Sophos Mobile Control 6 - Release Notes

Sophos Mobile Control platforms

Supported platforms

Detailed version

Operation system

Version

Windows Server 2008 64 bit

SP 1

Windows Server 2008 R2 64 bit

SP 1

Windows Server 2012 (64 bit)

 

Windows Server 2012 (64 bit) R2

 

Java JDK version

Version

JDK 8 (delivered with the installer)

8u66

Database version

Version

Microsoft SQL Server 2008 (32/64 bit)

SP 3

Microsoft SQL Server 2008 R2 (64 bit)

SP 2

Microsoft SQL Server 2012 (64) bit)

SP 1

Microsoft SQL Server 2014 Express

SP 1

MySQL

5.6

Mobile operation system

Version

Apple iOS

7.x

8.x

9.x

Android

4.0.3 or higher (tablets and smartphones)

5.0 or higher

6.0 or higher

Windows Phone 8

 

Windows 10 Mobile

8.0.x  

8.1.x

10.x

Browser

Version

Internet Explorer

9, 10, 11

Edge (Microsoft) 

10

Mozilla Firefox

30 or higher

Google Chrome

35 or higher

Directory servers

Version

Microsoft ActiveDirectory

As included in the Windows Server versions above.

Only Active Directory Domain Services, no AD LDS support

OpenLDAP

As provided by the Zimbra server below

Novell eDirectory

8.8 SP 6

Lotus Domino

8.5.3

Email systems

Version

Microsoft Exchange

2003 SP2

2007 SP3

2010 SP3

2013

Lotus Domino Traveler

9.0

Zimbra

8.0

CA server

Version

Windows Server 2008 32/64 bit

SP1

Windows Server 2008 R2 64 bit

SP1

Windows Server 2012 64 bit

Latest SP

Windows Server 2012 R2 64 bit

Latest SP

Note: The multi user feature available on some of the Android 4.2 devices is not fully supported. If the 4.2 multi user feature is used on a device, only the first user that is registered in Sophos Mobile Control can be managed.

Note: Sophos supports only official Android versions. Sophos does not guarantee that the SMC Android client is working with all the different custom roms available.

What’s new in version 6

For further information, see https://community.sophos.com/kb/122938

Installation

For details on installing the Sophos Mobile Control Server, refer to the Sophos Mobile Control installation guide. For details on installing and setting up Sophos Mobile Control on end user devices by using the Sophos Mobile Control Self Service Portal, refer to the Sophos Mobile Control user guides for Android, Apple iOS, Windows Phon and Windows Mobile. You can download the product documentation at http://www.sophos.com/en-us/support/documentation/mobile-control.aspx.

License reporting

Sophos Mobile Control 6.0 comes with license reporting. For further information, see http://www.sophos.com/en-us/support/knowledgebase/120127.aspx.

Known issues

Setup

Scheduled tasks

If you are planning to do the update to SMC 5 overnight please disable the scheduled tasks to stop and restart the SMC server (default: 4:00 am and 4:05 am) if those times could interfere with the update and migration procedure. You can re-enable them after the update is finished.

Sophos Mobile Control license in a folder with Japanese characters in the folder name (DEF85338)

If the Sophos Mobile Control license file is placed in a folder with Japanese characters in the name for installation, the installation process fails.

Changing the server URL post-installation

After changing the URL of the server using the Configuration Wizard the SMC standard license needs to be reactivated. To do so go to Setup – System setup – License, enter your standard license key in the input field and click “Activate”.

End user device

Android

On some SAMSUNG SAFE devices removing an Android profile with a certificate does not remove the certificate from the device

On some SAMSUNG SAFE devices (e.g. seen on a Samsung S3 mini with Android 4.1.2) installing a Root-certificate via a profile works fine without any issues. If the profile is removed again from the device via the Sophos Mobile Control console the devices synchronizes with the server but the certificate itself is not removed from the device. This is an issue of the Samsung API that according to Samsung will be fixed within the next Android (Kitkat) upgrade of affected devices, e.g. Samsung S3 mini with Android 4.1.2

On some SAMSUNG SAFE devices it is not possible to add a profile with a root certificate

On some SAMSUNG SAFE devices (e.g. seen on a Samsung Galaxy S2 with Android 4.0.3) installing a root certificate via a profile does not work. This is an issue of the Samsung API where a call to a Samsung API returns success although the root certificate could not be installed on the device. 

On some SAMSUNG SAFE devices it is not possible to remove the VPN profile from the device

On some SAMSUNG SAFE devices (e.g. seen on a Samsung Galaxy S2 with Android 4.0.3) removing a VPN profile via the SMC admin does not work. This is an issue on the Samsung API on the device where removing the profile via a call to the Samsung API succeeds although the VPN profile is actually not removed on the device. 

