These are the release notes for Sophos Mobile 9.6.
Sophos Central migration
New assistant that enables migration from Sophos Mobile on-premise server or SaaS hosted to Sophos Mobile in Sophos Central.
- Migration of policies, task bundles, apps, app lists, compliance rules, documents and settings
- Migration of enrolled devices without re-enrollment
- Migration supported by an intuitive migration assistant
Enhanced iOS management
- Additional Exchange payload options
- WPA v3 is now supported in Wi-Fi payload
- Single App Mode policy extended with additional options
- Added additional restrictions
- Continuous Path Keyboard
- Disable device sleep (e.g. for tvOS)
- Hide Find My
- Find My Friends
- Wi-Fi On/Off
- Allow shared iPad (new in iOS 13.4)
Enhanced macOS management
- New policy payload: Enable Sophos Endpoint disk access via Privacy Preferences Control settings
- WPA v3 is now supported in the Wi-Fi payload
- Private key of certificates can be configured to be non-extractable
Enhanced Android management
- Optionally allow access to all apps to be installed from the Google Play Store for Android Enterprise managed devices
- The Android Enterprise app list is now the top-level app list. Position switched with the legacy Android app list
Sophos Exchange ActiveSync (EAS) proxy improvements
- Support for a proxy server configuration within the EAS proxy setup
Sophos Secure Email improvements
This description consolidates improvements to the Sophos Secure Email app since the release of Sophos Mobile 9.5. Improvements apply to iOS and Android.
- Improved UI for the Sophos container email policy
- Support for Outlook Notes
- Support for Outlook Tasks
- Management of multiple email accounts
- Configure the email signature in policy
- Support for S/MIME
- Support iOS Dark Mode in all apps
- Update device sync time option to 4h and higher only
- Sophos Mobile Control app will show an outdated server warning if connected server version is 7.1 or earlier as they are out of support
- Upgrade to Sophos Mobile 9.6 is supported from version 9.0 and 9.5.
Server operating system
|Microsoft Windows Server||
|OpenJDK||The version included in the Sophos Mobile installer (11.0.7)|
|Microsoft SQL Server||
Device operating system
|Windows||Windows 10 version 1511 or later, editions
Pro, Enterprise, Education, Home, or S mode
Device operating systems that are no longer supported
Microsoft ended support for the Windows Phone 8.1
operating system on July 11, 2017.
|Windows Mobile||Windows 10, editions Mobile, Mobile Enterprise||
Microsoft ended support for the Windows Mobile 10
operating system on December 10, 2019.
Windows Mobile 10 is still available as a device platform in Sophos Mobile 9.6, but Sophos no longer supports Windows Mobile 10 nor does it guarantee any functioning of Windows Mobile 10 devices with Sophos Mobile 9.6. Windows Mobile 10 won’t be available in the next release of Sophos Mobile in 2020.
The Sophos Mobile Admin and Self Service Portal web consoles support the following web browsers.
|Microsoft Internet Explorer||11|
|Mozilla Firefox||66 or later|
|Google Chrome||75 or later|
|Microsoft Active Directory||The version provided by the Windows Server operating
Lightweight Domain Services (AD LDS) aren’t supported.
|Microsoft Azure AD||The version provided by Microsoft|
|Zimbra OpenLDAP||The version provided by the Zimbra email system|
|NetIQ eDirectory||8.8 SP6|
|389 Directory Server
(open source variant of the Red Hat Directory Server)
|Google Cloud Directory||Secure LDAP in Cloud Identity|
|Lotus Domino Traveler||9.0|
Certification authority (CA) server
|Microsoft Windows Server||
For details on installing the Sophos Mobile server, see the Sophos Mobile installation guide.
For details on enrolling devices with Sophos Mobile using the Sophos Mobile Self Service Portal, see the Sophos Mobile user help.
You can download the product documentation at www.sophos.com/en-us/support/documentation/sophos-mobile.aspx.
By default, there are scheduled tasks that stop (at 4:00 am) and restart (at 4:05 am) the Sophos Mobile server. If you want to update Sophos Mobile during that period, disable these tasks before the update and re-enable them after the update is finished.
