Software packages FAQ

A package is a full set of the software that any device running any combination of our products might need. Devices only download and install the software they have licenses for.

For example, an endpoint package includes our core agent (used by multiple products), threat protection, encryption, and Sophos MDR, but your devices only install the core agent and threat malware protection if that's the only software you've licensed.

You can choose between software that's frequently updated or software that lets you control updating so you can test new releases for longer. The package types are as follows:

Recommended guarantees you always have the latest features. However, you have no control over updating.

Fixed term support packages offer greater stability. They're based on versions that have already been successfully rolled out. You still get updates to protect against new threats, but the product features don't change. You can keep devices on the package for 120 days.

Long term support packages are similar, but are only intended for critical devices with strict change control, such as website servers or point-of-sale tills. You can keep devices on the package for 18 months.

Yes, you can select different packages in your update management policies. This lets you use the software package that best meet the updating needs of each group of devices.

You can use multiple packages within your network as part of your strategy for testing and rolling out new versions.

Here's an example. Let's assume that you want to use mostly fixed term packages on your network.

• Put a representative group of devices on Recommended or Early Access Program packages. This lets you find issues in new versions long before you start using them.

• Put another group on a newly released fixed term support package for two weeks to check there are no issues.

• Put most devices on the previous fixed term support package until you know the new version doesn't have issues. Then switch them to the newer package gradually.

• Put critical devices in a special group on a long term support package.

If you've already installed Sophos protection, your devices have the Recommended package by default. To assign a different package, go to the update management policy and select a package there.

If you're new to Sophos, you can assign a non-default package to devices when you install protection, as follows:

1. In Sophos Central, create a computer group.
2. Create an update management policy, apply it to the group, and select a package in the settings.
3. Run the Sophos installer from the command line with the group specified.

Our updates don't usually need an immediate restart. You can wait until devices restart for another reason.

Package updates are likely to be less frequent than other updates, like OS patches, that do need restarts. So you can align Sophos updates with patch cycles to take advantage of those planned restarts.

Enabling Scheduled Updates within the Update Management policy allows you to apply software package updates at a scheduled day and time.

We’ll turn off controlled updates for endpoint computers on September 30, 2023 and for servers on January 31, 2024.

If you still want control over updating, you must migrate to software packages before then.

You use your policies to migrate to software packages.

To migrate a group of devices, add a fixed term or long term support package to their update management policy. The devices start using the package and stop using controlled updates. You can migrate more groups whenever you're ready.

You can check in Sophos Central or on the device.

• In Sophos Central, go to Devices and click the device to open its details. On the Policies tab, look for the update management policy. Click the policy to open it and check which software package is selected.

• On the device, double-click the Sophos icon in the taskbar. In Sophos Endpoint, click About and look at the details of installed products. In the version numbers, "Fixed" indicates a fixed term support package, and "LTS" indicates a long term support package.

All fixed term and long term support packages expire. Fixed term support packages expire after 120 days, long term support packages after 18 months. When they expire, you must select a new package.

Use the Recommended package if you prefer us to ensure you're always up to date.

We don't take any action when your package expires. If you choose to use fixed term or long term support packages, we expect you to manage software versions for your organization. You must select a new package.

Use the Recommended package if you prefer us to ensure you're always up to date.

We'll notify you in advance so that you have time to test and roll out a new package. You can check the expiry date any time by going to My Products > General Settings > Software Packages.

When a package expires, the devices that were using that package don't get protection updates anymore. They do still have the protection they had before the expiry.

If you need more time before you select a new package, for example you're under strict change control, you can wait for a few days. However, we recommend that you get the new package as soon as possible.

This doesn't happen. We always ensure that a new package is available before the current one expires. If necessary, we extend the expiry date to ensure there's at least a 30-day overlap between versions to allow for testing and rollout.

If we find a critical issue (for example, a vulnerability) in a package, we won't remove it or change its expiry date. We'll create an additional ".1" version with the fixes and the same expiry date. You'll need to move devices to the ".1" version.

We recommend that you move to the newer package rapidly but you can decide the time that's best for you.

You only need this option if Sophos support tells you to use it. It's used to add special packages we provide to fix customer issues.