Enable Tamper Protection by Group Policy, not just Globally
We need the ability to enable/disable tamper protection with a group policy like in on-premise Enterprise Console. Having to do it Globally is terrible.
We've had a number of instances where initial installation has gone bad -- getting far enough that tamper protection has gone into effect, but not far enough that we can turn off tamper protection for the individual client. Sophos Support has suggested that we turn off TP globally while we complete our rollout. That's ridiculous. If we could turn on TP in group policy, I would have it off in Base Policy to keep it from applying to new installs until they're really complete, but I could have TP on for the installed base and for servers.
Stefan H commented
Hi, tamper protection is controlled via registry keys. So it's no problem to control these keys via group policy and let it act like an "enabled/disabled". It's not very complicated to write a group policy for yourself. If you need, I can give you a template which you can import into the Active Directory central store. Just let me know.
Dennis Lee commented
We've run into this issue as well, but it has hit us more when deploying new machines from a template. We use VMware customization specifications extensively for VDI as well as new servers and we are basically unable to leave Sophos on our templates.
When we go to deploy a new server/VDI, we can prepare the template using Sophos best practices but once they start deploying, the MCS client service starts up immediately, generates a new Machine code, hooks into Sophos Central and enables Tamper Protection. At that point, the customization kicks in and begins a sysprep, which breaks the VM completely due to Tamper Protection's incompatibility with sysprep.
Unfortunately, due to the random aspect of when new VDI servers are generated, we cannot leave Tamper Protection off when they are deploying.
At this point Sophos Central is basically unusable for VDI as we have around 300 systems spinning up and down at any given moment.
andreu serrando commented
My organization needs the same feature because our customers have many groups of computers and users in Sophos Central and today it's not possible to fix tamper protection by group.