Sophos Mobile 6
by: Sven Berger | 28 April 2016
Sophos Mobile
Product Matrix, June 2016
| Feature | Sophos Mobile Control Advanced | Sophos Mobile Control Standard | Sophos Central Mobile | Sophos Central Mobile Security |
|---|---|---|---|---|
| Deployment method | SaaS or on-premise | SaaS or on-premise | via Sophos Central | via Sophos Central |
| Management console | Dedicated console | Dedicated console | via Sophos Central | via Sophos Central |
| Reports | Extensive | Extensive | Limited | Limited |
| Dashboard | Advanced | Advanced | Basic | Basic |
Mobile Device Management |
||||
| Profiles and policies | Extended | Extended | Basic | AV only |
| Certificate support | Root, client, SCEP | Root, client, SCEP | ||
| Inventory tracking | Advanced | Advanced | Basic | Basic |
| iOS device support | ||||
| Android device support | ||||
| Windows 10 Mobile device support | ||||
| Windows 10 Desktop device support | ||||
Mobile Application Management |
||||
| Enterprise App Store | ||||
| Deliver apps | ||||
| Apple VPP support | ||||
| Apple DEP support | ||||
| View installed apps per device | ||||
| Whitelisting and blacklisting | ||||
| Samsung KNOX Workspace | ||||
| App Management SDK | ||||
Mobile Content Management |
||||
| Secure document publishing | ||||
| Secure document collaboration | ||||
| Text and PDF editing | ||||
| File encryption for cloud storage | ||||
| Containerized Corporate Browser | ||||
Mobile Email Management |
||||
| Remote email configuration | ||||
| Containerized Secure Email | ||||
| Email Gateway | ||||
BYOD support |
||||
| Self Service Portal | ||||
| Display editable use policy | ||||
| Track ownership | ||||
For more information, please see the full feature matrix.
Sophos Mobile Control
Feature Matrix, June 2016
| Apple iOS | Android | ||
|---|---|---|---|
Server |
|||
Device compliance rules |
|||
| Group-based compliance rules | |||
| Jailbreak or rooting detection | |||
| Minimum or maximum OS version required | |||
| Last synchronization of the device | |||
| Last synchronization of the Sophos app | |||
| Sideloading of apps | |||
Inventory and device information |
|||
| User and device based inventory | |||
| Automatic device model detection | |||
| Automatic OS version detection | |||
| Management state | |||
| Compliance state | |||
| Device user | |||
| Enrollment date | |||
| Last check in | |||
Device enrollment |
|||
| By email with either QR code, link or server information | |||
| Automatic assignment of policies based on user directory group membership | |||
Devices |
|||
SMC app functionality |
|||
| Device enrollment via QR code | |||
| Show compliance violations | |||
| Trigger device check-in | |||
Device commands |
|||
| Check-in (request the device to sync with Sophos Cloud) | |||
| Password reset | |||
| Device Wipe | |||
| Device Lock | |||
| Company Wipe and delete (removal of all profiles and data associated with it) | |||
| Locate | |||
Password settings |
|||
| Password complexity (none, PIN, alphabetic, complex) | |||
| Minimum length of the password | |||
| Inactivity time (time in minutes before the password is requested) | |||
| Maximum number of attempts before the device is reset | |||
| Minimum length of the password | |||
| Maximum password age (expiration) | |||
Restrictions |
|||
| Disable App Store | 1, 2, 3 | ||
| Disable camera | |||
| Block taking screenshots | 1 | ||
| Disable native browser | 1, 2, 3 | ||
| Disable sending diagnostic data on app crashes | 1, 2, 3 | ||
| Disable iCloud backup | |||
| Disable TouchID to unlock | |||
| Disable sharing docs from managed to unmanaged accounts or apps | |||
| Disable sharing docs from unmanaged to managed accounts or apps | |||
| Hide control center on the lock screen (e.g. Wi-Fi, volume, Bluetooth,...) | |||
| Hide notifications on the lock screen (e.g. SMS, email, calls,...) | |||
Exchange e-mail configuration |
|||
| Configure Microsoft Exchange settings | 1, 2, 3 | ||
| Generic account and user account | 1, 2, 3 | ||
Wi-Fi configuration |
|||
| Configure Wi-Fi settings (WEP, WPA, WPA2) | |||
| Connect automatically | |||
| Support hidden networks | |||
| Support proxy configuration | |||
1) requires Samsung SAFE v2 or higher compatible devices
2) requires LG Gate compatible phones
3) requires Sony Enterprise API compatible phones
Sophos Mobile Control 6.0
Feature Matrix 12/2015
| Apple iOS | Android | Windows 10 Mobile | |
|---|---|---|---|
Server |
|||
Admin User Interface |
|||
| Easy-to-use web interface | |||
| Flexible Dashboard with 18 different widgets | |||
| Flexible filter mechanism | |||
| Role-based access | |||
| Multitenancy | |||
| Communication from superadmin to all tenants (administration and SSP UI) | |||
| Sophos technical notifications | |||
| Sending of text messages (via APNS, GCM, Baidu, MPNS) | |||
Self Service Portal |
|||
| Register new device | |||
| Device wipe | |||
| Device lock | |||
| Device locate | |||
| Passcode reset for Device, App Protection (Android), Sophos Container (iOS, Android) | |||
| Trigger device check-in | |||
| Decommission device from management (incl. corporate wipe on iOS, Samsung SAFE, Windows 10 Mobile) | 5 | ||
| Delete decommissioned device from inventory | |||
| Monitor device status and compliance information | |||
| Show acceptable use policy with new device registration | |||
| Display post-enrollment message | |||
| Control registration by OS type | |||
| Configure maximum number of devices per user | |||
| Company specific configuration of commands available to users | |||
User Directory and Management |
|||
| Comprehensive password policies | |||
| Password recovery by the user | |||
| Internal user directory including batch upload capability | |||
| Microsoft Active Directory integration | |||
| Novell eDirectory integration | |||
| Lotus Notes Directory integration | |||
| Red Hat Directory integration | |||
| Zimbra Directory integration | |||
Device compliance enforcement rules |
|||
| Group assignment or ownership-based compliance rules | |||
| Compliance violations analytics | |||
| Device under management | |||
| Jailbreak or rooting detection | |||
| Encryption required | |||
| Passcode required | |||
| Minimum OS version required | |||
| Maximum OS version allowed | |||
| Last synchronization of the device | |||
| Last synchronization of the SMC app | |||
| Blacklisted apps | |||
| Whitelisted apps | |||
| Mandatory apps | |||
| Block installation from unknown sources (sideloading) | |||
| Data roaming setting | |||
| USB debugging setting | |||
| SMC client version | |||
| Malware detection | 4 | ||
| Suspicious apps detection | 4 | ||
| Potentially unwanted apps detection | 4 | ||
| Last malware scan | 4 | ||
| Locate for SMC app enabled | |||
Security |
|||
| Encrypted connection to web interface | |||
| Encrypted communication with devices | |||
| Control email access by compliance state (Exchange gateway) | |||
| 2FA device authentication at Exchange gateway (password, certificate) | |||
| Control network access by compliance state (Generic NAC interface, Sophos UTM, Cisco ISE, Checkpoint) | |||
| USSD code protection (e.g. *#2314#) | 4 | ||
| SPAM protection (call, SMS, MMS) | 4 | ||
| Protection from malicious websites (web filtering) | 4 | ||
| Protect corporate apps with additional authentication (App Protection) | 4 | ||
| Web productivity filtering by 14 categories + allow/deny lists by IP address, DNS name and IP range | 4 | ||
Inventory |
|||
| Device groups | |||
| User oriented view on devices | |||
| Automatic transfer of unique device ID (IMEI, MEID, UDID) and further device data | |||
| Automatic OS version detection | |||
| Automatic device model resolution into a user friendly name | |||
| Marker for company-owned and privately-owned devices | |||
| Customer defined device properties with template support | |||
| Import/export of device information | |||
Provisioning / Device enrollment |
|||
| Device enrollment wizard for admins | |||
| By email | |||
| Online registration from the device | |||
| Bulk provisioning (by email) | |||
| Apple Configurator deployment | |||
| Definition of standard rollout packages | |||
| Automatic assignment of initial policies and groups based on user directory group membership | |||
Task management |
|||
| Scheduled task generation | |||
| Tasks can be generated for single devices or groups | |||
| Detailed status tracking for each task | |||
| Intelligent strategies for task repetition | |||
Reporting |
|||
| Inventory export with applied filters | |||
