Endpoint

Sophos Mobile

Version 8.5

About these release notes

These are the release notes for Sophos Mobile version 8.5.

For improvements and new features in Sophos Mobile, see Sophos knowledge base article 132302.

Supported platforms

Server operating system

Product Version
Microsoft Windows Server 2008 R2 SP1 (64-bit)
2012 (64-bit)
2012 R2 (64-bit)
2016 (64-bit)

Java

Product Version
Oracle Java JDK The version that is delivered with the Sophos Mobile installer (8u172)

Database

Product Version
Microsoft SQL Server 2012 SP3 (64-bit)
2014 SP2 (64-bit)
2014 SP2 Express
2016 SP1 (64-bit)
2017 (64-bit)
MySQL 5.6

Device operating systems

Product Version
Android 5.0 or later
6.0 or later
7.0 or later
8.0 or later
Android Things (project-based) 1.0, on Raspberry Pi 3
iOS 10.0 or later
11.0 or later
macOS OS X El Capitan (10.11 or later)
macOS Sierra (10.12 or later)
macOS High Sierra (10.13 or later)
Windows Windows 10 Threshold 2 (1511) or later, editions Pro, Enterprise, Education, Home, S
Windows Phone 8.1
Windows Mobile Windows 10, editions Mobile, Mobile Enterprise
Windows IoT (project-based) Windows 10 IoT Core (Build 16299), on Raspberry Pi 2 or 3

Browser

The Sophos Mobile Admin and Self Service Portal web consoles support the following web browsers.

Product Version
Microsoft Internet Explorer 11
Microsoft Edge 36
Mozilla Firefox 50 or later
Google Chrome 56 or later

Directory servers

Product Version
Microsoft Active Directory The version that is provided by the used Windows Server operating system. Lightweight Domain Services (AD LDS) are not supported.
Zimbra OpenLDAP The version that is provided by the used Zimbra email system.
NetIQ eDirectory 8.8 SP6
IBM Domino 8.5.3
389 Directory Server (open source variant of the Red Hat Directory Server) 1.3

Email systems

Product Version
Microsoft Exchange 2013
2016
Lotus Domino Traveler 9.0
Zimbra 8.0

Certification authority (CA) servers

Product Version
Microsoft Windows Server
2012 with latest service pack
2012 R2 with latest service pack
2016 with latest service pack

Installation

For details on installing the Sophos Mobile server, see the Sophos Mobile installation guide.

For details on enrolling end user devices with Sophos Mobile using the Sophos Mobile Self Service Portal, see the Sophos Mobile user help.

You can download the product documentation at www.sophos.com/en-us/support/documentation/sophos-mobile.aspx.

License reporting

Sophos Mobile 8.5 comes with license reporting. For detailed information, see Sophos knowledge base article 120127.

Known issues and limitations

Setup

Scheduled tasks

If you are planning to update Sophos Mobile overnight please disable the scheduled tasks to stop and restart the Sophos Mobile server (default: 4:00 am and 4:05 am) if those times interfere with the update and migration procedure. You can re-enable them after the update is finished.

Changing the server URL after installation

After changing the URL of the server using the Configuration Wizard, the Sophos Mobile standard license needs to be reactivated. To do so, go to Setup > System setup > License, enter your standard license key in the input field and then click Activate.

Certificate validation error with Windows Server 2008 R2

If you download the setup file to a Windows Server 2008 R2 computer, Internet Explorer reports a certificate validation error. This is because Windows Server 2008 R2 doesn’t support SHA-2 verification.

For details, see the Microsoft security advisory 3033929 Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2 (external link).

Android devices

Some Samsung Knox devices must be restarted to turn on Kiosk Mode

Samsung devices with Knox Standard (formerly called SAFE) SDK version < 5.4 must be manually restarted after a Kiosk Mode profile was installed. Otherwise, the user would be able to stop all running apps in the task manager and then switch to the default launcher home screen.

