I'm not sure I understand correctly what you mean by desktop agent . If you mean the Sophos Endpoint Security and Control GUI - which settings do you want to be protected from being changed?
sorry I do mean the desktops endpoint security and control. I have enabled tamper protection but can still access the fireweall and av settings and i want to disable this on the server
So the users have administrative rights on the machines (BTW: Is this an AD environment)?
With Tamper Protection enabled only parts of the configuration should be accessible without authentication. For AV these are On-demand extensions and exclusions and Right-click scanning (as these scans are explicitly requested by the users it's in their interest to have reasonable settings anyway), Authorization (as e.g. installers may sometime trigger detections and administrators should be able to bypass this) and Scans. As far as On-Access scanning goes, they should not be able to make changes (except for Authorization).
SCF is a different matter. Right now it is not covered by Tamper Protection as the consequences of totally locking in the settings have to be considered carefully. It might come (especially if there is sufficient interest - so you should perhaps submit a feature request through Support).
As an aside - Web Control settings were initially "open". I (and perhaps others) have questioned this and as far as I can see the are now also subject to TP.
we have set a firewall policy which we don't want uses to alter and it seems they can on the endpoint security and control gui. They can also configure the av and hips which i would like to disable.
The only feature I would like them to be a ble to use really is the scan feature
