Available compliance rules
This section lists the compliance rules that you can select for the individual platforms.
| Rule | Description | Platforms |
|---|---|---|
| Managed required | Define the action that will be executed when a device is no longer managed. | Android, Android Things, iOS, macOS, Windows Mobile, Windows, Windows IoT |
| Minimum SMC app version | Enter the minimum Sophos Mobile Control app version that has to be installed on the device. | Android, Android Things, iOS, Windows Mobile |
| Root access allowed | Select whether devices with root rights are allowed. Note: For Sony devices with Enterprise API version 4 or above and for Samsung devices with Knox version 5.5 or below, this includes all devices that are classified insecure by the MDM API, for example because the bootloader is unlocked. | Android |
| Apps from unknown sources allowed | Select whether apps from unknown sources are allowed. This rule only affects devices with Android 7.x or earlier. With Android 8, the system setting to restrict app installation sources was removed. | Android |
| Android Debug Bridge (ADB) allowed | Select whether ADB (Android Debug Bridge) is allowed. | Android |
| Allow jailbreak | Select whether jailbroken devices are allowed. | iOS |
| Screen lock required | Select whether a device password or other screen lock mechanism (like pattern or PIN) is required. For Android, this includes the display lock types Pattern, PIN and Password, but not Swipe. Windows Mobile devices that have no password policy assigned are always reported as non-compliant. This is a Windows limitation. | Android, iOS, Windows Mobile, Windows |
| Min. OS version | Select the earliest operating system version required. | Android, Android Things, iOS, macOS, Windows Mobile, Windows, Windows IoT |
| Max. OS version | Select the latest operating system version allowed. | Android, Android Things, iOS, macOS, Windows Mobile, Windows, Windows IoT |
| Mandatory OS updates | Select if devices must have the latest available or the latest required update installed. Some iOS updates are classified as required by Apple. The latest available update might be newer than the latest required update. | iOS |
| Max. synchronization gap | Specify the maximum interval between synchronization processes for devices. | Android, Android Things, iOS, macOS, Windows Mobile, Windows, Windows IoT |
| Maximum SMC app synchronization interval | Specify the maximum interval between app synchronization processes for devices. | iOS, Windows Mobile |
| Max. SMSec scan interval | Specify the maximum scan interval for malware scans performed by the Sophos Mobile Security app on the device. | Android |
| Denial of SMSec permissions allowed | Sophos Mobile Security needs permissions on the device to work properly. The user has to grant these permissions when the app is installed. Select whether a denial of the required permissions results in a compliance violation. | Android |
| Malware apps allowed | Select whether malware apps that have been detected by Sophos Mobile Security are allowed. | Android |
| Suspicious apps allowed | Select whether suspicious apps that have been detected by Sophos Mobile Security are allowed. | Android |
| PUAs allowed | Select whether PUAs (Potentially Unwanted Apps) that have been detected by Sophos Mobile Security are allowed. | Android |
| Encryption required | Select whether encryption is required for devices. On devices with Android 5 or higher, users must additionally enable the Require PIN to start device or Require Password to start device setting when they set a screen lock. See Sophos knowledgebase article 123947. For macOS, this setting applies to FileVault full-disk encryption. For Windows Mobile, a violation is only reported if the restriction Forbid unencrypted device is set as well. This is a Windows limitation. | Android, iOS, macOS, Windows Mobile, Windows |
| Data roaming allowed | Select whether data roaming is allowed for devices. | Android, iOS |
| Container configured | Select whether a container must be set up and enabled on the device. This can be a Sophos container, a Samsung Knox container or an Android work profile. | Android |
| Locate permission required | This setting refers to the Locate function. Select whether the user has to allow the Sophos Mobile Control app at installation time to retrieve location data in order to be compliant. | Android |
| Denial of SMC permissions allowed | The Sophos Mobile Control app needs permissions on the device to work properly. The user has to grant these permissions when the app is installed. Select whether a denial of the required permissions results in a compliance violation. | Android |
| App is able to locate | Location services must be turned on and the Sophos Mobile Control app must be allowed to use them. For Windows Mobile, this rule only affects Windows Phone 8.1 devices. | iOS, Windows Mobile |
| Firewall required | The macOS firewall must be turned on. | macOS |
| System Integrity Protection required | System Integrity Protection must be turned on. Note: System Integrity Protection is a macOS security feature that limits the actions the root user can perform. System Integrity Protection can be configured when the Mac starts up from macOS Recovery. | macOS |
| Security updates required | Automatic installation of macOS security updates must be turned on. | macOS |
| Allowed apps / Forbidden apps | You can specify either Allowed apps or Forbidden apps. Select the desired option from the first list and then select the app group containing the apps that should be allowed or forbidden from the second list. For information on creating app groups, see App groups. If you specify Allowed apps, only the listed apps are allowed. If other apps are detected, the device will no longer be compliant. Note: Android system apps are automatically allowed. If you specify Forbidden apps, the device will no longer be compliant if these apps are detected. | Android, iOS, macOS |
| Mandatory apps | Specify apps that must be installed. Select the app group containing the mandatory apps from the list. For information on creating app groups, see App groups. | Android, iOS, macOS, Windows |
| Windows Defender must be turned on | The Windows Defender setting real-time protection must be turned on. | Windows |
| Clean status from Windows Defender required | The device is not compliant when Windows Defender shows alerts. | Windows |
| Up-to-date Windows Defender definitions required | Windows Defender must use the latest spyware definitions. | Windows |
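The rules above are evaluated by the Sophos Mobile server, and its implementation is not shown on this page. The following added example (written for this page, not Sophos code) illustrates how a subset of these rules can be evaluated against device inventory records, and it makes two points a practitioner checking devices should keep in mind: operating system versions must be compared numerically, not as strings (as a string, "10.10" sorts before "10.2"), and for Android the Swipe lock type does not count as a screen lock. The device record fields, rule keys, policy values, package names and device data are all constructed for the illustration.

```python
"""Illustrative compliance evaluator for a subset of the rules above.

Added example, not Sophos Mobile code. Field names, rule keys, package names
and the sample policy and devices are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Android display lock types that count as a real screen lock; Swipe does not.
SCREEN_LOCK_TYPES = {"Pattern", "PIN", "Password"}


@dataclass
class Device:
    """Hypothetical device inventory record (field names are assumptions)."""
    name: str
    os_version: str
    last_sync: datetime
    rooted: bool = False
    lock_type: str = "None"          # None, Swipe, Pattern, PIN or Password
    apps: frozenset = frozenset()    # installed package identifiers


def parse_version(version: str) -> tuple:
    """'10.10.1' -> (10, 10, 1); numeric parts only, so 10.10 sorts after 10.9."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; '10.2' equals '10.2.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def evaluate(device: Device, rules: dict, now: datetime) -> list:
    """Return the names of the rules the device violates (empty list = compliant).

    Rule names mirror the table above; the rule keys are this example's own.
    """
    violations = []

    min_os = rules.get("min_os_version")
    if min_os and compare_versions(device.os_version, min_os) < 0:
        violations.append("Min. OS version")
    max_os = rules.get("max_os_version")
    if max_os and compare_versions(device.os_version, max_os) > 0:
        violations.append("Max. OS version")

    gap = rules.get("max_sync_gap")
    if gap and now - device.last_sync > gap:
        violations.append("Max. synchronization gap")

    if rules.get("root_access_allowed") is False and device.rooted:
        violations.append("Root access allowed")

    if rules.get("screen_lock_required") and device.lock_type not in SCREEN_LOCK_TYPES:
        violations.append("Screen lock required")

    if device.apps & rules.get("forbidden_apps", frozenset()):
        violations.append("Forbidden apps")

    if rules.get("mandatory_apps", frozenset()) - device.apps:
        violations.append("Mandatory apps")

    return violations


# Constructed sample policy and devices (not real Sophos data).
POLICY = {
    "min_os_version": "10.2",
    "max_os_version": "13",
    "max_sync_gap": timedelta(days=3),
    "root_access_allowed": False,
    "screen_lock_required": True,
    "forbidden_apps": frozenset({"com.example.remote-control"}),
    "mandatory_apps": frozenset({"com.example.mdm-agent"}),
}

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

DEVICES = [
    # Compliant; note that "10.10" is newer than the "10.2" minimum.
    Device("good", "10.10", NOW - timedelta(hours=6), lock_type="PIN",
           apps=frozenset({"com.example.mdm-agent"})),
    # Synced 5 days ago and only Swipe "lock": two violations.
    Device("stale-swipe", "11.0", NOW - timedelta(days=5), lock_type="Swipe",
           apps=frozenset({"com.example.mdm-agent"})),
    # Old OS, rooted, forbidden app present, mandatory agent missing.
    Device("rooted-old", "9.0", NOW - timedelta(hours=1), rooted=True,
           lock_type="Password", apps=frozenset({"com.example.remote-control"})),
]


def report(devices=DEVICES, policy=POLICY, now=NOW) -> dict:
    """Map each device name to its list of violated rules."""
    return {d.name: evaluate(d, policy, now) for d in devices}


if __name__ == "__main__":
    for name, found in report().items():
        print(f"{name}: {'compliant' if not found else ', '.join(found)}")
```

The version comparator pads the shorter tuple with zeros so that "10.2" and "10.2.0" compare equal; a naive string comparison would also flag the "good" device above as below the "10.2" minimum, which is the sort of false non-compliance that leads to devices being wiped or locked by mistake.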