Knox premium restriction "Prevent installation of another administrator app" can only be applied on the device when there is no other device administrator app active

The Knox premium restriction Prevent installation of another administrator app can only be applied on a device, when there is no other device administrator app activated. If another device administrator app is already activated, e.g. the Android Device Manager, the user has to first manually disable the device administrator for this app so that the policy can be applied (see also This policy can only be applied if there are no other administrators activated in the Samsung Knox documentation).

Android 6 power saving features might impact Baidu push notifications

The App doze and Stand-by mode power saving features introduced with Android 6 can impact the receiving of Baidu push notifications.

On Sony devices it is not possible to protect or control so called small apps (with an app protection or app control profile)

Small apps are Sony specific apps on Sony devices that overlay existing apps. Due to the technology of these type of apps, they can’t be controlled or protected by the Sophos Mobile Control app or by App Protection.

Password reset on Android 7.x device was removed

With the release of Android 7.0, Google removed the methods for resetting device passwords.

Email accounts can't be removed from the Android work profile (only if you remove the complete profile)

If an Exchange email account is transferred to an Android work profile, the account stays on the profile even if the policy gets removed. It is possible to send another policy containing another Email configuration to the device. Always the last Email configuration gets used. However, it is not possible to remove the configuration from the work profile. In case the configured account should get removed, the whole Android work profile must be removed from the device.

No compliance violation “Installation from unknown sources” on Android 8

Starting with Android 8, the installation of apps from unknown sources is not a device setting anymore. Instead, it is a permission setting of apps that are able to install other apps - like for example a file manager app. Currently, it is not possible for Sophos Mobile to check if any third party app has this permission. Therefore, the Apps from unknown sources compliance rule is ignored for devices with Android 8.

Android enterprise: No manual enrollment for “Managed Google Play Account” scenario

If Android enterprise is set up using the "Managed Google Play Account" scenario, devices can only be enrolled by scanning the QR code or by using the Configure app link from the enrollment email.

Android enterprise: Chrome app enabled in work profiles by default

There is a known Android issue related to the work profile. Starting with Android 8, the Android internal WebView app is no longer enabled by default. As a result, apps in the work profile that rely on the WebView app may stop working. Google resolved this issue by enabling the Chrome app, which in turn enables the internal WebView app. However, you may not want to allow a browser app in the work profile. As a work around, use the App Control configuration of your Sophos Mobile Android enterprise policy to block the Chrome app.

For more information regarding this issue, see the Google article https://support.google.com/work/android/answer/7506908 (external link).

Android enterprise: On some devices, Factory Reset Protection (FRP) can’t be turned on

On some devices capable of Factory Reset Protection (FRP) according to their specification, we have noticed an Frp is not supported error when FRP is turned on via Sophos Mobile. This issue is not caused by Sophos Mobile.

iOS devices

When use of Safari (iOS Browser) is restricted via a profile, recommended and required apps can’t be installed via an iTunes link

Installing a recommended or required app via an iTunes link on an iOS device requires the use of Safari. If the use of Safari is restricted, recommended and required apps can’t be installed via an iTunes link.

Automatic synchronization of the Sophos Mobile Control app against the server does not work reliably

In some cases the silent trigger sent by the Sophos Mobile server does not result in an automatic background synchronization. In those cases the user can still synchronize the app manually.

Managed Sophos Secure Workspace looses the management status after upgrade of app

When upgrading a Sophos Secure Workspace for iOS app that is already managed by Sophos Mobile, it may happen in very rare cases that Sophos Secure Workspace is no more managed on the device. This is caused by an undefined behavior of the Apple iOS mechanism used for managing the app: the managed settings are lost. Installing the profile again for the device in the Sophos Mobile admin console takes the app under management again.

Single App Mode profile changes do not affect the device

Updating an iOS Single App Mode profile does not update all contained settings. The Disable… options are updated correctly. All other options only work on the first installation of the profile. For switching those settings, the profile must be removed and installed again. This is an issue in Apple iOS.

