Hi,
My company policy is to lock down all removable device write access.
I have some users who occasionally need to write to several new devices, these users aren't always on site (they have laptops) so it's not an option for the Sophos admins to add ad-hoc exemptions.
What I want to do is to enable those users to be able to configure device control and disable the control as and when they need, If I make them Sophos Power Users then they don't have enough rights, if I make them Sophos Administrators then they have too many rights. Even putting on Tamper Protection still allows them to disable scanning on C: drive.
In addition I would like the device control to re-enable itself, say on next boot-up.
Looking through the Sophos options I don't think this can be done. The only way I can see is to give those users Start/Stop rights to the Sophos Device Control service so they can stop the service, it will still be set to Automatic so it will restart upon reboot.
Anyone got a better idea/workaround?
Thanks
This thread was automatically locked due to age.