Configure LDAP connection

If your Sophos Central user accounts are coming from Active Directory (AD), you can configure an LDAP connection between Sophos Mobile and AD. This allows users to use their AD credentials for Apple DEP, Google zero-touch, and Samsung KME.

The following devices enroll automatically with Sophos Mobile when users set them up:

  • iPhones, iPads, and Macs registered for the Apple device enrollment program (DEP)
  • Android devices registered for Google zero-touch enrollment
  • Samsung Android devices registered for Knox Mobile Enrollment (KME)

During the enrollment process, Sophos Mobile connects to your AD server to authenticate the user.

If you don’t configure an LDAP connection, only users you’ve invited to the Self Service Portal can set up Apple DEP, Google zero-touch, and Samsung KME devices.

Note: Authentication fails if the email address in Sophos Central doesn’t match the email address in the Active Directory mail attribute. We recommend that you run Active Directory synchronization in Sophos Central on a regular basis.

To configure an LDAP connection:

  1. On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the LDAP connection tab.
  2. Click Configure external LDAP.
  3. On the Server details page, configure the following settings:
    1. In the Primary URL field, enter the IP address or name of the primary directory server.
      The server must support LDAPS (LDAP over SSL/TLS).
    2. Optional: In the Secondary URL field, enter the IP address or name of a directory server Sophos Mobile uses as a fallback if the primary server isn’t available.
    3. In the User and Password fields, enter the credentials Sophos Mobile uses to authenticate with the LDAP server.

      Use one of the following formats:

      • <domain>\<user name>
      • <user name>@<domain>.<domain code>

      Note: For security reasons, we recommend you select an account with no write permissions for the directory.
  4. On the Search base page, enter the distinguished name (DN) of the search base object.
    The search base object defines the location in the directory from which the LDAP search begins.
  5. Click Apply.
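As an added preflight example (not part of the Sophos documentation and not Sophos Mobile code), the following Python script checks the values from the procedure above before you type them into the LDAP connection tab: the bind-account format from step 3.3, the search base DN from step 4, whether the primary and secondary servers actually answer LDAPS on port 636 with a certificate the checking host trusts (step 3.1), and the Sophos Central versus Active Directory mail mismatch described in the note. The user records are constructed sample data, and correlating Central users with AD users by sAMAccountName is an assumption of this example, not something the page specifies.

```python
"""Preflight checks for a Sophos Mobile LDAP connection (example, not Sophos code).

Everything here uses only the Python standard library so it can run from any
admin workstation that can reach the directory servers on TCP 636.
"""
import re
import socket
import ssl

LDAPS_PORT = 636  # Sophos Mobile requires LDAP over SSL/TLS, not plain 389

# The two bind-account formats the page accepts:
#   <domain>\<user name>            (down-level logon name)
#   <user name>@<domain>.<code>     (user principal name)
_DOWN_LEVEL = re.compile(r"^[^\\/@\s]+\\[^\\/@\s]+$")
_UPN = re.compile(r"^[^\\/@\s]+@[^\\/@\s]+\.[^\\/@\s.]+$")


def bind_account_format(user):
    """Return 'down-level', 'upn', or None when the account matches neither format."""
    if _DOWN_LEVEL.match(user):
        return "down-level"
    if _UPN.match(user):
        return "upn"
    return None


def is_valid_search_base(dn):
    """Loose syntax check for a search base DN such as OU=Mobile,DC=corp,DC=example.

    Catches the common mistake of entering a DNS domain (corp.example.com) instead
    of a distinguished name; it does not verify that the object exists.
    """
    rdn = r"\s*[A-Za-z][A-Za-z0-9-]*=[^,=]+\s*"
    return re.fullmatch(rf"{rdn}(,{rdn})*", dn) is not None


def check_ldaps(host, timeout=5.0):
    """Open a certificate-verified TLS session to host:636.

    A failed handshake means the server does not offer LDAPS, or presents a
    certificate this host does not trust (wrong name, expired, private CA not
    installed); in either case Sophos Mobile will not be able to bind to it.
    Returns a dict with ok=True plus certificate details, or ok=False plus the error.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(pair[0] for pair in cert.get("subject", ()))
                return {"ok": True, "subject": subject, "notAfter": cert.get("notAfter")}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": str(exc)}


def mail_mismatches(central_users, ad_users):
    """List users whose Sophos Central email differs from the AD mail attribute.

    These are exactly the users whose DEP, zero-touch, or KME enrollment will fail
    to authenticate until AD synchronization in Sophos Central brings the two in
    line. Assumption of this example: both sides are keyed by sAMAccountName.
    Comparison is case-insensitive because the mail attribute is not case-sensitive.
    """
    ad_by_sam = {u["sAMAccountName"].lower(): u for u in ad_users}
    problems = []
    for cu in central_users:
        ad = ad_by_sam.get(cu["sAMAccountName"].lower())
        ad_mail = (ad or {}).get("mail") or ""
        if ad_mail.lower() != cu["email"].lower():
            problems.append((cu["sAMAccountName"], cu["email"], ad_mail or None))
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with your own before running for real.
    bind_user = r"CORP\svc-sophos-ldap"
    search_base = "OU=Mobile Users,DC=corp,DC=example,DC=com"
    print("bind account format:", bind_account_format(bind_user))
    print("search base DN ok:", is_valid_search_base(search_base))
    for server in ("dc1.corp.example.com", "dc2.corp.example.com"):  # primary, secondary
        print(server, check_ldaps(server))
    central = [{"sAMAccountName": "jdoe", "email": "jdoe@example.com"},
               {"sAMAccountName": "asmith", "email": "alice.smith@example.com"}]
    ad = [{"sAMAccountName": "jdoe", "mail": "JDoe@example.com"},
          {"sAMAccountName": "asmith", "mail": "asmith@example.com"}]
    print("mail mismatches:", mail_mismatches(central, ad))
```

Run it from a machine that can reach the directory servers; a `check_ldaps` failure on the primary URL but not the secondary is worth resolving before saving the connection, since Sophos Mobile only falls back to the secondary server when the primary is unavailable, not when its certificate is rejected.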