Create compliance policy

  1. On the menu sidebar, under CONFIGURE, click Compliance policies.
  2. On the Compliance policies page, click Create compliance policy, and then select the template the policy will be based on:
    • Default template: A selection of compliance rules, with no actions defined.
    • PCI template, HIPAA template: Compliance rules and actions based on the PCI DSS and the HIPAA security standards, respectively.
    Your choice of template doesn’t restrict your subsequent configuration options.
  3. Enter a name and, optionally, a description for the compliance policy.

Repeat the following steps for all required platforms.

  1. Make sure that the Enable platform check box on each tab is selected.
    If this check box is not selected, devices of that platform are not checked for compliance.
  2. Under Rule, configure the compliance rules for the particular platform.
    Note: Each compliance rule has a fixed severity level (high, medium, low) that is depicted by a blue icon. The severity helps you to assess the importance of each rule and the actions you should implement when it is violated.
    Note: For devices where Sophos Mobile manages the Sophos container instead of the whole device, only a subset of compliance rules is applicable. In Highlight rules, select a management type to highlight the rules that are relevant.
  3. Under If rule is violated, define the actions that will be taken when a rule is violated:
    • Deny email: Forbid email access.
      This action can only be taken if the super administrator has configured a connection to the internal or to the standalone EAS proxy. See the Sophos Mobile super administrator guide.
      This action is only available for Android, iOS, Windows and Windows Mobile devices.
    • Lock container: Disable the Sophos Secure Workspace and Secure Email apps. This affects document, email and web access that is managed by these apps.
      This action can only be taken when you have activated a Mobile Advanced license.
      This action is only available for Android and iOS devices.
    • Deny network: Forbid network access.
      This action can only be taken if the super administrator has configured Network Access Control. See the Sophos Mobile super administrator guide.
      This action is not available for devices where Sophos Mobile only manages the Sophos container.
    • Create alert: Trigger an alert.
      The alerts are displayed on the Alerts page.
    • Transfer task bundle: Transfer a specific task bundle to the device.
      Select a task bundle from the list, or select None to transfer no task bundle when the compliance rule is violated.
      This action is only available for Android, iOS, macOS and Windows devices.
      CAUTION: When used incorrectly, task bundles may misconfigure or even wipe devices. To assign the correct task bundles to compliance rules, an in-depth knowledge of the system is required.
    Note: When an Android Enterprise fully managed device becomes non-compliant, all apps are disabled.
  4. When you have made the settings for all required platforms, click Save to save the compliance policy under the name that you specified.