Please use this space to create a new post for issues you are having if you do not see a post already created for your issue. We will also welcome feature functionality feedback, enhancement requests, and general questions.
Just wanted to give an update on this. I think this should be something that is added to the instructions.
The fix was after installing the plugin through Automate, you have to go assign the Sophos Plugin…
Hi Elias and Steve - how often does the Plug-In update / sync with the Sophos Endpoint Cloud? I've made a series of deletes, and force tamper protection "on" commands. Just curious how long they take to update. Has to be more than hours, as nothing has happened. Is this a daily thing?
Hi Christian, Endpoint actions via the API are synchronous to Central. From Central back to the Endpoint however they are asynchronous, but should update within a few minutes time.
Let's try and determine first if this is an issue with Central or the Endpoint.
1. Are you seeing the API request reporting as successful or failed in the plugin Audit logs?
2. Can you attempt the same command from Central to the same Endpoints?
If the requests are successful from the plugin, and the same action from Central still doesn't update the Endpoint, I'll have you open a ticket with support.
If the request shows as failed, or the update from Central was Successful, we'll need to pull the logs and investigate where it's failing in our Central line of communication.
OK. Perfect. Let me do some testing and I will report back. For the record, the plug-in is already extremely helpful for us in identifying endpoints that need attention. The ability to see all Endpoints and Clients together is invaluable.
OK. Some new notes, which are all good -
1 - when using the Plug-in to make a delete request of a server, it was successful (at the plug-in level) AND I actually saw it report the deletion at the Sophos Central portal about 3 secs later. Very cool!
2 - I also performed a delete in the other direction (the asynchronous route), which again was successful.
If I were guessing, the removal showed in the Plug-in anywhere from 20-30 mins later.
Things I was able to accomplish (and what makes the plug-in great):
- go through the list of servers and workstations that had Tamper Protection disabled (techs turned off and forgot to turn back on) and put them back to enabled. I had one site that a tech had adjusted the policy to disable tamper protection at the entire site, but the plug-in helped me figure that out
- find servers and workstations that had been removed from Automate, but not removed from the Sophos Central portal and removed as needed
- find offline workstations and verify whether they are retired, have damaged installs, and really get the sites cleaned up
Hey Christian, thanks for posting back with this. We're happy to see this is really addressing your needs. As for the endpoint update times back to the plugin, those times sound correct. The plugin has a scheduler that queries and updates the endpoints every hour from application open time. It sounds as if you made the change about halfway through that scheduler time.
In addition to the scheduler, you have the option to 'Force Update' every 15 minutes if you are waiting on an update before moving downstream to your next items within your process.