Sophos Mobile Control

Version 7.0

About these release notes

These are the release notes for Sophos Mobile Control.

For improvements and new features in Sophos Mobile Control, see Sophos Mobile 7.0 - What's New.

Changes with version 7.0.10

For information about the Sophos Mobile Control 7.0.10 patch and how to apply it, see Sophos knowledgebase article 126119.

Supported platforms

Server operating system

Product | Version
Microsoft Windows Server | 2008 R2 SP1 (64-bit); 2012 (64-bit); 2012 R2 (64-bit); 2016 (64-bit)

Java

Product | Version
Oracle Java JDK | The version that is delivered with the Sophos Mobile Control installer (8u112)

Database

Product | Version
Microsoft SQL Server | 2008 SP4 (32-bit or 64-bit); 2008 R2 SP3 (64-bit); 2012 SP3 (64-bit); 2014 SP2 (64-bit); 2014 SP2 Express; 2016 SP1 (64-bit)
MySQL | 5.6

Mobile operating systems

Product | Version
Android | 4.2 or higher; 5.0 or higher; 6.0 or higher; 7.0 or higher
Apple iOS | 8.0 or higher; 9.0 or higher; 10.0 or higher
Windows Phone | 8.1
Windows Mobile | Windows 10 (editions: Mobile, Mobile Enterprise)
Windows Desktop | Windows 10 Threshold 2 (1511) or higher (editions: Pro, Enterprise, Education, Home)

Browser

The Sophos Mobile Control admin console and the Self Service Portal support the following web browsers.

Product | Version
Microsoft Internet Explorer | 11
Microsoft Edge | 10
Mozilla Firefox | 30 or higher
Google Chrome | 35 or higher

Directory servers

Product | Version
Microsoft Active Directory | The version that is provided by the used Windows Server operating system. Lightweight Domain Services (AD LDS) are not supported.
Zimbra OpenLDAP | The version that is provided by the used Zimbra email system.
NetIQ eDirectory | 8.8 SP6
IBM Domino | 8.5.3
389 Directory Server (open source variant of the Red Hat Directory Server) | 1.3

Email systems

Product | Version
Microsoft Exchange | 2007 SP3; 2010 SP2; 2013; 2016
Lotus Domino Traveler | 9.0
Zimbra | 8.0

Certification authority (CA) servers

Product | Version
Microsoft Windows Server | 2008 SP1 (32-bit or 64-bit); 2008 R2 SP1 (64-bit); 2012 with latest service pack (64-bit); 2012 R2 with latest service pack (64-bit); 2016 with latest service pack (64-bit)

Installation

For details on installing the Sophos Mobile Control server, see the Sophos Mobile Control installation guide.

For details on installing and setting up Sophos Mobile Control on end user devices by using the Sophos Mobile Control Self Service Portal, see the Sophos Mobile Control user help.

You can download the product documentation at www.sophos.com/en-us/support/documentation/mobile-control.aspx.

License reporting

Sophos Mobile Control 7.0 comes with license reporting. For detailed information, see Sophos knowledgebase article 120127.

Known issues and limitations

Setup

Scheduled tasks
If you are planning to run the update to SMC 7 overnight, please disable the scheduled tasks that stop and restart the SMC server (default: 4:00 am and 4:05 am) if those times interfere with the update and migration procedure. You can re-enable them after the update is finished.
Sophos Mobile Control license in a folder with Japanese characters in the folder name (DEF85338)
If the Sophos Mobile Control license file is placed in a folder with Japanese characters in the name for installation, the installation process fails.
Changing the server URL after installation
After changing the URL of the server using the Configuration Wizard, the SMC standard license needs to be reactivated. To do so, go to Setup > System setup > License, enter your standard license key in the input field and then click Activate.

