
AD synchronised groups - some pcs need a different device control policy

Hello,

We have a problem with the policy management in Sophos Enterprise Console. We use SEC 5.1.0.1839.

We have two AD synchronised groups - notebooks and desktops. Now we would like to use the device control policy to block all USB and CD-ROM drives. We set this policy on the two groups, notebook and desktop.

So far so good.

The problem is, if there is one device which needs a USB or CD-ROM drive, we have no chance to realise this with the policies.

We cannot move the device into another group (because of the AD synchronisation) with a different device control policy, and we cannot apply the device control policy to a single device.

How can we allow a PC to use the CD-ROM drive or a USB stick?

It would be nice if someone can help me.

Greeting

  • Hi,

    I assume there is no chance you can create a new OU for this exception and just apply a different policy to that SEC group once created?  This really is the limitation with AD-Sync.

    Are you using ADSync to auto deploy?  I suppose my question is, do you actually still need ADSync, or could you remove the sync points now that you have your structure in SEC?  If it's to ensure new computers are protected, it might be as easy to bootstrap them with an AD startup script which can protect them as they appear.  If you only have a couple of OUs, then the startup scripts linked to the OUs could have different deployment strings so you could specify the SEC group with the -G switch at install.  This would end up with the same result.

    Other options are really, config in the CID using XML for that specific policy, but then you would have to maintain multiple CIDs.  The other option which might work is to override the name of the computer so it appears as a different record in SEC to that in AD, which might enable you to put it into an "exception" group.  I've not tried this.

    I would probably examine disabling ADsync now and deploy automatically with an AD startup script.

    Regards,

    Jak

  • Hi Jak,

    Thanks for your reply.

    Yes, we need the AD sync to auto deploy the Sophos software.

    We have 2 OUs - one for notebooks and the other for desktop PCs. So there is no problem with that.

    I will have a look in the manual for the AD script, or is there any good KB article for this solution?

    Greeting

    Steffen

  • Hi,

    For a basic batch file that checks if the endpoint solution is installed and installs it if not:

    http://www.sophos.com/en-us/support/knowledgebase/13090.aspx

    Also have a look at:

    http://www.sophos.com/en-us/support/knowledgebase/12570.aspx

    as you can use the -G switch to specify the right groups.

    As a tip, you can grab the deployment string you require by bootstrapping a test computer from SEC and then checking the scheduled tasks on the target computer.  You can grab the deployment string from the properties of that to save constructing your own and obfuscating usernames and passwords.

    You can restrict the computers that the startup script runs on using something like WMI filters at the policy level.

    Regards,

    Jak

  • Hi Jak,

    Thanks for your great help!!

    I have one last question. In the AD script it is necessary to add the install user and password.

    I don't want to use the domain administrator for the installation. If I create a new user, is it necessary to add this "install user" to the domain administrators group?

  • Hi,

    That account just needs read access to the SophosUpdate share to get the files.

    When you deploy using SEC, those credentials (still passed obfuscated in the deployment string as you see them in the scheduled task properties) would be the ones in the updating policy linked to the group the computer is in.

    Typically this account is the one requested during installation and known as the "SUM" account:

    http://www.sophos.com/en-us/support/knowledgebase/113954.aspx

    The only admin account in the whole equation is the account the installer (setup.exe) runs as.  As it's to be a startup script, rather than a login script it will run with sufficient admin rights.

    Regards,

    Jak

  • Hi Jak,

    I created the AD script as described in your link.

    I created a GPO too and added the AD script. Now I have a test device linked to the GPO with the start script. Sophos was installed correctly, but if I reboot the PC the installation runs again. On every boot the Sophos installation is started, even though I created the login script like this:

    @ECHO OFF
    REM --- Check for an existing installation of Sophos AutoUpdate on 32-bit (the 'Sophos AutoUpdate Service' process)
    IF EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
    REM --- Check for an existing installation of Sophos AutoUpdate on 64-bit (the 'Sophos AutoUpdate Service' process)
    IF EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" goto _End
    REM --- Check for an existing installation of Sophos Anti-Virus on 2003/XP (the SAV adapter config file)
    IF EXIST "C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End
    REM --- Check for an existing installation of Sophos Anti-Virus on Vista+ (the SAV adapter config file)
    IF EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End
    REM --- Deploy to Windows 2000/XP/2003/Vista/Windows7/2008/2008-R2
    \\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP\Setup.exe -updp "\\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP" -user USER -pwd PWD -mng yes
    REM --- End of the script
    :_End

    What did I do wrong?

  • Hi,

    Well you could simplify it to just:

    @echo off
    IF EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
    IF EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe" goto _End
    echo needs install
    :_End

    as a test.  So on the computer that has had the software installed, run the above as a batch file.  Does it echo that it needs an install, or display nothing?  It's just checking that ALsvc.exe exists and, if so, ends the batch file.

    Regards,

    Jak

  • Hi Jak,

    I think I found the problem. My script is looking for "C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig", but the file SAVAdapterConfig is missing on my test device, so the installation runs on every boot.

    I installed Sophos manually and the files are created during the installation, but removed after a successful update.

    Can I only check for the AutoUpdate service like in your simplified test script? The ALsvc.exe file exists on my test device.

    EDIT: I used your script and there is no echo that it needs an install. I tested it with my script and there is no echo either if I modify it with the echo command. But if I restart the PC the installation begins again :(

    EDIT2: Problem solved - the problem was the German XP. The path in the script with C:\Program Files could not be resolved. I changed it to %programfiles% and now it's working fine.

  • Last question, Jak :)

    I would like to use the -g command-line switch, but I'm not sure how the syntax should look.

    I tried this: -g "\\SEC-SERVER\Globale Gruppe\Desktop\Clients" but it is not working. The device is set to "unassigned devices".

    The folder structure in the SEC console looks like this:

    Globale Gruppe (first folder)
        - Desktop (second folder)
            - Clients (third folder) -> this is the folder where the client should be moved into

  • OK, it only needs "one" backslash (\) before the server name.  Also ensure that the entire path (including the server name) has the right case as it's case sensitive.

    -g "\SEC-SERVER\Globale Gruppe\Desktop\Clients"

    Regards

    Jak

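Putting the thread's two fixes together (the %ProgramFiles% check for localised Windows from EDIT2 above, and the single-backslash -G group path from Jak's last reply), here is an added example of the resulting startup script; it is not Sophos' own script or Jak's. The share path \\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP, USER and PWD are the placeholders from the thread and the group path is the one from the thread's folder structure; replace them for real use.

```batch
@ECHO OFF
REM Added example, not from the thread or from Sophos. SERVER, Sxxx, USER and
REM PWD are placeholders copied from the thread and must be replaced.

REM --- Use the environment variable instead of a hard-coded "C:\Program Files"
REM --- so the check also resolves on localised Windows (e.g. German XP).
IF EXIST "%ProgramFiles%\Sophos\AutoUpdate\ALsvc.exe" goto _End

REM --- %ProgramFiles(x86)% is only defined on 64-bit Windows; guard it so the
REM --- check does not silently test an empty path on 32-bit systems.
IF DEFINED ProgramFiles(x86) IF EXIST "%ProgramFiles(x86)%\Sophos\AutoUpdate\ALsvc.exe" goto _End

REM --- Nothing installed yet: run Setup.exe from the CID.
REM --- USER/PWD only need read access to the SophosUpdate share (the updating
REM --- account); the startup script itself already runs with local system
REM --- rights, so no domain admin account is needed for the install.
REM --- -G takes the SEC group path with a SINGLE leading backslash and the
REM --- path is case sensitive, including the server name.
"\\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP\Setup.exe" -updp "\\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP" -user USER -pwd PWD -mng yes -G "\SEC-SERVER\Globale Gruppe\Desktop\Clients"

REM --- End of the script
:_End
```

Run it once by hand on a machine that already has Sophos installed: it should exit silently without launching Setup.exe, which confirms the existence check resolves on that locale before the GPO is rolled out.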