SafeGuard Enterprise 550 questions

Hi All,

I am new to SafeGuard; I still have many things which I am unclear of now.

1) Active Directory. If I do not synchronize my AD with the SGN, and I just create a domain myself, how do I add users to it? I assume when a new user connects to SGN, he will be added to the auto.registered container. How do I move this user to the domain I created? I noticed the Move button is greyed out.

2) Local Storage Encryption. I configured a Local Storage Encryption policy with the purpose of encrypting our notebooks (HDD). But I received feedback that the policy is encrypting mobile devices that are detected as USB storage by Windows. Is there any way I can prevent this?


  • ivanwee wrote:

    Hi All,

    I am new to SafeGuard; I still have many things which I am unclear of now.

    1) Active Directory. If I do not synchronize my AD with the SGN, and I just create a domain myself, how do I add users to it? I assume when a new user connects to SGN, he will be added to the auto.registered container. How do I move this user to the domain I created? I noticed the Move button is greyed out.

    2) Local Storage Encryption. I configured a Local Storage Encryption policy with the purpose of encrypting our notebooks (HDD). But I received feedback that the policy is encrypting mobile devices that are detected as USB storage by Windows. Is there any way I can prevent this?


    Hi ivanwee,

    Thank you for posting your question in the SophosTalk community forums. 

    1) Active Directory: It is not a requirement to use SGN, but syncing with AD does add the benefit of not having to create Domains, Workgroups, etc. manually. In your scenario, if a User does authenticate on an SGN protected device, the Domain User will be added to the .Auto registered container either under Root or the Domain they are a member of. The SGN system knows to organize the User in the appropriate Domain. The big thing to be aware of is, since the Domain User doesn't have an OU associated with their GUID from the AD import, they will be placed in the .Auto registered container under the Domain. These User objects are unmovable through the SGN MC GUI. I haven't tried this, but I've heard colleagues talk about it: you can use the SGN API to create and move users that are not bound to an AD sync. If they are bound to an AD OU, the next sync will move them back to wherever AD has them associated.

    2) Local Storage Encryption: Yes, change your Device Protection policy to encrypt either Mass Storage or Boot Volumes and NOT Local Storage Encryption. Other media are getting encrypted because the target devices are listed in a hierarchy, which means the encryption policy will flow downwards to the lower level devices (for example: anything with storage but CDs or DVDs). This KBA will help you get those other devices decrypted.

  • Hi David,

    Regarding point number 2

    Boot Volume falls under the Mass Storage tree in the console. If I enable this, will the C drive get encrypted? I assume since it is the boot partition it will get encrypted. And if there is a D partition, it won't get encrypted, right?

  • I actually had to ask technical support for clarification before creating my policies on this one. According to support, the following device protection targets map to actual devices:

    Boot Volumes

    - System Partition

    Other Volumes

    - Non-system partitions on the system disk

    - Non-system internal IDE hard disks (all partitions)

    - Non-system internal SATA hard disks (all partitions)

    - eSATA external hard drives (all partitions)

    Removable Media

    - USB storage devices (flash drives, hard disks, card readers, etc)

    - FireWire (IEEE 1394) storage devices (hard disks, etc.)

    So, if you want to use sector-based encryption to encrypt a machine that has both a C and D drive, you need to create TWO Device Protection policies with a media encryption mode of "Volume Based". One needs to target Local Storage Devices\ Mass storage\ Boot Volumes (for C drive encryption), and the other needs to target Local Storage Devices\ Mass storage\ Other Volumes (for the non-system partition).

    I hope this helps.

  • Hi, this is very helpful, thanks a lot!

    Another question: it seems after I have encrypted a hard drive, UNCs to its share drive start to fail. Tech support told me if I need to access shares of the encrypted volumes, I need to have their keys. This sounds fine as I can assign my admins all the machine keys in my company.

    But I have been thinking about this. Why is it that my managed applications are still running fine? Apps like anti-virus, inventory agents, etc. Why is it that my remote management servers are still able to connect to agents running in the encrypted, whereas if I connect to a share, I need to supply the keys?


  • ivanwee wrote:

    Hi, this is very helpful, thanks a lot!

    Another question: it seems after I have encrypted a hard drive, UNCs to its share drive start to fail. Tech support told me if I need to access shares of the encrypted volumes, I need to have their keys. This sounds fine as I can assign my admins all the machine keys in my company.

    But I have been thinking about this. Why is it that my managed applications are still running fine? Apps like anti-virus, inventory agents, etc. Why is it that my remote management servers are still able to connect to agents running in the encrypted, whereas if I connect to a share, I need to supply the keys?


    Hi ivanwee,

    The issue you are experiencing is generally related to the IRPStack. The network resources can become unavailable if there are enough 3rd party drivers accessing the stack. So, to fix this we have a KBA which identifies the registry change to make.

    I'm a bit confused about the answer Tech Support provided. That response sounds like the response to read an encrypted drive that's in an enclosure. With SGN DE, to access a FDE encrypted share you only need authentication credentials and not the encryption key.

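A way to check, and with a value taken from the KBA adjust, the IRPStack setting David's reply points at, as an added example that is not part of this thread or of the Sophos KBA. It assumes the KBA's registry change is the documented LanmanServer IRPStackSize value (path and 11-50 range are Windows' own documentation); the number to set is whatever the KBA prescribes and is only a placeholder here:

```powershell
# Added example, not from the thread or the Sophos KBA. Inspects and optionally adjusts the
# LanmanServer IRPStackSize value that IRPStack-related share failures are tuned through.
# The registry path and the 11-50 range are Windows' documented values; the value to set is
# assumed to come from the KBA and is passed in by the admin, not chosen by this script.

$IrpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-IrpStackSize {
    # Returns the configured value, or $null when it is absent and Windows uses its built-in default.
    $item = Get-ItemProperty -Path $IrpKey -Name 'IRPStackSize' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.IRPStackSize
}

function Set-IrpStackSize {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(11, 50)]   # documented valid range; anything else is rejected before writing
        [int]$Size
    )
    # Needs an elevated session. The previous value is reported so the change can be reverted.
    $before = Get-IrpStackSize
    New-ItemProperty -Path $IrpKey -Name 'IRPStackSize' -PropertyType DWord -Value $Size -Force | Out-Null
    $was = if ($null -eq $before) { 'default' } else { $before }
    Write-Output ("IRPStackSize changed from {0} to {1}; restart the Server (LanmanServer) service or reboot for it to take effect." -f $was, $Size)
}

# Usage: report the current setting before touching anything.
$current = Get-IrpStackSize
if ($null -eq $current) {
    Write-Output 'IRPStackSize is not set; Windows is using its built-in default.'
} else {
    Write-Output "IRPStackSize is currently $current."
}

# To apply the KBA's value (20 below is only a placeholder; take the real number from the KBA):
# Set-IrpStackSize -Size 20
```

Run the read-only part first on an affected machine and note the value before changing it; raising the value blindly is not a fix in itself, and the range check in Set-IrpStackSize exists so an out-of-range number cannot be written by accident.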
  • Hi David, yes, that solves my problem. I believe Tech Support didn't actually give the correct solution because I asked this question during one of our light conversations; the case I opened wasn't for this.
