Restrict VPN access only to devices that are in a specific domain, or that have Sophos Antivirus installed
Today, if the user downloads the VPN application, he can install it on a personal computer, which should not have this access and in this way, it would be another point of security for companies that only the company's computers have. access, or just the equipment that has Sophos antivirus, which could be validated through heartbit security
If you are using the Sophos Connect Client you can set it to require heartbeat and if not you could use a VPN to LAN FW rule to have heartbeat requirement?
Even the ability to quarantine new devices until approved.