User roles

Sophos Mobile administrators have different roles. The role affects what an administrator can do.

The available roles are:




Administrator

This role can perform all available actions.

Limited Administrator

This role can enroll and manage devices, but cannot specify essential settings and cannot manage other administrators.


This role can view the list of devices and create reports. It suits, for example, an auditor or an employee who needs to document the settings in Sophos Mobile.

Content admin

This role is intended for employees responsible for uploading, updating or removing documents. Usually this role is assigned to a person outside the IT department. The permissions limit visibility and access to the content in the Documents menu only.


This role can perform actions for support purposes, including enrolling devices and installing apps. This role does not have access to critical functions, such as defining settings and creating, deleting or editing devices/device groups, packages and profiles.


This role has read-only access to all settings that are available to the Administrator role.

App Group Administrator

This role can manage app groups. A typical user is an administrator who accesses the Sophos Mobile web service interface to create, update or read app groups.


Duo API

This role is required for integration with the Duo Security authentication software. Administrators with the Duo API role can access the Sophos Mobile web service interface to request the management status of devices.

See Duo Security integration.

Tip: Your Sophos Mobile product delivery includes the Role Editor. Role Editor lets you easily modify existing user roles or create your own custom roles. You can find it in the %MDM_HOME%\tools\Wizard folder, where %MDM_HOME% is the Sophos Mobile installation folder.

For information on how to use the Role Editor, see Sophos knowledgebase article 122066 or contact the Sophos support team.