Skip to content

Available compliance rules

This page lists the compliance rules that you can select for the individual platforms.

Rule Description
Managed required Select actions that will be executed when a device is no longer managed.
Device administrator management allowed Select actions that will be executed for devices where Sophos Mobile is a device administrator.

Device administrator is an obsolete management mode, only available for devices with Android 9 or earlier. We recommend that you migrate devices that use this mode to Android Enterprise. See Migrate from device administrator to Android Enterprise.

Applies to:

  • Android devices
Tamper protection turned off Select actions that will be executed when the Chrome Security policy has been tampered with.

Applies to:

  • Chromebooks
Minimum SMC version The earliest allowed version of the Sophos Mobile Control app.

Applies to:

  • Android devices
  • iPhones and iPads
Minimum Sophos Chrome Security version The earliest allowed version of the Sophos Chrome Security extension.

Applies to:

  • Chromebooks
Root access allowed Select whether devices with root rights are allowed.

This also allows the following devices if they are classified as insecure by the operating system:

  • Sony devices with Enterprise API level 4 or later.
  • Samsung devices with Knox Standard SDK 5.5 (API level 17) or earlier.

Applies to:

  • Android devices
Google SafetyNet compatibility required The device must pass the Compatibility Test Suite (CTS), a Google SafetyNet test for Android compatibility.

Applies to:

  • Android devices
Apps from unknown sources allowed Select whether apps from outside Google Play (Android) or the Chrome Web Store (Chrome OS) are allowed.

Applies to:

  • Android 7.x devices
  • Chromebooks
Android Debug Bridge (ADB) allowed Select whether ADB (Android Debug Bridge) is allowed.

Applies to:

  • Android devices
Allow jailbreak Select whether jailbroken devices are allowed.

Applies to:

  • iPhones and iPads
Screen lock required Select whether a device password or other screen lock mechanism (like pattern or PIN) is required.

For Android, this includes the display lock types Pattern, PIN, and Password, but not Swipe.

Apple User Enrollment devices comply with this rule if the policy that you assign to them contains a Password policies configuration.

Applies to:

  • Android devices
  • iPhones and iPads
  • Windows computers
Minimum OS version The earliest allowed version of the operating system.
Maximum OS version The latest allowed version of the operating system.
Mandatory OS updates Select if devices must have the latest available or the latest critical update installed.

Some updates are classified as critical by Apple. The latest available update might be more recent than the latest critical update.

For iOS 14, iPadOS 14, and later, only supervised devices support this rule.

Apple User Enrollment devices don’t support this rule.

Applies to:

  • iPhones and iPads
Maximum interval between synchronizations The maximum allowed interval at which the device must synchronize with Sophos Mobile.
Maximum interval between SMC synchronizations The maximum allowed interval at which Sophos Mobile Control must synchronize with Sophos Mobile.

Applies to:

  • iPhones and iPads
Maximum interval between Intercept X for Mobile synchronizations The maximum allowed interval at which Sophos Intercept X for Mobile must synchronize with Sophos Mobile.

Applies to:

  • Android devices
  • iPhones and iPads
Maximum interval between Intercept X for Mobile scans The maximum allowed interval at which Sophos Intercept X for Mobile must perform malware scans.

Applies to:

  • Android devices
Intercept X for Mobile permissions can be denied Select whether the device becomes non-compliant if the user denies the app permissions for Sophos Intercept X for Mobile.

We recommend that you set this rule to No when using Web Filtering. With this setting, the device becomes non-compliant when Web Filtering stops working because the user turned off the Sophos Accessibility Service.

Applies to:

  • Android devices
Malware apps allowed Select whether malware apps detected by Sophos Intercept X for Mobile are allowed.

Applies to:

  • Android devices
Suspicious apps allowed Select whether suspicious apps detected by Sophos Intercept X for Mobile are allowed.

Applies to:

  • Android devices
PUAs allowed Select whether Potentially Unwanted Apps (PUAs) detected by Sophos Intercept X for Mobile are allowed.

Applies to:

  • Android devices
Encryption required Select whether encryption is required for devices.

Users must additionally enable the Require PIN to start device or Require Password to start device setting when they set a screen lock. See Sophos knowledge base article 123947.

iPhones and iPads are always encrypted.

For macOS, this setting applies to FileVault full-disk encryption.

Applies to:

  • Android devices
  • Macs
  • Windows computers
Third-party profiles allowed Configuration profiles not managed by Sophos Mobile are allowed.

Apple User Enrollment devices don’t support this rule.

Applies to:

  • iPhones and iPads
Data roaming allowed Data roaming is allowed.

Apple User Enrollment devices don’t support this rule.

Applies to:

  • Android devices
  • iPhones and iPads
Container configured A container must be set up and enabled on the device. This can be a Sophos container, a Samsung Knox container, or an Android work profile.

Applies to:

  • Android devices
Locate permission required This setting refers to the Locate function. Select whether the user has to allow the Sophos Mobile Control app at installation time to retrieve location data in order to be compliant.

Applies to:

  • Android devices
SMC permissions can be denied The Sophos Mobile Control app needs permissions on the device to work properly. The user has to grant these permissions when the app is installed.

Select whether a denial of the required permissions results in a compliance violation.

Applies to:

  • Android devices
App is able to locate Location services must be turned on and the Sophos Mobile Control app must be allowed to use them.

Applies to:

  • iPhones and iPads
Firewall required The macOS firewall must be turned on.

Applies to:

  • Macs
System Integrity Protection required System Integrity Protection must be turned on.

Note System Integrity Protection is a macOS security feature that limits the actions the root user can perform. System Integrity Protection can be configured when the Mac starts up from macOS Recovery.

Applies to:

  • Macs
Security updates required Automatic installation of macOS security updates must be turned on.

Applies to:

  • Macs
Installed apps Select either Allowed apps or Forbidden apps and then select the app group containing the apps you want to allow or forbid.

Android system apps are always allowed.

For Chrome OS, app groups can contain apps and extensions.

Apple User Enrollment devices don’t support this rule.

Applies to:

  • Android devices
  • iPhones and iPads
  • Macs
  • Chromebooks
Mandatory apps Specify apps that must be installed. Select the app group containing the mandatory apps from the list.

For iOS, don’t configure system apps as mandatory. Sophos Mobile can’t tell if a system app is installed and sets all devices as non-compliant.

For Chrome OS, app groups can contain apps and extensions.

Unmanaged apps from unknown sources allowed Apps installed manually through an IPA file are allowed.

These are self-developed apps signed with an ad hoc provisioning profile.

Applies to:

  • iPhones and iPads
Web Filtering turned on The Web Filtering feature of Intercept X for Mobile must be turned on.

Applies to:

  • iPhones and iPads
Windows Defender must be turned on The Windows Defender setting real-time protection must be turned on.

Applies to:

  • Windows computers
Clean status from Windows Defender required Device is not compliant when Windows Defender shows alerts.

Applies to:

  • Windows computers
Up-to-date Windows Defender definitions required Windows Defender must use the latest spyware definitions.

Applies to:

  • Windows computers