Selectively disable Tamper Protection via API or other means of automation

Hello Community,
we're preparing to distribute the Sophos Endpoint Client in our network. 

We have an established software distribution system we would like to use to manage this rollout.
The removal of the old AV solution is already sorted, and the silent install of Sophos Endpoint is working flawlessly as far as we have tested it.

The remaining issue is the rollback strategy. There is seemingly no way to selectively disable tamper protection for individual clients by making an API call as a privileged user.

We have found some 1st and 3rd party scripts that attempt to remove Sophos products, but this is not the ideal solution we are looking for.
(From past experience I can tell that the manual removal is not reliable and can leave the client inoperable.)

Did we miss anything in our research on this topic? We want to make use of official uninstall routines for this product, but manually disabling Tamper protection for individual clients (or globally disabling it) is not the way we want to go. Neither is triggering the removal from the Sophos Central console.

 

Thanks for any feedback, especially from people with similar issues.