Configure LDAP connection

If you’ve set up federated authentication, you can configure an LDAP connection between Sophos Mobile and Azure Active Directory (Azure AD). You must do this if you want to use Apple DEP, Google zero-touch, or Samsung KME, because those enrollment flows authenticate the user against the directory.

The following devices enroll automatically with Sophos Mobile when users set them up:

  • iPhones, iPads, and Macs registered for the Apple device enrollment program (DEP)
  • Android devices registered for Google zero-touch enrollment
  • Samsung Android devices registered for Knox Mobile Enrollment (KME)

During the enrollment process, Sophos Mobile connects to Azure AD to authenticate the user.

To configure an LDAP connection:

  1. On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the LDAP connection tab.
  2. Click Configure external LDAP.
  3. On the Server details page, configure the following settings:
    1. In the Primary URL field, enter the IP address or name of the primary directory server.
      The server must support LDAPS (LDAP over SSL/TLS). Because the connection is over TLS, prefer the DNS name the server’s certificate was issued to; use an IP address only if the certificate also lists that address as a subject alternative name, otherwise the name won’t validate against the certificate.
    2. (Optional) In the Secondary URL field, enter the IP address or name of a directory server Sophos Mobile uses as fallback in case the primary server isn’t available.
    3. In the User and Password fields, enter the credentials Sophos Mobile uses to authenticate with the LDAP server.

      Use one of the following formats:

      • <domain>\<user name>
      • <user name>@<domain>.<domain code>
      Note

      For security reasons, use a dedicated account that has no write permissions for the directory. Sophos Mobile only needs to look up and authenticate users, so a read-only account limits what an attacker could do with these stored credentials.

  4. On the Search base page, enter the distinguished name (DN) of the search base object.
    The search base object defines the location in the directory from which the LDAP search begins.
  5. Click Apply.
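Before clicking Apply, it is worth checking the values you are about to enter. The script below is an added example, not part of this page or of Sophos Mobile; the host name dc1.example.com, the account EXAMPLE\svc-sophos-ldap and the search base OU=Users,DC=example,DC=com are constructed sample values. It rejects a URL that is not LDAPS, warns when the server is given as an IP address the certificate may not cover, checks the user against the two accepted formats, parses the search base DN and, if you call live_bind with real values, performs one LDAPv3 simple bind over LDAPS with certificate and host-name verification left on, returning the server’s result code (0 for success, 49 for invalidCredentials).

```python
"""Preflight for the "Configure external LDAP" form values (added example, not Sophos code).
Offline checks on the URL, bind account and search base, plus one optional real LDAPS simple
bind with the same credentials, so a wrong scheme, an unverifiable certificate or a wrong
password surfaces before you click Apply. All sample values are constructed."""
import ipaddress
import re
import socket
import ssl
from urllib.parse import urlsplit

def _parts(url):                                     # a bare host name is taken as ldaps://host
    return urlsplit(url if "://" in url else "ldaps://" + url)

def url_problem(url):
    """None if url is an acceptable ldaps://host[:port], otherwise what a reviewer would flag."""
    parts = _parts(url)
    if parts.scheme != "ldaps" or not parts.hostname:
        return f"{url!r} is not ldaps://host[:port]; the server must speak LDAPS"
    try:
        ipaddress.ip_address(parts.hostname)
    except ValueError:
        return None                                  # a DNS name, which TLS matches against the certificate
    return (f"{parts.hostname} is an IP address; use the DNS name on the server certificate "
            "unless the certificate also lists this IP as a subjectAltName")

def valid_bind_user(user):
    """The two accepted formats: <domain>\\<user name> or <user name>@<domain>.<domain code>."""
    return bool(re.fullmatch(r"[^\\/@\s]+\\[^\\/@\s]+", user)
                or re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s.]+", user))

def parse_dn(dn):
    """Split a distinguished name into (ATTR, value) pairs; raise if it is not one."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):           # '\,' inside a value is not a separator
        m = re.fullmatch(r"\s*([A-Za-z][A-Za-z0-9.-]*)=(.+)", rdn)
        if not m:
            raise ValueError(f"{dn!r}: {rdn!r} is not attribute=value")
        pairs.append((m.group(1).upper(), m.group(2).strip()))
    return pairs

def form_problems(primary_url, user, base_dn):
    """Everything worth fixing before Apply; an empty list means the values look sane."""
    problems = [f"Primary URL: {p}" for p in [url_problem(primary_url)] if p]
    if not valid_bind_user(user):
        problems.append(f"User: {user!r} is neither DOMAIN\\user nor user@domain.tld")
    try:
        parse_dn(base_dn)
    except ValueError as e:
        problems.append(f"Search base: {e}")
    return problems

# Minimal LDAPv3 simple bind (RFC 4511, BER-encoded): enough to test the credentials over TLS.
def _ber(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload

def _ber_int(v):                                     # non-negative INTEGER, minimal two's complement
    return _ber(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def bind_request(msg_id, user, password):
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, name, simple [0] password } }."""
    bind = _ber(0x60, _ber_int(3) + _ber(0x04, user.encode()) + _ber(0x80, password.encode()))
    return _ber(0x30, _ber_int(msg_id) + bind)

def _tlv(buf, pos):                                  # one BER tag-length-value -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    """Return (resultCode, diagnosticMessage): 0 = success, 49 = invalidCredentials."""
    _, body, _ = _tlv(msg, 0)                        # LDAPMessage SEQUENCE
    _, _, pos = _tlv(body, 0)                        # messageID
    tag, op, _ = _tlv(body, pos)
    if tag != 0x61:                                  # BindResponse is [APPLICATION 1]
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _tlv(op, 0)                       # ENUMERATED resultCode
    _, _, pos = _tlv(op, pos)                        # matchedDN
    _, diag, _ = _tlv(op, pos)                       # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def live_bind(url, user, password, cafile=None):     # chain and host-name verification stay on
    parts = _parts(url)
    host, port = parts.hostname, parts.port or 636
    ctx = ssl.create_default_context(cafile=cafile)  # private CA? pass cafile, do not disable checks
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, user, password))
        f = tls.makefile("rb")                       # blocking reads of exact sizes
        head = f.read(2)
        length = head[1]
        if length & 0x80:                            # long-form length on the response
            extra = f.read(length & 0x7F)
            head, length = head + extra, int.from_bytes(extra, "big")
        return parse_bind_response(head + f.read(length))
```

Call form_problems with the three form values first; an empty list means they pass the offline checks. Then call live_bind with the real password: a result of 49 means the directory rejected the credentials, while an SSL error raised before any LDAP traffic means the chain or host name did not validate, which points at the certificate rather than the account. Fix that by passing your private CA bundle as cafile, never by turning verification off.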