| Export of all tables in the system as XLS or CSV | |||
| Malware reports (2 different kinds) | |||
| Compliance log of all administrator activities in all customers | |||
| Compliance violation reports (2 different kinds) | |||
| Device reports (8 different kinds) | |||
| App reports (6 different kinds) | |||
Programming interface (API) |
|||
| Web service (REST) API for device information and provisioning from 3rd party systems | |||
Devices |
|||
SMC app functionality |
|||
| Enterprise App Store (required and recommended apps) | |||
| Show compliance violations | |||
| Show server messages | |||
| Show technical contact | |||
| Trigger device synchronization | |||
Mobile application management |
|||
| Installing apps (with or without user interaction, including managed apps on iOS) | |||
| Uninstalling apps (with or without user interaction) | |||
| List of all installed apps | |||
| Support for Apple Volume Purchasing Program (VPP) | |||
| Allow/forbid installation of apps | |||
| Block app uninstallation | 5, 15, 16 | ||
| Remote configuration of company apps (managed settings) | |||
| Block specific apps from running (app blocker) | |||
Security |
|||
| Jailbreak (iOS)/Rooting (Android) detection | |||
| Tamper detection | |||
| Anti-theft protection: remote wipe | |||
| Anti-theft protection: remote lock | |||
| Anti-theft protection: device locate | |||
| Enforce password strength and complexity | |||
| Inactivity time (time in minutes before the password is requested) | |||
| Maximum number of attempts before the device is reset | |||
| Minimum length of the password | |||
| Password history | |||
| Password expiration time | |||
| Minimum number of lower/upper case, non-letter or symbol characters in the passcode | |||
| Passcode reset (unlock)/administrator defines new passcode | |||
| Activation Lock bypass | 11 | ||
| Activation of storage encryption | 3 | ||
| Access to the memory card can be prohibited | |||
| Activation/deactivation of device data encryption | |||
| Blocking installation from unknown sources (sideloading) | 5 | ||
| Blocking of Wi-Fi | 11 | 5 | |
| Blocking of Bluetooth | 5 | ||
| Blocking of data transfer via Bluetooth | 13 | ||
| Blocking of data transfer via NFC | 13 | ||
| Blocking of USB connections | |||
| Blocking of camera | 5, 7 | ||
| Protection of settings against modification/removal by the user | |||
| Allow/forbid use of iTunes Store / Google Play / Windows Store | 5 | ||
| Allow/forbid use of YouTube app | |||
| Allow/forbid use of Browser | 5 | ||
| Allow/forbid explicit content | |||
| Allow/forbid camera on lock screen | 7 | ||
| Allow/forbid widgets on lock screen | 7 | ||
| Prevent email forwarding | |||
| S/MIME enforcement | |||
| Allow/forbid 3rd party app usage of email | |||
| Allow/forbid iCloud autosync | |||
| Allow/forbid to send crash data to Apple / Google / Samsung / Microsoft (Telemetry) | 5 | ||
| Allow/forbid certificates from untrusted sources | |||
| Allow/forbid Wi-Fi auto-connect | |||
| Allow/forbid shared photo stream | |||
| Allow/forbid Passbook on lock screen | |||
| Allow/forbid device act as hotspot | |||
| Configuration of profile lifetime | |||
| Allow/forbid recent contacts to sync | |||
| Allow/forbid Siri (iOS) or Cortana (Microsoft) | |||
| Allow/forbid Siri querying content from the web | 11 | ||
| Support for SCEP certificate provisioning | |||
| Allow/forbid "Open with…" functionality to share data between managed and unmanaged apps | |||
| Allow/forbid fingerprint reader (Touch ID) to unlock device | |||
| Allow/forbid account modification | 11 | ||
| Allow/forbid modification of cellular data usage per app | 11 | ||
| Allow/forbid Control Center on lock screen | |||
| Allow/forbid Notification Center on lock screen | |||
| Allow/forbid Today view on lock screen | |||
| Allow/forbid over-the-air PKI updates | |||
| Allow/forbid Find My Friends modification | 11 | ||
| Allow/forbid host pairing | 11 | ||
| Allow/forbid AirDrop | 11 | ||
| Allow/forbid single app mode (app lock or kiosk mode) | 11 | ||
| Allow/forbid iBooks store | |||
| Allow/forbid explicit sexual content in iBooks store | |||
| Allow/forbid iMessage | |||
| Allow/forbid user to reset the device | |||
| Allow/forbid device unenrollment from MDM management | 5, 15, 16 | ||
