Sophos SafeGuard Retirement Guidance

The Sophos Safeguard encryption management product is now end-of-support by its vendor and as such needs to be removed from all University computers. Sophos Safeguard should have been removed from all managed University computers automatically during the Windows Refresh and Jamf projects, however we are aware that a number still in use have the product installed. Any computer running Sophos Safeguard is now considered incorrectly configured and as such requires remediation by IT to remove Safeguard and ensure that the computer is properly configured. If a computer cannot be properly configured it will no longer be supportable by IT, and in most of these cases it will be necessary to retire and/or replace these computers.

The following provides guidance and information for University staff using computers that are still running Sophos encryption products.

What to do if Sophos Safeguard is Installed on Your Computer 

If you are using a computer that has Sophos Safeguard installed, you should receive an email from the IT team titled “IMPORTANT NOTICE: End of Life Notification of Sophos Computer Encryption”. This email will contain instructions on what to next.  

It is extremely important that you ensure that you do not store any data on the local hard drive of your computer, for example on your Desktop, My Documents or Home folders. Instead, you should move data to a networked storage location such as M:, N: or OneDrive. If you must store data on the local drive of a computer then please ensure that it is backed up frequently, 

If after 31st January you haven’t received an email, you should inform IT as soon as possible to arrange for remediation. To do this, please raise a standard IT Service request with the subject line ‘Sophos Safeguard Removal’. Someone from the IT team will contact you in due course to arrange for the removal of Safeguard and to take any additional action required to ensure that the computer can be managed and supported by the IT service. A summary of the approach that will be taken can be found in the next section.


Summary of Approach to be taken on Sophos Encrypted Computers 

The nature of the work that will be carried out on Sophos encrypted devices will depend on the condition of the computer. It is important to be aware that in some cases it may not be possible to configure a computer for ongoing support and access to University IT services and systems, such as if the computer is no longer within manufacturer warranty. In these circumstances the computer will need to be retired and/or replaced.

Due to the diversity of the University computing environment, the following should be considered as indicative only of the approach that will be taken:  

All Computers That Are No Longer Covered by a Manufacturer Warranty

All Windows and Apple computers that are no longer within warranty will need to be retired and/or replaced. Exemption from this standard will only be permissible in exceptional circumstances, such as for computers controlling complex research instrumentation.

Computers Running the Windows 10 Operating System

Computers running Windows 10 with Sophos installed will need to be configured to ensure that they are correctly managed by University systems. This may mean that these computers will need to be fully rebuilt to ensure configuration compliance.

Computers Running MacOS

Apple Mac computers running Sophos will need to be configured to ensure that they are correctly managed by the University Jamf system. This may mean that these computers will need to be reset or fully rebuilt to ensure configuration compliance.

Computers using Sophos to access encrypted folders

If there is any data stored in a Sophos network encrypted folder this will need to be moved to a secure OneDrive folder or SharePoint with restricted access as required.

Computers Running Windows 7

Windows 7 devices are no longer supported by IT as per article KB0017015: Support for Windows 7 Computers. These computers should be retired and/or replaced as soon as possible.