Clientless Users: one user, multiple devices still one user?

I don't currently take advantage of the XG Clientless Users in terms of rules, etc, but I have set up a couple of Mac laptops with their corresponding users. Let's call them John Doe and Tammy Smith. So I set up John's laptop with the clientless user john_doe and Tammy's laptop with tammy_smith. That gives me a little more insight into how things are going with them (things like Live Connections Per User in the Control Center). We don't have AD or other authentication means, though Intercept X does know who is logged in -- but it seems this isn't useful to XG. We're a small installation with a few dozen devices.

Both of these folks also have an iPhone and an iPad. So I could also assign their user id to all three of their devices. But then I wonder if that's going to cause any problems/complications since all three devices will be "logged in" as the same user simultaneously and at all times. Does that cause problems or complications in XG 18.5?

I could, of course, do something like have John's laptop be john_doe1 and his iPhone be john_doe2, and so on. But that seems contrary to the idea of a "user". In which case "user" becomes somewhat redundant with IPv4 and MAC address. Not totally redundant, since things like Live Users and Live Connections give details based on user and not IP or MAC, so perhaps worth it.

One last thought, that may be naive: the laptops have the Intercept X endpoint and other security software installed, and I consider them to be as secure as I can make them. The iPhones do not have any endpoint installed nor are they MDM-managed. Sort of BYOD, but the users themselves are highly trusted and don't engage in shenanigans on these devices, so I view the phones as less secure in the sense that the user might stumble onto a security problem when they're outside and on the cellular network but I don't view them as potential insider threats. So if I do begin to use users in some XG features (rules, etc) it seems tempting to regard the laptop slightly differently from the phone, though I can't think of a particular example.

Any thoughts or suggestions?

  • Hello Wayne,

    Thank you for contacting the Sophos Community.

    Clientless will only allow you to have the same Username once, so you’ll not be able to create "User1" 3 times and give each one different IPs or MAC addresses.

    In this case, you can create user1_MAC, user1_iPAD, user1_iphone, they all can have the same "name" under Clientless but not the same Username.

    The other option would be to use something like the Client Authentication Agent, and enable "Simultaneous logins" so they can authenticate with the same local user in their devices. 

    Regards,

  • Makes sense. I've created john_doe, john_doe_ipad, and john_doe_iphone. That makes some monitoring/reporting simpler and I imagine that ultimately everything will be driven by users and behavior. And it lets me, if need be, distinguish that john_doe is more trusted than the other two. (One example, I guess, would be to allow access to the appliance via SSH or via the web interface.)

  • For a bigger, non-AD environment, I started to use clientless user groups. So the group was called Peter and in this group, all devices were Peter_Iphone etc.