If a SafeGuard Enterprise user is assigned to multiple machines, following a password change, the password (that is required at POA) is not updated on all the other clients until they have synchronized with the SafeGuard Enterprise Server.
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Device Encryption
All supported Operating Systems
The reason for this is that SafeGuard Enterprise creates a certificate and a .p12 for every user that is a "SafeGuard Enterprise POA user". The user authenticates to the POA using his Windows password. If the password is changed at Windows level, a new .p12 file is created at the server and sent back to the Client. This file is then sent to the POA which allows the user to authenticate to the POA with his new password.
In order to send the new password to the POA, the client needs to be running. The POA cannot receive any data from external sources.
As a result of this, a client will always use the old Windows password until a connection to the SafeGuard Enterprise Server is established so that the new .p12 can be sent to the Client.
What to do
To update the password on a client (in this example called Client 2) that was "offline" do as follows:
- Change the password on Client 1.
- The new .p12 file is generated and sent back to the Client. The user can now authenticate to the POA with the new password.
- Start Client 2 (which was offline). Authentication needs to be done using the old Windows password.
- At GINA/CP level the system recognizes that the the password is out of date, so the Single Sign On (SSO) fails and the operating system prompts for the new password to be entered.
- The client now connects to the SafeGuard Enterprise Server and the .p12 file is sent to the client.
- After the next reboot the new password can be used at the POA of Client 2.