Changing the server URL after installation
After changing the server URL using the Configuration Wizard you need to reactivate the Sophos Mobile standard license. To do this, go to Setup > System setup > License, enter your standard license key in the input field and then click Activate.
Knox container can’t be created on Android 5.0 devices
You can only create Knox containers on devices with Android 5.0.1 or later. Existing containers on Android 5.0 devices aren’t affected. This is a restriction of the Samsung Knox SDK version Sophos Mobile 9.6 uses.
Some Samsung Knox devices must be restarted to turn on Kiosk Mode
You must restart Samsung devices with Knox Standard (formerly called SAFE) SDK version earlier than 5.4 after installing a Kiosk Mode profile. If you don’t, the user could stop all running apps in the task manager and switch to the default launcher home screen.
Preventing additional device administrators on Samsung Knox devices
The Knox premium restriction Prevent installation of another administrator app on a device is ignored if there’s already another device administrator activated. Make sure Sophos Mobile Control is the only device administrator before you assign the restriction.
Android 6 power-saving features might impact Baidu push notifications
The App doze and Stand-by mode power saving features introduced with Android 6 can impact the receiving of Baidu push notifications.
On Sony devices, it’s not possible to protect or control so-called small apps (with an app protection or app control profile)
Small apps are Sony specific apps on Sony devices that overlay existing apps. These apps can’t be controlled or protected by the Sophos Mobile Control app or by App Protection.
Password reset removed for “Device administrator” devices with Android 7 and later
You can’t reset the password for devices running Android 7 or later. This applies to devices where Sophos Mobile is the device administrator. This is because Google removed the “Password reset” command from the device administrator API. Android Enterprise devices aren’t affected.
Email accounts can't be removed from the Android work profile (only if you remove the complete profile)
If an Exchange email account is transferred to an Android work profile, the account stays with the profile even if the policy is removed. You can send a policy containing another Email configuration to the device. The latest Email configuration is always used. However, it’s not possible to remove the configuration from the work profile. If the configured account is removed, you must remove the whole Android work profile from the device.
No compliance violation “Installation from unknown sources” on Android 8
Starting with Android 8, the installation of apps from unknown sources isn’t a device setting. It’s a permission setting for apps that are able to install other apps. For example a file manager app. It isn’t possible for Sophos Mobile to check if any third-party app has this permission. The Apps from unknown sources compliance rule is ignored for devices running Android 8.
Android Enterprise: Chrome app enabled in work profiles by default
There’s a known Android issue related to the work profile. Starting with Android 8, the Android internal WebView app isn’t enabled by default. As a result, apps in the work profile that rely on the WebView app may stop working. Google resolved this issue by enabling the Chrome app, which enables the internal WebView app. However, you might not want to allow a browser app in the work profile.
As a workaround, use the App Control configuration of your Sophos Mobile Android Enterprise policy to block the Chrome app.
For more information regarding this issue, see the Google article https://support.google.com/work/android/answer/7506908.
On some Android Enterprise devices, Factory Reset Protection (FRP) can’t be turned on
On some devices capable of Factory Reset Protection (FRP), we’ve noticed an FRP is not supported error when FRP is turned on using Sophos Mobile. This issue isn’t caused by Sophos Mobile.
Enrolling unencrypted Android Enterprise fully managed devices sometimes fails
Normally when you enroll an Android Enterprise fully managed device that is unencrypted, the device is initially encrypted and then enrolled. On some devices (including Samsung devices using Android 6.x or earlier) the process stops after the encryption and the device remains unenrolled.
As a workaround, restart the enrollment after the device was encrypted.
Enrolling Android Enterprise through the Sophos NFC Provisioning app sometimes fails for Chinese
Some devices (e.g. seen on a Samsung Galaxy A3) fail to enroll as an Android Enterprise fully managed device if the language of the Sophos NFC Provisioning app is set to Chinese.
As a workaround, use a different language.
SMC Android app version 9.0 or later required for Samsung devices with Android 10+
Due to changes in the Samsung KNOX SDK, Samsung devices with Android 10.0 or later require Sophos Mobile Control 9.0 or later. Earlier versions of the Sophos Mobile Control app aren’t supported on these devices and might fail.
App Protection and App Control can only control direct interaction through the user interface
Due to technical limitations of the Android platform, the App Protection and App Control features can only prevent direct interaction with an app through its user interface. Users might still be able to interact with a protected app through other apps like Google Assistant or through Android system functionality.
Also note that App Protection can’t stop interaction with an app that runs in multi-window mode, for example split-screen, floating windows, or tiny windows.
For details, see knowledge base article 135017.
iOS and iPadOS
When Safari is restricted via a profile, recommended and required apps can’t be installed via an iTunes link
Installing a recommended or required app via an iTunes link on an iOS device requires the Safari web browser. If Safari is restricted, recommended and required apps can’t be installed via an iTunes link.
Automatic synchronization of the Sophos Mobile Control app against the server doesn’t work reliably
In some cases, the silent trigger sent by the Sophos Mobile server doesn’t result in an automatic background synchronization. The user can synchronize the app manually.
Managed Sophos Secure Workspace loses the management status after an upgrade
This is a rare issue. Sophos Secure Workspace becomes unmanaged after upgrading. This is caused by a problem with the Apple iOS mechanism used for managing the app. The managed settings are lost. Installing the profile again for the device in the Sophos Mobile admin console resolves the problem.
Single App Mode profile changes do not affect the device
Updating an iOS Single App Mode profile doesn’t update all contained settings. The Disable… options are updated correctly. All other options only work on the first installation of the profile. To change these settings you need to remove and reinstall the profile. This is an issue in Apple iOS.
Restricting app removal doesn’t work reliably
On some devices, users are able to uninstall apps even if the Allow app removal restriction is disabled in the iOS device policy. This is an issue in Apple iOS.
Email synchronization is broken with the internal EAS proxy
After upgrading to Sophos Mobile 9.0.2, the iOS Email app can’t synchronize with your mail server if you use the internal EAS proxy. This issue is related to the HTTP/2 protocol that Sophos Mobile 9.0.2 uses. Sophos Mobile 9.5 (like earlier versions) uses HTTP/1.
For more information and a workaround, see knowledge base article 133752.
A "no passcode" compliance violation is reported although a passcode is set on the device
The Password required compliance rule doesn’t work correctly for Windows Phone and Windows 10 Mobile devices if no passcode policy is enforced by Sophos Mobile. The devices don’t report that a passcode is set if the user does this without being forced to by a policy. This is an issue in Windows Phone and Windows 10 Mobile.
A "no encryption" compliance violation is reported although the device is encrypted
The Encryption required compliance rule doesn’t work correctly for Windows Phone and Windows 10 Mobile devices if encryption isn’t enforced by a Sophos Mobile Restrictions policy. The devices don’t report a device to be encrypted if the user does this without being forced to by a policy. This is an issue in Windows Phone and Windows 10 Mobile.
Windows 10 Mobile devices can’t be checked for "Data roaming allowed" compliance rule
On devices that run Windows 10 Mobile, Sophos Mobile can’t check for compliance with the Data roaming allowed rule because the operating system doesn’t provide the Sophos Mobile Control app with the relevant information. When you forbid data roaming, a Windows 10 Mobile device with data roaming enabled is still reported as compliant.
Pages layout corrupted after Sophos Mobile update
Some pages of Sophos Mobile Admin might look corrupted after you’ve updated your installation of Sophos Mobile. To correct this, clear your browser cache and reload the page.
Synchronizing an Android device with an Exchange server
Android devices are automatically enabled through the EAS proxy if the device was enrolled through the Self Service Portal. If an administrator has added the device to Sophos Mobile, it’s required to enter the sAMAccountName value in the respective property of the device details view to make ActiveSync synchronization possible. If devices are registered with an LDAP entry and SSP, this isn’t necessary (this only applies to Microsoft Active Directory). It’s also not necessary if the device's Active Sync ID is already known. That is the case when using Sophos Secure Email or Samsung Knox.
Admin console may look corrupted in Internet Explorer
Internet Explorer may classify the Sophos Mobile Admin console as an intranet site. As a result, compatibility mode is activated by default which results in a corrupted view and erroneous behavior. To turn off this browser feature, clear the Display intranet sites in Compatibility View check box in the Compatibility View settings of Internet Explorer.
