Sophos Endpoint onboarding
Welcome to Sophos
We've created this getting started guide to help you get up and running with Sophos Endpoint. It takes you through setting up your environment, installing Sophos Endpoint, and adding some of the most common customizations.
Tip
Our Professional Services team offers several solutions to speed up and streamline the deployment.
Sophos onboarding webinars
Join us for an exclusive live webinar, where we'll guide you through the key milestones outlined on this onboarding page. Register today, and if you can't attend, you’ll receive access to the webinar recording. See Sophos Endpoint Webinar.
Checklist
- [ ] Install your endpoint protection
  - [ ] Deploy the Sophos Endpoint Protection
- [ ] Set up your environment
  - [ ] Optional - Configure Update caches and Message relays
  - [ ] Optional - Configure your directory service
  - [ ] Define your MDR authorized contacts
- [ ] Configure your endpoint protection policies
  - [ ] SSL TLS decryption of HTTPS websites
  - [ ] Exclude apps from scanning
  - [ ] Configure scheduled scans
  - [ ] Configure your update management policies
- [ ] Configure additional features
  - [ ] Check reports
  - [ ] Configure your user access
  - [ ] Configure your Web Control policies
  - [ ] Configure your Application Control policies
  - [ ] Configure your Peripheral Control policies
  - [ ] Configure your data loss prevention
  - [ ] Configure XDR
Install your endpoint protection
Tip
Before deploying Sophos Endpoint on your network, we strongly recommend testing the installation process on a small subset of devices to ensure everything works as expected.
Deploy the Sophos Endpoint Protection
You’ll need to install an Endpoint Protection agent on workstations to protect them against malware, risky file types, malicious websites, and malicious network traffic. The agent also offers peripheral control, web control, and more.
macOS devices
If you have macOS devices, make sure to read the documentation page Security permissions on macOS.
Ensure your devices meet the minimum system requirements for Sophos Central Endpoint. See Sophos Central Windows Endpoint: System Requirements and Sophos Endpoint for macOS: System Requirements.
You can find instructions on how to deploy Sophos Endpoint Protection below:
- If you have a small number of devices or want to test the product before deploying it to the rest of your environment, you can manually download and run the installer. See Endpoint Protection.
- You can create a scripted deployment for your Windows devices for a more automated deployment method. See Sophos Central Endpoint: Automate the software deployment to Windows devices.
- You can also create a gold image for use with Citrix or VDI environments where you wish to set up one template image to replicate out to your end users. See Create gold images and clone new devices.
- Sophos provides documented steps on automating deployment to macOS devices using Jamf Pro. See Installing Endpoint Protection using Jamf Pro.
Note
The script and configuration files we provide to deploy onto macOS devices are product-agnostic. Although we only have documentation for Jamf Pro, these files will work with any deployment tool.
Now that you've successfully deployed Sophos Endpoint, you can configure its policies.
Set up your environment
Optional - Configure Update caches and Message relays
If you need to protect computers that don't have direct internet access, you can add a Sophos Update Cache and Message Relays. Adding a Sophos Update Cache will allow your computers to get their Sophos Central updates from a local cache on your network. Adding a Sophos Message Relay will allow computers in your network to communicate with Sophos Central through a designated server.
Getting Sophos Central updates from a cache on your network saves bandwidth, as updates are downloaded only once by the device with the cache.
See Manage Update Caches and Message Relays.
Optional - Configure your directory service
Using Microsoft Active Directory (AD) and Microsoft Entra ID, you can synchronize users and groups from multiple sources. You can also synchronize devices, device groups, public folders, and mailboxes from AD. Setting up directory service synchronization simplifies the configuration of your endpoint protection.
These instructions tell you how to set up a Microsoft Entra ID directory source. You can synchronize users and groups from Microsoft Entra ID to Sophos Central. You can synchronize from multiple Microsoft Entra ID domains.
See Set up synchronization with Microsoft Entra ID.
These instructions tell you how to set up Active Directory as a directory source. You can synchronize users, devices, and groups. You can also synchronize public folders and mailboxes. You can synchronize different domains in the same forest and select multiple child domains within a single forest.
See Set up synchronization with Active Directory.
Once your directory service is synchronized, you can configure user access.
Define your MDR authorized contacts
If you're an MDR customer, you should configure your MDR settings to fully utilize the Sophos MDR service.
See MDR settings.
Configure your endpoint protection policies
Sophos has pre-configured policies to ensure you have the best protection possible so you can be up and running in no time. However, in some cases, you might want to customize some of these settings.
SSL TLS decryption of HTTPS websites
Most websites today are secured and encrypted via HTTPS. Encrypted traffic can't be viewed or scanned, and Sophos Endpoint can only act on it based on its destination. Enabling SSL/TLS decryption of HTTPS websites allows Sophos Endpoint to decrypt, scan, and act on the contents of secure web pages.
