We have created in our policy below sections,

1. Enabled Require startup authentication


2. Enabled new authentication password/pin from users after 3 months

By creating we have seen users are just postponing the new authentication and we are getting this alerts after 5 times postponed by user which is a big thing to troubleshoot.

If we can disable the postponed tab in the dailouge box poped out automatically from sophos we can reduce this unnecessary alerts.

And we have 1000 users environment enrolled which is very much difficult to maintain and we need to enforce our policy mentioned above.

once uninstalled, SGN does not restore the functionality that was initially activated on the workstation (nor even warns the admin that the workstation will not be returned to its initial state): FastUserSwithing no longer works

The SGMTrace-Logging could be "acitivated" and "deactivated" (= changing Minimumtracelevel from 5a to 0 and back) via buttons in the about-box of SGN.

It is a SGN MC recovery feature and should also be available via Webhelpdesk.

Implement Windows 10 POA with Smartcards like in Windows 7. Only the BitLocker PIN is not Enterprise ready in my humble opinion..

Sophos Enterprise client should display client agent status regards to the disk encryption status. End user should be able to confirm endpoint encryption status.
I’m fully aware about the SGNState tool.

Thank you.

On-premise SafeGuard Enterprise customers have been requesting the ability to remotely trigger a PIN reset for specific machines.

A context menu item via right-clicking a Machine Object in the Management Center triggering a PIN reset the next time the SafeGuard client syncs would be the best implementation for this feature.

Ability to have Network Aware POA on machines (especially BitLocker as there is no user-based POA).

Many customers need the ability to disable POA on devices in the office - for example shared machines. If the device is stolen, then POA should be enabled immediately. We are currently working on a 3,000 user company with Call Centre who love what we can do in Win7 but need a comparable approach for BitLocker managed machines.

This would apply for Central as well however we have a larger SGN deployment base today so SGN is the most important starting place.

The Message to enter the old password (usually after resetting the PW by an AD-Admin) often confuses users and admins. The procedure is completly described in KBA 112239, but has to be delivered by the support.

The message could be improved by directly mentioning or referring to KBA 112239. This could help admins and users to find the solution without calling any support

to allow the encryption and management of Ubuntu workstation as part of SafeGuard Enterprise

Safeguard 8 Managed Client Enhancement request for SafeGuard to disallow “suspension” of BitLocker on client.

the FDE capability are primarily governed by the following requirements:

·

Maintain or improve existing security posture of the Windows 7 platform

·

Ensure end users cannot suspend/remove installed security controls

As our current FDE solution in the Windows 7 environment prevents end users from suspending/removing full disk encryption provided by Sophos Safeguard 7.x, we are looking to preserve the same level of security in
our upcoming Windows 10 platform

Customer is asking for the possibility to remove old clients via a GUI window "en bloc" - means that user should get a window with criterias (like last server contact date) to pre-select shown clients and the her should be able to tick mark all clients that should get removed from database.

When SafeGuard manages a Bitlocker full disk encryption device, event code 3503 - Sector-based initial encryption of drive 'X:' started" should be captured in the Event log of the Safeguard Management console.

At the moment it is not possible to configure the windows 10 locksreen if Safeguad is installed.
Please make it possible to let the admin choose if it is possible or not.
Best would be to configure it via Windos GPO. To configure it via Safeguard policy would be an alternative way.

A Platinum Customer wants to include the hostname in the Challenge/Response to make sure that Response Codes fits to the machine.

The reason is described in sophtrac case 5777475.

After user authenticates through SG CP, a Windows GPO can trigger a display of the last successful and unsuccessful login attempts. The SG CP shows the successful attempts correct, but has a count of zero for correct logins. Displaying this information works correct when Windows CP is used. The information is stored in the OS but the SG CP doesn't appear to pull the failed amount correct.

Please move the recovery button a bit further from the OK button. UX principles would suggest that such a radically different function should not be close enough to the OK button such that an accidental click renders the system in a temporarily unusable state. OK/Clear/Recovery/Restart or something like that would be better to give a buffer for those of us with fat fingers and itchy mouse triggers.

When a network user logon to a computer with SGN installed and the user´s password is expired, SGN requests a password change.

SGN must have a way to disable this feature, preventing request a new password to network users when company uses a external Password Manager.