I deal with many issues for big accounts where stale\offline machines could get deleted by the dozens\hundreds from Sophos Central only to be discovered months later. I asked each of my customers to create a scheduled TP recovery report. Since then, I started recommending it to every single Sophos Central customer I talked to, as the benefits are pretty substantial – no need to do a manual recovery with someone on site:
To avoid the situation where a machine is removed from the Central dashboard by mistake (and this is discovered only after 90 days, when any information about it is gone from Logs & Reports), we recommend scheduling a Tamper Protection recovery report.
Note: These steps will only work if you are logged in directly to the Sophos Central account. Partner and Enterprise Dashboard customers will not be able to proceed unless logged in with an admin account created directly under the sub-estate.
- Go to the “Logs and Reports” page
- Scroll down to “Recover Tamper Protection passwords”
- On the top right of the page select “Save as Custom Report”
The report email will look like the screenshot below. The link in it has an expiry date, so I recommend downloading the report at least every 2nd-3rd report, because Sophos stores logs for 90 days. A report going out monthly will have some crossover with the previous/next one. The same steps also work for any other report you might want to schedule.
This report will only be emailed to the Super admin who sets this up. Mail forwarding rules will need to be used if you wish to distribute this.
When you select CSV instead of PDF, Excel will by default convert long numeric values to something like what is shown in the screenshot below:
If you get the email but don't download the report file, the link will expire in 90 days and the report will no longer be available.
To avoid each Central dashboard admin having to download their own copy of the report, one of my customers downloads reports into a cloud share location, which is shared with all staff responsible for endpoint software installation or troubleshooting.
Note: Deleting an email template will prevent you from being able to download reports from links that were already emailed to you.
[edited by: Qoosh at 3:01 PM (GMT -7) on 2 Aug 2023]
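For the overlapping monthly CSV reports and the shared archive described above, the following is an added example (not part of the original post and not Sophos code) that merges downloaded reports into one de-duplicated set while keeping every field as text, so long numeric values are never reformatted. The column names `Device name`, `Password` and `Deleted at` and all sample rows are assumptions constructed for illustration; adjust them to the headers in your own report.

```python
import csv
import io

# Hypothetical headers: the real report's column names are not shown in the post.
DEVICE_COL = "Device name"
KEY_COLUMNS = (DEVICE_COL, "Password")


def merge_reports(report_texts, key_columns=KEY_COLUMNS):
    """Merge CSV report texts into one de-duplicated list of rows.

    The csv module returns every field as str, so long numeric values and
    leading zeros survive exactly as exported.
    """
    merged, seen = [], set()
    for text in report_texts:
        reader = csv.DictReader(io.StringIO(text))
        missing = [c for c in key_columns if c not in (reader.fieldnames or [])]
        if missing:
            raise ValueError(f"report lacks expected columns: {missing}")
        for row in reader:
            # Monthly reports overlap, so the same device/password pair can
            # appear in consecutive files; keep only the first copy.
            key = tuple(row[c].strip() for c in key_columns)
            if key not in seen:
                seen.add(key)
                merged.append(row)
    return merged


def lookup(rows, device_name):
    """Return all archived rows for a device, matching case-insensitively."""
    wanted = device_name.strip().casefold()
    return [r for r in rows if r[DEVICE_COL].strip().casefold() == wanted]


# Constructed sample data: two monthly reports that share one row.
JULY = """Device name,Password,Deleted at
WS-FINANCE-01,00123456789012345678,2023-07-03
LAB-PC-07,98765432109876543210,2023-07-19
"""
AUGUST = """Device name,Password,Deleted at
LAB-PC-07,98765432109876543210,2023-07-19
KIOSK-02,11112222333344445555,2023-08-01
"""

if __name__ == "__main__":
    archive = merge_reports([JULY, AUGUST])
    for row in lookup(archive, "ws-finance-01"):
        print(row[DEVICE_COL], row["Password"])
```

The merged rows contain recovery passwords, so keep the output in the same access-restricted share as the downloaded reports.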