Configure Network Access Control

Sophos Mobile includes an interface to third-party Network Access Control (NAC) systems. By configuring connections to NAC systems, you allow them to obtain a list of devices and their compliance states. Also, when you configure Network Access Control as described in this section, you can later define a compliance policy that denies network access when certain compliance rules are violated.

For information on how to define compliance policies, see the administrator help.

To configure Network Access Control:
  1. On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the Network Access Control tab.
  2. Select one of the available NAC integrations from the list:
    • Sophos UTM

      This option enables Sophos UTM integration (for version 9.2 and higher). The integration requires you to set the SMC server URL and admin user credentials in the WebAdmin interface of Sophos UTM, under Management > Sophos Mobile. For details, see the Sophos UTM administration guide.

    • Cisco ISE

      This option enables Cisco ISE integration. Configure the following settings:

      User name

      The user name that has to be specified in Cisco ISE. It is used by Cisco ISE to log in to Sophos Mobile.

      Password

      Enter a password for logging in to Sophos Mobile.

      Password confirmation

      Repeat the password.

      Redirection page for blocked devices

      A URL to which devices are redirected if they are not allowed to access the network.

      We recommend that you use the URL of Sophos Mobile Self Service Portal or of an information page with a link to Sophos Mobile Self Service Portal.

      On Cisco ISE, you must configure the relevant settings so that it uses the URL of the Sophos Mobile server and the credentials that you entered here when connecting to the NAC interface.

    • Check Point

      This option enables Check Point integration (for version R77.10 and higher). Configure the following settings:

      User name

      The user name that has to be specified in Check Point. It is used by Check Point to log in to Sophos Mobile.

      Password

      Enter a password for logging in to Sophos Mobile.

      Password confirmation

      Repeat the password.

      In the Check Point Mobile Access Gateway, you must configure some specific settings, as described in the Check Point Support Center article MDM cooperative enforcement for Mobile clients.

    • Web service

      This option allows you to connect a third-party NAC system to the web service interface.

      Sophos Mobile offers a RESTful web service interface that delivers MAC addresses and network access status of the managed devices.

      A third-party NAC system can connect to that interface by using the login credentials of a Sophos Mobile administrator account.

      For implementation details of the web service interface, see the Network Access Control interface guide.

    • Custom

      This option allows you to configure certificate-based access to the NAC interface.

      Note: The legacy Custom option is deprecated and will be removed in a future release. Use the Web service option instead to connect a third-party NAC system to Sophos Mobile.

      Click Upload a file and navigate to the certificate of the third-party NAC system. The certificate is uploaded and displayed in a table.

      A third-party NAC system that presents the certificate to the Sophos Mobile server will gain access to the NAC interface.

  3. On the Network Access Control tab, click Save.