The uninstall and repair options via console would make it easier to manage a large number of machines, mainly because sometimes it is difficult to get access to some of them.

We need to be alerted only on important conditions. Being alerted that a laptop has missed two updates (laptops are often off for more than two days) is not helpful and, in fact, may result in the team paying less attention to Sophos alerts. We need to be able to configure this or at minimum, please change the default. Thanks,

Be able to classify certain alerts, such as a medium 'Reboot required after software update' as informational.

We get alot of alerts that state "One or more Sophos services are missing or not running" or "realtime protection has been disabled." We then have to go into Central and look up those machines only to find that 9 out of 10 times the alert has cleared itself. There is an Event Log entry that states "all services are running" or "realtime protection has been enabled." It would be nice to have an alert that is triggered from those resolved entries. That or be able to create an alert from Events contained in the Event Log.

We need to be able to log and report on all attempted USB device connections, whether successful or not, regardless if policy is being enforced or not. Currently, whenever the box marked 'detect, but do not block' is checked, you have the ability to report on all devices, but if the box is unchecked, and policy is set to allow all devices, you can't report on devices that successfully connected, only the blocked attempts are reportable. This needs addressed.

The migration tool is great, but it would be great to incorporate policy migration as well. Though the policies don't directly link up, for the ones that central can accommodate eg. Scanning exclusions, web control, application control

Sophos Central Installer checks server availability. Somehow that check was passing during last week's outage when Sophos servers were not able to complete installation and protection. The installer's checks should verify that all resources are available for protection to succeed, so that the installer is not able to uninstall existing protection and *then* fail, leaving endpoints unprotected. Moreover, Sophos needs a switch to flip to force this check to fail the next time they have a catastrophic outage like they did 11-14 July.

Show GVMs in the SEC and that they are being actively protected. Also, which SVM they are being protected by currently.

Only having the SVMs visible doesn't give the same level of confidence as the older fat clients.

We have a ton of old computers listed that have been retired & removed from AD, but are still listed in sophos. It would be nice if AD sync had an option to automatically clear these up.

If it's not in AD and it's not reporting as online (For 2 weeks) -> Purge.

A support tech told me awhile back that you may be working on a utility to forcefully remove the software and all of its relevant registry keys, folder structure, services, etc. I think this should be made a priority as it seems we are constantly uninstalling and reinstalling only to have the same problems after reinstalling.

Your KB article for a manual uninstall is insufficient.

I have notice that pretty much all our downloads as well as uploads are captured as events by the DLP engine when setting policy for web browsers.

This can mean the controlled items list becomes huge and the central events log is way to big to get anything meaningful in terms of data leaving via web.

All the data loss tools I've used generally only capture outbound events, as this is the nature of Data Loss Prevention.

Actual there is no way to be alerted by a Exploit Prevetion Event like the E-Mail Notifications in the AV & HIPS Module. Many of our customers are horrified why that standard function is not implemented!

I have had InterceptX Root Cause Analysis (RCA) cases detected with low, medium, and high priorities -- but none of them generated an alert email.

It is very important that they do so, because RCA cases imply that malicious code has attempted to run on an endpoint, and this requires manual investigation to ascertain the cause.

At the moment it appears that the only way of noticing if you have a new RCA case to deal with is if you manually go Dashboard -> Endpoint Protection -> Root Cause Analysis.

We need to be able to restrict the IPs that are allowed to log in to Central with administrator privileges. For example, we would only want our administrator accounts to be able to log in from our corporate network and not from anywhere outside. That way if the credentials became compromised they still couldn't be used by anyone outside of our corporate LAN. This combined with 2FA (which appears to be coming soon) would greatly improve the security of your product.

Currently Microsoft Edge is not included as a destination within the Data Control policy for the on-premise Enterprise Console.

Migration Tool for Mac devices:

Currently about to start migrating on-premise Sophos Endpoint Protection server/users to Sophos Central. Problem - migration tool works for Windows only...but not for Mac devices.
We have a large number of Mac devices and the use of the migration tool to assist in mass deployment for Mac devices would have been "invaluable" for this task.
Please can the existing Migration tool be extended to also select Mac devices and migrate.

Please add the firewall back into the new sophos central agent. Currently we already have this in place on all our corporate laptops and now we are migrating endpoint protection to sophos central..this is not currently available and has rather been removed...resulting in our endpoints not having no firewall endpoint protection. If we already have this using on premise why on earth would this be removed. Please add this back in ASAP. About to start migratung..but can't.