See SSL/TLS decryption of HTTPS websites, and the in-product workflows How to turn on HTTPS decryption and How to exclude websites from HTTPS decryption.
Exclude apps from scanning
Many vendors provide a list of recommended security exclusions for their products to improve performance.
Note
Although excluding apps from scanning might improve their performance, it might also reduce your security posture. Only exclude apps that you trust!
Sophos has a list of common applications with their vendor-recommended security exclusions. If you encounter significant performance degradation with an application not currently on our list, it’s recommended to reach out to the vendor to confirm if they have a recommended list of security exclusions for their product.
Configure scheduled scans
We recommend configuring a scheduled scan once a week to gather information about data stored on your computers that isn’t frequently accessed.
Note
The scheduled scan time is the time on the endpoint computers (not UTC). If a device isn’t on during the scheduled scan time, it’ll wait until the next scheduled scan time before attempting another scan.
See Scheduled Scanning.
Configure your update management policies
By default, we update Sophos products on your computers automatically. The Update Management policy lets you control the day and time when updates become available on your network. This ensures that your computers don't start updating until a time that best suits you. You can also configure what software packages to apply to a small subset of computers. This allows for testing of new releases before they’re rolled out to the rest of your computers.
Configure additional features
Check reports
You can monitor what is happening in your environment with a wealth of reports. You can customize reports, save them, and send them out as scheduled emails.
See Reports.
Configure your user access
The role management feature lets you decide how your users access Sophos Central. You can divide security tasks according to users' responsibility levels using pre-defined administration roles or by creating custom roles.
You can also configure federated sign-in to provide service provider-initiated single sign-on for your administrators and users to access Sophos Central. If you choose to use federated sign-in, Sophos Central will verify identities using an identity provider. See Set up Federated sign-in.
Configure your Web Control policies
You can configure an acceptable web usage policy for users and exclusions for specific users. For example, you can block access to Social Media websites for all your users except the Marketing team.
Note
If you're using Web Control, we recommend that you block QUIC browser connections in your Threat Protection policy, as QUIC may bypass website inspection for some sites.
See Web Control Policy.
Configure your Application Control policies
Application control lets you detect and block applications that aren’t a security threat but that you decide are unsuitable for use in the office. We advise you to monitor and not block the applications for some time to identify what users currently use in your environment. Once configured, all listed applications will be blocked.
See Application Control Policy.
Configure your Peripheral Control policies (Windows and macOS only)
Peripheral control lets you control access to peripherals and removable media. You can also exempt individual peripherals from that control. We advise you to monitor and not block the peripherals for some time. Once configured, all listed peripherals will be blocked.
See Peripheral Control Policy.
Configure data loss prevention
Data Loss Prevention (DLP) controls accidental data loss. DLP enables you to monitor and restrict the transfer of files containing sensitive data.
See Data Loss Prevention Rules.
Configure XDR
Sophos Extended Detection and Response (XDR) transforms your security strategy from reactive to proactive by leveraging telemetry to detect and analyze suspicious or malicious activities. By providing advanced capabilities such as Live Response and Live Discover, XDR enables you to investigate and respond to threats in real time, from anywhere via the cloud. Additionally, XDR enhances your security posture by allowing seamless integration with third-party security products, enabling centralized analysis of external telemetry through a unified console.
For new customers, XDR offers significant benefits, including streamlined threat detection, faster incident response, and improved visibility into your security ecosystem. To fully leverage its potential, it's recommended to:
- Enable Data Lake Uploads to centralize telemetry for advanced analytics.
- Configure the included free integrations, such as Microsoft 365, to monitor your Microsoft 365 cloud environment and ensure end-to-end visibility.
By implementing these configurations, new customers can harness XDR's capabilities to proactively defend against evolving cyber threats while simplifying their security management.
Finally, it's important to mention that XDR is a toolset you operate yourself, so having an internal SOC or IT resource is often recommended. Organizations without these resources would greatly benefit from utilizing our MDR service.
Community resources
Sophos has an active community with numerous self-help articles that can include guidance not typically provided by Sophos Support. On each of the product-specific pages, you can find:
- Blogs: Product Managers publish information and guidance to our customers regarding new and upcoming product and feature releases. We recommend that customers subscribe to blogs about the products they're most interested in.
- Recommended Reads: Self-help articles.
- Discussion threads: Sophos Community members looking for assistance may find Developers, Product Managers, Sophos Staff, and Sophos Community members commenting and interacting to find solutions.
- Early Access Program: EAP groups are created in conjunction with major product releases. Early adopters can send feedback while trialing our newest product versions.
- Events and webinars: Join us live and ask us questions about relevant event topics.
Additional resources
Sign up to the Sophos Status page and community forum RSS feeds
To stay up to date with the latest news or service impact, such as planned maintenance, subscribe to the Sophos Status page for SMS and email alerts for your region.
Opening a technical support ticket
To help facilitate and ensure a smooth support experience, refer to the following guidelines: