Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview:
This article gives an overview of how Endpoint Software Management (ESM) can be leveraged to implement version control across Endpoint and Server clients.
Applies to the following Sophos products and versions.
Sophos Central Endpoint and Server
Table of Contents:
- Notice
- Update Packages
- Examples/Visualization
Notice:
In the following diagrams, the percentages represent the total endpoint footprint. The percentages are for visual purposes only. Customers can bucket these however they want or remove/add groups. This is for demonstration purposes only and can be modified depending on your environment.
Upon setting up ESM, Customers can change the selected software package for ‘Fixed’ and ‘LTS’ at their leisure when they want to push a new version to the designated group, except Group A devices (Recommended Package)
Update Packages:
Note: Not all packages may be accessible right away in Sophos Central; additional packages will be released later this year.
Before you manage your Endpoints via ESM, it’s important to understand the names associated with each package.
Recommended: This package is automatically updated to give you our latest protection. It never expires.
Fixed-term support: This package gives you the protection available on the release date, plus updates against new threats. It expires 120 days after the release date (or at least 30 days after the next release to allow for testing).
Long-term support: This package gives you the protection available on the release date, plus updates against new threats. It expires 18 months after the release date.
Special: Special packages fix specific issues. You can only get them from Sophos support.
EAP: Sophos Early Access Program. Devices in an EAP ignore any other software package you've assigned to them until the EAP ends.
Examples/Visualization:
Endpoint Staging Full Version Control 
Endpoint Staging Essential Version Control
Note: All functions on full version control also apply to essential version control. This is only a simplified version for Endpoint client management. 
Server Staging Full Version Control
Server Stagging Essential Control
Note All functions you can see on full version control also apply to essential version control. This is only a simplified version for Server Endpoint management.
Environment Staging Location-Based Version Control
This ESM Policy design has a location/office based system for updating instead of grouping device percentages.
Environment Staging Department-Based Version Control
This ESM Policy is designed for updating based on department instead of grouping device percentages. Depending on each department’s application, you can opt to deploy whatever terms you wish that suit the user’s needs.
Current State Of Updating Priority
This is how an update override can occur. Currently, a policy render for ESM will cause an overwrite for Controlled Updates.
Related Articles:
https://community.sophos.com/intercept-x-endpoint/b/blog/posts/esm
https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/EndpointProtection/ConfigureUpdatingPolicy/index.html#package-types
Thank you to Sophos Support Manager Lee Anderson (helloworld) for the source material used in this article.
Credits
[edited by: Qoosh at 11:44 PM (GMT -7) on 11 Apr 2023]