This article provides further information on the different options for computer isolation in Sophos Central, the available policy options and known issues.
Note: The device isolation feature on Central is not currently supported for Linux or Mac endpoint clients. Please note configuring Security Heartbeat for these endpoints.
This allows the Central Administrator to isolate a device from the network while investigating a threat case. There are multiple ways to isolate a device:
Note: This is available for all customers with a Sophos Endpoint Protection license and is not available for Server Protection.
This provides a policy option that allows computers to isolate themselves from the network when the computer reports a red health status. This option is available in the Threat Protection policy under Device Isolation:
You can still manage the computer from Sophos Central when it is isolated.
Note: This policy option is not enabled by default.
To display a list of isolated computers, access Global Settings and select Admin Isolated Computers. This displays the isolated computer/server name, date isolated, last logged-on user, IP address, the Central account that isolated the computer and the associated comment (if entered):
Note: This report only displays computers isolated by the Central Administrator and does not display computers that have isolated themselves due to a red health status.
You can allow isolated computers to communicate with other computers in limited circumstances. To configure this globally, access Settings | Global Scanning Exclusions, click Add Exclusion and, in the Exclusion Type drop-down list, select Device isolation (Windows). To configure it per policy, access a Threat Protection policy, click Settings, click Add Exclusion and, in the Exclusion Type drop-down list, select Computer isolation (Windows) or Server isolation (Windows):
For example, you may want remote desktop access to an isolated computer so that you can troubleshoot it.
In Sophos Central:
Computer isolated by <Administrator>
Computer auto isolated due to red health
Locally on the computer/server:
Your administrator isolated the computer
Computer isolated. Contact IT for help
If you are logged on to the isolated computer/server and need to disable the isolation status, you can do this by:
Administrator triggered isolation
There are three different ways to remove a computer/server from isolation:
Due to a red health status:
To remove a computer from isolation due to a red health status, the computer must be returned to good health.
Note: If required, the policy option enabling this setting as detailed under Allow computers to isolate themselves on red health can be disabled.
Application <application name> was blocked by an endpoint firewall