On February 19, we hosted session 1 of our 4-part Getting started with Sophos Endpoint webinar series. We covered manual and scripted deployment of Sophos Endpoint to Windows and Mac devices.
For those who were unable to attend or would like to revisit the session, you can find the webinar recording below. Additional resources can be found at the bottom of this post.
Interested in learning more?
This was the first of a 4-part series designed to enhance your journey with Sophos Endpoint. Future sessions include:
- Session 2: Setup your environment, March 18, 2025
- Session 3: Configure your endpoint protection policies, April 16, 2025
- Session 4: Configure additional Sophos Endpoint features, May 13, 2025
Can’t attend live? Register anyway to receive the recording after the live event.
Related resources
- Sophos Endpoint onboarding page
- Documentation: Domains and ports to allow
- Sophos CRT: List of third-party security software removed by Sophos
- Advisory: Sophos Endpoint for macOS - Failure to install due to Gatekeeper quarantine
Additional Support resources
- Support Portal – for access to product resources, knowledge base articles, documentation, and much more.
- Sophos Status – sign up for updates on system and product statuses and maintenance.
- Sophos Techvids – for troubleshooting guides, product demos, and foundational knowledge videos.
Follow-up Q&A
- Once you install Sophos on to a Mac, how do you update the endpoint name if you rename the Mac later?
- The name will be updated automatically in Sophos Central if you rename the device locally on the macOS device.
- Where can I find the command line to overwrite a Mac endpoint name?
- Domain name override commands can be found here: Installer command-line options for Mac.
- Is there any integration with ConnectWise Automate or SolarWinds N-able?
- Information on ConnectWise Automate integration with Sophos Central can be found here: Sophos Integrations > ConnectWise Automate
- Solarwinds N-Able/N-Central information can be found here: N-Able/N-Central
- What does the installer do if it ran once and installed on the endpoint, then if the user reboots, does it run again, or does it look for the product being installed and if it is there, it skips it going forward?
- The deployment script includes checks to verify if an existing installation is detected. If so, the script will not trigger install.
  .bat example:
      REM Jump to the install step only when the Sophos path is absent; otherwise exit successfully.
      IF NOT EXIST "%ProgramFiles(x86)%\%MCS_ENDPOINT%" GOTO INSTALL
      exit /b 0
  PowerShell example:
      # Stop before the installer runs when Sophos was already detected.
      If ($SophosInstalled) {
          Write-Host "Sophos is already installed. "
          Sleep 3
          Exit
      }
- For GPO installs, what does the installer do if it ran once and installed on the endpoint, then if the user reboots, does it run again, or does it look for the product being installed and if it is there, it skips it going forward?
- The installation script includes a check to see if Sophos is already installed. If installed, the script will end without running the Sophos installer.
- Can Sophos Central enable BitLocker and capture the key?
- Yes, this is possible only if you have a Sophos Central Device Encryption license.
- Is there any way to turn off tamper protection after a device has been deleted off Sophos Central?
- Within a 30-day period, it’s possible to restore a deleted device. If it is past the 30-day mark, it is still possible to view the tamper passcode for the deleted device. Depending on the version of endpoint installed, Tamper Protection may disable itself automatically as well.
- See: Deleted and expired devices
- When I delete an endpoint machine - how long (how many months) afterwards can I see the BitLocker key?
- We suggest retrieving the BitLocker key within 90 days. In some cases, we have found that keys are stored near indefinitely barring any central-backend data migrations or data purges, however, it would be best practice to retrieve the keys you need within the 90-day period.
- Is there an easier way to perform the deployment of permissions on Mac?
- The easiest way to do this is using the provided .mobileconfig file with an MDM solution.
- Where can I send feedback regarding the onboarding page?
- Connect with us on the Sophos Community! You can post any feedback you have to share with us on the Product Documentation Feedback forum
- Will the deployment files for Mac work with any MDM?
- Yes, the .mobileconfig files are platform agnostic and will work with any modern MDM. You’ll need to ensure that your MDM can deploy custom configuration profiles and push out bash scripts; most modern MDMs can do this.
- What if I don't have Active Directory on some sites?
- If you have a method of pushing out a script to devices on these sites, the Sophos batch or PowerShell scripts can be used. If devices on these sites are not managed on any platform, you’ll need to perform a basic or manual install on them.
- Have you seen an improvement in the way Windows 11 manages the compute load Sophos demands especially on startup? We notice a large and impactful demand on resources especially on startup.
- There are a lot of variables to this. Some initial checks to perform are:
- Does the system meet minimum system requirements?
- Are there other apps competing for resources on startup? Can they be changed to a delayed start? (In some cases, Outlook loading a bloated .pst file can contribute to this.)
- With thorough A/B testing of Sophos installed vs. uninstalled, is there a considerable difference in wait time (e.g. 2x as long to start up)?
Note: Sophos Support can help you troubleshoot
- If the device is not available anymore, will it be deleted from Sophos Central?
- If a device is no longer communicating with Sophos Central, it will remain in the devices list until you choose to delete it. You can configure Sophos Central to remove devices automatically if they’ve been inactive for a specified amount of time. See Removal of inactive devices.
- Does Sophos detect applications installed on devices and then add AV exclusions as appropriate (e.g. SQL databases)?
- Several applications will have exclusions added automatically. This is specific to server operating systems, and a full list can be found here: Sophos Server: Automatically excluded third-party products
- Can you use Ninja One to push out installers with configuration files?
- Some information on managing macOS devices through NinjaOne is available here, however, it would be best to reach out directly to NinjaOne support to get assistance with this. Clear documentation on uploading a .mobileconfig file or bash script appears to be lacking.
- In my current environment, we have Sophos installed, though the Sophos Blue Shield will not display or load in the taskbar area unless you first open Sophos Endpoint. With support's help, we've isolated a specific GPO to be the cause though no change. Any thoughts to getting the Blue Shield to always load?
- "C:\Program Files\Sophos\Sophos UI\Sophos UI.exe" is the application that displays the blue Sophos shield. It is designed to run on startup. If this has been isolated down to a specific GPO, I suspect that conflicting settings may be applied to the GPO. Check on an affected device to confirm that Sophos UI is set to run on startup on the computer via Registry Editor:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - REG_SZ - “Sophos UI.exe”
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run - REG_BINARY - “Sophos UI.exe” with a value of 00 00 00 00 00 00 00 00 00 00 00 00
- You can also specify Sophos UI.exe to run in your Group Policy under:
- Computer Configuration\Administrative Templates\System\Logon\Run These Programs at User Logon.
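A read-only way to run this check from PowerShell on an affected device, as an added example that is not Sophos's own script. It uses only the file path, registry keys and expected value given in the answer above; the helper name Get-RegValue and the output wording are assumptions of this example.

```powershell
# Added example: read-only check of the two startup entries named in the answer.
$valueName = 'Sophos UI.exe'
$uiPath    = 'C:\Program Files\Sophos\Sophos UI\Sophos UI.exe'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$approved  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
$expected  = '00 00 00 00 00 00 00 00 00 00 00 00'   # value stated in the answer

function Get-RegValue {   # hypothetical helper name
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value is missing instead of throwing.
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

if (-not (Test-Path -LiteralPath $uiPath)) {
    $findings += "Binary not found: $uiPath"
}

# REG_SZ entry that launches the UI at logon
$run = Get-RegValue -Key $runKey -Name $valueName
if ($null -eq $run) {
    $findings += "Run value '$valueName' is missing (REG_SZ expected)"
} elseif ($run -notlike '*Sophos UI.exe*') {
    $findings += "Run value points elsewhere: $run"
}

# REG_BINARY entry; compare against the value given in the answer
$bytes = Get-RegValue -Key $approved -Name $valueName
if ($null -eq $bytes) {
    $findings += "StartupApproved value '$valueName' is missing (REG_BINARY expected)"
} else {
    $actual = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
    if ($actual -ne $expected) {
        $findings += "StartupApproved is '$actual', expected '$expected'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Sophos UI startup entries match the expected values.'
} else {
    $findings | ForEach-Object { Write-Output "CHECK: $_" }
}
```

Running it before and after `gpupdate /force` on the same device shows whether the suspected GPO is the one changing these values.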
- Which one do we want to deploy to Mac first, the script or the configuration file?
- You’ll want to deploy the .mobileconfig file first so that your end user does not get any pop-ups requesting user intervention when the installation takes place.
- Will there be more browser plugin protection in the future?
- We’d suggest raising a support case so that a feature request can be associated to your account if this is something you’d like to see developed further. Additional details about your request will be necessary. Sophos is releasing detections for malicious browser extensions.
- See Release of Sophos detections against malicious Google Chrome extensions.
- Can you manually deploy the Mac with the config and script file if our MDM doesn't support deploying Sophos Mac config file?
- Apple has discontinued Profile Manager. It is currently only possible to deploy out .mobileconfig profiles using an MDM.
- See: Profile Manager User Guide
- Does Sophos disable Microsoft's AV?
- Sophos does not disable Windows Defender. Instead, Windows Defender detects the presence of other protection software and will automatically disable itself. On Windows Server 2016 and above, Microsoft has configured Windows Defender to not disable itself if you are running another product and you will have to configure Windows Defender to be disabled on these devices.
- See Windows Defender Antivirus for Windows Server.
- See Passive mode and Windows Server.
- Once Sophos is uninstalled, will the device name be gone in Sophos Central?
- If Sophos has been uninstalled from a device, the device will no longer communicate with Sophos Central. It will remain in the devices list until you choose to delete it. You can configure Sophos Central to remove devices automatically if they’ve been inactive for a specified amount of time.
- See Removal of inactive devices.
- Mac often fails as end users do not understand install; this needs automating.
- Using an MDM solution is the best way to address permissions issues on macOS. In a later release, additional information will be available in Sophos Central to alert you to missing permissions.
- Subscribe to our Sophos Endpoint blog to stay up to date on the latest news/releases!
- Can we uninstall endpoint from Sophos Central? For now, we uninstall this via RDP.
- We can remove Sophos Endpoint components/features from Sophos Central, however we cannot perform a full uninstall directly from Sophos Central. You can script out an uninstallation using a batch script and deploy it out via GPOs.
- See: Sophos Central Endpoint and Server: Uninstall Sophos using the command line or a batch file
- Sometime after installation on Mac, some permissions are reset, maybe by an OS update. How can this be fixed remotely?
- If you are using an MDM, the easiest option is to obtain the new .mobileconfig file that needs to be applied. This can be found in the “Deployment Tools” section of the SophosInstall.zip installer for macOS. Our development team typically publishes updated .mobileconfig files on or prior to the date of the formal OS release (EAPs may differ).
- Is there a way to identify and delete the duplicate entries in Sophos central using API?
- You can use the API to collect any events for “Device has been detected as a duplicate device”. After identifying the duplicate devices, you can delete a list of endpoints using POST /endpoints/delete.
- What could be the reason for Sophos update failures and how to fix it?
- There are many reasons why an update failure may occur. You can investigate further by opening C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log and searching for keyword “fail”.
- If you require further assistance, we suggest calling Sophos Support or raising a case to Support with a Sophos Diagnostic log collected from the affected device.
- We have Mac endpoints where Sophos fails to update, what could be the reason and how to fix it?
- The following advisory may be related to your issue: Advisory: Sophos Endpoint for macOS - Sophos Update failures
- I have an issue with windows defender interaction with Sophos on a 2022 Windows Server. I was told to disable Windows Defender. The documentation I received was not clear. Do I just go into settings / windows settings and turn off in both virus & threat protect and firewall protection and reboot? I still see wdfilter instances when I type fltmc
- There are a few options to set Windows Defender to Passive mode. You can create a registry key, remove the role using the Remove Roles and Features wizard, or uninstall/disable it using PowerShell or Group Policy. You can view the exact steps in Microsoft’s documentation linked here.
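To confirm which state Microsoft Defender is actually in after applying one of these options, the following read-only PowerShell report is an added example, not taken from the Sophos or Microsoft documentation. It assumes the Windows-Defender feature name and the AMRunningMode property of Get-MpComputerStatus as Microsoft ships them on Windows Server 2022, and it should be run from an elevated prompt because fltmc requires it.

```powershell
# Added example: read-only report of Microsoft Defender's state on a Windows Server.
$report = [ordered]@{}

# Is the Defender feature still installed? (Get-WindowsFeature exists on Server only.)
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsFeature -Name Windows-Defender
    $report['FeatureInstalled'] = [bool]$feature.Installed
}

# Running mode as reported by the Defender module, e.g. "Normal" or "Passive Mode".
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $report['AMRunningMode']             = $mp.AMRunningMode
        $report['RealTimeProtectionEnabled'] = $mp.RealTimeProtectionEnabled
    } catch {
        # The cmdlet can exist but fail when the Defender service is removed or stopped.
        $report['AMRunningMode'] = "unavailable: $($_.Exception.Message)"
    }
}

# Is the WdFilter minifilter (the entry seen in fltmc) still loaded?
$filters = & fltmc.exe filters 2>$null
$report['WdFilterLoaded'] = [bool]($filters | Select-String -Pattern '^\s*WdFilter\b')

[pscustomobject]$report | Format-List
```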