Skip to content

Management modes

Depending on the device type, there are different management modes. You select the management mode when you enroll a device with Sophos Mobile.

Android devices

Sophos Mobile supports the following management modes for Android devices.

Android Enterprise full device

Sophos Mobile can monitor and manage all settings, apps, and data.

See Android Enterprise.

Android Enterprise work profile

Sophos Mobile can only monitor and manage settings, apps, and data within the work profile. You can use this mode for devices owned by the user, that is, for a Bring Your Own Device (BYOD) scenario.

See Android Enterprise.

Android Enterprise dedicated device

Devices are locked to a single app or a set of apps. You can use this mode for devices that serve a specific purpose, for example, a kiosk application.

Sophos Mobile doesn’t use a separate management mode for Android Enterprise dedicated devices. You enroll the device as an Android Enterprise fully managed device and assign it a Kiosk mode configuration.

See Kiosk mode configuration (Android Enterprise device policy).

Android device administrator

This is a legacy management mode. We recommend that you unenroll any devices still using this mode and re-enroll them in an Android Enterprise mode.

You can’t use the device administrator mode for devices with Android 10 or later.

Sophos container

Use this mode to manage the Sophos Secure Workspace and Sophos Secure Email apps.

There’s also a Sophos container policy to manage Sophos Secure Workspace and Sophos Secure Email when the device uses one of the other management modes.

See Sophos container.

Mobile Threat Defense

Sophos Mobile manages Sophos Intercept X for Mobile on the device, protecting the device against malware and other mobile threats.

See Mobile Threat Defense with Sophos Intercept X for Mobile.

iPhones and iPads

Sophos Mobile supports the following management modes for iPhones and iPads.

Apple Device Enrollment

Sophos Mobile manages the whole device.

Apple User Enrollment

Use this mode for devices owned by the user, that is, for a Bring Your Own Device (BYOD) scenario.

In addition to the user’s Apple ID, the device gets another Apple ID owned by your organization (Managed Apple ID). Sophos Mobile can only monitor and manage settings, apps, and data of the Managed Apple ID.

Apple User Enrollment requires iOS 13, iPadOS 13, or later.

You can’t enroll supervised devices in Apple User Enrollment management mode.

See Apple User Enrollment.

Sophos container

Use this mode to manage the Sophos Secure Workspace and Sophos Secure Email apps.

There’s also a Sophos container policy to manage Sophos Secure Workspace and Sophos Secure Email when the device uses one of the other management modes.

See Sophos container.

Mobile Threat Defense

Sophos Mobile manages Sophos Intercept X for Mobile on the device, protecting the device against malware and other mobile threats.

See Mobile Threat Defense with Sophos Intercept X for Mobile.

Macs

Sophos Mobile uses only one management mode for Macs, but there are two policy types:

  • Device policy: A device policy applies to all users that sign in to the Mac.
  • User policy: A user policy applies to the user who has enrolled the Mac with Sophos Mobile and to users from your LDAP directory with an account for Sophos Mobile Self Service Portal.

See About macOS policies.

Windows computers

For Windows computers, Sophos Mobile uses a single management mode, Device.

Chrome devices

For Chromebooks and other Chrome devices, Sophos Mobile uses a single management mode, Sophos Chrome Security. This mode lets you manage Sophos Chrome Security on the device.

See Sophos Chrome Security.