Secure Updating

We guarantee the integrity of our software updates for customers as follows.

We digitally sign all binary files we publish.

When devices update from Sophos, they download files over a secure HTTPS session by default. If for any reason they're not already using HTTPS updating, the admin can switch to it in Global Settings in Sophos Central.

Devices also receive a manifest (signed by us) that lists what they need to install. The devices install only files that are on the list and that are signed by us.

So devices can't install any files that we haven't approved.