How to enable LocalSelfHelp Recovery for non-Windows Accounts?

Hi,

I am working for a large company, an ISP for many customers, and one of our customers has requested Sophos SafeGuard Easy 6.0.

The customer requests that I find a solution to get his end users to log on to their notebooks with a device account, which is neither a Windows domain AD user nor a local user account. Second, the direct and automated login to Windows is disabled, so the user has to enter his credentials in the Windows AD login window (logging on to Windows in a domain).

So we give the end users of each notebook the password for the device account logon with Sophos SGE, which means having to create 40 POA user accounts and 40 user notebook device groups.

Now, that is doable, but not fun at all. Well, customer is king!

Now, the issue starts with the need for the LocalSelfHelp function to recover when the end user has mistyped his password too many times and the device is locked. Using only device-bound accounts to access Sophos before the Windows logon prevents the use of the LocalSelfHelp function, right? That's what I found. As long as this POA account is not a Windows AD account, no LocalSelfHelp recovery with the questions/answers process can be used, so the workload of the HelpDesk hotline can be decreased.

The second issue is that the end user can still enter his Windows AD credentials in the first step, using his domain username and password in both logon steps, Sophos and Windows. I cannot find any setting in the policy sets that would prevent that.

So, how can I meet the needs of our customer to have two separate logon steps and make it really easy for the end user, without any possibility to play around, like trying to log in with his domain credentials?

Cu, Arne



  • Hi arneHAC,

    this will be a tough scenario when using SGE 6.0. The reason for this is the following:


    You have to create all POA Groups and Accounts manually, and as there is no Local Self Help available for <POA> Accounts, if the users forget the password, they would need to call the helpdesk, asking for a Challenge/Response to log in to the Operating System.

    In addition to that, as the user has forgotten the password for the <POA> account, the <POA> account must be replaced: In SafeGuard Enterprise, you would need to change the account information in the Management Center and sync up the client; in SafeGuard Easy, you have to change the account information and, as there is no client-server connection in SafeGuard Easy, put the new account into a Client Configuration package and update the client with the new configuration package.

    In this case, I would recommend using SafeGuard Enterprise. In SafeGuard Enterprise, you also have the possibility to create "Service Accounts" and prevent users from becoming SGN Users. You could, for example, exclude all users of a certain domain from activating the POA and prevent the users from writing their Windows accounts into the POA.

    Side note: POA Groups and Accounts can also be semi-automatically created using the API.

    Regards,

    ChrisD

  • You might also want to check the latest post in /search?q= 24283

    Cheers,

    Chris