Restricting app removal does not work reliably

On some devices, users are able to uninstall apps even if the Allow app removal restriction is disabled in the iOS device profile. This is an issue in Apple iOS.

macOS devices

Network Access Control (NAC) not possible for Macs connected via Ethernet

Sophos Mobile can only retrieve the MAC address of a Mac’s Wi-Fi network adapter, not that of its Ethernet adapter. Because for Network Access Control (NAC) devices are identified by their MAC address, a Mac connected to the network via its Ethernet adapter is treated as an unknown device when your external NAC software asks Sophos Mobile for the device’s network status.

Windows Mobile devices

Windows Phone 8.1 devices < GDR1 do not set Exchange account names correctly

Windows Phone devices running 8.1 < GDR1 do not use the Exchange account display name as configured. Instead, they just use a numbering scheme. This display issue does not affect the actual synchronization. Newer Windows Phone 8.1 versions use the name as configured.

A "no passcode" compliance violation is reported although a passcode is set on the device

The Password required compliance rule does not work correctly for Windows Phone and Windows 10 Mobile devices if no passcode policy is enforced by Sophos Mobile. The devices do not report a passcode being set if the user does this without being forced to by a policy. This is an issue in Windows Phone and Windows 10 Mobile.

A "no encryption" compliance violation is reported although the device is encrypted

The Encryption required compliance rule does not work correctly for Windows Phone and Windows 10 Mobile devices if encryption is not enforced by an Sophos Mobile Restrictions policy. The devices do not report a device to be encrypted if the user does this without being forced to by a policy. This is an issue in Windows Phone and Windows 10 Mobile.

SafeSearch restriction

The Windows Phone 8.1 restriction SafeSearch permission is not working correctly. Due to an issue in Windows Phone 8.1, the restriction is ignored on the device and defaults to “moderate”.

Windows 10 Mobile devices can’t be checked for compliance rule "Data roaming allowed"

On devices that run Windows 10 Mobile, Sophos Mobile can’t check for compliance with the Data roaming allowed rule because the operating system does not provide the Sophos Mobile Control app with the relevant information. When you forbid data roaming, a Windows 10 Mobile device with data roaming enabled is still reported as compliant.

Windows Phone 8.1 devices ignore email configuration changes

In some cases, Windows Phone 8.1 devices ignore changes that you make to the IMAP/POP configuration of a Windows Mobile policy. To get around this issue, change the email configuration in two steps: First remove the IMAP/POP configuration from the profile, then make the required changes to the configuration and add it again.

Sophos Mobile Admin console

Synchronizing an Android device with an Exchange server

Android devices are automatically enabled through the EAS proxy, if the device was enrolled through the Self Service Portal. If an administrator has added the device to Sophos Mobile, it is required to enter the sAMAccountName value in the respective property of the device details view to make ActiveSync synchronization possible. If devices are registered with an LDAP entry and SSP, this is not necessary (this only applies to Microsoft Active Directory). It also is not necessary if the device's Active Sync ID is already known. That is the case when using Sophos Secure Email or Samsung Knox.

Admin console may look corrupted in Internet Explorer

Internet Explorer may classify the Sophos Mobile Admin console as an intranet site. As a result, compatibility mode is activated by default which results in a corrupted view and erroneous behavior. To turn off this browser feature, clear the Display intranet sites in Compatibility View check box in the Compatibility View settings of Internet Explorer.

Plain Exchange ActiveSync traffic is no longer supported using the internal EAS proxy

Exchange ActiveSync traffic without encryption (SSL/TLS) is no longer supported by the internal EAS proxy.

Customers having Apple Device Enrollment Program can’t be deleted

The deletion of customers having Apple DEP profiles configured fails. To delete those customers, the Apple DEP profiles need to be deleted manually before deleting the customer.

Task bundle tasks for profile removal do not list the current profile names in some cases

When profiles are installed on devices and then later are renamed the list for profile, removal tasks in task bundles might be confusing. Tasks might display the profile with the old name.