| Allow/forbid user to create screenshots | |||
| Allow/forbid user to use copy/paste | |||
| Filter access to web sites (blacklisting) or whitelist web sites with bookmarks | 11 | ||
| Block OS upgrade | 5 | ||
Device configuration |
|||
| Microsoft Exchange settings for email | 5, 15, 16 | ||
| IMAP or POP settings for email | |||
| LDAP and CalDAV settings | |||
| Configuration of access points | |||
| Proxy settings | |||
| Wi-Fi settings | |||
| VPN settings | 5 | ||
| Install root certificates | 13 | ||
| Install client certificates | |||
| Per app VPN | 10 | ||
| Single sign on (SSO) for 3rd party apps (app protection) and company webpages (iOS 7 and higher) | 10 | ||
| Distribution of bookmarks | |||
| Automatically receive Wi-Fi and VPN settings from Sophos UTM appliances | |||
| Samsung KNOX: Container handling (create, lock, decommission) | 13 | ||
| Samsung KNOX: Configure Restrictions | 13 | ||
| Samsung KNOX: Configure Exchange | 13 | ||
| Samsung KNOX: Container Password | 13 | ||
| Managed domains | 14 | ||
Device information |
|||
| Internal memory utilization (free/used) | |||
| Battery charge level | |||
| IMSI (unique identification number) of SIM card | |||
| Currently used cellular network | |||
| Roaming mode | |||
| OS version | |||
| List of installed profiles | |||
| List of installed certificates | |||
| Malware detected on device | 4 | ||
| Remote screen sharing (requires AirPlay device) | 10 | ||
Corporate Browser (with Sophos Secure Workspace) |
|||
| Browsing restricted to predefined corporate domains | 4 | 4 | |
| Preconfigured corporate bookmarks | 4 | 4 | |
| Password manager | 4 | 4 | |
| Client or user certificates to authenticate against corporate websites | 4 | 4 | |
| Root certificates | 4 | 4 | |
| Restricted cut, copy and paste | 4 | 4 | |
Mobile Content Management (with Sophos Secure Workspace) |
|||
| Publish documents from SMC server | 4 | 4 | |
| Content storage: Dropbox | 4 | 4 | |
| Content storage: Google Drive | 4 | 4 | |
| Content storage: Microsoft OneDrive | 4 | 4 | |
| Content storage: Telekom Mediacenter | 4 | 4 | |
| Content storage: Egnyte | 4 | 4 | |
| Content storage: OwnCloud | 4 | 4 | |
| Content storage: WebDAV (like Windows Server, Strato Hi-Drive, …) | 4 | 4 | |
| User authentication | 4 | 4 | |
| FIPS 140-2 encryption with AES256 | 4 | 4 | |
| DLP setting: Allow offline viewing | 4 | 4 | |
| DLP setting: Allow copy to clipboard | 4 | 4 | |
| DLP setting: Allow e-mailing in encrypted form | 4 | 4 | |
| DLP setting: Allow "open with" unencrypted, including e-mailing unencrypted | 4 | 4 | |
| Add files from mail or download to content app | 4 | 4 | |
| Select existing encryption key or create new user key | 4 | 4 | |
| Integrated with SafeGuard Cloud Storage | 4 | 4 | |
| Lock access on non-compliant devices | 4 | 4 | |
| Request call home time-based or by unlock count | 4 | 4 | |
| Create or edit text files | 4 | 4 | |
| Annotate PDF files | 4 | 4 | |
| Fill PDF forms | 4 | 4 | |
| Unlock app via fingerprint reader | 4 | ||
Secure Email (with Sophos Secure Email) |
|||
| Exchange email | 4 | 4 | |
| Exchange contacts | 4 | 4 | |
| Exchange calendar | 4 | 4 | |
| Geo-fencing | 4 | 4 | |
| Time-fencing | 4 | 4 | |
| Wi-Fi fencing | 4 | 4 | |
| Control cut and copy | 4 | 4 | |
| Show event details | 4 | 4 | |
| Export contacts to device | |||
Mobile SDK (to be embedded in apps) |
|||
| App expiration date | 4 | 4 | |
| App embedded EULA | 4 | 4 | |
| App password (with SSO across all SDK enabled apps) | 4 | 4 | |
| Geo-fencing of the app | 4 | 4 | |
| Time-fencing of the app | 4 | 4 | |
| Block app start on jailbroken or rooted devices | 4 | 4 | |
| Make Wi-Fi network mandatory for app usage | 4 | 4 | |
| Make available corporate Wi-Fi mandatory for app usage | 4 | 4 | |
Telecom Cost Control |
|||
| Disable data while roaming | 5 | ||
| Disable voice while roaming | 5 | ||
| Disable sync while roaming | 5 | ||
3) By setting a pin or passcode
4) If SMC Advanced is licensed
5) Requires a Samsung SAFE compatible device and optionally an installation of the SAFE plugin
7) Requires Android 4 or higher
11) Requires a supervised device
13) Samsung KNOX V2.1 or higher
14) Requires iOS 8 or higher
15) Requires LG GATE enabled device
16) Requires a Sony extended MDM API enabled device