These are the release notes for Sophos Mobile 9.7. For Sophos Mobile, managed by Sophos Central, see the Sophos Mobile release notes.
View the product documentation at Sophos Mobile.
The Apple User Enrollment management mode is designed for user-owned iPhones and iPads. Enrolling in this mode creates a new volume on the device, where work apps and data are stored, separate from the user’s personal data.
For details, see the Sophos Mobile help.
Customers no longer need to enter a migration token before migrating from Sophos Mobile on-premise to Sophos Central.
For details, see the Sophos Mobile migration guide.
A new setting Show notifications is available for the Android Enterprise Kiosk mode policy, to turn notifications on or off for devices in kiosk mode.
Additional settings are available for the iOS Web content filter policy, to configure integration with third-party web filtering services.
Additional settings are available for the iOS Per App VPN policy, to configure domains that establish a VPN connection when opened in the Calendar, Contacts, or Mail app.
In this version, we end support for several older operating systems. We no longer support the following operating systems:
Additionally, new Android 10 or later devices now need to be enrolled using Android Enterprise. Enrolling these devices using the legacy Device administrator mode will fail.
For details on Google’s deprecation of the Device administrator mode, see this article.
Upgrade to Sophos Mobile 9.7 is supported from version 9.6.
| Product | Version |
|---|---|
| Microsoft Windows Server |
|
| Product | Version |
|---|---|
| OpenJDK | The version included in the Sophos Mobile installer (11.0.11) |
| Product | Version |
|---|---|
| Microsoft SQL Server |
|
| MySQL |
|
These are the requirements for using Sophos Mobile Control (Android, iOS, iPadOS)
or the operating system’s native MDM client (macOS, Windows) with Sophos Mobile.
Other
Sophos Mobile apps (Sophos Secure Email, Sophos Secure Workspace, Sophos Intercept X for Mobile)
might have differing requirements.
For details, see the release notes for each app.
| Platform | Version |
|---|---|
| Android |
|
| iOS |
|
| iPadOS |
|
| macOS |
|
| Windows |
|
| Chrome OS |
|
| Platform | Version | Details |
|---|---|---|
| Android |
Android 5 Android 6 |
No longer supported. |
| iOS | iOS 11 | No longer supported. |
| macOS | macOS 10.13 | No longer supported. |
| Windows |
Windows 10 Enterprise, version 1709 Windows 10 Education, version 1709 Windows 10 Pro, version 1903 Windows 10 Home, version 1903 |
No longer supported. |
| Windows Mobile |
Windows 10 Mobile Windows 10 Mobile Enterprise |
Microsoft ended support for the Windows Mobile 10 operating
system on December 10, 2019. |
The Sophos Mobile Admin and Self Service Portal web consoles support the following web browsers.
| Product | Version |
|---|---|
| Microsoft Internet Explorer | 11 |
| Microsoft Edge | 90 and later |
| Mozilla Firefox | 88 and later |
| Google Chrome | 90 and later |
| Apple Safari | 14 and later |
| Product | Version |
|---|---|
| Microsoft Active Directory | The version provided by the Windows Server operating system. Lightweight Domain Services (AD LDS) aren’t supported. |
| Microsoft Azure AD | The version provided by Microsoft. |
| Zimbra OpenLDAP | The version provided by the Zimbra email system. |
| NetIQ eDirectory | 8.8 SP6 |
| IBM Domino | 8.5.3 |
| 389 Directory Server (open source variant of the Red Hat Directory Server) |
1.3 |
| Product | Version |
|---|---|
| Microsoft Exchange |
|
| IBM Traveler | 9.0 |
| Zimbra | 8.0 |
| Product | Version |
|---|---|
| Microsoft Windows Server |
|
For details on installing the Sophos Mobile server, see the Sophos Mobile installation guide.
For details on enrolling devices with Sophos Mobile using the Sophos Mobile Self Service Portal, see the Sophos Mobile user help.
