Sophos Central MCP Server
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| MCP_HOST | No | Bind host for HTTP transports (default: 127.0.0.1) | 127.0.0.1 |
| MCP_PORT | No | Port for HTTP transports (default: 3001) | 3001 |
| MCP_TRANSPORT | No | Transport mode: stdio, sse, or streamable-http (default: stdio) | stdio |
| SOPHOS_CLIENT_ID | Yes | Partner Super Admin Client ID from Sophos Central | |
| SOPHOS_CLIENT_SECRET | Yes | Corresponding client secret | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": true } |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| sophos_authenticate | Authenticate to Sophos Central using OAuth2 client credentials and obtain a JWT access token. The token is managed automatically and refreshed as needed. Call this first to verify credentials are working. Returns success status and authentication state. |
| sophos_whoami | Call GET /whoami/v1 to discover the authenticated entity's identity. Returns idType ('partner', 'organization', or 'tenant'), the entity's UUID (id), and regional API hosts (global and dataRegion). Use this to determine which account type is connected and which regional API base URL to use for tenant-scoped calls. |
| sophos_list_tenants | List all tenants managed by this Sophos Central Partner account. Returns tenant ID, name, data region, billing type, and regional API host for each tenant. |
| sophos_get_tenant | Get details for a specific managed tenant by ID, including its regional API host. |
| sophos_create_tenant | Create a new tenant under this Sophos Central Partner account. Requires tenant name, data geography, billing type, and primary contact details. |
| sophos_delete_tenant | Delete a tenant managed by this partner. WARNING: This is a destructive, irreversible operation. Confirm the tenant ID carefully before calling this tool. |
| sophos_list_admins | List all partner-level administrators for this Sophos Central Partner account. |
| sophos_create_admin | Create a new partner-level administrator. The admin will receive an invitation email. |
| sophos_get_partner_admin | Get details for a specific partner-level administrator. |
| sophos_delete_partner_admin | Delete a partner-level administrator. |
| sophos_list_roles | List all available partner-level roles that can be assigned to administrators. |
| sophos_get_partner_role | Get details for a specific partner role. |
| sophos_create_partner_role | Create a new partner-level role with the specified name and permission sets. |
| sophos_update_partner_role | Update a partner role's name or description. |
| sophos_delete_partner_role | Delete a partner role. |
| sophos_list_permission_sets | List all available permission sets that can be used when creating partner roles. |
| sophos_list_role_assignments | List all admins assigned to a specific partner role. |
| sophos_create_role_assignment | Assign a partner role to an admin (principal). |
| sophos_delete_role_assignment | Remove a role assignment from a partner admin (principal). |
| sophos_list_tenant_admins | List all administrators for a specific managed tenant using the partner-level endpoint. For tenant-scoped admin management (common/v1), use the tenant admin tools instead. |
| sophos_create_tenant_admin | Create an administrator for a specific managed tenant using the partner-level endpoint. The admin will receive an invitation email. |
| sophos_get_billing_usage | Get billing usage data for a specific month. Shows per-tenant, per-product usage quantities. |
| sophos_list_partner_admin_role_assignments | List role assignments for a specific partner admin (shows which roles this admin holds). |
| sophos_create_partner_admin_role_assignment | Assign a role to a partner admin (add a role to an admin's existing role set). |
| sophos_delete_partner_admin_role_assignment | Remove a specific role assignment from a partner admin. |
| sophos_org_list_tenants | List tenants under this Sophos Central Organization account. Use this when your identity type is 'organization' rather than 'partner'. Supports pagination via page_key. |
| sophos_org_get_tenant | Get details for a specific tenant under this Sophos Central Organization account. |
| sophos_list_account_access_tokens | List all account-level access tokens for a tenant. These tokens are used to authenticate downloads of Sophos products such as Sophos Linux Sensor. Returns token metadata (ID, label, type, expiry) but NOT the actual token secret. |
| sophos_create_account_access_token | Create a new account-level access token for a tenant. Currently supported token type: 'sophosLinuxSensor' — used to authenticate downloads of the Sophos Linux Sensor package. The token secret is returned only on creation; store it securely as it cannot be retrieved again. |
| sophos_update_account_access_token | Update an existing account-level access token. Supports updating the token's label and/or expiry date. At least one of label or expires_at must be provided. |
