Skip to content

Install the ZTNA agent

The ZTNA agent runs on your devices and lets you do the following:

  • Control access to local apps. If you don't use the agent, ZTNA can only control access to web-based apps.

  • Set policies that check the security health of devices before allowing access.

The installation process depends on whether you're an existing customer (you have our endpoint protection already) or a new customer.

If you already have endpoint protection installed on your devices, install the ZTNA agent as follows:

  1. In Sophos Central, go to Devices.

    Central menu

  2. Select devices where you want to install the agent and click Manage Endpoint Software.

    Devices page

  3. Under ZTNA, select Install and click Save.

    Manage Endpoint Software dialog

  4. On the Devices page, the ZTNA column shows a tick for devices where you installed the agent.

    Devices with agent

  5. Go to one of the devices and double-click the Sophos icon in the taskbar. On the Status page, you see ZTNA listed.

    Endpoint status page

If you're a new customer, you must install the Sophos endpoint protection agent and the ZTNA agent, as follows:

  1. In Sophos Central, go to Protect Devices.

    Central menu

  2. In the Endpoint Protection section, click Download Complete Windows Installer or Download Complete macOS Installer. This installer installs all the endpoint products you're licensed for.

    Windows Installer

  3. Run the installer on your devices.

    For help with different types of installation, including scripted installation, see Endpoint Protection deployment methods

  4. To check that the agent is installed, go to Devices. The Protection and ZTNA columns show a tick for devices where you installed the agent.

    Devices with agent

  5. Go to one of the devices and double-click the Sophos icon in the taskbar. On the Status page, you see ZTNA listed.

    Endpoint status page

Note

Installing the ZTNA agent changes the default TAP adapter. If you use nslookup to do a DNS lookup, it now uses the ZTNA TAP adapter by default. Lookups of apps that aren't behind the ZTNA gateway will fail. You need to add the correct adapter to your nslookup command. For example:

nslookup <FQDN-to-be-resolved><DNS-Server>

Next you add resources.