Sophos Mobile Control 6.1 release notes

Sophos Mobile Control platforms

Note: The multi user feature available on some devices running Android 4.2 is not fully supported. If the 4.2 multi user feature is used on a device, only the first user that is registered in Sophos Mobile Control can be managed.

Note: Sophos supports only official Android versions. Sophos does not guarantee that the SMC Android client is working with all the different custom ROMs available.

What’s new in version 6.1

For further information, see https://community.sophos.com/kb/123975.

Installation

For details on installing the Sophos Mobile Control server, refer to the Sophos Mobile Control installation guide. For details on installing and setting up Sophos Mobile Control on end user devices by using the Sophos Mobile Control Self Service Portal, refer to the Sophos Mobile Control user help. You can download the product documentation at http://www.sophos.com/en-us/support/documentation/mobile-control.aspx.

License reporting

Sophos Mobile Control 6.1 comes with license reporting. For further information, see http://www.sophos.com/en-us/support/knowledgebase/120127.aspx.

Known issues

Setup

Scheduled tasks

Sophos Mobile Control license in a folder with Japanese characters in the folder name (DEF85338)

If the Sophos Mobile Control license file is placed in a folder with Japanese characters in the name for installation, the installation process fails.

Changing the server URL post-installation

After changing the URL of the server using the Configuration Wizard the SMC standard license needs to be reactivated. To do so, go to Setup>System setup>License, enter your standard license key in the input field and then click “Activate”.

End user device

Android

On some SAMSUNG SAFE devices removing an Android profile with a certificate does not remove the certificate from the device

On some SAMSUNG SAFE devices (e.g. seen on a Samsung S3 mini with Android 4.1.2), installing a root certificate via a profile works fine without any issues. If the profile is removed again from the device via the Sophos Mobile Control web console, the devices synchronizes with the server but the certificate itself is not removed from the device. This is an issue of the Samsung API. According to Samsung, the issue will be fixed by the next Android (Kitkat) upgrade of affected devices, e.g. Samsung S3 mini with Android 4.1.2.

On some SAMSUNG SAFE devices it is not possible to add a profile with a root certificate

On some SAMSUNG SAFE devices (e.g. seen on a Samsung Galaxy S2 with Android 4.0.3), installing a root certificate via a profile does not work. This is an issue of the Samsung API where a call to a Samsung API returns success although the root certificate could not be installed on the device. 

On some SAMSUNG SAFE devices it is not possible to remove the VPN profile from the device

On some SAMSUNG SAFE devices (e.g. seen on a Samsung Galaxy S2 with Android 4.0.3), removing a VPN profile via the SMC admin does not work. This is an issue on the Samsung API on the device where removing the profile via a call to the Samsung API succeeds although the VPN profile is actually not removed on the device. 

On some SAMSUNG SAFE devices a Wi-Fi configuration is transferred to the device but when connecting to the Wi-Fi the user gets an error message "Failed to connect to network" 

On some SAMSUNG SAFE devices (e.g. seen on a Samsung S3 mini with Android 4.1.2), Wi-Fi configuration are installed correctly but when the user connecting to the Wi-Fi does not work giving the user an error message "Failed to connect to network". This is an issue of the Samsung API. According to Samsung, the issue will be fixed by the next Android (Kitkat) upgrade of affected devices, e.g. Samsung S3 mini with Android 4.1.2

Baidu push service does not work on devices with Android 6.0 or higher

The current Baidu library used by the Sophos Mobile Control client basically does not offer support of Android 6 or higher. Furthermore, Android 6 introduces new features (App-doze and stand-by mode) that impact the receiving of push notifications and that are not supported by the Baidu library.

On Sony devices it is not possible to use VPN profiles with L2TP/IPSec PSK  

On Sony devices it is not possible to configure VPN profiles with L2TP/IPSec PSK with some VPN servers (for example Sophos UTM). 

Allow Fingerprint setting in the General payload of a Sophos container policy has no effect

Currently due to technical limitations, the Sophos container apps do not support fingerprint for logon. Therefore, the setting in the General payload of a Sophos container policy currently has no effect. With upcoming releases of the Sophos Secure Workspace and Sophos Secure Email, fingerprint will be supported for logon and the SMC payload setting will be applied.

iOS

When use of Safari (iOS Browser) is restricted via a profile, recommended and required apps cannot be installed via an iTunes link

Installing a recommended or required app via an iTunes link on an iOS device requires the use of Safari. If the use of Safari is restricted, recommended and required apps cannot be installed via an iTunes link.

Automatic synchronization of the SMC app against the server does not work reliably

In some cases the silent trigger sent by the SMC server does not result in an automatic background synchronization. In those cases the user can still synchronize the app manually.

Managed Sophos Secure Workspace looses the management status after upgrade of app

When upgrading a Sophos Secure Workspace for iOS app that is already managed by Sophos Mobile Control, it may happen in very rare cases that Sophos Secure Workspace is no more managed on the device. This is caused by an undefined behavior of the Apple iOS mechanism used for managing the app: the managed settings are lost. Installing the profile again for the device through the Sophos Mobile Control web console takes the app under management again.

Single App Mode profile changes do not affect the device

Updating an iOS Single App Mode profile does not update all contained settings. The "disable…" options are updated correctly. All other options only work on the first installation of the profile. For switching those settings, the profile has to be removed and installed again. This is an issue in Apple iOS.

Windows Phone

Windows Phone 8.1 devices < GDR1 do not set Exchange account names correctly

Windows Phone devices running 8.1 < GDR1 do not use the Exchange account display name as configured. Instead, they just use a numbering scheme. This display issue does not affect the actual synchronization. Newer Windows Phone 8.1 versions use the name as configured.

