Improved device list views
Including the ability to add/remove columns and filter results.
For example, add a column about tamper protection, and have the ability to filter for only devices with it disabled. Or to add a column about Intercept X software version and filter for certain version(s).
This would apply to Endpoint and Server views.
We intend to make this functionality available via APIs as well.
The APIs are now available, please see https://developer.sophos.com/ for more details.
For example, retrieving tamper protection status is available this way: https://developer.sophos.com/docs/endpoint-and-server/1/routes/endpoints/%7BendpointId%7D/tamper-protection/get
I appreciate many people simply want the admin UI to offer the functionality rather than just APIs, and we will update it to allow column addition/removal and filtering on any column. However, this is likely to not be until around August as the development team have been reassigned to assist another project for a few months. Sorry for the wait, I would very much like this to be available earlier.
I’ll leave this item open and “started” until the admin UI changes are released, but please do be aware of the API option in the meantime.
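As an added illustration of the API option mentioned in the update above (not part of the original post and not Sophos code): Python that turns per-endpoint tamper-protection lookups into the "which devices have it off" report requested in this thread. The route path comes from the documentation URL quoted above; the `enabled` response field, the inventory record shape and the `fetch` callable are assumptions to check against the API documentation, and all sample data is constructed.

```python
import json

# Path from the documentation URL quoted above. Base URL and authentication
# are out of scope; the "enabled" response field is an assumption.
TAMPER_ROUTE = "/endpoints/{endpointId}/tamper-protection"

def audit_tamper_protection(endpoints, fetch):
    """Sort hostnames into enabled / disabled / unknown.
    `fetch(path)` is a hypothetical callable returning the decoded JSON body.
    A failed or malformed lookup is reported as unknown, never as enabled."""
    report = {"enabled": [], "disabled": [], "unknown": []}
    for ep in endpoints:
        path = TAMPER_ROUTE.format(endpointId=ep["id"])
        try:
            state = fetch(path)["enabled"]
        except (OSError, ValueError, KeyError, TypeError):
            state = None
        if state is True:
            report["enabled"].append(ep["hostname"])
        elif state is False:
            report["disabled"].append(ep["hostname"])
        else:
            report["unknown"].append(ep["hostname"])
    return {k: sorted(v) for k, v in report.items()}

# Constructed sample data: inventory records and canned API responses.
SAMPLE_ENDPOINTS = [
    {"id": "ep-0001", "hostname": "HR-LT-01"},
    {"id": "ep-0002", "hostname": "SRV-DB-02"},
    {"id": "ep-0003", "hostname": "FIN-LT-07"},
    {"id": "ep-0004", "hostname": "LAB-PC-11"},
    {"id": "ep-0005", "hostname": "KIOSK-03"},
]
SAMPLE_RESPONSES = {
    "/endpoints/ep-0001/tamper-protection": '{"enabled": true}',
    "/endpoints/ep-0002/tamper-protection": '{"enabled": false}',
    "/endpoints/ep-0003/tamper-protection": '{"enabled": false}',
    "/endpoints/ep-0004/tamper-protection": '{"error": "forbidden"}',
}

def sample_fetch(path):
    """Offline stand-in for an authenticated GET; ep-0005 simulates a timeout."""
    if path not in SAMPLE_RESPONSES:
        raise OSError("simulated timeout")
    return json.loads(SAMPLE_RESPONSES[path])
```

Devices in the `unknown` bucket need a manual check, since a lookup that failed says nothing about whether tamper protection is on.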
A simple drop-down option where "Show all computers" is the default would work out the best. You have "show all bad" and "all medium and bad", so another option to show all with tamper protection off. Often we have to shut it off to do maintenance and sometimes we forget to turn it back on.
And buttons to override every occurrence of disabled tamper protection, on endpoints, servers, and/or both.
Jeremy Roberts commented
There is no obvious way to list, filter or report on certain features or status, for example if Tamper Protect is disabled, and then enable them all en masse. You have to go into every device individually, which is a pain.
You can tell if Tamper Protection has been turned off or on by looking at the Events Report and refining the report to show Policy non-compliance.
Nick Fiorenza commented
Currently the only way to tell if Tamper Protection has been disabled for a device in Sophos Central is to view the Summary page of each device. My suggestion is to add a column to the existing "Servers" and "Computers" reports (under Logs & Reports -> Endpoint & Server Protection) that indicates whether or not Tamper Protection is enabled.
Logs and Reports>Events Report>Policy Violations>Policy non-compliance
This report will display computers that are not compliant with policies, including Tamper Protection. It will not show when/if the computer violating the policy was returned to compliance, but you can add that to the report if you wish.
Jeremy Roberts commented
Some way to see all the computers with tamper protection turned off would be good.
Anand Singh commented
I just thought of a great functionality where it's a simple filter but can be very useful to spot any security risks with the clients.
There could be a filter where it shows something like "Tamper Protection Off" and it displays all the devices that have tamper protection set to 'off'.
This would be super useful as if tamper protection is disabled then users and potential threats are able to stop the service or uninstall the Sophos application.
Is there a way where we can obtain a report to see if tamper protection has been disabled? If not can we get it added in ASAP?
Christopher Wanamaker commented
Enhance Reporting capability, such as allowing a report to be pulled showing the users, last active, and what policies are assigned to them.
As of now there is no way to confirm the users are getting the correct policies without going into each individual user, and when you have hundreds, that makes it wasteful.
Basically, a feature which allows custom reports to be created regarding users, groups, policies, and statistics for auditing / compliance.
It's not targeted, but Reports>Events>Policy Compliance>Policy non-compliance will list TP non compliant along with status on other policies.
Rich Glaser commented
I want a report that tells me if any endpoints have tamper protection turned off.
Neil Watkiss commented
What version(s) do you think you want?
Version of the suite? (Currently "11.0.2 Cloud")
Version of SAV? (Currently "10.6.0")
Version of core agent components (MCS, SAU)? (Currently "1.5.8" and "4.2.0")
Version of optional add-ons? (Currently SLD is "6.2")
Version of virus engine? (Currently "3.58")
Version of virus data? (Currently "5.10")
We try to avoid customers having to think about version numbers, especially as there are so many of them. Do we really want to display all of them? We don't give customers any control over these versions; nor do we want to explain whether these versions are "expected" or "out of date"; nor do we want to explain why there are so many components; nor do we want to expose whether an update is "minor" or "major". I worry that showing versions will imply that customers should care about them; and we give them no tools to react to these versions (and have no plans to).
Some compliance requirements need a list of the versions installed on each endpoint. Most of the time, it will be the latest version, but if an endpoint has not been updated for some time, versions could differ. Today, Cloud shows how long an endpoint has not been updated, but also showing the version would be very useful.