Skip to content

Software packages FAQ


This feature is currently only available for Windows devices.


If you're compliant with the Federal Risk and Authorization Management Program (FedRAMP), you'll only see our Fixed term support and Long term support packages.

Software packages let you control when your Sophos protection software is updated. They're replacing the "controlled updates" feature in Sophos Central.

This page is for customers who want our fixed term or long term support packages, rather than our recommended software.

Is a package a product, a component, an installer, or something else?

A package is a full set of the software that any device running any combination of our products might need. Devices only download and install the software they have licenses for.

For example, an endpoint package includes our core agent (used by multiple products), threat protection, encryption, and Sophos MDR, but your devices only install the core agent and threat malware protection if that's the only software you've licensed.

Which package type should I use?

You can choose between software that's frequently updated or software that lets you control updating so you can test new releases for longer. The package types are as follows:

Recommended guarantees you always have the latest features. However, you have no control over updating.

Fixed term support packages offer greater stability. They're based on versions that have already been successfully rolled out. You still get updates to protect against new threats, but the product features don't change. You can keep devices on the package for 120 days.

Long term support packages are similar, but are only intended for critical devices with strict change control, such as website servers or point-of-sale tills. You can keep devices on the package for 18 months.

Can I use different packages in different policies?

Yes, you can select different packages in your update management policies. This lets you use the software package that best meet the updating needs of each group of devices.

How can packages help with testing and rollout of new versions?

You can use multiple packages within your network as part of your strategy for testing and rolling out new versions.

Here's an example. Let's assume that you want to use mostly fixed term packages on your network.

  • Put a representative group of devices on Recommended or Early Access Program packages. This lets you find issues in new versions long before you start using them.

  • Put another group on a newly released fixed term support package for two weeks to check there are no issues.

  • Put most devices on the previous fixed term support package until you know the new version doesn't have issues. Then switch them to the newer package gradually.

  • Put critical devices in a special group on a long term support package.

How do I assign a package to devices?

If you've already installed Sophos protection, your devices have the Recommended package by default. To assign a different package, go to the update management policy and select a package there.

If you're new to Sophos, you can assign a non-default package to devices when you install protection, as follows:

  1. In Sophos Central, create a computer group.
  2. Create an update management policy, apply it to the group, and select a package in the settings.
  3. Run the Sophos installer from the command line with the group specified.
Do you need to restart devices when you assign a package or switch to another package?

Our updates don't usually need an immediate restart. You can wait until devices restart for another reason.

Package updates are likely to be less frequent than other updates, like OS patches, that do need restarts. So you can align Sophos updates with patch cycles to take advantage of those planned restarts.

Can you schedule software package updates?

You can't schedule assignment of software packages. When you select a software package in an update management policy, your devices switch to the package immediately. We'll add support for scheduling later.

If you need to schedule updates, either continue to use Sophos controlled updates or change your policy at the time you want updates to occur.

What happens if I'm using controlled updates?

We’ll turn off controlled updates for endpoint computers on September 30, 2023 and for servers on January 31, 2024.

If you still want control over updating, you must migrate to software packages before then.

How do I migrate from controlled updates?

You use your policies to migrate to software packages.

To migrate a group of devices, add a fixed term or long term support package to their update management policy. The devices start using the package and stop using controlled updates. You can migrate more groups whenever you're ready.

Can I check which package a device is using?

You can check in Sophos Central or on the device.

  • In Sophos Central, go to Devices and click the device to open its details. On the Policies tab, look for the update management policy. Click the policy to open it and check which software package is selected.

  • On the device, double-click the Sophos icon in the taskbar. In Sophos Endpoint, click About and look at the details of installed products. In the version numbers, "Fixed" indicates a fixed term support package, and "LTS" indicates a long term support package.

Do software packages expire?

All fixed term and long term support packages expire. Fixed term support packages expire after 120 days, long term support packages after 18 months. When they expire, you must select a new package.

Use the Recommended package if you prefer us to ensure you're always up to date.

When a package expires, does Sophos force me to update?

We don't take any action when your package expires. If you choose to use fixed term or long term support packages, we expect you to manage software versions for your organization. You must select a new package.

Use the Recommended package if you prefer us to ensure you're always up to date.

How do I know when a package is about to expire?

We'll notify you in advance so that you have time to test and roll out a new package. You can check the expiry date any time by going to Global Settings > Software Packages.

What happens if a package expires and I don't select a new one?

When a package expires, the devices that were using that package don't get protection updates anymore. They do still have the protection they had before the expiry.

If you need more time before you select a new package, for example you're under strict change control, you can wait for a few days. However, we recommend that you get the new package as soon as possible.

What happens if a fixed term support package expires before the next one is released?

This doesn't happen. We always ensure that a new package is available before the current one expires. If necessary, we extend the expiry date to ensure there's at least a 30-day overlap between versions to allow for testing and rollout.

What happens if an issue is found in a package I'm using?

If we find a critical issue (for example, a vulnerability) in a package, we won't remove it or change its expiry date. We'll create an additional ".1" version with the fixes and the same expiry date. You'll need to move devices to the ".1" version.

We recommend that you move to the newer package rapidly but you can decide the time that's best for you.

What's the 'Add software' option on the Software Packages page?

You only need this option if Sophos support tells you to use it. It's used to add special packages we provide to fix customer issues.