Available compliance rules

This section lists the compliance rules that you can select for the individual platforms.

Rule

Description

Platforms

Managed required

Select actions that will be executed when a device is no longer managed.

Android

iOS

macOS

Windows Mobile

Windows

Chrome OS

Tamper protection turned off

Select actions that will be executed when the Chrome Security policy has been tampered with.

Chrome OS

Minimum SMC version

The earliest allowed version of the Sophos Mobile Control app.

Android

iOS

Windows Mobile

Minimum Sophos Chrome Security version

The earliest allowed version of the Sophos Chrome Security extension.

Android

iOS

Windows Mobile

Root access allowed

Select whether devices with root rights are allowed.

This also allows the following devices if they are classified as insecure by the operating system:

  • Sony devices with Enterprise API level 4 or later
  • Samsung devices with Knox Standard SDK 5.5 (API level 17) or earlier

Android

Google SafetyNet compatibility required

The device must pass the Compatibility Test Suite (CTS), a Google SafetyNet test for Android compatibility.

Android

Apps from unknown sources allowed

Select whether apps from outside Google Play (Android) or the Chrome Web Store (Chrome OS) are allowed.

For Android, this rule only affects devices with Android 7.x or earlier.

Android

Chrome OS

Android Debug Bridge (ADB) allowed

Select whether ADB (Android Debug Bridge) is allowed.

Android

Allow jailbreak

Select whether jailbroken devices are allowed.

iOS

Screen lock required

Select whether a device password or other screen lock mechanism (like pattern or PIN) is required.

For Android, this includes the display lock types “Pattern”, “PIN” and “Password”, but not “Swipe”.

Windows Mobile devices that have no password policy assigned are always reported as non-compliant. This is a Windows limitation.

Android

iOS

Windows Mobile

Windows

Minimum OS version

The earliest allowed version of the operating system.

Android

iOS

macOS

Windows Mobile

Windows

Chrome OS

Maximum OS version

The latest allowed version of the operating system.

Android

iOS

macOS

Windows Mobile

Windows

Chrome OS

Mandatory OS updates

Select if devices must have the latest available or the latest required update installed.

Some iOS updates are classified as required by Apple. The latest available update might be newer than the latest required update.

iOS

Maximum interval between synchronizations

The maximum allowed interval at which the device must synchronize with Sophos Mobile.

Android

iOS

macOS

Windows Mobile

Windows

Chrome OS

Maximum interval between SMC synchronizations

The maximum allowed interval at which Sophos Mobile Control must synchronize with Sophos Mobile.

iOS

Windows Mobile

Maximum interval between Intercept X for Mobile synchronizations

The maximum allowed interval at which Sophos Intercept X for Mobile must synchronize with Sophos Mobile.

Android

iOS

Maximum interval between Intercept X for Mobile scans

The maximum allowed interval at which Sophos Intercept X for Mobile must perform malware scans.

Android

Intercept X for Mobile permissions can be denied

Select whether the device becomes non-compliant if the user denials the app permissions for Sophos Intercept X for Mobile.

Android

Malware apps allowed

Select whether malware apps detected by Sophos Intercept X for Mobile are allowed.

Android

Suspicious apps allowed

Select whether suspicious apps detected by Sophos Intercept X for Mobile are allowed.

Android

PUAs allowed

Select whether Potentially Unwanted Apps (PUAs) detected by Sophos Intercept X for Mobile are allowed.

Android

Encryption required

Select whether encryption is required for devices.

Users must additionally enable the Require PIN to start device or Require Password to start device setting when they set a screen lock. See Sophos knowledge base article 123947.

For macOS, this setting applies to FileVault full-disk encryption.

For Windows Mobile, a violation is only reported if the restriction Forbid unencrypted device is set as well. This is a Windows limitation.

This rule is not available for iOS because iPhones and iPads are always encrypted.

Android

macOS

Windows Mobile

Windows

Third-party profiles allowed

Configuration profiles not managed by Sophos Mobile are allowed.

iOS

Data roaming allowed

Data roaming is allowed.

Android

iOS

Container configured

A container must be set up and enabled on the device. This can be a Sophos container, a Samsung Knox container, or an Android work profile.

Android

Locate permission required

This setting refers to the Locate function. Select whether the user has to allow the Sophos Mobile Control app at installation time to retrieve location data in order to be compliant.

Android

SMC permissions can be denied

The Sophos Mobile Control app needs permissions on the device to work properly. The user has to grant these permissions when the app is installed.

Select whether a denial of the required permissions results in a compliance violation.

Android

App is able to locate

Location services must be turned on and the Sophos Mobile Control app must be allowed to use them.

For Windows Mobile, this rule only affects Windows Phone 8.1 devices.

iOS

Windows Mobile

Firewall required

The macOS firewall must be turned on.

macOS

System Integrity Protection required

System Integrity Protection must be turned on.

Note System Integrity Protection is a macOS security feature that limits the actions the root user can perform. System Integrity Protection can be configured when the Mac starts up from macOS Recovery.

macOS

Security updates required

Automatic installation of macOS security updates must be turned on.

macOS

Allowed apps / Forbidden apps

You can specify either Allowed apps or Forbidden apps. Select the desired option from the first list and then select the app group containing the apps that should be allowed or forbidden from the second list. For information on creating app groups, see App groups.

If you specify Allowed apps, only the listed apps are allowed. If other apps are detected the device will no longer be compliant.
Note Android system apps are automatically allowed.

If you specify Forbidden apps, the device will no longer be compliant if these apps are detected.

For Chrome OS, app groups can contain apps and extensions.

Android

iOS

macOS

Chrome OS

Mandatory apps

Specify apps that must be installed. Select the app group containing the mandatory apps from the list. For information on creating app groups, see App groups.

For Chrome OS, app groups can contain apps and extensions.

Android

iOS

macOS

Windows

Chrome OS

Unmanaged apps from unknown sources allowed

Apps installed manually through an IPA file are allowed.

These are self-developed apps signed with an ad hoc provisioning profile.

iOS

Web Filtering turned on

The Web Filtering feature of Intercept X must be turned on.

iOS

Windows Defender must be turned on

The Windows Defender setting real-time protection must be turned on.

Windows

Clean status from Windows Defender required

Device is not compliant when Windows Defender shows alerts.

Windows

Up-to-date Windows Defender definitions required

Windows Defender must use the latest spyware definitions.

Windows