Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 11 subscribers
  • Views 3903 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central [Peripheral Control] - Issue with User-Based Policy

MYK

I have created a user-based policy; with the intention to block USB Storage Devices.

It is configured to apply to a specific AD Group only; for example {students}

When a user (member of {students}) logs in, the policy is applied and USB devices are blocked...

However, once they log out and a another user logs in (NOT a member of {student} group) USB devices are still blocked.

Upon checking Sophos Central, it has picked up the correct logged in user and required policy (e.g. not to block) but it stays blocked!

Sophos Tech Support assisted for 2 hours last week, and suggested that the end-user would have to do a forced, manual update of Sophos End-Point to ensure the correct policy was being applied (this does not work - and would not be a workable solution anyway!). 

I've now had Sophos Tech Support on a remote session, attempting to identify / resolve this issue for the past 3 hours, and it's still not looking promising.

Coincidentally, [Application Control] appears to work, as I would expect [Peripheral Control] to work, as in (on the whole) the correct policies 'are' being applied based on the logged in user.

As this rate, I think I may have to stop using Sophos Central for peripheral control and use Group Policy instead!

 

Any assistance would be appreciated; even if other users could check and advise how [Peripheral Control] policies are working with their environment.



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    If the Student which is not a member of the AD group on which the policy is being applied logs in, the USB should not get blocked. Is there a single policy created under Peripheral control or you have created other device/user-based policies as well?  Could you please follow the below steps and check it once? 

    1. Log in with the user(not part of AD group {Students}) on which the Peripheral control policy is applied. 

    2. Reconnect the USB and wait for fraction of seconds( around 15-20 approx), and open Sophos Endpoint. 

    3. Do not manually update endpoint, go to Run Diagnostic tool> Policy, and check under Sophos Anti-Virus policy, does the time stamp remain same? 

    Also, please PM me the case details which you have already registered with support. 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to Shweta

    Hello,

    We have exactly the same issue. We have intercept X deployed. What is the solution?

  • +1 in reply to Uzi114

    It works OK for me but it can be slow?  For example, as a test:

    • User1 - Device1
    • User2 - Device1

    Create 2 user based peripheral policies:

    • Policy1 - Block removable storage
    • Policy2 - Allow removable storage

    Link the "block" policy to "user1" and link "user2" to "allow" policy.

    Log into the endpoint as user1, shortly after, if a USB device is inserted it will disappear in Explore as it is disabled.

    Log into the endpoint as user 2.  At this point, MCS Client will see the change of user (see the line in the MCSClient log file) and send this new info to Central.  Central will then send down the policies for user 2.  At this point the policy is applied, SAV will re-enable the device and it will be available in Explorer.

    If user 2 logs off, user 1 logs on, again MCS Client will notice the change of user, send up the details and Central will send down the policies for user 1 before SAV is reconfigured.

    The process does rely on a round trip message to Central so can take potentially minutes.

    I would suggest enabling MCS Message Trails https://community.sophos.com/kb/en-us/119608 and you should see the XML policy file (...SAV16.xml) arrive.  It is cached here: %ProgramData%\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\DEVCAdapterConfig.

    I would say the first step in troubleshooting this issue is to monitor when the policy arrives for the user and how long it takes.

    Regards,
    Jak

     

  • 0 in reply to jak

    Thank you for the detailed response. I enabled MCS Message trails on two machines and it looks like the policy takes between 1-15 mins to land at the machine.
    Is this an expected behavior? Is there a way to shorten this time?

    Regards,

    Uzi

  • 0 in reply to Uzi114

    That sounds excessive. Given the policy config of MCS:

    %ProgramData%\Sophos\Management Communications System\Endpoint\Config\Config.xml

    The client should check every 55 seconds:

    <commandPollingInterval>55</commandPollingInterval>

    In the MCS Client log, the checks for messages for the client confirm this interval so I could expect maybe 2 minutes, but 15 seems odd, is the MCS Client showing errors at that time?

Reply
  • 0 in reply to Uzi114

    That sounds excessive. Given the policy config of MCS:

    %ProgramData%\Sophos\Management Communications System\Endpoint\Config\Config.xml

    The client should check every 55 seconds:

    <commandPollingInterval>55</commandPollingInterval>

    In the MCS Client log, the checks for messages for the client confirm this interval so I could expect maybe 2 minutes, but 15 seems odd, is the MCS Client showing errors at that time?

Children
  • 0 in reply to jak

    I didn't notice any errors. I talked with support and they suggested I use the base policy to restrict all and another policy to white list only certain groups. That brought the time to about 2 mins. I was using two polices besides that base. Thank you for the help!

Unfiltered HTML