
Enterprise console management for MAC OS?

I'm running Enterprise Console version 5.2.1 R2. Client software is Sophos Endpoint Security and Control version 10.3. I have been able to install the MAC client successfully. But I am not able to manage the MACs on the Enterprise Console. When we purchased Sophos, we were told it can run on both PCs and MACs. But what wasn't told to us is that it does not support the policies. I got this information from Sophos support. I am angry that we were not given these specifics prior to the purchase. Has anyone had any success using the Enterprise Console and managing Macs? What good does it do to bother installing Sophos on the MACs then?

Following is a list of policies we do not support on Mac OS X:
Firewall
NAC
Application Control
Data Control
Device Control (will come with v9.1)
Full Disk Encryption
Tamper Protection (will come with v9.1)
Patch
Web Control

  • Hello PamP,

    first of all, I'm not Sophos (just to avoid the occasional misconception).

    But wasn't told to us, is that it does not support the policies

    Well, actually these features are not in Sophos Anti-Virus for Mac OS X (please note that the name is still Anti-Virus for all platforms except Windows). Admittedly there is no document with the feature details or a platform/feature matrix (and if there are, they are hard to find). Nevertheless, (pre-)Sales or the partner/reseller should have been able to give you this information.

    Has anyone had any success using the enterprise console and managing macs? What good does it do to bother installing sophos on the MACs then?

    Macs can be managed. You don't think that "plain AV" isn't necessary on Macs, do you? Or maybe your concept of management is different from mine. "Basic" management is:

    • Clients reporting their status, OS and AV versions, compliance with Updating and AV policies, threats, errors and alerts
    • Assigning Updating and AV policies

    I understand your disappointment but ... may I ask which of the missing features are most important (and furthermore why you obviously did buy-before-you-try)? Some of them are rather easy to deploy and use, others (like Data Control or Firewall) are definitely not. 

    Christian

  • We are about 80% Mac OS and after reading this post my concerns are with the Patch Management feature. We are still using the demo and so far the only Mac policy being tested is the Update and AV. Over the next couple of days we want to test the Patch policy for the Mac. What should I expect? Will Sophos see an outdated OS version of the Mac OS? If it does, how does it deploy? Looking for answers and will be supplying details of the test. If we get a positive outcome from the Mac Patch policy testing, look for a long relationship with Sophos.

  • Hello TerranceBennett,

    [first of all, I'm not Sophos] so far in Sophos Anti-Virus for Mac OS X there's only the AV component (including Web Protection), Device Control (please see the link for details) is about to be added and, if what I heard is correct, Tamper Protection too. 

    About two years ago Application Control was next on the list but obviously this has been reconsidered. According to Darren Teagles' post in the former thread Web Control could be next. As for the remaining features, I don't expect them in the near future. Patch (for the Windows platform) is anyway a tool for Assessment only. Thus at the moment Updating and AV are the only features/policies you can test.

    Christian

  • We've published the following KBA to clarify the supported SEC endpoint policies for different platforms.

  • ruckus- Thank you for the clarification. That KBA is exactly what I'm talking about. It shows what features are available for which platform specifically. 

    Terrance and Christian- We DO use AV on the MACs for its AV protection qualities. We are an educational institution, so in addition to our firewall, it has been very convenient to have features on the Sophos management console to help in managing the client's application and web control policies specifically. We're able to block specific web sites and applications right there on the client machine by the Sophos client installed on the machine. These are the exact features lacking on the Sophos Mac client. And that is our huge disappointment, that we can not 'tweak' the Mac Sophos client and take advantage of some of the client control issues that we can on our Windows clients.

  • Hi PamP,

    You probably know this already, but the Sophos UTM (that I think you have?) has Web Filtering.  Demo:

    Obviously that's not answering the "block specific web sites and applications right there on the client machine" bit, but I thought I'd reply with the UTM idea in case you aren't currently using all of its features, as well as for any other readers of this thread.

  • ruckus- Our firewall is a Sophos UTM and we are absolutely blocking specific web sites on the UTM as well as content filtering. Until the very recent 9.2 firmware upgrade on the UTM, it was not able to block https websites. We have a problem with students able to get to Facebook and YouTube https websites. But I have been able to block them (only on Windows clients) on the Sophos AV client installed via the policy applied to that computer group from the Enterprise Console. We also use the Sophos client to block the ultrasurf app that students have been able to use via their thumb drive. The UTM does not allow us to block that app. Another example is vine.co. This is a social media website out of Colombia. The UTM can not block it, but the Sophos client can.

  • Another example came up just today. We have both PC and MAC laptops that are being used by students. We reserve our bandwidth for educational purposes, therefore we don't allow streaming music, such as pandora.com. I have a policy set up in the Sophos Enterprise Console for students' computers that blocks access to pandora.com streaming music. This policy works great on the PCs, but even though Sophos is applied to the MACs, it won't work. Now before you jump on me that we can just block pandora.com on our firewall, which I'm well aware of, that's not my point. It is nice to be able to block it via the Sophos client that resides directly on the client, therefore eliminating additional traffic traversing the internal network, and firewall CPU usage. This is an exact example of why I'm extremely disappointed that the same Sophos policies can not work on both PCs and MACs.