Android devices

On some Samsung Knox devices it is not possible to add a profile with a root certificate
On some Samsung Knox devices (e.g. seen on a Samsung Galaxy S2 with Android 4.0.3), installing a root certificate via a profile does not work. This is an issue in the Samsung API, where a call to the API returns success although the root certificate could not be installed on the device.
On some Samsung Knox devices it is not possible to remove the VPN profile from the device
On some Samsung Knox devices (e.g. seen on a Samsung Galaxy S2 with Android 4.0.3), removing a VPN profile via the Sophos Mobile Control admin console does not work. This is an issue in the Samsung API on the device, where removing the profile via a call to the API reports success although the VPN profile is not actually removed from the device.
Knox premium restriction "Prevent installation of another administrator app" can only be applied on the device when there is no other device administrator app active
The Knox premium restriction "Prevent installation of another administrator app" can only be applied on a device when no other device administrator app is activated. If another device administrator app is already activated, e.g. the Android Device Manager, the user first has to manually disable the device administrator for this app so that the policy can be applied (see also "This policy can only be applied if there are no other administrators activated" in the Samsung Knox documentation).
Android 6 power saving features might impact Baidu push notifications
The App doze and Stand-by mode power saving features introduced with Android 6 can impact the receiving of Baidu push notifications.
Allow Fingerprint setting in the General payload of a Sophos container policy has no effect
Due to current technical limitations, the Sophos container apps don’t support fingerprint for logon. Therefore, the setting in the General payload of a Sophos container policy currently has no effect. With upcoming releases of the Sophos Secure Workspace and Sophos Secure Email apps, fingerprint authentication is supported for logon and the SMC payload setting will be applied.
On Sony devices it is not possible to protect or control so called small apps (with an app protection or app control profile)
Small apps are Sony-specific apps on Sony devices that overlay existing apps. Due to the technology of this type of app, they can’t be controlled or protected by SMC App Control or App Protection.
Password reset on Android 7.x device was removed
With the release of Android 7.0, Google removed the methods for resetting device passwords.
Email accounts can't be removed from the Android work profile (only if you remove the complete profile)
If an Exchange email account is transferred to an Android work profile, the account stays on the profile even if the policy is removed. It is possible to send another policy containing another email configuration to the device. The last email configuration is always the one used. However, it is not possible to remove the configuration from the work profile. To remove the configured account, the whole Android work profile must be removed from the device.

iOS devices

When use of Safari (iOS Browser) is restricted via a profile, recommended and required apps can’t be installed via an iTunes link
Installing a recommended or required app via an iTunes link on an iOS device requires the use of Safari. If the use of Safari is restricted, recommended and required apps can’t be installed via an iTunes link.
Automatic synchronization of the SMC app against the server does not work reliably
In some cases the silent trigger sent by the SMC server does not result in an automatic background synchronization. In those cases the user can still synchronize the app manually.
Managed Sophos Secure Workspace loses the management status after upgrade of app
When upgrading a Sophos Secure Workspace for iOS app that is already managed by Sophos Mobile Control, it may happen in very rare cases that Sophos Secure Workspace is no longer managed on the device. This is caused by an undefined behavior of the Apple iOS mechanism used for managing the app: the managed settings are lost. Installing the profile again for the device through the Sophos Mobile Control admin console takes the app under management again.
Single App Mode profile changes do not affect the device
Updating an iOS Single App Mode profile does not update all contained settings. The Disable… options are updated correctly. All other options only work on the first installation of the profile. For switching those settings, the profile must be removed and installed again. This is an issue in Apple iOS.

Windows Mobile devices

Windows Phone 8.1 devices < GDR1 do not set Exchange account names correctly
Windows Phone devices running 8.1 < GDR1 do not use the Exchange account display name as configured. Instead, they just use a numbering scheme. This display issue does not affect the actual synchronization. Newer Windows Phone 8.1 versions use the name as configured.
A "no passcode" compliance violation is reported although a passcode is set on the device
The Password required compliance rule does not work correctly for Windows Phone and Windows 10 Mobile devices if no passcode policy is enforced by SMC. The devices do not report a passcode being set if the user does this without being forced to by a policy. This is an issue in Windows Phone and Windows 10 Mobile.
A "no encryption" compliance violation is reported although the device is encrypted
The Encryption required compliance rule does not work correctly for Windows Phone and Windows 10 Mobile devices if encryption is not enforced by an SMC Restrictions policy. The devices do not report a device to be encrypted if the user does this without being forced to by a policy. This is an issue in Windows Phone and Windows 10 Mobile.
SafeSearch restriction
The Windows Phone 8.1 restriction SafeSearch permission is not working correctly. Due to an issue in Windows Phone 8.1, the restriction is ignored on the device and defaults to “moderate”.
Windows 10 Mobile devices can’t be checked for compliance rule "Data roaming allowed"
On devices that run Windows 10 Mobile, Sophos Mobile Control can’t check for compliance with the Data roaming allowed rule because the operating system does not provide the Sophos Mobile Control app with the relevant information. When you forbid data roaming, a Windows 10 Mobile device with data roaming enabled is still reported as compliant.