On some SAMSUNG SAFE devices a WiFi configuration is transferred to the device but when connecting to the WiFi the user gets an error message "Failed to connect to network" 

On some SAMSUNG SAFE devices (e.g. seen on a Samsung S3 mini with Android 4.1.2) WiFi configuration are installed correctly but when the user connecting to the WiFi does not work giving the user an error message "Failed to connect to network". This is an issue of the Samsung API that according to Samsung will be fixed within the next Android (Kitkat) upgrade of affected devices, e.g. Samsung S3 mini with Android 4.1.2

Baidu push service does not work on Android M+ devices

The current Baidu library used by the Sophos Mobile Control client basically does not offer support of Android 6+. Furthermore, Android 6+ introduces new features (App-doze and stand-by mode) that impact the receiving of push notifications and that are not supported by the Baidu library.

iOS

When use of Safari (iOS Browser) is restricted via a profile recommended and required apps cannot be installed via an iTunes link

Installing a recommended or required app via an iTunes link on an iOS device requires the use of Safari. If the use of Safari is restricted, recommended and required apps cannot be installed via an iTunes link.

Automatic synchronization of the SMC app against the server does not work reliably

In some cases the silent trigger sent by the SMC server does not result in an automatic background synchronization. In those cases the user can still synchronize the app manually.

Managed Sophos Secure Workspace looses the management status after upgrade of app

When upgrading a Sophos Secure Workspace for iOS app that is already managed by Sophos Mobile Control it may happen in very rare cases that Sophos Secure Workspace is no more managed on the device. This is caused by an undefined behavior of the Apple iOS mechanism used for managing the app: the managed settings get lost. Installing the profile again for the device from the Sophos Mobile Control admin takes the app under management again.

Single app mode profile changes do not affect the device

Updating an iOS Single App Mode profile does not update all contained settings. The "disable…" options are updated correctly. All other options only work on the first installation of the profile. For switching those settings the profile has to be removed and installed again. This is an issue in Apple iOS.

Windows Phone

Windows Phone 8.1 devices < GDR1 do not set Exchange account names correctly

Windows Phone devices running 8.1 < GDR1 do not use the Exchange account display name as configured. Instead, they just use a numbering scheme. This display issue does not affect the actual synchronization. Newer Windows Phone 8.1 versions use the name as configured.

A "no passcode" compliance violation is reported although a passcode is set on the device

The “password required” compliance rule does not work correctly for Windows Phone devices if no passcode policy is enforced by SMC. The devices do not report a passcode being set if the user does this without being forced to by a policy. This is an issue in Windows Phone.

SafeSearch restriction

The Windows Phone 8.1 restriction “SafeSearch permission” is not working correctly. Due to an issue in Windows Phone 8.1 the restriction is ignored on the device and defaults to “moderate”.

Windows 10 Mobile devices cannot be checked for compliance rule "Data roaming allowed"

On devices that run Windows 10 Mobile, Sophos Mobile Control cannot check for compliance with the "Data roaming allowed" rule because the operating system does not provide the Sophos Mobile Control app with the relevant information. When you forbid data roaming, a Windows 10 Mobile device with data roaming enabled is still reported as compliant.

Sophos Mobile Control Web Console

Email settings are already included in iOS container policy

Although Sophos Secure Email for iOS has not yet been released yet, the Sophos container policy for iOS already includes a Corporate Email section to configure settings that are relevant to Sophos Secure Email. These settings will have no effect as long as the app is unavailable on the Apple App Store. When the app becomes available, the settings will apply to Sophos Secure Email automatically.

Synchronizing an Android device with an Exchange Server

Android devices are automatically enabled through EAS Proxy, if the device was registered with the Self Service Portal. If an administrator has added the phone to Sophos Mobile Control, it is required to enter the sAMAccountName in the respective property of the device details view to make ActiveSync synchronization possible. If devices are registered with an LDAP entry and SSP, this is not necessary (this only applies to Microsoft ActiveDirectory).

Password fields may look corrupted in Internet Explorer 10

When entering a password, e.g. in an Exchange email configuration, it may happen that the password is cut off and not all asterisks are shown. The user can still enter any password, although the control does not show the right amount of characters entered. This is caused by a bug in the web control within the standard framework used by Sophos Mobile Control. 

Blocking of email access (DEF76982)

If several Android devices are registered for the same user in the Self Service Portal and email access is blocked for one of the devices, access is blocked for another device, not for the one intended. This problem is caused by limitations in the Android operating system.

Web Console may look corrupted in Internet Explorer

Internet Explorer may classify the Web Console as an intranet site. As a result, compatibility mode is activated by default which results in a corrupted view and erroneous behavior. This browser feature can be disabled in the Compatibility View Settings of Internet Explorer by unchecking “Display intranet sites in Compatibility View”.

Android device support of the restriction to force encryption is not labelled correctly

In the Web Console the restriction "Force encryption" in Android device profiles is labelled with support for just SONYv1+. It is still also supported on 4.0+ but the label is missing in the Web Console.

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2015 Sophos Ltd. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.