
Apply Policies on User groups.

Hi,

We are currently running Sophos enterprise version 5.2.0.644.

We are looking for a solution as we would like to create and apply a Device Control policy to a particular group of users and not by computer.

I have created a group on AD to which we would like to apply the policy.

As far as I can see Sophos doesn't show me the Users on the AD Groups but it does show me the workstations on the Computers group in the AD.

Is there any solution to this, or any setup we can change to make this possible and, for example, apply and block USB by User and not by Computers?

Thanks very much.

Carlos

  • Hi,

    Enterprise Console is all about computer based policies I'm afraid; Sophos Cloud which is currently in beta is user based policies and also has device control.  Maybe that would be an option in the near future for these computers/users.

    If I had to try and get SEC to do some sort of user based policies it would require some hacking.

    I could imagine a logon script which: stops the Sophos Agent service, creates the group on bootstrap registry key (see here) with a specific path and then starts the Sophos Agent service.  This would cause the endpoint to send back to SEC a request to move the computer to a particular group, the policies of that group would be sent down to the client.  For something like this to work you would need some mapping logic and for there to be groups and policies in SEC that are ready and waiting.  It also would mean a slight delay and be dependent on messaging working all the time.

    This approach would also require the user to have the rights to stop and start services and write to the registry key, which by default would require admin rights.  If the users do not have these rights, you might have to write a service (running as system for example or a service user with sufficient rights to perform the above) that monitors the logged on user and takes the same action as and when required.

    Regards,

    Jak
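
The logon-script idea from the reply above, sketched as an added example that is not part of the original post and is not Sophos code. The registry key and value name are placeholders (the post only links to them), and the AD group names and SEC group paths are constructed; only the "Sophos Agent" service name comes from the post.

```powershell
# Added example. Placeholders: take the real key and value name from the Sophos
# article the post links to; these are NOT real Sophos registry locations.
$BootstrapKey   = 'HKLM:\SOFTWARE\<PLACEHOLDER-bootstrap-key>'
$GroupValueName = '<PLACEHOLDER-group-value>'
$AgentService   = 'Sophos Agent'   # service display name as given in the post

# Constructed mapping, checked in order: AD user group -> SEC group path.
# The SEC groups and their Device Control policies must already exist.
$GroupMap = [ordered]@{
    'EXAMPLE\USB-Blocked-Users' = '\SEC-SERVER\Users\USB Blocked'
    'EXAMPLE\USB-Allowed-Users' = '\SEC-SERVER\Users\USB Allowed'
}
$DefaultGroup = '\SEC-SERVER\Users\USB Blocked'   # most restrictive fallback

function Resolve-SecGroup {
    param([string[]]$UserGroups, $Map, [string]$Default)
    foreach ($adGroup in $Map.Keys) {
        if ($UserGroups -contains $adGroup) { return $Map[$adGroup] }
    }
    return $Default
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Not elevated: cannot restart the service or write the key.'
    exit 1
}

# Group names come from the logon token, so no AD query is needed at logon.
$userGroups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
}

$target  = Resolve-SecGroup -UserGroups $userGroups -Map $GroupMap -Default $DefaultGroup
$current = (Get-ItemProperty -Path $BootstrapKey -Name $GroupValueName -ErrorAction SilentlyContinue).$GroupValueName

# Skip the restart when the value already matches (assumes the agent leaves it in place).
if ($current -ne $target) {
    Stop-Service -DisplayName $AgentService -Force
    try {
        if (-not (Test-Path $BootstrapKey)) { New-Item -Path $BootstrapKey -Force | Out-Null }
        Set-ItemProperty -Path $BootstrapKey -Name $GroupValueName -Value $target
    } finally {
        Start-Service -DisplayName $AgentService   # always bring the agent back up
    }
}
```

Run as the logged-on user this needs the admin rights the reply mentions; in the service variant the group lookup would have to be done for the interactive user rather than for the service's own token.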
