Add a device posture

Device posture is a policy object that applies policies based on a device's operating system and security posture. It helps ensure that a web policy considers compliance factors, such as endpoint protection and disk encryption, before allowing or blocking access.

To add a device posture, do as follows:

  1. Go to My Products > Protected Browser > Policy objects.
  2. Click Add object and select Device posture.
  3. Enter a name and description for the device posture.
  4. Under OS platform, select Windows or macOS.
  5. Under Endpoint protection, select a condition from the following options:

    • Don't check endpoint protection status: The policy ignores the device's endpoint protection status. Use this when endpoint protection isn't a requirement.
    • Check if device is protected by Sophos Endpoint: The policy verifies whether Sophos Endpoint is installed on the device and, if it is, that protection is active. The policy also evaluates the device's overall health status.

      Select a health status from the following options:

      • Any (Green, yellow, or red)
      • Green
      • Green or Yellow
      • Red
      • Yellow or Red
    • Device is not protected by Sophos Endpoint: The policy applies to devices that don't have Sophos Endpoint installed.

    • Any active EPP detected: The policy checks whether any third-party Endpoint Protection Product (EPP) is installed on the device. It only checks that an EPP is installed, not whether its protection is active. It checks for EPPs from the following vendors:

      • Sophos Endpoint
      • Avira
      • Bitdefender Antivirus
      • Cisco Secure Endpoint
      • Crowdstrike
      • Cybereason
      • CylancePROTECT
      • McAfee
      • Microsoft Defender
      • Palo Alto Cortex XDR
      • SentinelOne
      • Symantec
    • No endpoint protection is detected: The policy applies to devices that don't have any endpoint protection software installed.

  6. Under Full disk encryption (FDE), select a condition based on your operating system.

    The options depend on the operating system you selected in step 4.

    Windows:

    • Don't check for full disk encryption status: The policy ignores whether the device's disk is encrypted.
    • The device is encrypted with BitLocker: The policy applies only if the device uses BitLocker for full disk encryption.
    • The device is not encrypted with BitLocker: The policy applies if the device doesn't use BitLocker for encryption.

    macOS:

    • Don't check for full disk encryption status: The policy ignores whether the device's disk is encrypted.
    • The device is encrypted with FileVault: The policy applies only if the device uses FileVault for full disk encryption.
    • The device is not encrypted with FileVault: The policy applies if the device doesn't use FileVault for encryption.
  7. Click Save.
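The following is an added example, not part of the Sophos documentation, that models how the OS platform, endpoint protection and full disk encryption conditions above combine when a posture object is evaluated against a device; the `Device` and `DevicePosture` classes, their fields and the condition keywords are assumptions made for this illustration, not the product's own data model.

```python
from dataclasses import dataclass
# Vendors the page lists for "Any active EPP detected".
KNOWN_EPP_VENDORS = {
    "Sophos Endpoint", "Avira", "Bitdefender Antivirus", "Cisco Secure Endpoint",
    "Crowdstrike", "Cybereason", "CylancePROTECT", "McAfee", "Microsoft Defender",
    "Palo Alto Cortex XDR", "SentinelOne", "Symantec",
}
# Health-status choices under "Check if device is protected by Sophos Endpoint".
HEALTH_CHOICES = {
    "any": {"green", "yellow", "red"}, "green": {"green"},
    "green_or_yellow": {"green", "yellow"}, "red": {"red"},
    "yellow_or_red": {"yellow", "red"},
}

@dataclass
class Device:                     # hypothetical device inventory record (assumed)
    os: str                       # "Windows" or "macOS"
    epp_vendors: set              # installed EPP products by vendor name
    sophos_active: bool = False   # Sophos protection is running
    sophos_health: str = "green"  # Sophos-reported health colour
    fde_enabled: bool = False     # BitLocker (Windows) or FileVault (macOS) is on

@dataclass
class DevicePosture:              # hypothetical model of the policy object (assumed)
    os: str
    epp_condition: str            # ignore | sophos_protected | not_sophos | any_epp | no_epp
    health: str = "any"           # only used with sophos_protected
    fde_condition: str = "ignore" # ignore | encrypted | not_encrypted

def epp_matches(p: DevicePosture, d: Device) -> bool:
    has_sophos = "Sophos Endpoint" in d.epp_vendors
    if p.epp_condition == "ignore":
        return True
    if p.epp_condition == "sophos_protected":
        return has_sophos and d.sophos_active and d.sophos_health in HEALTH_CHOICES[p.health]
    if p.epp_condition == "not_sophos":
        return not has_sophos
    if p.epp_condition == "any_epp":
        # Installation only: an inactive product from the list still matches.
        return bool(d.epp_vendors & KNOWN_EPP_VENDORS)
    if p.epp_condition == "no_epp":
        return not d.epp_vendors
    raise ValueError(f"unknown endpoint protection condition: {p.epp_condition}")
def fde_matches(p: DevicePosture, d: Device) -> bool:
    if p.fde_condition == "ignore":
        return True
    return d.fde_enabled == (p.fde_condition == "encrypted")
def posture_matches(p: DevicePosture, d: Device) -> bool:
    # The posture applies only when the platform and both conditions are satisfied.
    return d.os == p.os and epp_matches(p, d) and fde_matches(p, d)
```

Note that with `any_epp` a device whose listed product is installed but not running still matches, which is why `sophos_protected` with a health status is the stricter choice when protection must actually be active.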