You can download the product documentation at www.sophos.com/en-us/support/documentation/sophos-mobile.aspx.
| Issue | Description |
|---|---|
| Scheduled tasks |
By default, there are scheduled tasks that stop (at 4:00 am) and restart (at 4:05 am) the Sophos Mobile server. If you want to update Sophos Mobile during that period, turn these tasks off before the update and re-enable them after the update has finished. |
| Changing the server URL after installation |
After changing the server URL using the Configuration Wizard, you need to reactivate the Sophos Mobile standard license. To do this, go to Setup > System setup > License, enter your standard license key in the input field and then click Activate. |
| Issue | Description |
|---|---|
| Some Samsung Knox devices require a restart to turn on Kiosk Mode | You must restart Samsung devices with Knox Standard (formerly called SAFE) SDK version earlier than 5.4 after installing a Kiosk Mode profile. If you don’t, users can stop all running apps in the task manager and switch to the default launcher home screen. |
| Preventing additional device administrators on Samsung Knox devices |
The device ignores the Knox premium restriction Prevent installation of another administrator app on a device if there’s already another device administrator activated. Solution: Make sure Sophos Mobile Control is the only device administrator before you assign the restriction. |
| On Sony devices, it’s not possible to protect or control small apps | Small apps are Sony-specific apps on Sony devices that overlay existing apps. You can’t control or protect these apps with the Sophos Mobile Control app or App Protection. |
| Password reset removed for Device administrator devices with Android 7 and later |
You can’t reset the password for devices running Android 7 or later. This applies to devices where Sophos Mobile is the device administrator. This is because Google removed the Android Enterprise devices aren’t affected. |
| Removing mail accounts from the Android work profile |
When you transfer an Exchange mail account to an Android work profile, the account remains configured in the profile when you remove the policy. You can assign a policy with a different Email configuration to the device. The device always uses the latest Email configuration. However, you can’t remove the configuration from the work profile. Workaround: To remove the configured account, remove the whole Android work profile from the device. |
| No compliance violation “Installation from unknown sources” on Android 8 |
Starting with Android 8, the installation of apps from unknown sources isn’t a device setting. It’s a permission setting for apps that can install other apps. For example, a file manager app. Sophos Mobile can’t check if any third-party app has this permission. Devices with Android 8 ignore the Apps from unknown sources compliance rule. |
| Android Enterprise: Chrome app enabled in work profiles by default |
There’s a known Android issue related to the work profile. Starting with Android 8, the Android internal WebView app is disabled by default. As a result, apps in the work profile that rely on the WebView app might stop working. Google resolved this issue by enabling the Chrome app, which enables the internal WebView app. However, you might not want to allow a browser app in the work profile. For more information regarding this issue, see the Google article https://support.google.com/work/android/answer/7506908. Solution: To disable Chrome in the work profile, use the App Control configuration of your Sophos Mobile Android Enterprise policy. |
| Can’t turn on Factory Reset Protection (FRP) on some Android Enterprise devices |
On some devices capable of Factory Reset Protection (FRP), we’ve noticed an FRP is not supported error when you turn on FRP via Sophos Mobile. This issue isn’t caused by Sophos Mobile. |
| Enrolling Android Enterprise via the Sophos NFC Provisioning app sometimes fails for Chinese |
Some devices fail to enroll as an Android Enterprise fully managed device when you set the language of the Sophos NFC Provisioning app to Chinese. For example, we’ve seen this behavior with Samsung Galaxy A3 devices. Workaround: Use a different language. |
| App Protection and App Control can only control direct interaction through the user interface |
Due to technical limitations of the Android platform, the App Protection and App Control features can only prevent direct interaction with an app through its user interface. Users can still interact with a protected app via other apps like Google Assistant or via Android system functionality. Also, note that App Protection can’t stop interaction with an app that runs in multi-window mode, for example, split-screen, floating windows, or tiny windows. For details, see knowledge base article 135017. |
| Issue | Description |
|---|---|
| When Safari is restricted via a profile, recommended and required apps can’t be installed via an iTunes link | Installing a recommended or required app via an iTunes link on an iOS device requires the Safari web browser. When you restrict Safari, users can’t install recommended and required apps via an iTunes link. |
| Automatic synchronization of the Sophos Mobile Control app against the server doesn’t work reliably |
In some cases, the silent trigger sent by the Sophos Mobile server doesn’t result in automatic background synchronization. Workaround: Let your users synchronize the app manually. |
| Managed Sophos Secure Workspace loses the management status after an upgrade |