| sophos_revoke_account_access_token | Permanently revoke (delete) an account-level access token. Revoking a token immediately invalidates it — any software using it for package downloads will stop working. This action is irreversible. |
| sophos_get_licenses | Get all product licenses (with current usage) for a Sophos Central tenant. Returns license type, quantity, start/end dates, perpetual flag, and current usage counts. |
| sophos_get_firewall_licenses | Get firewalls and their licenses for a Sophos Central tenant or partner. Provide either tenant_id (for tenant context) or partner_id (for partner context), but not both. |
| sophos_list_quotes | List distributor quotes from the Sophos Business Automation API. Only approved quotes are returned. Requires a Distributor ID. |
| sophos_get_quote | Get full details for a specific Sophos Business Automation quote by proposal number. |
| sophos_get_partner_level | Return partner level information for a distributor's partners. Filters by billing sub-region and optionally by name, update date, or EDI number. |
| sophos_list_endpoints | List endpoints in a Sophos Central tenant with optional filtering by type, health status, tamper protection, hostname, or free-text search. Returns paginated results. |
| sophos_get_endpoint | Get detailed information about a specific endpoint by its ID, including health, OS, network, assigned products, and isolation status. |
| sophos_isolate_endpoint | Isolate an endpoint from the network. The endpoint will only be able to communicate with Sophos Central. Use this for incident response to contain a compromised machine. |
| sophos_deisolate_endpoint | Remove network isolation from an endpoint, restoring normal network connectivity. |
| sophos_get_isolation_status | Get the current isolation status of an endpoint. |
| sophos_get_tamper_protection | Get the tamper protection status and password for an endpoint. Tamper protection prevents unauthorized changes to Sophos agent settings. |
| sophos_set_tamper_protection | Enable or disable tamper protection on an endpoint. When enabled, Sophos agent settings cannot be changed without the tamper protection password. Optionally regenerate the password. |
| sophos_delete_endpoint | Delete (deregister) an endpoint from Sophos Central. This removes the endpoint record but does not uninstall the agent. Use with caution. |
| sophos_bulk_delete_endpoints | Delete (deregister) multiple endpoints from Sophos Central in a single call. Accepts up to 100 endpoint UUIDs. |
| sophos_scan_endpoint | Trigger an on-demand scan on an endpoint. The scan runs asynchronously; this call initiates it. |
| sophos_force_update_check | Force an endpoint to check for and apply software updates from Sophos Central immediately. |
| sophos_request_forensic_logs | Request forensic log collection from an endpoint for investigation. Returns a forensicLogRequestId to poll for status. |
| sophos_get_forensic_log_status | Get the status of a forensic log collection request previously initiated with sophos_request_forensic_logs. |
| sophos_request_memory_dump | Request a memory dump from an endpoint for forensic investigation. Requires specifying the dump mode and expiry time. Returns a memoryDumpRequestId to poll for status. |
| sophos_get_memory_dump_status | Get the status of a memory dump request previously initiated with sophos_request_memory_dump. |
| sophos_get_adaptive_attack_protection | Get Adaptive Attack Protection (AAP) settings for an endpoint. AAP temporarily increases protection during active attacks. |
| sophos_update_adaptive_attack_protection | Enable or disable Adaptive Attack Protection (AAP) on an endpoint. When enabled with an expiry duration, AAP automatically disables after that period. |
| sophos_bulk_isolate_endpoints | Isolate or deisolate multiple endpoints at once via POST /endpoints/isolation. |
| sophos_list_peripherals | List peripheral devices detected by peripheral control across the tenant. |
| sophos_get_peripheral | Get details for a specific peripheral device. |
| sophos_list_endpoint_migrations | List endpoint migration jobs for a tenant. Shows status of endpoint migrations between Sophos Central tenants. |
| sophos_start_migration | Start an endpoint migration job on the sending tenant. Generates a migration job token that the receiving tenant uses to accept the migration via sophos_accept_migration. |
| sophos_get_migration_job | Get the status and details of a specific endpoint migration job. |
| sophos_accept_migration | Accept an endpoint migration job on the receiving tenant using the job token generated by the sending tenant. This completes the migration transfer. |
| sophos_list_migration_endpoints | List the endpoints included in a specific endpoint migration job and their migration status. |
| sophos_get_installer_downloads | Get available Sophos agent installer download links for specified products and platforms. |
| sophos_list_endpoint_groups | List all endpoint groups in a tenant. Groups are used to organize endpoints for policy assignment and management. |
| sophos_get_endpoint_group | Get details of a specific endpoint group, including its name, description, type, and endpoint count. |
