Auto-assign users to auto-enrolled devices

For devices that enroll automatically with Sophos Mobile during device setup, you can configure automatic user assignment.

The following devices that enroll automatically with Sophos Mobile support automatic user assignment:

  • Zero-touch enabled Android devices (zero-touch devices)
  • Knox Mobile Enrollment enabled Android devices (KME devices)
  • iPhones and iPads registered in Apple Business Manager (Apple Business Manager devices)

When users set up the device after switching it on for the first time or resetting it to factory settings, they must enter their credentials. Sophos Mobile looks up the user account and assigns it to the device.

You can configure which credentials to use:

  • Sophos Central credentials
  • Active Directory (AD) credentials

Note that you can’t use Azure AD federated authentication for automatic user assignment.

To configure automatic user assignment, follow one of the sections below.

Automatic user assignment with Sophos Central credentials

To use Sophos Central credentials for user authentication, complete the following steps:

  1. Add user accounts to Sophos Central, either manually or by synchronizing them with your AD server.
  2. Send your users an access email for Sophos Central Self Service Portal.

    Users must follow the link in that email to activate their account and set a password.

    See Send users an access email for Sophos Central Self Service Portal.

The final step is identical for Sophos Central and AD credentials:

  1. For KME and Apple Business Manager devices, turn on automatic user assignment:
    • For KME devices, select User authentication in the KME enrollment settings.
    • For Apple Business Manager devices, select Assign user to device in the Apple Business Manager profiles for iOS and macOS.

    For zero-touch devices, Sophos Mobile always assigns the user automatically.

    For details about enrollment settings, see the following pages:

Automatic user assignment with AD credentials

To use AD credentials for user authentication, complete the following steps:

  1. Set up synchronization with your AD server.
  2. Make sure that your firewall allows connections from Sophos Central to your AD server via secure LDAP (LDAPS), that is, via TCP port 636.

    To get the IP address that Sophos Central uses to connect to your AD server, see IP addresses for AD and SCEP connections.

  3. In Sophos Mobile, configure the connection to your AD server.
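
A reachability and certificate check for the LDAPS requirement in step 2, as an added example that is not part of the Sophos documentation. It assumes the AD server's certificate should validate against the trust store of the machine running the script; the function names `check_ldaps` and `days_left` are hypothetical.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter string (as returned by getpeercert)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def check_ldaps(host, port=636, timeout=5.0):
    """Classify what a client at this network location sees on the LDAPS port.

    Returns a dict whose "status" is unreachable, cert_invalid, tls_failed or ok.
    """
    ctx = ssl.create_default_context()  # validates chain and hostname (assumed policy)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused, filtered or timed out: no listener, or the firewall drops this source.
        return {"status": "unreachable", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert, version = tls.getpeercert(), tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, untrusted issuer or name mismatch.
        return {"status": "cert_invalid", "detail": exc.verify_message}
    except OSError as exc:
        # Covers ssl.SSLError and handshake timeouts: the port answers but not with TLS.
        return {"status": "tls_failed", "detail": str(exc)}
    finally:
        raw.close()  # no-op once wrap_socket has taken over the descriptor
    return {"status": "ok", "tls": version, "days_left": days_left(cert["notAfter"])}


if __name__ == "__main__":
    # Usage: python check_ldaps.py <ad-server-hostname>
    if len(sys.argv) != 2:
        sys.exit("usage: check_ldaps.py <ad-server-hostname>")
    print(check_ldaps(sys.argv[1]))
```

The result describes only the path from the host that runs the script. If the firewall rule admits only the Sophos Central address, `unreachable` from any other source is the expected outcome.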

The final step is identical for Sophos Central and AD credentials:

  1. For KME and Apple Business Manager devices, turn on automatic user assignment:
    • For KME devices, select User authentication in the KME enrollment settings.
    • For Apple Business Manager devices, select Assign user to device in the Apple Business Manager profiles for iOS and macOS.

    For zero-touch devices, Sophos Mobile always assigns the user automatically.

    For details about enrollment settings, see the following pages: