Individual (or client) Policy Exceptions
I would like some functionality added to Sophos Central to accommodate for the need to exempt a specific application on a single server without creating the need for an endless and complicated web of policies as additional application exemption needs are identified.
The company has all servers "enrolled" in the Default Application Control policy. Server A requires all of the same rules as the Default policy but needs PuTTY allowed. No other servers can have PuTTY installed per a strict security policy. To accommodate this need, we, at present, must create a Default Application Control policy clone (w/PuTTY allowed).
After that first application exemption need was identified and accommodated, we now have two policies that are nearly identical, the Default policy and the Default policy clone w/PuTTY exemption.
A new application is identified as requiring exemption on all servers. To accommodate this, we need to modify the Default policy AND the Default policy clone w/PuTTY exemption. Fine, so we modify the two policies and move on.
A new application, Ruby Installer, for instance, is identified that is required to be exempted on Server B, but not on Server A where PuTTY is exempted, so a third policy must now be created.
Now, for our policies, we have: 1) Default policy, 2) Default policy clone w/PuTTY exemption, and 3) Default policy clone w/Ruby Installer exemption.
Another application is identified that all servers need allowed, so we have to update all three policies.
Over time, this list is expected to grow in complexity that appears exponential.
Perhaps I am missing something somewhere, but it appears as though there is no nice accommodation for one-off exemptions like this in the Application Control policy. If possible, I would like to suggest the addition of the ability to add an exemption that is assigned to a machine that overrides the Application Control policy to which it subscribes in Sophos Central.
This is a great idea. If you care about locking down systems, it's crazy to think that you would want all of them protected the same. Especially in an environment where there are lots of systems doing different things with different software. 50+ policies would be INSANE to manage.