Getting started with Sophos Enterprise Console

This is an overview of the tasks you need to perform to protect your network after you have installed Sophos Enterprise Console and completed the Download Security Software Wizard. For more information about using Sophos Enterprise Console, refer to the other materials and sections mentioned.

We recommend that you refer to the Sophos Enterprise Console policy setup guide for advice on best practices for using and managing Sophos security software. Sophos documentation is published at

If you haven't completed the Download Security Software Wizard, see Run the Download Security Software Wizard.

To protect your network, follow these steps:

  1. Create groups.
    • You can create groups yourself, one by one, or you can import Active Directory containers, with or without computers, and use them as Sophos Enterprise Console computer groups.
    • If you want to import Active Directory containers, see Import containers and computers from Active Directory. We recommend that you first import containers from Active Directory without computers, then assign group policies to the groups, and then add computers to the groups, for example, by synchronizing the groups with Active Directory.

    For information about creating groups manually, see Creating and using groups.

  2. Set up policies.

    Sophos Enterprise Console has a set of default policies that are essential to keep your network protected. You can use default Updating and Anti-virus and HIPS policies out of the box.

    1. To configure the firewall policy, run the Firewall policy wizard. See Set up a basic firewall policy.
  3. Discover computers on the network and add them to the console.

    If you have imported containers and computers from Active Directory in step 1, you do not need to do anything.

    1. Otherwise, see Discovering computers on the network.
  4. Protect computers.

    You can choose between two approaches to protecting your networked computers, depending on which suits you best.

    Using the Protect Computers Wizard

    When you drag a computer from the Unassigned group and drop it onto another group, a wizard is launched to help you protect the computers. See Protect computers automatically.

    Protecting computers automatically during synchronization with Active Directory

    If you chose to synchronize with Active Directory, you can also choose to protect your Windows computers automatically. You can do so in the Synchronize with Active Directory Wizard or Synchronization properties dialog box. For instructions, see Use synchronization to protect computers automatically.

  5. Check that computers are protected.
    1. When installation is complete, look at the list of computers in the new group again. In the On-access column, you should see the word Active: this shows that the computer is protected by on-access scanning, and that it is now managed by Sophos Enterprise Console. For more information, see Checking whether your network is protected.
  6. Clean up computers.
    1. If a virus, unwanted application, or other issue has been detected on your network, clean up affected computers as described in Clean up computers now.

Additional protection options

By default, Sophos Endpoint Security and Control detects malware (viruses, Trojans, worms, spyware), adware and other potentially unwanted applications, suspicious behavior, and malicious network traffic. It also blocks access to websites that are known to host malware and scans content downloaded from the internet. You can enable further security and productivity features, as described in Creating and using groups.

Administrative options

You can set up different roles in Sophos Enterprise Console, add rights to the roles, and then assign Windows users and groups to the roles. The System Administrator role that includes the Sophos Full Administrators Windows group has full rights and does not require setting up. For more information, see Managing roles and sub-estates.

You can split your IT estate into sub-estates and assign Sophos Enterprise Console groups of computers to the sub-estates. You can then control access to the sub-estates by assigning Windows users and groups to them. The Default sub-estate contains all Sophos Enterprise Console groups, including the Unassigned group. For more information about sub-estates, see Managing roles and sub-estates.

Tip Check out videos that show how to set up and use Sophos Enterprise Console on the SophosGlobalSupport YouTube channel, the Sophos Enduser Protection section.