Create compliance policy

  1. On the menu sidebar, click Compliance policies.
  2. On the Compliance policies page, click Create compliance policy, and then select the template the policy will be based on:

    • Default template: A selection of compliance rules, with no actions defined.
    • PCI template, HIPAA template: Compliance rules and actions based on the PCI DSS and the HIPAA security standard, respectively.

    Your choice of template doesn’t restrict your subsequent configuration options.

  3. Enter a name and, optionally, a description for the compliance policy.

  4. Repeat the following steps for all required platforms.
  5. Make sure that the Enable platform check box on each tab is selected.

    If this check box is not selected, devices of that platform are not checked for compliance.

  6. Under Rule, configure the compliance rules for the particular platform.

    For a description of the available rules for each device type, click Help in the page header.

    Each compliance rule has a fixed severity level (high, medium, low) that is depicted by a blue icon. The severity helps you to assess the importance of each rule and the actions you should implement when it is violated.

  7. For each rule, define the actions that will be taken if the rule is violated:

    Action Description
    Deny email

    Block email access.

    This action is only available if you configured a connection to the Sophos Mobile EAS proxy. See Configure the Sophos Mobile EAS proxy server.

    This action applies to Android devices, iPhones, iPads, and Windows computers.

    Lock container

    For Android Enterprise devices, this action locks all apps except the following: Sophos Mobile Control, Sophos Intercept X for Mobile, Google Play Store, Contacts, Messages, Phone.

    This action applies to Android devices, iPhones, and iPads.

    Set health

    Select the health status (Red, Yellow, Green) the device gets if it violates this rule. If the device violates more than one rule, it gets its health status from the rule that’s associated with the worst health.

    Sophos Mobile reports the health status to Sophos Wireless. Depending on your Sophos Wireless configuration, network access is restricted.

    This action applies to Android devices, iPhones, and iPads if you’ve turned on Synchronized Security. See Turn on Synchronized Security.

    Create alert

    Sophos Mobile creates an event, which you can see on the device’s details page, and an alert.

    Transfer task bundle

    Transfer a specific task bundle to the device. We recommend that you set this to None at this stage.

    Warning: When used incorrectly, task bundles may misconfigure or even wipe devices. To assign the correct task bundles to compliance rules, an in-depth knowledge of the system is required.

  8. When you have made the settings for all required platforms, click Save to save the compliance policy under the name that you specified.


When an Android Enterprise fully managed device becomes non-compliant, all apps are disabled.
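To reason about what a device will actually experience before you save a policy, the action rules from the table in step 7 can be modelled in a few lines. This is an added sketch, not Sophos Mobile code or an API of the product; the function, the platform labels and the rule names are assumptions made for the example, and "not available" preconditions are modelled as the action having no effect.

```python
from dataclasses import dataclass
from typing import Optional

HEALTH_ORDER = ["Green", "Yellow", "Red"]  # best to worst

# Platforms each action applies to, per the action table.
# "ios" stands for iPhones and iPads (label chosen for this sketch).
APPLIES_TO = {
    "deny_email": {"android", "ios", "windows"},
    "lock_container": {"android", "ios"},
    "set_health": {"android", "ios"},
}

@dataclass
class Actions:
    deny_email: bool = False
    lock_container: bool = False
    health: Optional[str] = None      # "Red", "Yellow" or "Green"
    create_alert: bool = False

def resolve(platform, platform_enabled, violated, eas_proxy=False, sync_security=False):
    """Combine the actions of all violated rules for one device."""
    out = {"checked": platform_enabled, "deny_email": False,
           "lock_container": False, "health": None, "alerts": []}
    if not platform_enabled:
        return out  # "Enable platform" cleared: device is not checked
    for rule, act in violated.items():
        # Deny email needs the EAS proxy connection (modelled as ignored without it).
        if act.deny_email and eas_proxy and platform in APPLIES_TO["deny_email"]:
            out["deny_email"] = True
        if act.lock_container and platform in APPLIES_TO["lock_container"]:
            out["lock_container"] = True
        # Set health needs Synchronized Security; the worst status wins.
        if act.health and sync_security and platform in APPLIES_TO["set_health"]:
            if out["health"] is None or (HEALTH_ORDER.index(act.health)
                                         > HEALTH_ORDER.index(out["health"])):
                out["health"] = act.health
        if act.create_alert:
            out["alerts"].append(rule)
    return out

# Constructed policy: rule names are hypothetical, not Sophos Mobile rule names.
POLICY = {
    "rule-a": Actions(health="Yellow", create_alert=True),
    "rule-b": Actions(deny_email=True, lock_container=True, health="Red"),
}

if __name__ == "__main__":
    print(resolve("android", True, POLICY, eas_proxy=False, sync_security=True))
    print(resolve("windows", True, POLICY, eas_proxy=True))
```

In the first call the Android device ends up Red and container-locked but keeps email access, because no EAS proxy connection is configured; the same policy on a Windows computer with the proxy configured yields only the email block and the alert.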

To make use of a compliance policy, you assign it to a device group. This is described in the next section.