Prenventing unenrollment from Corporate Management in Interceptx for Mobile

Hello everyone ! 

Basically, I'd like to know if there is a way to prevent a user from unenrolling from Corporate Manamgent in Interceptx for Mobile 

Here's the big picture : I'm using it in an Android Enterprise policy, deployed in my environment through a task bundle. 
The device enrollment method is the Managed Google Play Account Scenario (using afw#sophos) . 

Right now, I've already set a restriction to uninstall apps in my Android Enterprise device policy in place, and also one to unenroll from SMC in the general settings. 

Yet, I can't find a way to prevent user from being able to unenroll from Interceptx, either in the mobile defense policy or anywhere else. 

Does anyone know a way to do so ? 

Thanks for your help. 

Malek



Edited TAGs
[edited by: Qoosh at 8:08 PM (GMT -8) on 20 Jan 2023]
Parents
  • Hi Malek,

    Thanks for reaching out to the Sophos Community Forum.

    I was able to get this to work as expected by selecting the following option from Sophos Mobile under "Setup > General > SMC app"

    I enrolled the Intercept X app with Sophos Mobile by applying a Mobile Threat Defense policy to the mobile device in question after it was managed in the SMC portal. Is this the same way you've set your device up?

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hello  , and thanks a lot for your answer. 

    The option in Sophos Mobile under "Setup > General > SMC app" was in deed already activated, but the Intercept X option was still accessible for the user.

    Here's the task bundle followed from the enrollment : 


    The test device used correclty appears as managed and received, and received the MTD policy from the bundle. 

    I enrolled the Intercept X app with Sophos Mobile by applying a Mobile Threat Defense policy to the mobile device in question after it was managed in the SMC portal. Is this the same way you've set your device up?

    I think we've followed the same steps here, didn't we ? Did you apply the MTD in the task bundle too ? Even though I don't think this would change anything...

    I was also wondering : is there a way with Sophos Mobile to prevent the user from changing the parameters from the MTD policy using the Intercept X app ? Because from our tests, it seems that if he decides to launche the app, he can then modify the web reputation parameters for instance. 
    Do you know a way to prevent that ? 

    Again, thank you for your answer. 

    Malek

  • The behaviour I see on my side is much different, though I'm unsure why this may be the case. Could you try applying the MTD policy to the mobile device manually after you have finished enrolling the device? You'll need to remove the "Assign policy > MTD policy" step from your task bundle to test this. I suggest cloning the task bundle.

    You may also want to check if the option to "unenroll" is available from the "Control" app. If you're able to see this option from the IXM app I would expect the Control app will also show the same. 

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks again for your answer  . I'll give it a try and keep you posted in a few days. 

    Regards. 

  • Hey  ! 

    We've followed the same steps you provided (applying the MTD policy to the mobile device manually after you have finished enrolling the device), yet we have the same results : the user can unenroll, and also modify the security policy locally (deactivate the web reputation for instance). 

    Is there a way, through Central Mobile Security, to allow the application to run without the user to access it ? Is that possible with the Application Control feature maybe (even though i think it might just stop Intercept X for Mobile to launch...) ? 

    The idea here is to prevent the user from modifying the security parameters applied through the policy on an Android device, just as the tamper protection would on an endpoint with Sophos Central.  

  • I'd suggest opening a support case so this can be looked into a bit further, since the results we're getting don't quite match up.

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply Children
No Data