Set up Mobile Threat Defense
You set up Mobile Threat Defense both in Sophos Mobile Admin and in Microsoft Intune.
If you follow the Microsoft document Add and assign Mobile Threat Defense (MTD) apps with Intune, you first create the Sophos Mobile Threat Defense connector in Intune and then switch to Sophos Mobile to complete the configuration. That is an alternative approach to the one described here.
Sophos Mobile Admin
In Sophos Mobile Admin, you bind Sophos Mobile to your Intune account and configure enrollment settings.
- In Sophos Central Admin, go to My Products > Mobile.
- On the menu sidebar, select Setup > Sophos setup, and then select the Intune MTD tab.
- Select Bind.
- Sign in with your Microsoft Azure administrator account.
- Accept the permissions requested by Sophos Mobile Threat Defense.
- Configure the following settings:
  - Owner: The ownership type Sophos Mobile assigns to devices when you enroll them with Intune.
  - Device group: The Sophos Mobile device group devices will be assigned to.
  - Mobile Threat Defense policy (Android) (Optional): The default Sophos Mobile policy for Sophos Intercept X for Mobile on Android devices.
  - Mobile Threat Defense policy (iOS) (Optional): The default Sophos Mobile policy for Sophos Intercept X for Mobile on iPhones and iPads.
In Microsoft Intune, you configure the Sophos Mobile Threat Defense connector, add Intercept X for Mobile, and create a device compliance policy.
- Sign in to Microsoft Intune admin center with your Azure administrator account.
- Go to Tenant administration > Connectors and tokens > Mobile Threat Defense.
- Under MTD connector, select Sophos.
- Turn on the features you want to use and then select Save.
  The connector status changes from Available to Enabled.
- Add the Intercept X for Mobile Android app.
  See the instructions in Add Android store apps to Microsoft Intune.
  For Appstore URL, enter
- Add the Intercept X for Mobile iOS app.
  See the instructions in Add iOS store apps to Microsoft Intune.
  In Search the App Store, enter Sophos Intercept X for Mobile.
- Optional: Create an app configuration policy for Intercept X for Mobile.
  If you don’t configure the Device name (Android) or deviceName (iOS) setting, Sophos Mobile uses the device’s name from Microsoft Entra ID (Azure AD).
- Assign the apps to your Intune users.
  See the instructions in Assign apps to groups with Microsoft Intune.
- Create two compliance policies (one for Android devices, one for iPhones and iPads).
  See the instructions in Create a compliance policy in Microsoft Intune.
This completes the Mobile Threat Defense setup.
It takes some time before Microsoft registers Sophos Mobile as a Mobile Threat Defense vendor for your Intune account. If you enroll Intercept X for Mobile on a device with Intune during that period, the compliance status shown in Intune isn’t correct. This issue resolves automatically after a few minutes.
To prepare a device you want to add to Mobile Threat Defense, do as follows:
- Enroll the device with Intune.
- Install the Intune Company Portal app.
- On your iPhones or iPads, install the Microsoft Authenticator app.
  Intune doesn’t support other authenticator apps.
The table shows the configuration settings of the Sophos Intercept X for Mobile Android app in Microsoft Intune.
|The unique device identifier used by the EMM.
The device name.
Sophos Mobile uses this name when it adds the device.
Tip: Use the
|The End User License Agreement (EULA) is not displayed when the app starts.
|Connect to Intune
|The app automatically starts the Intune connection assistant.
The table shows the configuration settings of the Sophos Intercept X for Mobile iOS app in Microsoft Intune.
The device’s MAC address. The value is used to identify the device when it connects to a Sophos Wi-Fi access point.
Required for Synchronized Security.
The End User License Agreement (EULA) is not displayed when the app starts.
Possible values are
The app automatically starts the Intune connection assistant.
Possible values are