Prenventing unenrollment from Corporate Management in Interceptx for Mobile

Hi Malek,

Thanks for reaching out to the Sophos Community Forum.

I was able to get this to work as expected by selecting the following option from Sophos Mobile under "Setup > General > SMC app"

I enrolled the Intercept X app with Sophos Mobile by applying a Mobile Threat Defense policy to the mobile device in question after it was managed in the SMC portal. Is this the same way you've set your device up?

Hello Qoosh , and thanks a lot for your answer. 

The option in Sophos Mobile under "Setup > General > SMC app" was in deed already activated, but the Intercept X option was still accessible for the user.

Here's the task bundle followed from the enrollment : 

The test device used correclty appears as managed and received, and received the MTD policy from the bundle. 

Qoosh said:

I enrolled the Intercept X app with Sophos Mobile by applying a Mobile Threat Defense policy to the mobile device in question after it was managed in the SMC portal. Is this the same way you've set your device up?

I think we've followed the same steps here, didn't we ? Did you apply the MTD in the task bundle too ? Even though I don't think this would change anything...

I was also wondering : is there a way with Sophos Mobile to prevent the user from changing the parameters from the MTD policy using the Intercept X app ? Because from our tests, it seems that if he decides to launche the app, he can then modify the web reputation parameters for instance. 
Do you know a way to prevent that ? 

Again, thank you for your answer. 

Malek

The behaviour I see on my side is much different, though I'm unsure why this may be the case. Could you try applying the MTD policy to the mobile device manually after you have finished enrolling the device? You'll need to remove the "Assign policy > MTD policy" step from your task bundle to test this. I suggest cloning the task bundle.

You may also want to check if the option to "unenroll" is available from the "Control" app. If you're able to see this option from the IXM app I would expect the Control app will also show the same. 

Thanks again for your answer Qoosh . I'll give it a try and keep you posted in a few days. 

Regards. 

Hey Qoosh ! 

We've followed the same steps you provided (applying the MTD policy to the mobile device manually after you have finished enrolling the device), yet we have the same results : the user can unenroll, and also modify the security policy locally (deactivate the web reputation for instance). 

Is there a way, through Central Mobile Security, to allow the application to run without the user to access it ? Is that possible with the Application Control feature maybe (even though i think it might just stop Intercept X for Mobile to launch...) ? 

The idea here is to prevent the user from modifying the security parameters applied through the policy on an Android device, just as the tamper protection would on an endpoint with Sophos Central.  

I'd suggest opening a support case so this can be looked into a bit further, since the results we're getting don't quite match up.

I'd suggest opening a support case so this can be looked into a bit further, since the results we're getting don't quite match up.