Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
This article describes how license usage and reporting is calculated for Sophos Central-managed endpoint, Intercept X and Device Encryption. Other products in Sophos Central such as Email, Cloud Web Gateway, Phish threat etc. have license usage calculated differently.
Most customers will be licensed per user, and that is the focus of this knowledge base article.
General exception for Education, Health and Government Entities
Managed Service Providers (MSPs) who have usage-based billing as part of the MSP Connect Flex program will use the same user based license usage calculations; this page applies in that scenario as well.
An endpoint that counts towards a user’s license usage for Endpoint Protection may not count towards that user’s Intercept X license usage, depending on which pieces of software are installed.
This is to help avoid over counting when one administrator login is used for installation but a second non-administrator login is then used by the regular user. With this, the license usage is only limited to the current logged in user.
Effective January 2019, RDS sessions will not be included on Server Protection and will no longer reflect on the Endpoint Protection license count. For more information, take a look at the PDF Virtual Desktop Licensing Guide.
If an account has one user and one device associated to each other, the license usage will then be one. If the device is deleted, the license usage will drop to zero, even though the user remains on the account, as the user no longer has a device associated.
If a user is logged into a computer and then turns it off, the license will remain as used for up to 30 days. For instance, if the user is on a holiday for two weeks and then turned on the computer, the license used throughout remains at one. If the computer is offline for more than 30 days, this computer will no longer consume a license and the overall license usage will drop by one. The Sophos application has been uninstalled but not deleted from Sophos Central or the computer no longer exists or has been re-imaged are some of the reasons that the computer will be seen as offline by Sophos Central. The 30-day limit ensures that such devices do not count indefinitely while avoiding usage varying frequently based on common scenarios like holidays. If the computer is deleted in Sophos Central, it will immediately stop counting towards usage. Sophos needs to be re-installed for the computer to be managed again.
A user with one device running the Endpoint Protection software but not Intercept X, will use one Endpoint Protection license and zero Intercept X license.
A user with two devices, one using Endpoint Protection only and one running both Endpoint Protection and Intercept X, will use 1 license of Endpoint Protection (not two licenses despite having two devices) and one license of Intercept X.
When an administrator logs into a computer to install Sophos, the computer will initially be associated to the administrator and contribute to his or her license usage. Once the installation is finished and the same administrator logs out, the computer and its license will then be associated to the next user that will log in. In Sophos Central, one only device will appear and one license used. Two users will be listed, one for the administrator and one for the next user that logged in.
If a user logs into two computers using the same login credentials (e.g. domain login), there will be one user shown in Sophos Central and two associated devices.
If an account is licensed for Intercept X for Server with EDR, the license must be purchased for all Servers within that account. It is not possible to run the Central Server Protection (SVRC) or Intercept X for Server (SVRCIXA) licenses in accounts running Intercept X for Server with EDR (SVRCIXAEDR).
Please note that the Devices and users: summary on the Sophos Central Dashboard as well as the Hero Reports under Logs & Reports > Reports > Endpoint & Server Protection do not display the license usage, so the figures that are shown are not the actual license used.
For instance, if an administrator only installed Intercept X Advanced on a computer and did not include the Device Encryption, the following can be noticed in Sophos Central once the original user of the computer logs in:
The Sophos Central Dashboard is intended to help an administrator identify if devices need attention such as incomplete Sophos installation or deletion of computers or user accounts that are no longer needed. These figures are also used in Hero Reports. License usage is shown in the licensing page, in the licensing panel of Hero Reports, and for partners, in the Partner Dashboard. Some example images are shown below, indicating how the figures for license usage and users or computers in the Sophos Central account are often similar but not quite the same, as they are providing slightly different pieces of information for the Sophos Central administrator.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable for us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.