Available compliance rules

The following table shows the compliance rules you can select for the individual platforms under Rule in the relevant Compliance rules tabs.

Setting Description Android iOS Windows Mobile Windows Desktop

Managed required
Define the action that will be executed when a device is no longer managed.

Minimum SMC app version
Enter the minimum Sophos Mobile Control app version that has to be installed on the device.

Root rights allowed
Select whether devices with root rights are allowed.
Note: For Sony devices with Enterprise API version 4 or above and for Samsung devices with Knox version 5.5 or below, this includes all devices that are classified as insecure by the MDM API, for example because the bootloader is unlocked.

Apps from unknown sources allowed
Select whether apps from unknown sources are allowed.

Android Debug Bridge (ADB) allowed
Select whether ADB (Android Debug Bridge) is allowed.

Allow jailbreak
Select whether jailbroken devices are allowed.

Password required
Select whether a device password or other screen lock mechanism (like pattern or PIN) is required.
For Android, this includes the display lock types Pattern, PIN and Password, but not Swipe.

Min. OS version
Select the earliest operating system version required.

Max. OS version
Select the latest operating system version allowed.

Max. synchronization gap
Specify the maximum interval between synchronization processes for devices.

Maximum SMC app synchronization interval
Specify the maximum interval between iOS app synchronization processes for devices.

Max. SMSec scan interval
This field is only displayed if Sophos Mobile Security is available for this customer. For further information, see Manage Sophos Mobile Security. In this field, you can specify the maximum scan interval for malware scans performed by the Sophos Mobile Security app on the device.

Denial of SMSec permissions allowed
Sophos Mobile Security needs permissions on the device to work properly. The user has to grant these permissions when the app is installed.
Select whether a denial of the required permissions results in a compliance violation.

Malware apps allowed
This field is only displayed if Sophos Mobile Security is available for this customer.
Select whether detected malware apps are allowed.

Suspicious apps allowed
This field is only displayed if Sophos Mobile Security is available for this customer.
Select whether detected suspicious apps are allowed.

PUAs allowed
This field is only displayed if Sophos Mobile Security is available for this customer.
Select whether detected PUAs (Potentially Unwanted Apps) are allowed on devices.

Encryption required
Select whether encryption is required for devices.
On devices with Android 5 or higher, users must additionally enable the Require PIN to start device or Require Password to start device setting when they set a screen lock. See Sophos knowledgebase article 123947.

Data roaming allowed
Select whether data roaming is allowed for devices.

Locate permission required
This setting refers to the Locate function. Select whether the user has to allow the Sophos Mobile Control app at installation time to retrieve location data in order to be compliant.

Denial of SMC permissions allowed
The Sophos Mobile Control app needs permissions on the device to work properly. The user has to grant these permissions when the app is installed.
Select whether a denial of the required permissions results in a compliance violation.

App is able to locate
Location services must be turned on and the Sophos Mobile Control app must be allowed to use them.
For Windows Mobile, this rule only affects Windows Phone 8.1 devices.

Process control permission required
Sophos Mobile Security needs usage access to ensure that blocked apps cannot be opened and protected apps will ask for a password.
Select whether a denial of usage access results in a compliance violation.

Allowed apps / Forbidden apps
You can specify either Allowed apps or Forbidden apps. Select the desired option from the first list and then select the app group containing the apps that should be allowed or forbidden from the second list. For information on creating app groups, see App groups.
If you specify Allowed apps, only the listed apps are allowed. If other apps are detected, the device will no longer be compliant.
Note: Android system apps are automatically allowed.
If you specify Forbidden apps, the device will no longer be compliant if these apps are detected.

Mandatory apps
Specify apps that must be installed. Select the app group containing the mandatory apps from the list. For information on creating app groups, see App groups.

Windows Defender must be turned on
The Windows Defender setting real-time protection must be turned on.

Clean status from Windows Defender required
The device is not compliant when Windows Defender shows alerts.

Up-to-date Windows Defender definitions required
Windows Defender must use the latest spyware definitions.