| sophos_create_endpoint_group | Create a new endpoint group in a tenant. Groups organize endpoints by type (computer or server) and can be used for targeted policy assignment. |
| sophos_update_endpoint_group | Update the name and/or description of an existing endpoint group. |
| sophos_add_endpoints_to_group | Add one or more endpoints to an endpoint group. The endpoints will inherit any policies assigned to the group. |
| sophos_delete_endpoint_group | Delete an endpoint group. Endpoints in the group will not be deleted. |
| sophos_list_group_endpoints | List all endpoints that are members of a specific endpoint group. |
| sophos_remove_endpoints_from_group | Remove one or more endpoints from an endpoint group. The endpoints themselves are not deleted. |
| sophos_list_policies | List endpoint policies in a tenant. Optionally filter by policy type. Supported types: threat-protection, web-control, application-control, peripheral-control, data-collection-and-investigation, device-encryption, server-threat-protection, server-peripheral-control, server-application-control, server-lockdown. |
| sophos_get_policy | Get detailed information about a specific endpoint policy, including its settings, priority, and which endpoints it applies to. |
| sophos_create_policy | Create a new endpoint policy. Specify the policy type, name, and optionally priority, enabled state, and settings as a JSON string. |
| sophos_update_policy | Update an existing endpoint policy. You can modify its name, enabled state, priority, and/or settings. |
| sophos_delete_policy | Delete an endpoint policy from a tenant. Endpoints previously governed by this policy will fall back to the base policy. Use with caution. |
| sophos_clone_policy | Clone an existing endpoint policy. Creates a copy with a new name, inheriting all settings from the source policy. |
| sophos_list_policy_endpoints | List the endpoints or endpoint groups governed by a specific policy. |
| sophos_list_mobile_devices | List mobile devices enrolled in Sophos Mobile for a tenant. Supports filtering by platform, management type, compliance status, health state, ownership, device groups, and date ranges. Returns paginated results. |
| sophos_get_mobile_device | Get full details for a specific mobile device by its ID, including compliance status, installed apps, platform, and assigned policies. |
| sophos_create_mobile_device | Register a new mobile device in Sophos Mobile MDM. Requires device name, ownership type (corporate/employee), and platform (iOS, macOS, android, chrome, windows). |
| sophos_update_mobile_device | Update a mobile device's attributes (name, ownership type, group assignment, etc.). This is a full PUT replacement of the device record — all required fields must be supplied. |
| sophos_delete_mobile_device | Remove a mobile device from Sophos Mobile MDM enrollment. |
| sophos_list_mobile_device_violations | List compliance violations for a specific mobile device. |
| sophos_list_mobile_device_apps | List applications installed on a specific mobile device. |
| sophos_get_mobile_device_location | Get the last known GPS location for a specific mobile device. |
| sophos_list_mobile_device_policies | List MDM policies assigned to a specific mobile device. |
| sophos_list_mobile_device_properties | List custom device properties for a specific mobile device. |
| sophos_create_mobile_device_property | Add a custom property (key/value pair) to a mobile device. The key must follow the pattern 'custom.'. |
| sophos_update_mobile_device_property | Update the value of an existing custom device property identified by its key. |
| sophos_delete_mobile_device_property | Delete a custom property from a mobile device by its key. |
| sophos_list_mobile_device_scan_results | List IXM (Intercept X for Mobile) scan results for a specific mobile device. |
| sophos_list_mobile_device_groups | List mobile device groups in a Sophos Mobile tenant. |
| sophos_get_mobile_device_group | Get details for a specific mobile device group by its ID. |
| sophos_create_mobile_device_group | Create a new mobile device group in Sophos Mobile. Requires name and compliance policy IDs for both employee- and corporate-owned devices. |
| sophos_update_mobile_device_group | Update a mobile device group. This is a full PUT replacement — all required fields must be provided. |
| sophos_delete_mobile_device_group | Delete a mobile device group from Sophos Mobile. |
| sophos_list_mobile_actions | List MDM actions (sync, scan, lock, wipe, etc.) for a tenant with filtering by type, state, endpoint IDs, and date ranges. |
| sophos_get_mobile_action | Get details for a specific MDM action by its ID. |
| sophos_delete_mobile_action | Delete a pending MDM action (cancel it before execution). |
| sophos_mobile_action_sync | Trigger a sync action on up to 50 mobile devices — forces devices to check in with Sophos Mobile and apply pending policies. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/rijul170/sophos-central-mcp'