List of Windows Mobile root certificates may not reflect the actual state

Installing root certificates as part of policies is always reported as successful. The actual list of installed certificates can be checked in the device details.

Empty Windows Mobile policies are not correctly listed in the installed policy details

Assigning empty policies without any settings to a Windows Mobile device does not correctly update the installed policy details displayed in the web console. Instead, settings of previously applied policies might be shown.

Restricting Copy & Paste on Windows 10 Mobile does not work with all apps

The restriction for Copy & Paste on Windows 10 Mobile does not work for some apps. Those apps still allow Copy & Paste actions.

Detecting deactivated Defender on Windows 10 Desktop does not work in some cases

In some cases, Windows 10 Desktop devices might be reported as compliant even if Windows Defender is disabled. This is because the compliance rule Defender activated can only check if the Defender service is running. It does not check if real-time protection is enabled.

Removing duplicated Android profiles using a task bundle does not work

An Android profile that has been created by using the Duplicate command in an older version of Sophos Mobile can't be removed from devices using a task bundle.

Some Windows 10 devices do not register correctly for push notifications

Some Windows 10 Mobile and Windows 10 Desktop devices do not register correctly for the Windows Notification Service (WNS). There is a time out of their push registration after 30 days, and the devices fail to renew the registration automatically. Although the Sophos Mobile server enforces the renewal, some devices send the old, invalid push registration information to the Sophos Mobile server when they re-register. As a result, the Sophos Mobile server can't send push notifications to these devices to synchronize the built-in MDM agent. This is an issue in Windows 10.

Accurate server time required to set up Android enterprise

If the system time of your Sophos Mobile server deviates by more than 15 minutes from accurate time, you will not be able to set up Android enterprise for your organization using the Managed Google Play Account scenario. This is because the Sophos service that manages Android enterprise communication classifies the request from your Sophos Mobile server as malicious and rejects it.

Configuring the external directory connection not possible because of Chrome issue (field content disappears)

When configuring the external directory connection, Google Chrome automatically tries to fill in a saved user account. The field content is automatically removed and added again, and it is not possible to configure the user credentials. Also, when configuring the SMTP tab for the super administrator, saved credentials are automatically inserted.

This issue is caused by a defect in Google Chrome 59. Because of that, the issue can’t be solved by Sophos Mobile. As a workaround, use a different browser to configure the external directory connection or the SMTP settings.

Number of users invited to Apple VPP at the same time is limited

When you invite too many users to the Apple Volume Purchase Program (VPP) at once, Apple might reject further requests for a few minutes. If you are experiencing this issue, please reduce the number of users included in the invitation.

This issue will be fixed in a future version of Sophos Mobile.

Android zero-touch enrollment and Samsung Knox Mobile Enrollment not possible with self-signed certificate

If you use a self-signed SSL/TLS certificate for your Sophos Mobile sever, you can’t use Android zero-touch enrollment or Samsung Knox Mobile Enrollment. We suggest you use a certificate issued by a globally trusted certificate authority (CA) instead.

Not possible to save HTML-formatted text

In some cases, you get an error “Text contains forbidden HTML elements” when you try to save SSP enrollment texts or system messages that contain HTML formatting, although the text you’ve entered is valid. This issue is caused by an error in the HTML parser library.

As a workaround, change the font size of underlined text and delete any “style” attributes.

Self Service Portal

Self Service Portal enrollment of Windows computers is disabled after update from Sophos Mobile 7.1

If you’ve configured Self Service Portal enrollment for Windows computers, you must adjust the configuration after you’ve updated Sophos Mobile from version 7.1. In Sophos Mobile 7.1, the initial package is a policy while in Sophos Mobile 8.1 and later it is a task bundle.

For information on how to re-enable Self Service Portal enrollment for Windows computers, see the Sophos Mobile installation guide, section Post-update tasks.

Get support

You can get support in any of these ways:

Legal notices

Copyright © 2018 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.