List machines with tamper protection disabled
There is no way to run a report or search for any devices that have had tamper protection disabled and it has not been re-enabled.
During Sophos Evolve yesterday one of the poll questions was "Should tamper protection be disabled" and the possible answers were "No" "No" and "No"...but the product can't tell you if machines have TP disabled! Seems like if it was really a priority there should be a report that ensures all your devices have TP enabled.
XG Fan commented
consider merging this into https://ideas.sophos.com/forums/428821-sophos-central/suggestions/37144834-improved-device-list-views
Kevin Kingston commented
This is also possible now using our new Live Discover capability which is now in available as part of our Endpoint and Server Early Access Program. More details here: https://community.sophos.com/products/intercept/early-access-program/b/blog/posts/powerful-new-edr-capabilities-now-available-in-early-access Details specifically on this query can be found here: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-queries/119836/live-discover-query---identify-devices-where-tamper-protection-is-disabled
Currently, there is no report for it it, but you can use Central APIs to query that.
For endpoints specifically: https://developer.sophos.com/docs/endpoint-and-server/1/overview
We could really benefit from this feature
Sorry - might be a noob comment, but isn't this something that can be directly query'd from the SQL database? Just an idea, have not really looked into it.
[Deleted User] commented
Why is there no report for this already.