Improved device list views
Including the ability to add/remove columns and filter results.
For example, add a column about tamper protection, and have the ability to filter for only devices with it disabled. Or to add a column about Intercept X software version and filter for certain version(s).
This would apply to Endpoint and Server views.
We intend to make this functionality available via APIs as well.
The APIs are now available, please see https://developer.sophos.com/ for more details.
For example, retrieving tamper protection status is available this way: https://developer.sophos.com/docs/endpoint-and-server/1/routes/endpoints/%7BendpointId%7D/tamper-protection/get
I appreciate many people simply want the admin UI to offer the functionality rather than just APIs, and we will update it to allow column addition/removal and filtering on any column. However, this is likely to not be until around August as the development team have been reassigned to assist another project for a few months. Sorry for the wait, I would very much like this to be available earlier.
I’ll leave this item open and “started” until the admin UI changes are released, but please do be aware of the API option in the meantime.
Michael M commented
Hi, This would allow us to better managed our Customer endpoints. Knowing the component versions allow's us to determine if a device isn't receiving an update for some reason or if a device has installed a hotfix yet.
I'd recommend listing out what's in Installed Component under the Sophos Endpoint Self Help tool
Stephen Hogan (Progress Systems Limited) commented
It would not only be nice to have this to run manually, but also to schedule it into an email digest of sorts.
Mike Bailey commented
This also needs to be audited within the system that the event occurred. There needs to be a paper trail to document the fact that Tamper Protection was offline for a period of time.
FIND System with Tamper PROTECTION Disabled
We have multiple Admins on Central and Sometime during T/S the Tamper Protection is TURNED OFF for few systems. However if the ADMIN does not roll back its a RISK.
Need an AUDIT LOG REPORT for Systems with Tamper protection TURNED OFF
Zeb Smith commented
In this day and age of DevOps and Automation, the lack of an external API to perform at basic functions (at a minimum) is a huge shortcoming.
We should, at the very least, be able to easily query information about devices registered in Central, get a list of active alerts, etc. via a web service.
Email alerts on a fleet of many thousands of devices are simply not manageable.
David Veatch - Super Admin commented
I just found a relatively easy way to identify the machines that have Tamper Protection disabled - though it's not without its inconveniences.
Logs & Reports/Audit Logs
Tamper Protection changes are recorded here the Description column as "Update computer tamper protection"
Export as CSV is available, making it relatively easy to narrow it down to just those entries.
would add a schedule and send report via email
I totally agree with this, it's very hard to see on a large network which machines need a reboot, also whereas the console says "Reboot Recommended" the individual machines state "Reboot Needed" which is very different.
Tom Stacey commented
Endpoint and Server as well please. It would be a nightmare if i had to check all 2000 devices individually.
I want it too
FFUN Support commented
I have a feature request which I believe would be useful, especially to businesses that have multiple people managing Sophos. This is something that I believe is valuable in keeping things secure as I know there are people out there who do not follow up and put things back to normal. My Feature Request is:
- When looking at the list of all computers, in the drop down, there should be a filter for "List all devices with Tamper Proof Disabled"
Currently I have to check each PC in the list 1 by 1 to see if someone left Tamper Proof Disabled.
We really need this feature please, whether in drop down or a new column would be so MUCH more enterprise friendly than nothing. I tried the suggested Event report, but it was not accurate compared to current state. I had to run the Audit Logs -> Export which only told me that Tamper was changed and not whether enabled or disabled, so still had to touch a bunch of servers we had been troubleshooting.
I also agree that this would be very helpful. I have had a few instances where I have needed to disable Tamper Protection on an Endpoint, and then a while later (days or weeks) realized that I had forgotten to re-enable it.
Vikas Mundhe commented
We really want a report that tells me if any endpoints have tamper protection turned off.
Reports>Events>Policy Compliance>Policy non-compliance does not solve the purpose
Matt Davies commented
The 'Reboot recommended' warning/alert functionality was changed as part of a recent update to the Sophos Central Platform. 'Reboot recommended' alerts were changed to informational messages, meaning that they do not show in the Alerts section on the dashboard.
The informational messages appear in both the updating event log and in the Events tab against individual devices. Unfortunately, the updating events report shows a complete history of machines that have triggered the 'Reboot recommended' informational alert. So this doesn't make it clear as to which machines have been rebooted and which still require the reboot.
Please alter this functionality in order to make it clear as to the machines that are currently pending a reboot (even though it may not be 'required'
A simple drop down option where Show all computers is default would work out the best you have show all Bad and all medium and bad so another option to show all with tamper protection off. Often we have to shut off to do maintenance and sometime we forget to turn back on
And buttons to override every occurrence of disabled tamper protection, on endpoints, servers, and/or both.
Jeremy Roberts commented
There is no obvious way to list filter or report on certain features or status, for example if Tamper Protect disabled and then enable them all on mass. you have to go in to every device individually which is a pain.
You can tell if Tamper Protection has been turned off or on by looking at the Events Report and refining the report to show Policy non-compliance.
Nick Fiorenza commented
Currently the only way to tell if Tamper Protection has been disabled for a device is Sophos Central is to view the Summary page of each device. My suggestion is to add a column to the existing "Servers" and "Computers" reports (under Logs & Reports -> Endpoint & Server Protection) that indicates whether or not Tamper Protection is enabled.