Device group discovery FAQ

Find answers to common questions about device group discovery in Sophos Central.


Which operating systems are supported?

Currently, we support Windows. You can synchronize Windows computers and servers.

What are unprotected or unmanaged devices?

Unmanaged devices are devices that don't have Sophos protection agents installed on them.

Sophos Central compares devices that have Sophos protection agents installed with devices synchronized from Active Directory. Sophos Central lists the unmanaged devices so that you can install protection.

You can find these devices on a separate tab on your devices pages.

Go to Overview > Devices and click Computers or Servers to find your unmanaged devices. You can then go to Overview > Protect Devices to download installers to protect them.

When is a new device or group created in Sophos Central?

We create a new device or device group when there isn't a device or group in Sophos Central with the same ObjectGUID.

If the group name matches an existing group's name, we give the new group a distinguished name (DN).

What happens if a device is in a manually created group?

We always move matched devices to your synchronized groups.

How does the mapping work?

The mapping uses the device's fully qualified domain name (FQDN) and hostname. We map a device when both its FQDN and hostname match. We handle matched devices as follows:

  • We link existing devices that aren't linked to an existing ADSync object to the matching object.
  • If an ADSync object is mapped to another device, we move the device to the appropriate Active Directory group.
  • If a device exists in Sophos Central with the same domain and hostname as an ADSync object, but the details of the stored object don't match, we update it with the newly imported details. We move the device to the appropriate Active Directory group.
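To preview which Active Directory computers would show up as unmanaged, you can run the same kind of FQDN-plus-hostname comparison offline against your own exports. The following is an added illustration, not Sophos code: the record fields, the case-insensitive normalization, and the use of a registration date to decide which of two same-FQDN records is the newer one are assumptions.

```python
from collections import defaultdict

def match_key(hostname, domain):
    """Comparison key (hostname, FQDN). Lower-casing and dropping a trailing
    dot are assumptions made here because DNS names are case-insensitive."""
    dom = domain.strip().rstrip(".").lower()
    host = hostname.strip().rstrip(".").lower()
    if dom and host.endswith("." + dom):   # hostname column already holds the FQDN
        host = host[: -len(dom) - 1]
    return host, (f"{host}.{dom}" if dom else host)

def reconcile(ad_computers, agents):
    """Split AD computers into linked and unmanaged; report superseded agent records."""
    by_key = defaultdict(list)
    for agent in agents:
        by_key[match_key(agent["hostname"], agent["domain"])].append(agent)

    linked, unmanaged, superseded = {}, [], []
    for comp in ad_computers:
        hits = sorted(by_key.get(match_key(comp["name"], comp["domain"]), []),
                      key=lambda a: a["registered"])
        if not hits:
            unmanaged.append(comp["name"])           # in AD, no agent: needs an installer
            continue
        linked[comp["objectGUID"]] = hits[-1]["id"]  # newest record wins (assumption)
        superseded += [a["id"] for a in hits[:-1]]   # older records with the same FQDN
    return linked, unmanaged, superseded

# Constructed sample data, not real exports.
AD_COMPUTERS = [
    {"objectGUID": "guid-0001", "name": "WS01", "domain": "corp.example.com"},
    {"objectGUID": "guid-0002", "name": "SRV02", "domain": "corp.example.com"},
    {"objectGUID": "guid-0003", "name": "WS03", "domain": "corp.example.com"},
]
AGENTS = [
    {"id": "a1", "hostname": "ws01", "domain": "CORP.EXAMPLE.COM.", "registered": "2024-01-10"},
    {"id": "a2", "hostname": "SRV02", "domain": "corp.example.com", "registered": "2023-05-02"},
    {"id": "a3", "hostname": "srv02.corp.example.com", "domain": "corp.example.com",
     "registered": "2024-03-18"},
    {"id": "a4", "hostname": "WS03", "domain": "lab.example.net", "registered": "2024-02-01"},
]

if __name__ == "__main__":
    linked, unmanaged, superseded = reconcile(AD_COMPUTERS, AGENTS)
    print("linked:", linked)
    print("unmanaged:", unmanaged)
    print("superseded:", superseded)
```

In the sample, WS03 is reported as unmanaged even though an agent with that hostname exists, because the agent's domain differs and so the FQDN doesn't match.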

What are Organizational Units (OU)?

In the context of Sophos Central, an OU is a group of devices. An OU may contain nested groups of Organizational Units.

In Sophos Central, you can move or delete synchronized devices and device groups. You can't edit synchronized devices or device groups.

Can I create nested groups in Sophos Central?

Yes.

What happens if I delete a protected device in Active Directory?

The next time you synchronize, we move the device to an unstructured group and update its details to show that it isn't an Active Directory managed device.

What happens if there are two devices with the same FQDN?

We unlink the old device record, and we link the new device record instead.

What happens if I change devices or the structure in Active Directory?

If you make changes in Active Directory to the names or operating system details of already synchronized devices, we update these when you synchronize with Sophos Central.

If you make changes to the structure, we update your groups and devices, including already synchronized devices, the next time you synchronize with Sophos Central. This includes removing devices and groups or moving devices to a different group.

What happens to policies assigned to existing groups?

Synchronization doesn't affect policies assigned to manually created groups, and they are left intact.

If you synchronize devices and device groups, we move any Active Directory managed devices in the manually created groups to the appropriate synchronized group. The default policies protect these groups. You can then assign policies to these groups.

What happens if a device is moved or deleted in Sophos Central?

If you move a device to another group or delete it in Sophos Central, it's reinstated the next time you synchronize. This means that the device is either moved back to the original group or reappears.

How do policies and nested groups work?

If you apply a policy to a top-level group and a nested group has no policy assignment, it inherits the top-level policy.

Is there a directory device and device group API?

Not yet.

Are multiple AD records with the same DN supported?

No, we don't support this.

What happens if a device group hierarchy has more than 40 levels?

Any levels greater than 40 are moved to level 40 when you synchronize with Sophos Central.