Improved device list views
Including the ability to add/remove columns and filter results.
For example, add a column about tamper protection, and have the ability to filter for only devices with it disabled. Or to add a column about Intercept X software version and filter for certain version(s).
This would apply to Endpoint and Server views.
We intend to make this functionality available via APIs as well.
The APIs are now available, please see https://developer.sophos.com/ for more details.
For example, retrieving tamper protection status is available this way: https://developer.sophos.com/docs/endpoint-and-server/1/routes/endpoints/%7BendpointId%7D/tamper-protection/get
I appreciate many people simply want the admin UI to offer the functionality rather than just APIs, and we will update it to allow column addition/removal and filtering on any column. However, this is likely to not be until around August as the development team have been reassigned to assist another project for a few months. Sorry for the wait, I would very much like this to be available earlier.
I’ll leave this item open and “started” until the admin UI changes are released, but please do be aware of the API option in the meantime.
Grant Phillipson commented
I agree this should be a feature, just now it is too time consuming having to go into every device to check its tamper protection status. we should be able to run a report or have an extra column on one of the existing reports. also maybe place an alert if tamper protection is turned off.
Tamper protection status as a column
Stefan Bettighofer commented
We have to Reinstall ower PCs with disabled TP. Else the HitmanPro Alert Service Fails to install from time to time.
Its possible that we forget to aktivate the TP after the reinstallation of the Client.
+1 from me too.
Yes, need to be able to schedule reports and send them via email, like the on-premise Sophos Enterprise Console lets us do. This is critical from an auditors, regulators perspective.
Michael M commented
Hi, This would allow us to better managed our Customer endpoints. Knowing the component versions allow's us to determine if a device isn't receiving an update for some reason or if a device has installed a hotfix yet.
I'd recommend listing out what's in Installed Component under the Sophos Endpoint Self Help tool
Stephen Hogan (Progress Systems Limited) commented
It would not only be nice to have this to run manually, but also to schedule it into an email digest of sorts.
Mike Bailey commented
This also needs to be audited within the system that the event occurred. There needs to be a paper trail to document the fact that Tamper Protection was offline for a period of time.
FIND System with Tamper PROTECTION Disabled
We have multiple Admins on Central and Sometime during T/S the Tamper Protection is TURNED OFF for few systems. However if the ADMIN does not roll back its a RISK.
Need an AUDIT LOG REPORT for Systems with Tamper protection TURNED OFF
Zeb Smith commented
In this day and age of DevOps and Automation, the lack of an external API to perform at basic functions (at a minimum) is a huge shortcoming.
We should, at the very least, be able to easily query information about devices registered in Central, get a list of active alerts, etc. via a web service.
Email alerts on a fleet of many thousands of devices are simply not manageable.
David Veatch - Super Admin commented
I just found a relatively easy way to identify the machines that have Tamper Protection disabled - though it's not without its inconveniences.
Logs & Reports/Audit Logs
Tamper Protection changes are recorded here the Description column as "Update computer tamper protection"
Export as CSV is available, making it relatively easy to narrow it down to just those entries.
would add a schedule and send report via email
I totally agree with this, it's very hard to see on a large network which machines need a reboot, also whereas the console says "Reboot Recommended" the individual machines state "Reboot Needed" which is very different.
Tom Stacey commented
Endpoint and Server as well please. It would be a nightmare if i had to check all 2000 devices individually.
I want it too
FFUN Support commented
I have a feature request which I believe would be useful, especially to businesses that have multiple people managing Sophos. This is something that I believe is valuable in keeping things secure as I know there are people out there who do not follow up and put things back to normal. My Feature Request is:
- When looking at the list of all computers, in the drop down, there should be a filter for "List all devices with Tamper Proof Disabled"
Currently I have to check each PC in the list 1 by 1 to see if someone left Tamper Proof Disabled.
We really need this feature please, whether in drop down or a new column would be so MUCH more enterprise friendly than nothing. I tried the suggested Event report, but it was not accurate compared to current state. I had to run the Audit Logs -> Export which only told me that Tamper was changed and not whether enabled or disabled, so still had to touch a bunch of servers we had been troubleshooting.
I also agree that this would be very helpful. I have had a few instances where I have needed to disable Tamper Protection on an Endpoint, and then a while later (days or weeks) realized that I had forgotten to re-enable it.
Vikas Mundhe commented
We really want a report that tells me if any endpoints have tamper protection turned off.
Reports>Events>Policy Compliance>Policy non-compliance does not solve the purpose
Matt Davies commented
The 'Reboot recommended' warning/alert functionality was changed as part of a recent update to the Sophos Central Platform. 'Reboot recommended' alerts were changed to informational messages, meaning that they do not show in the Alerts section on the dashboard.
The informational messages appear in both the updating event log and in the Events tab against individual devices. Unfortunately, the updating events report shows a complete history of machines that have triggered the 'Reboot recommended' informational alert. So this doesn't make it clear as to which machines have been rebooted and which still require the reboot.
Please alter this functionality in order to make it clear as to the machines that are currently pending a reboot (even though it may not be 'required'