General settings

Policy setting Explanation
Loading of Settings
Policy Loopback Replay Machine Settings

If Replay Machine Settings is selected in the Policy Loopback field and the policy originates from a machine (Replay Machine Settings in a user policy has no effect), the machine policy is applied again at the end. This overrides any conflicting user settings, so the machine settings apply.

Ignore User

If you select Ignore User for a policy (machine policy) in the field Policy Loopback and the policy originates from a machine, only the machine settings are analyzed. User settings are not analyzed.

No Loopback

No Loopback is the standard behavior: User policies take priority over machine policies.

How are the settings "Ignore User" and "Replay Machine Settings" analyzed?

If there are active policy assignments, the machine policies are analyzed and consolidated first. If consolidation of the various policies results in the Ignore User attribute in policy loopback, policies that would have been applied for the user are no longer analyzed. This means that the same policies apply to the user as to the machine.

If the Replay Machine Settings value results from the policy loopback, the individual machine policies are consolidated first and the user policies are then merged with them. After that merge, the consolidated machine policies are applied again and override the user policy settings. This means that if a setting is present in both policies, the machine policy value overrides the user policy value. If the consolidation of the individual machine policies leaves a setting "not configured", the following applies to that setting: the user setting takes priority over the machine setting.
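The consolidation order described above, written out as a small model so the three loopback values can be compared on the same input. This is an added illustration, not Sophos code: policies are plain dicts with None standing for "not configured", the setting names in the sample data are labels only, and the rule that a later policy in one list overrides an earlier one is an assumption of the model, not a statement from the documentation.

```python
"""Model of how machine and user policies are consolidated under the three
Policy Loopback values. Added example, not Sophos code.

A policy is a dict of setting name -> value; None means "not configured".
Assumption of this model: within one list, a later policy overrides an
earlier one. The sample setting names are only labels.
"""

NOT_CONFIGURED = None
LOOPBACK = "Policy Loopback"


def consolidate(policies):
    """Merge policies of the same origin (all machine or all user).

    A configured value in a later policy overrides an earlier one; a value of
    NOT_CONFIGURED never overrides anything.
    """
    result = {}
    for policy in policies:
        for key, value in policy.items():
            if value is not NOT_CONFIGURED:
                result[key] = value
    return result


def effective_settings(machine_policies, user_policies):
    """Return (effective settings, loopback mode that was applied)."""
    machine = consolidate(machine_policies)
    # The loopback attribute is only read from the consolidated machine
    # policy; in a user policy it has no effect, so it is dropped here.
    mode = machine.get(LOOPBACK, NOT_CONFIGURED)
    user = consolidate(user_policies)
    user.pop(LOOPBACK, None)

    if mode == "Ignore User":
        # User policies are not evaluated at all.
        return machine, mode

    # Default ("No Loopback" or not configured): user settings win.
    merged = dict(machine)
    merged.update(user)

    if mode == "Replay Machine Settings":
        # Every configured machine value is written again on top, so it wins
        # wherever both sides configure the same setting. Settings the machine
        # side leaves "not configured" keep the user value.
        merged.update(machine)
        return merged, mode

    return merged, "No Loopback"


# Constructed sample data (labels only, not an exported policy).
MACHINE_POLICIES = [
    {"Connection interval to server (minutes)": 90,
     "Enable Local Self Help": "No",
     LOOPBACK: NOT_CONFIGURED},
    {"Enable logon recovery via C/R": "Yes"},
]
USER_POLICIES = [
    {"Enable Local Self Help": "Yes",
     "Language used on client": "English",
     LOOPBACK: "Ignore User"},   # has no effect in a user policy
]


def run_all_modes():
    """Apply the same policy sets under each loopback value."""
    results = {}
    for mode in (NOT_CONFIGURED, "Ignore User", "Replay Machine Settings"):
        machine = MACHINE_POLICIES + [{LOOPBACK: mode}]
        results[mode or "not configured"] = effective_settings(machine, USER_POLICIES)
    return results


if __name__ == "__main__":
    for label, (settings, mode) in run_all_modes().items():
        print(f"{label:>25} -> {mode}: {settings}")
```

Running it shows the three outcomes side by side: with no loopback the user's "Enable Local Self Help = Yes" wins, with Ignore User the user's language setting never appears, and with Replay Machine Settings the machine value "No" wins while the language setting, which the machine side leaves unconfigured, is still taken from the user policy.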
Transfer Rate
Connection interval to server (minutes)

Determines the period in minutes after which a SafeGuard Enterprise Client contacts the SafeGuard Enterprise Server to ask for policy changes.

Note: To prevent a large number of clients contacting the server at the same time, communication is carried out during a period of +/- 50% of the interval you set. Example: If you set “90 minutes”, communication occurs after an interval that can be anywhere from 45 to 135 minutes.

Improve Sophos SafeGuard® by sending anonymous usage data

Sophos is continuously trying to improve SafeGuard Enterprise. Accordingly, clients regularly send anonymized data to Sophos. This data is exclusively utilized for improving the product. It cannot be used to identify customers or machines, and does not contain any other confidential information.

Because all data is sent anonymized, the data collection function is enabled by default.

If you set this option to No, no usage data will be sent to Sophos.

Feedback after number of events

The log system, implemented as the Win32 service “SGM LogPlayer”, collects the log entries that SafeGuard Enterprise generates for the central database and stores them in local log files in the “Auditing\SGMTransLog” directory of the Local Cache. These files are handed to the transport mechanism, which sends them to the database through the SGN Server as soon as it has established a connection to the server. Until a connection is available, the current log file keeps growing. To limit the size of each log file, set a maximum number of log entries here: once the preset number of entries has been reached, the logging system places the log file in the SGN Server transport queue and starts a new log file.
Language used on client

Language in which the SafeGuard Enterprise settings are displayed on the endpoint. You can select a supported language or the endpoint's operating system language setting.

Logon recovery
Activate logon recovery after Windows Local Cache corruption

The Windows Local Cache is the start and end point for the data exchange between the endpoint and the server. It stores all keys, policies, user certificates and audit files. All data stored in the Local Cache is signed and cannot be changed manually.

By default, logon recovery after Local Cache corruption is deactivated, which means a corrupted Local Cache is restored automatically from its backup and no Challenge/Response procedure is required to repair it. Set this field to Yes if the Windows Local Cache is to be repaired explicitly with a Challenge/Response procedure.

Local Self Help
Enable Local Self Help

Determines whether users are permitted to log on to endpoints with Local Self Help if they have forgotten their password. With Local Self Help, users can log on by answering a specified number of previously defined questions in the SafeGuard Power-on Authentication. They can regain access to their computers even if neither a telephone nor an internet connection is available.

Note: For the user to be able to use Local Self Help, automatic logon to Windows must be enabled. Otherwise, Local Self Help will not work.

Minimum length of answers

Defines the minimum character length for Local Self Help answers.

Welcome text under Windows

Specify the custom text to be displayed in the first dialog when the Local Self Help Wizard is launched on the endpoint. Before you can specify the text here, it has to be created and registered in the policy navigation area under Texts.

Users can define their own questions

As a security officer, you can define the set of questions to be answered centrally and distribute it to the endpoints in the policy. You can also grant users the right to define their own questions; to do so, select Yes.
Challenge / Response (C/R)
Enable logon recovery via C/R

Determines whether a user is permitted to generate a challenge in the SafeGuard Power-on Authentication (POA) to regain access to their computer with a Challenge/Response procedure.

Yes: User is permitted to generate a challenge. In this case, the user can regain access to their computer with a C/R procedure in an emergency.

No: User is not permitted to issue a challenge. In this case, the user cannot initiate a C/R procedure to regain access to their computer in an emergency.

Allow automatic logon to Windows

Allows a user to log on to Windows automatically after authentication with Challenge/Response.

Yes: User is automatically logged on to Windows.

No: Windows logon screen appears.

Example: A user has forgotten their password. After the Challenge/Response procedure, SafeGuard Enterprise logs the user on at the endpoint without a SafeGuard Enterprise password. If this setting is No, the Windows logon screen is displayed and the user cannot get past it, because the SafeGuard Enterprise password is the Windows password, which they do not know. With the setting Yes, the user is logged on to Windows automatically and can continue working.

Information text

Displays an information text when a Challenge/Response procedure is initiated in the SafeGuard POA. For example: "Please contact Support Desk on telephone number 01234-56789".

Before you specify a text here, you must create it as a text file in the Policies navigation area under Texts.


New images must be registered in the Policies navigation area of the SafeGuard Management Center under Images. The images will only be available after registration. Supported formats: .BMP, .PNG, .JPEG.

Background image in POA

Replace the blue SafeGuard Enterprise background with a custom background image. Customers may for example use the company logo in SafeGuard POA and at Windows logon. Maximum file size for all background bitmaps: 500 KB.

  • Resolution: 1024x768 (VESA mode)

  • Colors: unlimited

Background image in POA (low resolution)

Low-resolution variant of the custom background image, used in VGA mode.

  • Resolution: 640x480 (VGA mode)

  • Colors: 16 colors

Logon image in POA

Replaces the SafeGuard Enterprise image displayed during SafeGuard POA logon with a custom image, for example a company logo.

  • Resolution: 413 x 140 pixels

  • Colors: unlimited

Logon image in POA (low resolution)

Low-resolution variant of the custom logon image.

  • Resolution: 413 x 140 pixels

  • Colors: 16 colors

File Encryption
Trusted Applications

For file-based encryption by File Encryption and SafeGuard Data Exchange, you can specify applications as trusted to grant them access to encrypted files. This is for example necessary to enable antivirus software to scan encrypted files.

Enter the applications you want to define as trusted in the editor list box of this field. Applications must be entered as fully qualified paths. Because trust is tied to the path, any executable placed at a listed path inherits plaintext access to encrypted files; keep the list short and make sure the listed locations are not writable by standard users.

Ignored Applications

For file-based encryption by File Encryption and SafeGuard Data Exchange, you can specify applications as ignored to exempt them from transparent file encryption/decryption. For example, if you define a backup program as an ignored application, encrypted data backed up by the program remains encrypted.

Enter the applications you want to define as ignored in the editor list box of this field. Applications must be entered as fully qualified paths.

Ignored Devices

For file-based encryption by File Encryption and SafeGuard Data Exchange, you can exclude entire devices (for example disks) from file-based encryption.

In the editor list box, select Network to select a predefined device, or enter the required device names to exclude specific devices from encryption.

Enable persistent encryption

For file-based encryption by File Encryption and SafeGuard Data Exchange, you can configure persistent encryption. With persistent encryption, copies of encrypted files remain encrypted even when they are saved in a location not covered by an encryption rule.

This policy setting is activated by default.

User is allowed to set default keys

For file-based encryption by Cloud Storage, you can configure whether the user is allowed to set a default key for encryption. If allowed, the Set default key command is added to the Windows Explorer context menu of Cloud Storage synchronization folders. Users can use the command to specify separate default keys for the encryption of different synchronization folders.
Email add-in settings
Enable email add-in

SafeGuard Enterprise includes an add-in for Microsoft Outlook that makes encrypting email attachments easy.

If you set this option to Yes, users will be prompted to decide how to handle attachments each time they send emails with attachments.

In addition, you can list domains and specify how attachments are handled when they are sent to these domains.

Behavior for white-listed domains
Encryption method for white-listed domains

Select how to handle attachments from the drop-down list:

Encrypted: All attachments in emails to the specified domain will be encrypted. Users will not be prompted.

No encryption: Attachments in emails to the specified domain will not be encrypted. Users will not be prompted.

Unchanged: Encrypted files will be sent encrypted, plain files will be sent in plaintext. Users will not be prompted.

Always ask: Users will be asked how to handle the attachments each time they send emails to the specified domain.

Domain whitelist

Enter one or more domains for which the encryption method should be applied. Enter several domains separated by commas. Wildcards and partially specified domains are not supported.
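The domain whitelist rules above (comma-separated list, exact matches only, no wildcards or partially specified domains), as an added example of how a client could validate the list and resolve the attachment handling for a message. This is illustration code, not the Outlook add-in's own logic. Three points are assumptions and not stated by the documentation: domain comparison is case-insensitive, a recipient whose domain is not on the list falls back to prompting the user (the "Always ask" behaviour that applies when the add-in is enabled), and a message whose recipients resolve to different outcomes also falls back to "Always ask".

```python
"""Added model of per-domain attachment handling for the email add-in.
Not Sophos code. Assumptions: case-insensitive domain comparison; a domain
that is not whitelisted falls back to prompting ("Always ask"); a message
with mixed outcomes also falls back to "Always ask".
"""
import re

METHODS = {"Encrypted", "No encryption", "Unchanged", "Always ask"}
FALLBACK = "Always ask"
# Label syntax check (letters, digits, hyphens, no leading/trailing hyphen).
# Used only to reject obviously malformed whitelist entries; an assumption.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_domain_whitelist(text):
    """Split the comma-separated policy value into a set of domains.

    Rejects what the policy does not support: wildcards and partially
    specified (single-label) domains such as 'example'.
    """
    domains = set()
    for raw in text.split(","):
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue  # tolerate a trailing comma or doubled separator
        if "*" in entry or "?" in entry:
            raise ValueError(f"wildcards are not supported: {raw.strip()!r}")
        labels = entry.split(".")
        if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
            raise ValueError(f"not a fully specified domain: {raw.strip()!r}")
        domains.add(entry)
    return domains


def method_for_recipient(address, whitelist, method):
    """Exact-match lookup: 'sub.example.com' is NOT covered by 'example.com'."""
    if method not in METHODS:
        raise ValueError(f"unknown encryption method: {method!r}")
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    return method if domain in whitelist else FALLBACK


def method_for_message(recipients, whitelist, method):
    """Resolve one outcome for a whole message (mixed outcomes -> prompt)."""
    outcomes = {method_for_recipient(r, whitelist, method) for r in recipients}
    return outcomes.pop() if len(outcomes) == 1 else FALLBACK


if __name__ == "__main__":
    # Constructed sample policy value and recipients.
    wl = parse_domain_whitelist("example.com, Partner.co.uk,")
    for rcpts in (["alice@EXAMPLE.com"],
                  ["bob@sub.example.com"],
                  ["a@example.com", "c@other.org"]):
        print(rcpts, "->", method_for_message(rcpts, wl, "Encrypted"))
```

The subdomain case is the one worth testing on a real deployment: because partially specified domains are not supported, whitelisting example.com does not cover mail to sub.example.com, and those recipients get the prompt instead of the configured method.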