Configure network access

Before you can configure network access for a device, Network Access Control (NAC) must be enabled in Sophos Mobile.

For Sophos Mobile on Premise, NAC is enabled by the super administrator. See the Sophos Mobile super administrator guide.

For Sophos Mobile as a Service, NAC is always enabled.

There are two options to configure network access for a device:

  1. Allow or deny network access unconditionally.
  2. Disable network access when the device violates a compliance rule, and enable it otherwise.

Note: Sophos Mobile does not control the network access by itself. Instead, it provides a Deny network status that can be used by external NAC software like Sophos UTM to block network communication.

Note: Network Access Control is not possible for Macs connected via Ethernet. Sophos Mobile can only retrieve the MAC address of a Mac’s Wi-Fi network adapter, not that of its Ethernet adapter. Because devices are identified by their MAC address, a Mac connected to the network via its Ethernet port is treated as an unknown device when your external NAC software asks Sophos Mobile for the device’s network status.

To configure network access for a device:

  1. On the menu sidebar, under MANAGE, click Devices.
  2. On the Devices page, select the devices for which you want to set the network access mode.
  3. Click Actions, and then click Set network access.
  4. Select the network access mode:
    • Allow: Network access for the selected devices is allowed.
    • Deny: Network access for the selected devices is denied.
    • Auto mode: Network access for the selected devices is based on the compliance status of the devices.
  5. Click Yes to save the changes.

Note: You can’t deny network access for devices where Sophos Mobile only manages the Sophos container.

For information on how to configure network access in compliance rules, see Create compliance policy.