General configuration (Android Sophos container policy)

With the General configuration you define settings that apply to all Sophos container apps, if applicable.

Setting/Field Description
Enable Sophos container password Users must enter an additional password to be able to start a Sophos container app. The password has to be defined when the first container app is started after the configuration has been applied. This password applies to all container apps.
Password complexity The required minimum complexity of the Sophos container password. More secure passwords are always allowed. Passwords (a mix of numeric and alphanumeric characters) are always seen as more secure than PINs (numeric characters only).
  • Any: Sophos container passwords do not have restrictions.
  • 4 digit PIN
  • 6 digit PIN
  • 4 char password
  • 6 char password
  • 8 char password
  • 10 char password
Password age in days The number of days that a password can be used before users are prompted to change it.
Failed logins until lock The number of failed login attempts that are tolerated before the container apps are locked. Once they are locked, an administrator needs to unlock the apps or, if allowed, users can use the Self Service Portal to do so.
Allow fingerprint Users can use their fingerprint to unlock the app.
Grace period in minutes The period of time during which users do not have to enter the Sophos container password again when a container app returns to the foreground.

The grace period applies to all container apps. You can switch between the apps during the grace period without entering a password.

You can select 1, 2, 5, 10, or 15 minutes.

Lock on device lock When the device is locked, the Sophos container is locked as well.

If the check box is cleared, the container is locked only after the grace period has expired.

Last server connect The period of time within which users can use a Sophos container app without a connection to the Sophos Mobile Control server.

When a Sophos container app becomes active and does not have contact with the server within the defined period of time, a lock screen will be displayed. Users can only unlock the app by tapping Retry on the lock screen. The app will then try to connect to the server. If the connection can be established, the app will be unlocked. If not, access will be denied.

  • On access: Server connection is always required and the app is locked when the server cannot be reached.
  • 1 hour: Server connection is required when the app becomes active one hour or more after the last successful server connection.
  • 3 hours
  • 6 hours
  • 12 hours
  • 1 day
  • 3 days
  • 1 week
  • none: No regular contact is required.
Offline starts without server connection In this field you define how often users can start one of the Sophos container apps without a server connection.
Note: This setting requires the Sophos container password feature to be turned on.

A counter is incremented whenever users enter the Sophos container password. If the counter exceeds the defined number, the same lock screen as for the Last server connect setting will be displayed. The counter will be reset if a connection to the Sophos Mobile Control server is established.

  • Unlimited: No server connection is required.
  • 0: Starting the app without a server connection is not possible.
  • 1: After one start of the app, a successful server connection is necessary.
  • 3
  • 5
  • 10
  • 20
Root allowed Container apps are allowed to run on rooted devices.
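
How the Last server connect and Offline starts without server connection settings described above combine can be seen in a small model. This is an added example, not Sophos code: the class, field and return-value names are hypothetical, and it assumes the app contacts the server whenever the server is reachable.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class OfflinePolicy:
    # Hypothetical field names; the values mirror the options listed on this page.
    last_server_connect_hours: Optional[float]  # 0 = "On access", None = "none"
    offline_starts: Optional[int]               # None = "Unlimited"

class ContainerModel:
    """Toy model of the lock-screen rules described above; not Sophos code."""

    def __init__(self, policy: OfflinePolicy):
        self.policy = policy
        self.hours_since_connect = 0.0  # time since the last successful server connection
        self.password_entries = 0       # counter incremented on each password entry

    def advance(self, hours: float) -> None:
        """Let time pass without a server connection."""
        self.hours_since_connect += hours

    def _connected(self) -> str:
        # A successful server connection resets both the timer and the counter.
        self.hours_since_connect = 0.0
        self.password_entries = 0
        return "unlocked"

    def start_app(self, server_reachable: bool) -> str:
        """User enters the container password and the app becomes active."""
        self.password_entries += 1
        if server_reachable:  # assumption: the app connects whenever it can
            return self._connected()
        p = self.policy
        # "1 hour or more after the last successful server connection" -> >=
        window_expired = (p.last_server_connect_hours is not None
                          and self.hours_since_connect >= p.last_server_connect_hours)
        # "If the counter exceeds the defined number" -> strictly greater than
        starts_exceeded = (p.offline_starts is not None
                           and self.password_entries > p.offline_starts)
        return "lock_screen" if window_expired or starts_exceeded else "unlocked"

    def retry(self, server_reachable: bool) -> str:
        """User taps Retry on the lock screen."""
        return self._connected() if server_reachable else "access_denied"
```

With `offline_starts=1` the first offline start succeeds and the second shows the lock screen, which matches the description of option 1; with `offline_starts=0` the very first offline start is blocked.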
App usage constraints

Here you can define constraints on using the Sophos container apps. Click Add to enter constraints.

Geo-fencing Lets you add latitude and longitude and a radius within which the Sophos container apps can be used.
Time-fencing Lets you specify a start and end time within which the Sophos container apps can be used. Days of the week on which the apps can be used can be specified as well.
Wi-Fi fencing Lets you specify Wi-Fi networks to which the device must be connected in order to use the Sophos container apps.
The device must actually be connected to one of the listed networks. Being able to see a particular network in the list of available networks is not enough.
Important: We recommend that you do not rely on Wi-Fi fencing as the only security mechanism because Wi-Fi names can be spoofed very easily.