Configure NAC support

Prerequisite: You have configured Network Access Control (NAC) in Sophos Mobile Admin.

Unless otherwise noted in the description below, you can find detailed information about each step in the Sophos Mobile administrator help.

To configure network access:

  1. For Sophos Mobile on Premise, log in to the web console with a super administrator account and then enable NAC support.

    From the menu sidebar, go to Setup > Sophos setup > Network Access Control, and then select Web service from the list. For details, see the Sophos Mobile super administrator guide.

    Sophos Mobile also includes product-specific NAC integration for Sophos UTM, Cisco ISE and Check Point. If you use one of these systems, you can select the relevant option from the list. These options also enable the web service interface.

    Note: For Sophos Mobile as a Service, this step is not required. NAC support is always enabled.
  2. Log in to the web console with a standard administrator account.
  3. Configure compliance policies.
    From the menu sidebar, go to Compliance policies and then create or edit compliance policies. For each rule within a compliance policy, you can select the Deny network action to block network access for devices that violate the rule.
  4. Assign the compliance policies to device groups.
    From the menu sidebar, go to Device groups and then create or edit a device group. Assign a compliance policy to the device group. You can select different compliance policies for corporate and personal devices.
  5. Assign devices to device groups.
    From the menu sidebar, go to Devices and then add or edit a device. Under Device group, select the device group that has the relevant compliance policy assigned.
  6. In addition to network access based on compliance policies, you can set the network access status of certain devices to a fixed value.
    From the menu sidebar, go to Devices. Select the devices for which you want to set network access unconditionally. Then click Actions > Set network access and select either Allow or Deny.

When devices synchronize with the Sophos Mobile server, they are checked for compliance. You can also check the current compliance status of all devices by using Check now on the Compliance policies page. If a compliance rule that contains the Deny network action is violated, the network access status of the device is set to Deny.