Available compliance rules

This section lists the compliance rules that you can select for the individual platforms.

Rule

Description

Platforms

Managed required

Define the action that will be executed when a device is no longer managed.

Android

Android Things

iOS

macOS

Windows Mobile

Windows

Windows IoT

Minimum SMC version

Enter the minimum Sophos Mobile Control app version that has to be installed onto the device.

Android

Android Things

iOS

Windows Mobile

Root access allowed

Select whether devices with root rights are allowed.

Note For Sony devices with Enterprise API version 4 or above and for Samsung devices with Knox version 5.5 or below, this includes all devices that are classified insecure by the MDM API, for example because the bootloader is unlocked.

Android

Apps from unknown sources allowed

Select whether apps from unknown sources are allowed.

This rule only affects devices with Android 7.x or earlier. With Android 8, the system setting to restrict app installation sources was removed.

Android

Android Debug Bridge (ADB) allowed

Select whether ADB (Android Debug Bridge) is allowed.

Android

Allow jailbreak

Select whether jailbroken devices are allowed.

iOS

Screen lock required

Select whether a device password or other screen lock mechanism (like pattern or PIN) is required.

For Android, this includes the display lock types Pattern, PIN and Password, but not Swipe.

Windows Mobile devices that have no password policy assigned are always reported as non-compliant. This is a Windows limitation.

Android

iOS

Windows Mobile

Windows

Minimum OS version

Select the earliest operating system version required.

Android

Android Things

iOS

macOS

Windows Mobile

Windows

Windows IoT

Maximum OS version

Select the latest operating system version allowed.

Android

Android Things

iOS

macOS

Windows Mobile

Windows

Windows IoT

Mandatory OS updates

Select if devices must have the latest available or the latest required update installed.

Some iOS updates are classified as required by Apple. The latest available update might be newer than the latest required update.

iOS

Maximum synchronization gap

The maximum allowed gap between device synchronization events.

Android

Android Things

iOS

macOS

Windows Mobile

Windows

Windows IoT

Maximum SMC synchronization gap

The maximum allowed gap between Sophos Mobile Control app synchronization events.

iOS

Windows Mobile

Maximum SMSec synchronization gap

The maximum allowed gap between Sophos Mobile Security app synchronization events.

Android

iOS

Maximum SMSec scan gap

The maximum allowed gap between malware scans performed by the Sophos Mobile Security app.

Android

Denial of SMSec permissions allowed

Sophos Mobile Security needs permissions on the device to work properly. The user has to grant these permissions when the app is installed.

Select whether a denial of the required permissions results in a compliance violation.

Android

Malware apps allowed

Select whether malware apps that have been detected by Sophos Mobile Security are allowed.

Android

Suspicious apps allowed

Select whether suspicious apps that have been detected by Sophos Mobile Security are allowed.

Android

PUAs allowed

Select whether Potentially Unwanted Apps (PUAs) that have been detected by Sophos Mobile Security are allowed.

Android

Encryption required

Select whether encryption is required for devices.

Users must additionally enable the Require PIN to start device or Require Password to start device setting when they set a screen lock. See Sophos knowledgebase article 123947.

For macOS, this setting applies to FileVault full-disk encryption.

For Windows Mobile, a violation is only reported if the restriction Forbid unencrypted device is set as well. This is a Windows limitation.

Android

iOS

macOS

Windows Mobile

Windows

Data roaming allowed

Select whether data roaming is allowed for devices.

Android

iOS

Container configured

Select whether a container must be set up and enabled on the device. This can be a Sophos container, a Samsung Knox container or an Android work profile.

Android

Locate permission required

This setting refers to the Locate function. Select whether the user has to allow the Sophos Mobile Control app at installation time to retrieve location data in order to be compliant.

Android

Denial of SMC permissions allowed

The Sophos Mobile Control app needs permissions on the device to work properly. The user has to grant these permissions when the app is installed.

Select whether a denial of the required permissions results in a compliance violation.

Android

App is able to locate

Location services must be turned on and the Sophos Mobile Control app must be allowed to use them.

For Windows Mobile, this rule only affects Windows Phone 8.1 devices.

iOS

Windows Mobile

Firewall required

The macOS firewall must be turned on.

macOS

System Integrity Protection required

System Integrity Protection must be turned on.

Note System Integrity Protection is a macOS security feature that limits the actions the root user can perform. System Integrity Protection can be configured when the Mac starts up from macOS Recovery.

macOS

Security updates required

Automatic installation of macOS security updates must be turned on.

macOS

Allowed apps / Forbidden apps

You can specify either Allowed apps or Forbidden apps. Select the desired option from the first list and then select the app group containing the apps that should be allowed or forbidden from the second list. For information on creating app groups, see App groups.

If you specify Allowed apps, only the listed apps are allowed. If other apps are detected the device will no longer be compliant.
Note Android system apps are automatically allowed.

If you specify Forbidden apps, the device will no longer be compliant if these apps are detected.

Android

iOS

macOS

Mandatory apps

Specify apps that must be installed. Select the app group containing the mandatory apps from the list. For information on creating app groups, see App groups.

Android

iOS

macOS

Windows

Windows Defender must be turned on

The Windows Defender setting real-time protection must be turned on.

Windows

Clean status from Windows Defender required

Device is not compliant when Windows Defender shows alerts.

Windows

Up-to-date Windows Defender definitions required

Windows Defender must use the latest spyware definitions.

Windows