this.

    Unfortunately sometimes the sync does not happen (e.g. user's machine is offline, or the password is reset somewhere where SGN does not recognize the change).

    Please note that you need the old and the new password for the re-encryption of the user's key pair. For SGN it is therefore not possible to re-encrypt the user's key pair if it detects that the AD password was changed out-of-sync.

    If the above isn't an option then an agent that can sit on the unencrypted clients to enable users to change their passwords on any kit in our organisation.  This can be achieved at the moment by installing 5.5 client and not encrypting, but this uses a licence.  An agent that doesn't need an expensive licence would be a great feature.

    Understood. Would an API be a solution for you, so you can script the password change?

    Simplify the console.  There are too many ways to perform the same task, some work, some don't.  Get it sorted.

    AD sync needs to be better thought out.

    Integration into the AV management console.

    Better use of groups to control the admins that need access to every endpoint.  For example if I add our admin group to the endpoints then change that group it should update automatically rather than me having to re add that group to every endpoint.

    We noticed all these points already and plan a number of improvements.

    Last but not least, maybe Sophos should buy TrueCrypt and drop this product.

    Drop TrueCrypt, or SafeGuard Enterprise?

    I hope you don't want us to drop Enterprise.

    I've been supporting SafeGuard Easy for years and although not centrally managed it's been a fantastic product with no issues over 3 years.  So I know you guys can get it right.  Maybe you've over thought/complicated the whole thing with enterprise.

    Thank you for the compliments, but also for the critics. I appreciate your feedback, because it seriously helps us to improve the product and make it better than SafeGuard Easy ever was.
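
The constraint described in the reply above (the private key is encrypted under the user's password, so re-encrypting it needs both the old and the new password), as an added example. It is not Sophos code and not part of the thread; the function names are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, os

def _kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the user's password (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only keystream, assumed stand-in for AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(private_key: bytes, password: str) -> dict:
    # Encrypt-then-MAC the private key under keys derived from the password.
    salt, nonce = os.urandom(16), os.urandom(16)
    k = _kek(password, salt)
    enc_key, mac_key = k[:32], k[32:]
    ks = _stream(enc_key, nonce, len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap(blob: dict, password: str) -> bytes:
    k = _kek(password, blob["salt"])
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password: private key cannot be unwrapped")
    ks = _stream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def change_password(blob: dict, old: str, new: str) -> dict:
    # In-sync change: the old password unwraps, the new password re-wraps.
    return wrap(unwrap(blob, old), new)

def after_out_of_sync_reset(blob: dict, new: str) -> str:
    # Password reset elsewhere: the client only ever sees the new password,
    # which cannot open a blob that is still wrapped under the old one.
    try:
        unwrap(blob, new)
        return "unlocked"
    except ValueError:
        return "needs recovery"
```
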

  • This was probably suggested already but I'd like to add, "Speed up boot time" (power on to a usable Windows screen).  I disabled the Smart Card service per SG support - did not make much difference.  Some of my users have experienced a 4x slower boot.  Thanks

  • Hi jb1111,

    speeding up boot time is one of our primary issues. We intend to improve it with every release, although we might not get as quick as SafeGuard Easy 4.x (which did not have to care about hardware compatibility like USB support, Unicode character sets or have a GUI at all).

    With compliments

  • Suggestion for improvement:  Do away with the blue Utimaco Safeware screen at device startup.  It gives the impression of an even longer boot up time... or at the very least, don't make it blue - too close to the "blue screen of death" feeling.  Thanks!

  • We are in the process of testing the upgrade from Easy 4.50 to Enterprise. We use the Aladdin eToken system; after I set up the server and one test machine I found out that the eTokens we have cannot be used because they are all set up with the eToken TMS management and reporting center (and work fine in Easy) but no longer work in Enterprise. So every token would have to be reissued. This is very annoying.

    My request is to offer a plug-in or some other kind of integration with the official eToken TMS management center so tokens do not need to be deleted and recreated.

    Reason one is the time/manpower to do this; we have a relatively small installation, but the larger the installation the more of a pain this could be. Also the TMS interface gives us more reporting and management capabilities with things like lost token replacement and the like that SGN does not.

  • Hi Typhoon87,

    unfortunately, SafeGuard Easy and SafeGuard Enterprise use different methodologies to write user credentials to the eToken. The way it was done by SafeGuard Easy is extremely proprietary, based on Aladdin code we do not have, so we are not able to support this old style in SafeGuard Enterprise. I am sorry for the inconvenience you have.

    If you want to use eToken with TMS and SafeGuard Enterprise, I propose to switch from user credentials to certificates. The TMS is able to handle this situation. (I also know that the German company Netfox wrote a TMS plugin for SafeGuard Enterprise user credentials, but you still need a re-format.)

    With compliments,
