Available compliance rules
This page lists the compliance rules that you can select for the individual platforms.
| Rule | Description |
|---|---|
| Managed required | Select actions that will be executed when a device is no longer managed. |
| Device administrator management allowed | Select actions that will be executed for devices where Sophos Mobile is a device administrator. Device administrator is an obsolete management mode, only available for devices with Android 9 or earlier. We recommend that you migrate devices that use this mode to Android Enterprise. See Migrate from device administrator to Android Enterprise. Applies to:
|
| Tamper protection turned off | Select actions that will be executed when the Chrome Security policy has been tampered with. Applies to:
|
| Minimum SMC version | The earliest allowed version of the Sophos Mobile Control app. Applies to:
|
| Minimum Sophos Chrome Security version | The earliest allowed version of the Sophos Chrome Security extension. Applies to:
|
| Root access allowed | Select whether devices with root rights are allowed. This also allows the following devices if they are classified as insecure by the operating system:
Applies to:
|
| Apps from unknown sources allowed | Select whether apps from outside Google Play (Android) or the Chrome Web Store (Chrome OS) are allowed. Applies to:
|
| Android Debug Bridge (ADB) allowed | Select whether ADB (Android Debug Bridge) is allowed. Applies to:
|
| Allow jailbreak | Select whether jailbroken devices are allowed. Applies to:
|
| Screen lock required | Select whether a device password or other screen lock mechanism (like pattern or PIN) is required. For Android, this includes the display lock types Pattern, PIN, and Password, but not Swipe. Apple User Enrollment devices comply with this rule if the policy that you assign to them contains a Password policies configuration. Applies to:
|
| Minimum OS version | The earliest allowed version of the operating system. |
| Maximum OS version | The latest allowed version of the operating system. |
| Mandatory OS updates | Select if devices must have the latest available or the latest critical update installed. Some updates are classified as critical by Apple. The latest available update might be more recent than the latest critical update. Applies to:
|
| Maximum interval between native MDM agent synchronizations | The maximum allowed interval at which the operating system’s Mobile Device Management (MDM) software must synchronize with Sophos Central. Applies to:
|
| Maximum interval between SMC synchronizations | The maximum allowed interval at which Sophos Mobile Control must synchronize with Sophos Central. Applies to:
|
| Maximum interval between Intercept X for Mobile synchronizations | The maximum allowed interval at which Sophos Intercept X for Mobile must synchronize with Sophos Central. Applies to:
|
| Maximum interval between Sophos Chrome Security synchronizations | The maximum allowed interval at which Sophos Chrome Security must synchronize with Sophos Central. Applies to:
|
| Maximum interval between Intercept X for Mobile scans | The maximum allowed interval at which Sophos Intercept X for Mobile must perform malware scans. Applies to:
|
| Intercept X for Mobile permissions can be denied | Select whether the device becomes non-compliant if the user denies the app permissions for Sophos Intercept X for Mobile. We recommend that you set this rule to No when using Web Filtering. With this setting, the device becomes non-compliant when Web Filtering stops working because the user turned off the Sophos Accessibility Service. Applies to:
|
| Malware apps allowed | Select whether malware apps detected by Sophos Intercept X for Mobile are allowed. Applies to:
|
| Suspicious apps allowed | Select whether suspicious apps detected by Sophos Intercept X for Mobile are allowed. Applies to:
|
| PUAs allowed | Select whether Potentially Unwanted Apps (PUAs) detected by Sophos Intercept X for Mobile are allowed. Applies to:
|
| Encryption required | Select whether encryption is required for devices. Users must additionally enable the Require PIN to start device or Require Password to start device setting when they set a screen lock. See Encryption is not active on Android devices. iPhones and iPads are always encrypted. For macOS, this setting applies to FileVault full-disk encryption. Applies to:
|
| Third-party profiles allowed | Configuration profiles not managed by Sophos Mobile are allowed. Applies to:
|
| Data roaming allowed | Data roaming is allowed. Applies to:
|
| Container configured | A container must be set up and enabled on the device. This can be a Sophos container, a Samsung Knox container, or an Android work profile. Applies to:
|
| Locate permission required | This setting refers to the Locate function. Select whether the user has to allow the Sophos Mobile Control app at installation time to retrieve location data in order to be compliant. Applies to:
|
| SMC permissions can be denied | The Sophos Mobile Control app needs permissions on the device to work properly. The user has to grant these permissions when the app is installed. Select whether a denial of the required permissions results in a compliance violation. Applies to:
|
| App is able to locate | Location services must be turned on and the Sophos Mobile Control app must be allowed to use them. Applies to:
|
| Firewall required | The macOS firewall must be turned on. Applies to:
|
| System Integrity Protection required | System Integrity Protection must be turned on. Note System Integrity Protection is a macOS security feature that limits the actions the root user can perform. System Integrity Protection can be configured when the Mac starts up from macOS Recovery. Applies to:
|
| Security updates required | Automatic installation of macOS security updates must be turned on. Applies to:
|
| Installed apps | Select either Allowed apps or Forbidden apps and then select the app group containing the apps you want to allow or forbid. Android system apps are always allowed. For Chrome OS, app groups can contain apps and extensions. Applies to:
|
| Mandatory apps | Specify apps that must be installed. Select the app group containing the mandatory apps from the list. For iOS, don’t configure system apps as mandatory. Sophos Mobile can’t tell if a system app is installed and sets all devices as non-compliant. For Chrome OS, app groups can contain apps and extensions. |
| Unmanaged apps from unknown sources allowed | Apps installed manually through an IPA file are allowed. These are self-developed apps signed with an ad hoc provisioning profile. Applies to:
|
| Web Filtering turned on | The Web Filtering feature of Intercept X for Mobile must be turned on. Applies to:
|
| Windows Defender must be turned on | The Windows Defender setting real-time protection must be turned on. Applies to:
|
| Clean status from Windows Defender required | Device is not compliant when Windows Defender shows alerts. Applies to:
|
| Up-to-date Windows Defender definitions required | Windows Defender must use the latest spyware definitions. Applies to:
|