Sophos Mobile Control admin console

Synchronizing an Android device with an Exchange server
Android devices are automatically enabled through the EAS proxy, if the device was enrolled through the Self Service Portal. If an administrator has added the device to Sophos Mobile Control, it is required to enter the sAMAccountName value in the respective property of the device details view to make ActiveSync synchronization possible. If devices are registered with an LDAP entry and SSP, this is not necessary (this only applies to Microsoft Active Directory). It also is not necessary if the device's Active Sync ID is already known. That is the case when using Sophos Secure Email or Samsung Knox.
Password fields may look corrupted in Internet Explorer 10
When entering a password, e.g. in an Exchange email configuration, it may happen that the password is cut off and not all asterisks are shown. The user can still enter any password, although the input field does not show the correct amount of characters entered. This is caused by a defect in the web control within the standard framework used by Sophos Mobile Control.
Admin console may look corrupted in Internet Explorer
Internet Explorer may classify the Sophos Mobile Control admin console as an intranet site. As a result, compatibility mode is activated by default which results in a corrupted view and erroneous behavior. This browser feature can be disabled in the Compatibility View settings of Internet Explorer by unchecking Display intranet sites in Compatibility View.
Plain Exchange ActiveSync traffic is no longer supported using the internal EAS proxy
Exchange ActiveSync traffic without encryption (SSL/TLS) is no longer supported by the internal EAS proxy.
Customers having Apple Device Enrollment Program can’t be deleted
The deletion of customers having Apple DEP profiles configured fails. To delete those customers, the Apple DEP profiles need to be deleted manually before deleting the customer.
Task bundle tasks for profile removal do not list the current profile names in some cases
When profiles are installed on devices and are later renamed, the list of profile removal tasks in task bundles might be confusing. Tasks might display the profile with the old name.
List of Windows Mobile root certificates may not reflect the actual state
Installing root certificates as part of policies is always reported as successful. The actual list of installed certificates can be checked in the device details.
Empty Windows Mobile policies are not correctly listed in the installed policy details
Assigning empty policies without any settings to a Windows Mobile device does not correctly update the installed policy details displayed in the web console. Instead, settings of previously applied policies might be shown.
Restricting Copy & Paste on Windows 10 Mobile does not work with all apps
The restriction for Copy & Paste on Windows 10 Mobile does not work for some apps. Those apps still allow Copy & Paste actions.
Detecting deactivated Defender on Windows 10 Desktop does not work in some cases
In some cases, Windows 10 Desktop devices might be reported as compliant even if Windows Defender is disabled. This is because the compliance rule Defender activated can only check if the Defender service is running. It does not check if realtime protection is enabled.
Removing duplicated Android profiles using a task bundle does not work
An Android profile that has been created by using the Duplicate command in an older version of Sophos Mobile Control can't be removed from devices using a task bundle.
Some Windows 10 devices do not register correctly for push notifications
Some Windows 10 Mobile and Windows 10 Desktop devices do not register correctly for the Windows Notification Service (WNS). Their push registration times out after 30 days, and the devices fail to renew the registration automatically. Although the SMC server enforces the renewal, some devices send the old, invalid push registration information to the SMC server when they re-register. As a result, the SMC server can't send push notifications to these devices to synchronize the built-in MDM agent. This is an issue in Windows 10.

Technical support

You can find technical support in any of these ways:

Legal notices

Copyright © 2017 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos is a registered trademark of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.