Sophos Central Endpoint licensing only applies to devices seen in the last 30 days, with any devices older than 30 days no longer consuming any seats. Additionally, Sophos recommend not removing old devices from Central incase they come back online in the future and require the Tamper Protection code which cannot be recovered once a device is deleted after 90 days.

Liongard does not surface the lastSeenAt object from Sophos Central, and thus we cannot filter out devices that are older than 30 days and no longer consuming a license.

Reference: https://developer.sophos.com/docs/endpoint-v1/1/routes/endpoints/%7BendpointId%7D/get

lastSeenAt

string

Date and time (UTC) when the endpoint last communicated with Sophos Central.