In rare cases, Sophos Secure Workspace becomes unmanaged after an update. This is caused by a problem with the iOS mechanism used for managing the app. The managed settings are lost. Workaround: Install the profile again for the device in Sophos Mobile Admin. |
| Single App Mode profile changes don’t affect the device |
Updating an iOS Single App Mode profile doesn’t update all contained settings. The Disable… options are updated correctly. All other options only work on the first installation of the profile. This is an issue in iOS. Workaround: To change the settings, remove and reinstall the profile. |
| Restricting app removal doesn’t work reliably |
On some devices, users can uninstall apps even if you turn off the Allow app removal restriction in the iOS device policy. This is an issue in iOS. |
| Issue | Description |
|---|---|
| Pages layout corrupted after Sophos Mobile update |
Some pages of Sophos Mobile Admin might look corrupted after you’ve updated your installation of Sophos Mobile. Workaround: Clear your browser cache and reload the page. |
| Synchronizing an Android device with an Exchange server |
The Sophos Mobile EAS proxy automatically recognizes Android devices enrolled by the user in the Self Service Portal. When you enroll the device in Sophos Mobile Admin, you must enter the sAMAccountName value in the respective property of the device details view to allow ActiveSync synchronization. This isn’t required for devices registered with a Microsoft Active Directory account and the Self Service Portal or when Sophos Mobile knows the device’s Active Sync ID. The latter applies to devices using Sophos Secure Email or Samsung Knox. |
| Admin console might look corrupted in Internet Explorer |
Internet Explorer might classify the Sophos Mobile Admin console as an intranet site. As a result, the compatibility mode is turned on by default, resulting in a corrupted view and erroneous behavior. Solution: To turn off compatibility mode, clear the Display intranet sites in Compatibility View check box in the Compatibility View settings of Internet Explorer. |
| Plain Exchange ActiveSync traffic is no longer supported using the internal EAS proxy | Exchange ActiveSync traffic without encryption (SSL/TLS) is no longer supported by the internal EAS proxy. |
| Customers having Apple Device Enrollment Program can’t be deleted |
The deletion of customers with Apple DEP profiles configured fails. Solution: To delete those customers, delete the Apple DEP profiles before deleting the customer. |
| Task bundle tasks for profile removal don’t list the current profile names in some cases | When you rename profiles, removal tasks might show the old profile name. |
| Detecting deactivated Defender on Windows 10 computers doesn’t work in some cases | In some cases, Windows 10 computers might be reported as compliant even if Windows Defender is turned off. This is because the compliance rule Defender activated can only check if the Defender service is running. It doesn’t check if real-time protection is turned on. |
| Removing duplicated Android profiles using a task bundle doesn’t work | An Android profile that has been created by using the Duplicate command in an older version of Sophos Mobile can't be removed from devices using a task bundle. |
| Some Windows 10 devices don’t register correctly for push notifications |
Some Windows 10 computers don’t register correctly for the Windows Notification Service (WNS). There’s a time-out of their push registration after 30 days, and the devices fail to renew the registration automatically. Although the Sophos Mobile server enforces the renewal, some devices send the old, invalid push registration information to the Sophos Mobile server when they re-register. As a result, the Sophos Mobile server can't send push notifications to these devices to synchronize the built-in MDM agent. This is a known issue in Windows 10. |
| Accurate server time required to set up Android Enterprise | If the system time of your Sophos Mobile server deviates by more than 15 minutes from accurate time, you can’t set up Android Enterprise using the Managed Google Play Account scenario. This is because the Sophos service that manages Android Enterprise communication classifies the request from your Sophos Mobile server as malicious and rejects it. |
| Number of users invited to Apple VPP at the same time is limited | When you invite too many users to the Apple Volume Purchase Program (VPP) at
once, Apple might reject further requests for a few minutes. We will fix this issue in a future version of Sophos Mobile. Workaround: Reduce the number of users included in the invitation. |
| Android zero-touch enrollment and Samsung Knox Mobile Enrollment not possible with self-signed certificate |
If you use a self-signed SSL/TLS certificate for your Sophos Mobile server, you can’t use Android zero-touch enrollment or Samsung Knox Mobile Enrollment. Solution: Use a certificate issued by a globally trusted certificate authority (CA) instead. |
| Not possible to save HTML-formatted text |
In some cases, you get an Text contains forbidden HTML elements error when you try to save SSP enrollment texts or system messages that contain HTML formatting, although the text you’ve entered is valid. This issue is caused by an error in the HTML parser library. Workaround: Change the font size of underlined text and delete any styling attributes. |
Sophos Mobile 9.7 comes with license reporting. For details, see knowledge base article 120127.
You can find technical support for Sophos products in any of these ways:
Copyright © 2022 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.