AD synchronised groups - some pcs need a different device control policy

Question

Hello,

we have a problem with the policy management in sophos enterprise console. We use the SEC 5.1.0.1839

We have two AD synchronised groups - notebooks and desktop. Now we would like to use the device control policy to block all usb and cd rom drives. We set this policy to the two groups notebook and desktop.

So far so good.

The problem is, if there is one device which needs a usb or cd-rom drive we have no chance to realise this with the policies.

We can not move the device in a other group (because the AD synchronisation) with a different device control policy and we can not apply the device control policy to a device.

How can we allow a pc to use the cd-rom drive or a usb stick?

It would be nice if someone can help me.

Greeting

This thread was automatically locked due to age.

jak · Accepted Answer

Hi, For a basic batch file that checks if the endpoint solution and installs if not: http://www.sophos.com/en-us/support/knowledgebase/13090.aspx Also have a look at: http://www.sophos.com/en-us/support/knowledgebase/12570.aspx as you can use the -G switch to specify the right groups. As a tip, you can grab the deployment string you require by bootrapping a test computer from SEC and then check the scheduled tasks on the target computer.  You can grab the deployment string from the properties of that to save construncting your own and objuscating usernames and passwords. You can restrict the computers that the startup script runs on using something like WMI filters at the policy level. Regards, Jak :37531

jak · Answer

Hi,

That account just needs read access to SophosUpdate share to get the files.

When you deploy using SEC, those credentials (still passed obfuscated in the deployment string as you see them in the scheduled task properties) would be the ones in the updating policy linked to the group the computer is in.

Typically this account is the one requestred during installation and known as the "SUM" account:

http://www.sophos.com/en-us/support/knowledgebase/113954.aspx

The only admin account in the whole equation is the account the installer (setup.exe) runs as. As it's to be a startup script, rather than a login script it will run with sufficient admin rights.

Regards,

Jak