Available compliance rules

This section lists the compliance rules that you can select for the individual platforms.

| Rule | Description | Platforms |
|---|---|---|
| Managed required | Select actions that will be executed when a device is no longer managed. | Android, iOS, iPadOS, macOS, Windows Mobile, Windows, Chrome OS |
| Device administrator management allowed | Select actions that will be executed for devices where Sophos Mobile is a device administrator. Google now deprecates the device administrator management mode and is reducing its range of functions. We recommend that you use the Android Enterprise management mode instead. | Android |
| Tamper protection turned off | Select actions that will be executed when the Chrome Security policy has been tampered with. | Chrome OS |
| Minimum SMC version | The earliest allowed version of the Sophos Mobile Control app. | Android, iOS, iPadOS, Windows Mobile |
| Minimum Sophos Chrome Security version | The earliest allowed version of the Sophos Chrome Security extension. | Android, iOS, iPadOS, Windows Mobile |
| Root access allowed | Select whether devices with root rights are allowed. This also allows the following devices if they are classified as insecure by the operating system: Sony devices with Enterprise API level 4 or later; Samsung devices with Knox Standard SDK 5.5 (API level 17) or earlier. | Android |
| Google SafetyNet compatibility required | The device must pass the Compatibility Test Suite (CTS), a Google SafetyNet test for Android compatibility. | Android |
| Apps from unknown sources allowed | Select whether apps from outside Google Play (Android) or the Chrome Web Store (Chrome OS) are allowed. For Android, this rule only affects devices with Android 7.x or earlier. | Android, Chrome OS |
| Android Debug Bridge (ADB) allowed | Select whether ADB (Android Debug Bridge) is allowed. | Android |
| Allow jailbreak | Select whether jailbroken devices are allowed. | iOS, iPadOS |
| Screen lock required | Select whether a device password or other screen lock mechanism (like pattern or PIN) is required. For Android, this includes the display lock types “Pattern”, “PIN” and “Password”, but not “Swipe”. Windows Mobile devices that have no password policy assigned are always reported as non-compliant. This is a Windows limitation. | Android, iOS, iPadOS, Windows Mobile, Windows |
| Minimum OS version | The earliest allowed version of the operating system. | Android, iOS, iPadOS, macOS, Windows Mobile, Windows, Chrome OS |
| Maximum OS version | The latest allowed version of the operating system. | Android, iOS, iPadOS, macOS, Windows Mobile, Windows, Chrome OS |
| Mandatory OS updates | Select whether devices must have the latest available or the latest required update installed. Some updates are classified as required by Apple. The latest available update might be newer than the latest required update. | iOS, iPadOS |
| Maximum interval between synchronizations | The maximum allowed interval at which the device must synchronize with Sophos Central. | Android, iOS, iPadOS, macOS, Windows Mobile, Windows, Chrome OS |
| Maximum interval between SMC synchronizations | The maximum allowed interval at which Sophos Mobile Control must synchronize with Sophos Central. | iOS, iPadOS, Windows Mobile |
| Maximum interval between Intercept X for Mobile synchronizations | The maximum allowed interval at which Sophos Intercept X for Mobile must synchronize with Sophos Central. | Android, iOS, iPadOS |
| Maximum interval between Intercept X for Mobile scans | The maximum allowed interval at which Sophos Intercept X for Mobile must perform malware scans. | Android |
| Intercept X for Mobile permissions can be denied | Select whether the device becomes non-compliant if the user denies the app permissions for Sophos Intercept X for Mobile. | Android |
| Malware apps allowed | Select whether malware apps detected by Sophos Intercept X for Mobile are allowed. | Android |
| Suspicious apps allowed | Select whether suspicious apps detected by Sophos Intercept X for Mobile are allowed. | Android |
| PUAs allowed | Select whether Potentially Unwanted Apps (PUAs) detected by Sophos Intercept X for Mobile are allowed. | Android |
| Encryption required | Select whether encryption is required for devices. Users must additionally enable the Require PIN to start device or Require Password to start device setting when they set a screen lock. See Sophos knowledge base article 123947. For macOS, this setting applies to FileVault full-disk encryption. For Windows Mobile, a violation is only reported if the restriction Forbid unencrypted device is set as well. This is a Windows limitation. This rule is not available for iOS because iPhones and iPads are always encrypted. | Android, macOS, Windows Mobile, Windows |
| Third-party profiles allowed | Configuration profiles not managed by Sophos Mobile are allowed. | iOS, iPadOS |
| Data roaming allowed | Data roaming is allowed. | Android, iOS, iPadOS |
| Container configured | A container must be set up and enabled on the device. This can be a Sophos container, a Samsung Knox container, or an Android work profile. | Android |
| Locate permission required | This setting refers to the Locate function. Select whether the user has to allow the Sophos Mobile Control app at installation time to retrieve location data in order to be compliant. | Android |
| SMC permissions can be denied | The Sophos Mobile Control app needs permissions on the device to work properly. The user has to grant these permissions when the app is installed. Select whether a denial of the required permissions results in a compliance violation. | Android |
| App is able to locate | Location services must be turned on and the Sophos Mobile Control app must be allowed to use them. For Windows Mobile, this rule only affects Windows Phone 8.1 devices. | iOS, iPadOS, Windows Mobile |
| Firewall required | The macOS firewall must be turned on. | macOS |
| System Integrity Protection required | System Integrity Protection must be turned on. Note: System Integrity Protection is a macOS security feature that limits the actions the root user can perform. System Integrity Protection can be configured when the Mac starts up from macOS Recovery. | macOS |
| Security updates required | Automatic installation of macOS security updates must be turned on. | macOS |
| Installed apps | Select either Allowed apps or Forbidden apps and then select the app group containing the apps you want to allow or forbid. Android system apps are always allowed. For Chrome OS, app groups can contain apps and extensions. | Android, iOS, iPadOS, macOS, Chrome OS |
| Mandatory apps | Specify apps that must be installed. Select the app group containing the mandatory apps from the list. For information on creating app groups, see App groups. For iOS, don’t configure system apps as mandatory. Sophos Mobile can’t tell if a system app is installed and sets all devices as non-compliant. For Chrome OS, app groups can contain apps and extensions. | Android, iOS, iPadOS, macOS, Windows, Chrome OS |
| Unmanaged apps from unknown sources allowed | Apps installed manually through an IPA file are allowed. These are self-developed apps signed with an ad hoc provisioning profile. | iOS, iPadOS |
| Web Filtering turned on | The Web Filtering feature of Intercept X must be turned on. | iOS, iPadOS |
| Windows Defender must be turned on | The Windows Defender setting real-time protection must be turned on. | Windows |
| Clean status from Windows Defender required | Device is not compliant when Windows Defender shows alerts. | Windows |
| Up-to-date Windows Defender definitions required | Windows Defender must use the latest spyware definitions. | Windows |