A "no passcode" compliance violation is reported although a passcode is set on the device

The “password required” compliance rule does not work correctly for Windows Phone and Windows 10 Mobile devices if no passcode policy is enforced by SMC. The devices do not report a passcode being set if the user does this without being forced to by a policy. This is an issue in Windows Phone and Windows 10 Mobile.

A "no encryption" compliance violation is reported although the device is encrypted

The “encryption required” compliance rule does not work correctly for Windows Phone and Windows 10 Mobile devices if encryption is not enforced by an SMC "Restrictions" policy. The devices do not report a device to be encrypted if the user does this without being forced to by a policy. This is an issue in Windows Phone and Windows 10 Mobile.

SafeSearch restriction

The Windows Phone 8.1 restriction “SafeSearch permission” is not working correctly. Due to an issue in Windows Phone 8.1 the restriction is ignored on the device and defaults to “moderate”.

Windows 10 Mobile devices cannot be checked for compliance rule "Data roaming allowed"

On devices that run Windows 10 Mobile, Sophos Mobile Control cannot check for compliance with the "Data roaming allowed" rule because the operating system does not provide the Sophos Mobile Control app with the relevant information. When you forbid data roaming, a Windows 10 Mobile device with data roaming enabled is still reported as compliant.

Sophos Mobile Control web console

Synchronizing an Android device with an Exchange server

Android devices are automatically enabled through the EAS proxy, if the device was registered with the Self Service Portal. If an administrator has added the device to Sophos Mobile Control, it is required to enter the sAMAccountName in the respective property of the device details view to make ActiveSync synchronization possible. If devices are registered with an LDAP entry and SSP, this is not necessary (this only applies to Microsoft ActiveDirectory). It also is not necessary if the device's ActiveSync Id is already known. That is the case when using Sophos Secure Email or Samsung KNOX.

Password fields may look corrupted in Internet Explorer 10

When entering a password, e.g. in an Exchange email configuration, it may happen that the password is cut off and not all asterisks are shown. The user can still enter any password, although the input field does not show the correct amount of characters entered. This is caused by a defect in the web control within the standard framework used by Sophos Mobile Control. 

Web console may look corrupted in Internet Explorer

Internet Explorer may classify the Sophos Mobile Control web console as an intranet site. As a result, compatibility mode is activated by default which results in a corrupted view and erroneous behavior. This browser feature can be disabled in the Compatibility View settings of Internet Explorer by unchecking “Display intranet sites in Compatibility View”.

Plain Exchange ActiveSync traffic is no longer supported using the internal EAS proxy

Exchange ActiveSync traffic without encryption (SSL/TLS) is no longer supported by the internal EAS proxy.

Cancelling deletion of entries in the device list disables the list actions

Using the context to delete single devices and then cancelling the dialog leads to disabled actions and links in the device list. Reloading the device list enables them again.

Wrong label for Android profile restriction

The Android restrictions "Allow app install" and "Allow app uninstall" are labelled with "SAFEv2" but should be labelled "SAFEv3".

Android Kiosk mode profile payload does not validate empty fields correctly

When creating a Kiosk mode payload for Android with a custom app the app identifier is a required field. However, this is not correctly validated and saved without app identifier anyway.

Customers having Apple Device Enrollment Program cannot be deleted

The deletion of customers having Apple DEP profiles configured fails. To delete those customers, the Apple DEP profiles need to be deleted manually before deleting the customer.

Task bundle tasks for profile removal do not list the current profile names in some cases

When profiles are installed on devices and then later are renamed the list for profile, removal tasks in task bundles might be confusing. It might list the profile with the old name.

List of Windows Mobile root certificates may not reflect the actual state

Installing root certificates as part of policies is always reported as successful. The actual list of installed certificates can be checked in the device details.

Empty Windows Mobile policies are not correctly listed in the installed policy details

Assigning empty policies without any settings to a Windows Mobile device does not correctly update the installed policy details displayed in the web console. Instead, settings of previously applied policies might be shown.

Restricting copy and paste on Windows 10 Mobile does not work with all apps

The restriction for Copy & Paste on Windows 10 Mobile does not work for some apps. Those apps still allow Copy & Paste actions.

Link to EAS proxy setup in web console is outdated

The link to the EAS proxy setup file in the web console (Setup>System setup>EAS proxy) points to an outdated file of the last SMC release. The new setup file can be downloaded from the MySophos portal.

REST web service interface changes

The web service interface for apps has been modified to allow configuring the app category and managed installation flags.

The generic NAC web service interface is deprecated. Customers should switch to the REST web service which offers the same functionality.

The web service resource "appreputation" is deprecated. Customers should use the "appgroups" resource instead.

All web service resources now have additional create and update methods which no longer rely on form data. Instead, they can be used with JSON-formatted data which is easier to produce.

The deprecated interfaces will be removed in a future version.

Technical support

You can find technical support for Sophos products in any of these ways:

• Visit the Sophos community at http://community.sophos.com/products/mobile-device-protection/ and search for other users who are experiencing the same problem.
• Visit the Sophos support knowledgebase at http://www.sophos.com/support.aspx.
• Download the product documentation at http://www.sophos.com/en-us/support/documentation/mobile-control.aspx.
• Send an email to support@sophos.com, including your Sophos software version number(s), operating system(s) and patch level(s), and the text of any error messages.
• Follow the mobile team on twitter for all product updates at https://twitter.com/SMCSophos

Legal notices

Copyright © 2016 Sophos Limited. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.