User roles

Sophos Mobile administrators have different roles. The role affects what an administrator can do.

The available roles are:




This role has the rights to perform all available actions.

Limited Administrator

This role is allowed to perform all actions required for enrolling and managing a device, but cannot specify essential settings and cannot manage other administrators.


This role can view the list of devices and is able to create reports. For example, an auditor or an employee who needs to document the settings in Sophos Mobile.

Content admin

This role is intended for employees responsible for uploading, updating or removing documents. Usually this role is assigned to a person outside the IT department. The permissions are set to limit visibility and access only the content in the Documents menu.


This role is intended for support purposes. It has only limited rights (for example installation of software packages). This role does not have access to critical functions, such as defining settings and creating, deleting or editing devices/device groups, packages and profiles.


This role has read-only access to all settings that are available to the Administrator role.

App Group Administrator

This role can manage app groups. A typical user is an administrator that accesses the Sophos Mobile web service interface to create, update or read app groups.


This role is required for integration with the Duo Security authentication software. Administrators with the Duo API role can access the Sophos Mobile web service interface for requesting the management status of devices.

See Duo Security integration.

Tip Your Sophos Mobile product delivery includes the Role Editor. Role Editor lets you easily modify existing user roles or create your own custom roles. You can find it in the %MDM_HOME%\tools\Wizard folder, where %MDM_HOME% is the Sophos Mobile installation folder.

For information on how to use the Role Editor, see Sophos knowledgebase article 122066 or contact the Sophos support team.