Plain Exchange ActiveSync traffic is no longer supported using the internal EAS proxy
Exchange ActiveSync traffic without encryption (SSL/TLS) is no longer supported by the internal EAS proxy.
Customers having Apple Device Enrollment Program can’t be deleted
The deletion of customers with Apple DEP profiles configured fails. To delete those customers, you need to delete the Apple DEP profiles before deleting the customer.
Task bundle tasks for profile removal don’t list the current profile names in some cases
When profiles are renamed, removal tasks may display the profile with the old name.
List of Windows Mobile root certificates may not reflect the actual state
Installing root certificates as part of policies is always reported as successful. You should check the list of installed certificates in the device details.
Empty Windows Mobile policies aren’t correctly listed in the installed policy details
Assigning empty policies to a Windows Mobile device doesn’t correctly update the installed policy details displayed in the web console. Instead, settings of previously applied policies might be shown.
Restricting Copy & Paste on Windows 10 Mobile doesn’t work with all apps
The restriction for Copy & Paste on Windows 10 Mobile doesn’t work for some apps. Those apps still allow Copy & Paste actions.
Detecting deactivated Defender on Windows 10 computers doesn’t work in some cases
In some cases, Windows 10 computers might be reported as compliant even if Windows Defender is disabled. This is because the compliance rule Defender activated can only check if the Defender service is running. It doesn’t check if real-time protection is enabled.
Removing duplicated Android profiles using a task bundle doesn’t work
An Android profile that has been created by using the Duplicate command in an older version of Sophos Mobile can't be removed from devices using a task bundle.
Some Windows 10 devices don’t register correctly for push notifications
Some Windows 10 mobile devices and computers don’t register correctly for the Windows Notification Service (WNS). There is a time out of their push registration after 30 days, and the devices fail to renew the registration automatically. Although the Sophos Mobile server enforces the renewal, some devices send the old, invalid push registration information to the Sophos Mobile server when they re-register. As a result, the Sophos Mobile server can't send push notifications to these devices to synchronize the built-in MDM agent. This is a known issue in Windows 10.
Accurate server time required to set up Android Enterprise
If the system time of your Sophos Mobile server deviates by more than 15 minutes from accurate time, you won’t be able to set up Android Enterprise for your organization using the Managed Google Play Account scenario. This is because the Sophos service that manages Android Enterprise communication classifies the request from your Sophos Mobile server as malicious and rejects it.
Configuring the external directory connection not possible because of Chrome issue (field content disappears)
When configuring the external directory connection, Google Chrome automatically tries to fill in a saved user account. The field content is automatically removed and added again, and it’s not possible to configure the user credentials. Also, when configuring the SMTP tab for the super administrator, saved credentials are automatically inserted.
This issue is caused by a defect in Google Chrome 59. As a workaround, use a different browser to configure the external directory connection or the SMTP settings.
Number of users invited to Apple VPP at the same time is limited
When you invite too many users to the Apple Volume Purchase Program (VPP) at once, Apple might reject further requests for a few minutes. If you are experiencing this issue, please reduce the number of users included in the invitation.
This issue will be fixed in a future version of Sophos Mobile.
Android zero-touch enrollment and Samsung Knox Mobile Enrollment not possible with self-signed certificate
If you use a self-signed SSL/TLS certificate for your Sophos Mobile server, you can’t use Android zero-touch enrollment or Samsung Knox Mobile Enrollment. We suggest you use a certificate issued by a globally trusted certificate authority (CA) instead.
Not possible to save HTML-formatted text
In some cases, you get an error “Text contains forbidden HTML elements” when you try to save SSP enrollment texts or system messages that contain HTML formatting, although the text you’ve entered is valid. This issue is caused by an error in the HTML parser library.
As a workaround, change the font size of underlined text and delete any styling attributes.
Sophos Mobile 9.6 comes with license reporting. For details, see knowledge base article 120127.
You can find technical support for Sophos products in any of these ways:
- Visit the Sophos Community at community.sophos.com/ and search for other users who are experiencing the same problem.
- Visit the Sophos support knowledge base at www.sophos.com/en-us/support.aspx.
- Download the product documentation at www.sophos.com/en-us/support/documentation.aspx.
- Open a ticket with our support team at https://secure2.sophos.com/support/contact-support/support-query.aspx.
Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.