
AD synchronised groups - some pcs need a different device control policy

Hello,

we have a problem with the policy management in Sophos Enterprise Console. We use SEC 5.1.0.1839.

We have two AD synchronised groups - notebooks and desktops. Now we would like to use the device control policy to block all USB and CD-ROM drives. We set this policy on the two groups, notebooks and desktops.

So far so good.

The problem is, if there is one device which needs a USB or CD-ROM drive, we have no chance to realise this with the policies.

We cannot move the device into another group (because of the AD synchronisation) with a different device control policy, and we cannot apply the device control policy to a single device.

How can we allow a PC to use the CD-ROM drive or a USB stick?

It would be nice if someone can help me.

Greetings


  • Hi,

    I assume there is no chance you can create a new OU for this exception and just apply a different policy to that SEC group once created?  This really is the limitation with AD-Sync.

    Are you using ADSync to auto deploy?  I suppose my question is, do you actually still need ADSync, or could you remove the sync points now that you have your structure in SEC?  If it's to ensure new computers are protected, it might be as easy to bootstrap them with an AD startup script which can protect them as they appear.  If you only have a couple of OUs, then the startup scripts linked to the OUs could have different deployment strings so you could specify the SEC group with the -G switch at install.  This would end up with the same result.

    Other options are really, config in the CID using XML for that specific policy, but then you would have to maintain multiple CIDs.  The other option which might work is to override the name of the computer so it appears as a different record in SEC to that in AD, which might enable you to put it into an "exception" group.  I've not tried this.

    I would probably examine disabling ADsync now and deploy automatically with an AD startup script.

    Regards,

    Jak
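
As an added illustration of the "AD startup script with the -G switch" approach in the reply above (this script is not from the thread and is not Sophos' own code): a Group Policy computer startup script that installs the endpoint from the CID share and drops the machine into a named SEC group. One copy of the script is linked to each OU, differing only in the group path, so a machine in the "exceptions" OU lands in a SEC group that carries the relaxed device control policy. The CID share, update account and group path are placeholders; the setup.exe switches other than -G (-updp, -user, -pwd, -mng yes) and the AutoUpdate service name are assumptions taken from Sophos deployment documentation and should be checked against the setup.exe in your own CID.

```powershell
# Added example (not from the original thread or from Sophos): GPO computer
# startup script that bootstraps the Sophos endpoint from a CID and assigns
# the machine to a specific SEC group via the -G switch. Link one copy per OU,
# each with its own $SecGroup value.

$Cid      = '\\SERVER\SophosUpdate\CIDs\S000\SAVSCFXP'   # placeholder CID share
$SecGroup = '\Desktops\USB-Exceptions'                   # placeholder SEC group path for this OU
$UpdUser  = 'DOMAIN\SophosUpdateMgr'                     # placeholder read-only update account
$UpdPwd   = 'PLACEHOLDER'                                # placeholder; keep the script ACL'd and use
                                                          # the obfuscated form Sophos docs describe
$Log      = Join-Path $env:SystemRoot 'Temp\sophos-startup.log'

function Test-SophosInstalled {
    # Assumption: a present AutoUpdate service means the endpoint is already managed.
    $svc = Get-Service -Name 'Sophos AutoUpdate Service' -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Get-DeploymentArguments {
    param([string]$Cid, [string]$Group, [string]$User, [string]$Pwd)
    # The "deployment string" from the reply: identical across OUs except for -G.
    # Switches other than -G are assumed from Sophos deployment documentation.
    return @(
        '-updp', $Cid,
        '-user', $User,
        '-pwd',  $Pwd,
        '-mng',  'yes',
        '-G',    $Group
    )
}

function Write-StartupLog([string]$Message) {
    Add-Content -Path $Log -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

if (Test-SophosInstalled) {
    Write-StartupLog 'endpoint already installed, nothing to do'
    exit 0
}

$setupArgs = Get-DeploymentArguments -Cid $Cid -Group $SecGroup -User $UpdUser -Pwd $UpdPwd
Write-StartupLog "installing from $Cid into SEC group $SecGroup"
$proc = Start-Process -FilePath (Join-Path $Cid 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru
Write-StartupLog "setup.exe exit code $($proc.ExitCode)"
exit $proc.ExitCode
```

The SEC group named in -G must already exist with the desired device control policy applied; once ADSync is disabled for that branch, the machine stays in the group it was installed into instead of being pulled back to the OU-mirrored group.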
