Set up Mobile Threat Defense

You set up Mobile Threat Defense both in Sophos Mobile Admin and in Microsoft Intune.

Restriction

You can’t use Intune Mobile Threat Defense if you’ve configured Intercept X for Mobile app enrollment with Sophos Mobile as described in Configure Intercept X for Mobile enrollment.

Note

If you follow the Microsoft document Add and assign Mobile Threat Defense (MTD) apps with Intune, you first create the Sophos Mobile Threat Defense connector in Intune and then switch to Sophos Mobile to complete the configuration. That is an alternative approach to the one described here.

Sophos Mobile Admin

In Sophos Mobile Admin, you bind Sophos Mobile to your Intune account and configure enrollment settings.

  1. In Sophos Central Admin, go to My Products > Mobile.
  2. On the menu sidebar, select Setup > Sophos setup, and then select the Intune MTD tab.
  3. Select Bind.
  4. Sign in with your Microsoft Azure administrator account.
  5. Accept the permissions requested by Sophos Mobile Threat Defense.
  6. Configure the following settings:

    • Owner: The ownership type Sophos Mobile assigns to devices when you enroll them with Intune.
    • Device group: The Sophos Mobile device group that devices are assigned to.
    • Mobile Threat Defense policy (Android) (Optional): The default Sophos Mobile policy for Sophos Intercept X for Mobile on Android devices.
    • Mobile Threat Defense policy (iOS) (Optional): The default Sophos Mobile policy for Sophos Intercept X for Mobile on iPhones and iPads.
  7. Click Save.

Microsoft Intune

In Microsoft Intune, you configure the Sophos Mobile Threat Defense connector, add Intercept X for Mobile, and create a device compliance policy.

  1. Sign in to Microsoft Intune admin center with your Azure administrator account.
  2. Go to Tenant administration > Connectors and tokens > Mobile Threat Defense.
  3. Under MTD connector, select Sophos.
  4. Turn on the features you want to use and then select Save.

    The connector status changes from Available to Enabled.

  5. Add the Intercept X for Mobile Android app.

    See the instructions in Add Android store apps to Microsoft Intune.

    For Appstore URL, enter https://play.google.com/store/apps/details?id=com.sophos.smsec

  6. Add the Intercept X for Mobile iOS app.

    See the instructions in Add iOS store apps to Microsoft Intune.

    In Search the App Store, enter Sophos Intercept X for Mobile.

  7. Optional: Create an app configuration policy for Intercept X for Mobile.

    For available settings, see Android settings and iOS settings.

    For a description of creating an app configuration policy, see the instructions for Android devices and iOS devices.

    Note

    If you don’t configure the Device name (Android) or deviceName (iOS) setting, Sophos Mobile uses the device’s name from Microsoft Entra ID (Azure AD).

  8. Assign the apps to your Intune users.

    See the instructions in Assign apps to groups with Microsoft Intune.

  9. Create two compliance policies (one for Android devices, one for iPhones and iPads).

    See the instructions in Create a compliance policy in Microsoft Intune.

This completes the Mobile Threat Defense setup.

Note

It takes some time before Microsoft registers Sophos Mobile as the Mobile Threat Defense vendor for your Intune account. If you enroll Intercept X for Mobile on a device with Intune during that period, the compliance status shown in Intune isn’t correct. This issue resolves automatically after a few minutes.

Prepare devices

To prepare a device you want to add to Mobile Threat Defense, do as follows:

  1. Enroll the device with Intune.
  2. Install the Intune Company Portal app.
  3. On your iPhones or iPads, install the Microsoft Authenticator app.

    Intune doesn’t support other authenticator apps.

To add a device to Mobile Threat Defense, see Android devices and iPhones or iPads.

Android settings

The table shows the configuration settings of the Sophos Intercept X for Mobile Android app in Microsoft Intune.

| Setting | Description |
| --- | --- |
| Device ID | The unique device identifier used by the EMM. |
| Device name | The device name. Sophos Mobile uses this name when it adds the device. Tip: Use the User name variable to set the device name. See Supported variables for configuration values. |
| EULA disabled | The End User License Agreement (EULA) is not displayed when the app starts. |
| Connect to Intune | The app automatically starts the Intune connection assistant. |

iOS settings

The table shows the configuration settings of the Sophos Intercept X for Mobile iOS app in Microsoft Intune.

| Setting | Type | Description |
| --- | --- | --- |
| macAddress | string | The device’s MAC address. The value is used to identify the device when it connects to a Sophos Wi-Fi access point. Required for Synchronized Security. |
| eulaDisabled | boolean | The End User License Agreement (EULA) is not displayed when the app starts. Possible values are true and false. The default is false. |
| startIntuneConnection | boolean | The app automatically starts the Intune connection assistant. Possible values are true and false. The default is false. |
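
The following is an added example, not part of the Sophos documentation: a small Python check that lints an iOS app configuration against the settings table above before you paste it into an Intune app configuration policy. It assumes the configuration is entered as an XML `<dict>` property-list fragment; the function name, the sample fragments, the string type of deviceName, the accepted MAC notation and the `{{...}}` variable syntax are assumptions.

```python
import plistlib
import re

# Expected type per key, from the iOS settings table.
# deviceName is named in the Intune steps; its string type is an assumption.
SCHEMA = {"macAddress": str, "eulaDisabled": bool,
          "startIntuneConnection": bool, "deviceName": str}
# Assumed MAC notation: six hex octets separated by ":" or "-".
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

# Constructed samples: wrong type, misspelled key, truncated MAC.
SAMPLE_BAD = """<dict>
  <key>eulaDisabled</key><string>true</string>
  <key>startIntuneConection</key><true/>
  <key>macAddress</key><string>00:1A:2B:3C:4D</string>
</dict>"""
SAMPLE_GOOD = """<dict>
  <key>eulaDisabled</key><true/>
  <key>startIntuneConnection</key><true/>
  <key>macAddress</key><string>00:1A:2B:3C:4D:5E</string>
</dict>"""


def lint_app_config(dict_xml, synchronized_security=False):
    """Return a list of findings for an XML <dict> configuration fragment."""
    wrapped = '<plist version="1.0">' + dict_xml.strip() + "</plist>"
    try:
        config = plistlib.loads(wrapped.encode(), fmt=plistlib.FMT_XML)
    except Exception as exc:  # malformed XML or plist structure
        return [f"not a valid property list: {exc}"]
    if not isinstance(config, dict):
        return ["top-level element must be <dict>"]
    findings = []
    for key, value in config.items():
        expected = SCHEMA.get(key)
        if expected is None:
            findings.append(f"{key}: unknown key (typo?)")
        elif type(value) is not expected:
            findings.append(f"{key}: expected {expected.__name__}, "
                            f"got {type(value).__name__}")
        # Values holding a configuration variable (assumed {{...}}) are skipped.
        elif (key == "macAddress" and "{{" not in value
              and not MAC_RE.match(value)):
            findings.append("macAddress: not a MAC address")
    if synchronized_security and "macAddress" not in config:
        findings.append("macAddress: required for Synchronized Security")
    return findings
```
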