What’s new in Sophos Mobile?

I’m pleased to share an update on recent enhancements to Sophos Mobile. Read on for details.

XDR network logging

Customers can now choose to capture network logs from Android and iOS devices. When enabled, devices will upload network traffic details to Sophos Central ready for it to be queried alongside other data points in the Threat Analysis Center. Admins can search for communication with specific sites and correlate information with any other products or data sources in the data lake. Pre-canned queries are available to make it easy to find network connections by IP address, hostname, or app.

See the Central Help document for details on enabling network logging.

Critical Attack Warning Integration

The Critical Attack Warning focuses on detecting attacks on desktops and servers. When Sophos Endpoint identifies a high severity attack in a customer’s environment, an email is sent to all Sophos Central admins notifying them of the threat.

In addition to email, admins will now also receive a notification via the Intercept X for Mobile app on Android and iOS. This helps provide another channel of communication to warn of the threat and encourage customers to take response actions.


These mobile notifications leverage the User Activity Verification feature in Sophos Mobile, so we encourage customers to ensure they have this setting enabled (General Settings > User Activity Verification).

User-less enrolment for Android

Android devices can be enrolled without an assigned user. This can be particularly useful when it comes to managing shared or kiosk devices. Admins can choose to enrol these devices via QR code or Android Zero-Touch. Users can still be assigned to the device after enrolment if needed.

Further information is in the Central Help.

Disable iOS alternative app store installation

Users in the EU will have the ability to install apps from alternative app marketplaces in iOS 17.4 and later. Admins can disable this via a new iOS Restriction policy setting in Sophos Central. The specific setting is called “Allow alternative app marketplace” and will be available in Sophos Central from 4th March 2024.

Enrol Intercept X for Mobile via QR code

Customers now have the option to enrol Intercept X for Mobile via a re-usable QR code. This can be helpful for situations where a device management product is not used to manage the device and deploy apps remotely. Customers can take the Connection Code value from the ‘Intercept X auto-enrollment’ tab (Mobile> Setup> Sophos Setup) and create a QR code. This code can then be scanned to enrol the Intercept X for Mobile app. Users can still be assigned to the device after enrolment if needed.

Sophos Container apps (Secure Email, Secure Workspace) end-of-life

A reminder that the Sophos Secure Email and Sophos Secure Workspace apps reached end-of-life in December 2023. The apps are now unsupported and will be removed from the Google and Apple app stores.  

Any documents uploaded to Sophos Central as part of Sophos Secure Workspace’s document-sharing feature will soon be deleted. Customers that require these documents should export them from the Documents section of the Sophos Mobile admin console.

We encourage any remaining customers still using the apps to transition to the native functionality of the Android Work Profile and iOS User Enrolment management modes. Please see this article for details on the steps involved.

New flow for setting up Google accounts – April 2024

Managing Android devices requires a connection between Sophos Mobile and a customer’s Google account. Google is rolling out a new process for configuring this integration. From April, new customers will be prompted to specify a work email address rather than a dedicated Gmail address during setup, and customers no longer choose whether to use Managed Google Play or Managed Domain. We’ll provide more details on this topic nearer the time.