One or more clients report their status to the Sophos Enterprise Console as
differs from policy. This is seen under the "Device Control" tab | "Device Control policy" column.
First seen in
Enterprise Console 4.5.0
There are a variety of reasons for this.
What To Do
Confirm the client has recently reported to the console
Initially it is important to confirm that the client has sent a message to the Sophos management server recently. If the client has not reported to the console recently then the warning message may not be accurate.
- In the console, right-click the computer.
- Select "View Computer Details".
- In the computer details windows locate the line "Last message received from computer".
- If the client is switched on and connected to the network ensure the date and time is within the last 30 minutes. If the date and/ or time is outside of this period you should look to troubleshoot why the client is not reporting to the console.
Force the client to comply
If the server has received a recent message from the client then you should attempt to force a comply to the client. This will undo any local changes an administrator may have made to the client's configuration.
- Ensure that the client(s) are shown as connected in the console. To do this: From the 'View:' drop down box select 'Connected computers'.
- Right-click the client and select 'Comply with' | 'Group Anti-Virus and HIPS Policy'.
Warning: Forcing a comply for disconnected clients will generate message build-up in the management server's envelopes folder as these messages cannot be sent to offline endpoints. It is recommended you only force a comply for a small number of online endpoints first and see if the alert disappears and does not come back (see below).
Important: You may initially see the warning disappear from computers that you force to comply only to see it return after a short while (having initially complied). This happens while the policy is being sent to the endpoint and the endpoint is attempting to implement the policy. However if there is an underlying problem forcing a comply will not resolve the issue - you should work through the rest of this article to identify the issue. Forcing a policy compliance at this stage is an important step as you must rule out if the policy simply needs re-sending to the endpoint and/or a local administrator has/is altering the policy from that configured centrally.
Reboot the client
Occasionally the client may have trouble complying with the current configuration until it has been rebooted. If you have not already done so, reboot the client and wait for the client to report (see Confirm the client has recently reported to the console above).
Check the Sophos Device Control service is started
- On the client open Windows service (Start | Run | Type: services.msc | Press return).
- Locate the "Sophos Device Control Service".
- Ensure this service is started and can be restarted without an error.
If the above steps fails to resolve the differs from policy issue please follow the steps below:
- Enabled verbose agent logging on the client (affected computer that is differing):
- Stop the 'Sophos Agent' service.
- Open the Registry Editor. See Registry Editor for more information.
- Browse to HKEY_LOCAL_MACHINE\software\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent.
- Create a new DWORD value named 'LogLevel'.
- Change its value to 2.
- Re-start the 'Sophos Agent' service.
- From the console force a comply for the Anti-Virus and HIPS policy to the client.
- Allow the client to report/ differ from policy which may not be immediate.
- Run the Sophos Diagnostic Utility (SDU) on the client and forward the output file. For more information on the SDU program see article 33533.