
Available compliance rules

This page lists the compliance rules that you can select for the individual platforms.

Rule Description
Managed required

Select actions that will be executed when a device is no longer managed.
Device administrator management allowed

Select actions that will be executed for devices where Sophos Mobile is a device administrator.

Device administrator is an obsolete management mode, only available for devices with Android 9 or earlier. We recommend that you migrate devices that use this mode to Android Enterprise. See Migrate from device administrator to Android Enterprise.

Applies to:

  • Android devices
Tamper protection turned off

Select actions that will be executed when the Chrome Security policy has been tampered with.

Applies to:

  • Chromebooks
Minimum SMC version

The earliest allowed version of the Sophos Mobile Control app.

Applies to:

  • Android devices
  • iPhones and iPads
Minimum Sophos Chrome Security version

The earliest allowed version of the Sophos Chrome Security extension.

Applies to:

  • Chromebooks
Root access allowed

Select whether devices with root rights are allowed.

This also allows the following devices if they are classified as insecure by the operating system:

  • Sony devices with Enterprise API level 4 or later.
  • Samsung devices with Knox Standard SDK 5.5 (API level 17) or earlier.

Applies to:

  • Android devices
Apps from unknown sources allowed

Select whether apps and extensions from outside the Chrome Web Store are allowed.

Applies to:

  • Chromebooks
Android Debug Bridge (ADB) allowed

Select whether ADB (Android Debug Bridge) is allowed.

Applies to:

  • Android devices
Allow jailbreak

Select whether jailbroken devices are allowed.

Applies to:

  • iPhones and iPads
Screen lock required

Select whether a device password or other screen lock mechanism (like pattern or PIN) is required.

For Android, this includes the display lock types Pattern, PIN, and Password, but not Swipe.

Apple User Enrollment devices comply with this rule if the policy that you assign to them contains a Password policies configuration.

Applies to:

  • Android devices
  • iPhones and iPads
  • Windows computers
Minimum OS version

The earliest allowed version of the operating system.

Maximum OS version

The latest allowed version of the operating system.
Mandatory OS updates

Select if devices must have the latest available or the latest critical update installed.

Some updates are classified as critical by Apple. The latest available update might be more recent than the latest critical update.

Applies to:

  • Supervised iPhones and iPads, but not Apple User Enrollment devices
Maximum interval between native MDM agent synchronizations

The maximum allowed interval at which the operating system’s Mobile Device Management (MDM) software must synchronize with Sophos Central.

Applies to:

  • iPhones and iPads without Sophos Mobile Control or Sophos Intercept X for Mobile
  • Macs
  • Windows computers
Maximum interval between SMC synchronizations

The maximum allowed interval at which Sophos Mobile Control must synchronize with Sophos Central.

Applies to:

  • Android devices
  • iPhones and iPads
Maximum interval between Intercept X for Mobile synchronizations

The maximum allowed interval at which Sophos Intercept X for Mobile must synchronize with Sophos Central.

Applies to:

  • Android devices
  • iPhones and iPads
Maximum interval between Sophos Chrome Security synchronizations

The maximum allowed interval at which Sophos Chrome Security must synchronize with Sophos Central.

Applies to:

  • Chromebooks
Maximum interval between Intercept X for Mobile scans

The maximum allowed interval at which Sophos Intercept X for Mobile must perform malware scans.

Applies to:

  • Android devices
Intercept X for Mobile permissions can be denied

Select whether the device becomes non-compliant if the user denies the app permissions for Sophos Intercept X for Mobile.

We recommend that you set this rule to No when using Web Filtering. With this setting, the device becomes non-compliant when Web Filtering stops working because the user turned off the Sophos Accessibility Service.

Applies to:

  • Android devices
Malware apps allowed

Select whether malware apps detected by Sophos Intercept X for Mobile are allowed.

Applies to:

  • Android devices
Suspicious apps allowed

Select whether suspicious apps detected by Sophos Intercept X for Mobile are allowed.

Applies to:

  • Android devices
PUAs allowed

Select whether Potentially Unwanted Apps (PUAs) detected by Sophos Intercept X for Mobile are allowed.

Applies to:

  • Android devices
Encryption required

Select whether encryption is required for devices.

Users must additionally enable the Require PIN to start device or Require Password to start device setting when they set a screen lock. See Encryption is not active on Android devices.

iPhones and iPads are always encrypted.

For macOS, this setting applies to FileVault full-disk encryption.

Applies to:

  • Android devices
  • Macs
  • Windows computers
Third-party profiles allowed

Configuration profiles not managed by Sophos Mobile are allowed.

Applies to:

  • iPhones and iPads, but not Apple User Enrollment devices
Data roaming allowed

Data roaming is allowed.

Applies to:

  • Android devices
  • iPhones and iPads, but not Apple User Enrollment devices
Container configured

A container must be set up and enabled on the device. This can be an Android work profile or a Samsung Knox container.

Applies to:

  • Android devices
Locate permission required

This setting refers to the Locate function. Select whether the user has to allow the Sophos Mobile Control app at installation time to retrieve location data in order to be compliant.

Applies to:

  • Android devices
SMC permissions can be denied

The Sophos Mobile Control app needs permissions on the device to work properly. The user has to grant these permissions when the app is installed.

Select whether a denial of the required permissions results in a compliance violation.

Applies to:

  • Android devices
App is able to locate

Location services must be turned on and the Sophos Mobile Control app must be allowed to use them.

Applies to:

  • iPhones and iPads
Firewall required

The macOS firewall must be turned on.

Applies to:

  • Macs
System Integrity Protection required

System Integrity Protection must be turned on.

Note: System Integrity Protection is a macOS security feature that limits the actions the root user can perform. System Integrity Protection can be configured when the Mac starts up from macOS Recovery.

Applies to:

  • Macs
Security updates required

Automatic installation of macOS security updates must be turned on.

Applies to:

  • Macs
Installed apps

Select either Allowed apps or Forbidden apps and then select the app group containing the apps you want to allow or forbid.

Android system apps are always allowed.

For Chrome OS, app groups can contain apps and extensions.

Applies to:

  • Android devices
  • iPhones and iPads, but not Apple User Enrollment devices
  • Macs
  • Chromebooks
Mandatory apps

Specify apps that must be installed. Select the app group containing the mandatory apps from the list.

For iOS, don’t configure system apps as mandatory. Sophos Mobile can’t tell if a system app is installed and sets all devices as non-compliant.

For Chrome OS, app groups can contain apps and extensions.

Unmanaged apps from unknown sources allowed

Apps installed manually through an IPA file are allowed.

These are self-developed apps signed with an ad hoc provisioning profile.

Applies to:

  • iPhones and iPads
Web Filtering turned on

The Web Filtering feature of Intercept X for Mobile must be turned on.

Applies to:

  • iPhones and iPads
Windows Defender must be turned on

The Windows Defender setting real-time protection must be turned on.

Applies to:

  • Windows computers
Clean status from Windows Defender required

The device is not compliant when Windows Defender shows alerts.

Applies to:

  • Windows computers
Up-to-date Windows Defender definitions required

Windows Defender must use the latest spyware definitions.

Applies to:

  • Windows computers