Configure LDAP connection

If your Sophos Central user accounts are coming from Active Directory (AD), you can configure an LDAP connection between Sophos Mobile and AD. This allows users to use their AD credentials for Apple Business Manager, Google zero-touch, and Samsung KME devices.

Requirement

Your firewall allows inbound connections from Sophos Central. See IP addresses for AD and SCEP connections.

The following devices enroll automatically with Sophos Mobile when users set them up:

  • Apple Business Manager managed iPhones, iPads, and Macs
  • Android devices registered for Google zero-touch enrollment
  • Samsung Android devices registered for Knox Mobile Enrollment (KME)

During the enrollment process, Sophos Mobile connects to your AD server to authenticate the user.

If you don’t configure an LDAP connection, only users you’ve invited to the Sophos Central Self Service Portal can set up Apple Business Manager, Google zero-touch, and Samsung KME devices.

Note

Authentication fails if the email address in Sophos Central doesn’t match the email address in the Active Directory mail attribute. We recommend that you run Active Directory synchronization in Sophos Central on a regular basis.

To configure an LDAP connection:

  1. On the menu sidebar, click Setup > Sophos setup, and then click the LDAP connection tab.
  2. Click Configure external LDAP.
  3. On the Server details page, configure the following settings:

    1. In the Primary URL field, enter the IP address or name of the primary directory server.

      The server must support LDAPS (LDAP over SSL/TLS).

    2. Optional: In the Secondary URL field, enter the IP address or name of a directory server Sophos Mobile uses as a fallback in case the primary server isn’t available.

    3. In the User and Password fields, enter the credentials Sophos Mobile uses to authenticate with the LDAP server.

      Use one of the following formats:

      • <domain>\<user name>
      • <user name>@<domain>.<domain code>

      Warning

      For security reasons, we recommend you select an account with no write permissions for the directory.

  4. On the Search base page, enter the distinguished name (DN) of the search base object.

    The search base object defines the location in the directory from which the LDAP search begins.

  5. Click Apply.