Deploy Intercept X for Mobile through VMware Workspace ONE

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

 

Intercept X for Mobile can be deployed through third-party device management products. This article provides an overview of the steps involved in deploying Sophos Intercept X through VMware Workspace ONE.

The key steps involved are:

  1. Generate a connection code in Sophos Central
  2. In Workspace ONE, use app configuration settings to deploy the Intercept X app to Android and iOS devices
  3. Complete the installation on end user devices

 Prerequisites:

  • This guide assumes VMware Workspace ONE UEM is used to manage Android and iOS devices
  • Android devices must be managed with Android Enterprise (Fully Managed or Work Profile)
  • iOS devices must be managed, and it is recommended that they are in supervised mode

 

Generate a connection code in Sophos Central

  • Log in to Sophos Central and navigate to the Mobile section

  • Click on Sophos setup and select the ‘Third-party EMM’ tab. Click ‘Generate connection code’. A code is generated, and we will use this later in the Workspace ONE console.

 

  

Deploy Intercept X for Mobile through Workspace ONE

  • Log in to the Workspace ONE UEM console

 

Android app

  • First we will deploy the Intercept X Android app. Navigate to the section Apps & Books > Native > Public and click ‘Add Application’

 

  • Select the platform as Android and enter the name as Intercept X

 

  • Select Intercept X from the Play Store and approve the app

 

  • Configure any desired settings (e.g. the app category) and click ‘Save & Assign’

  • In the ‘Distribution’ tab, use ‘Assignment Groups’ to select devices that should have the Intercept X app installed. Select ‘Auto’ for the 'App Delivery Method' and the Intercept X app will automatically be installed on the selected devices.

 

  • In the ‘Application Configuration’ section, enable ‘Send Configuration’ and add the configuration values.
    • The ‘Connection code’ is the code we generated earlier in the Sophos Mobile console
    • The other configuration values are detailed in our Help Documentation

 

  • Click ‘Create’ – the Intercept X app is shown in the apps list and will be deployed to the devices that were selected in 'Assignment Groups'

 

 

iOS app

  • Now we add the Intercept X iOS app. Navigate to the section Apps & Books > Native > Public and click ‘Add Application’

 

  • Select the platform as Apple iOS and name as Intercept X

  • Select Intercept X from the Apple Store 

  • Configure any desired settings (e.g. the app category) and click ‘Save & Assign’

  • In the ‘Distribution’ tab, use ‘Assignment Groups’ to select devices that should have the Intercept X app installed – select ‘Auto’ for the 'App Delivery Method' and the Intercept X app will automatically be installed on user devices

  • In the ‘Application Configuration’ section, enable ‘Send Configuration’ and add the configuration keys and values.
    • The ‘Connection code’ is the code we generated earlier in the Sophos Mobile console
    • The other configuration values are detailed in our Help Documentation

 

  • Click 'Create', followed by 'Save' and then 'Publish'

 

  • The Intercept X iOS app is shown in the app list and will be installed on the devices that were selected in 'Assignment Groups'

Complete the installation on end user devices

  • If you selected ‘Auto’ as the app delivery method, the app will have been installed automatically on end user devices
    • Note - after the Intercept X app has been installed on devices, the device will not be registered with Sophos Central until the user has opened the app and accepted the permissions required to enable protection capabilities
  • Open the Intercept X app on Android and iOS devices and accept the requested permissions

 

  • Devices protected by Intercept X are now visible in the Sophos Central console



Updated the disclaimer.
[edited by: Gladys at 5:09 AM (GMT -7) on 6 Apr 2023]
  • Hello!  The Sophos technical support team advised they can't assist with the information of the "Default Scheme" value for Intercept X deployment for a 3rd party MDM like VMware Workspace ONE. I did not see the Default Scheme value throughout this community article or in the "Use Sophos Intercept X for Mobile with third-party EMM software" article. Can anyone please assist? We have followed directions but the final install fails. We are deploying Sophos Intercept X to iPads via VMware Workspace ONE (AirWatch).

    A VMware article states:

    Public/Purchased applications – Public apps are only available as on-demand, recommended apps. They are not considered containerized and do not support SSO, branding, console commands, or updated badges.

    • These apps can be installed from the AirWatch Container springboard if a Default Scheme is included in the application information in the UEM console. If the Default Scheme is not included in the application information, the app will be available in the App Catalog.
    • To review an application's Default Scheme, navigate to Apps & Books > List View. From the Actions menu, select Edit
    • If no default scheme populates in the application information, then contact the appropriate vendor for that information.
    • Note: Irrespective of the default scheme applied or not, the internal applications and public applications (other than Workspace ONE UEM applications) do not reside inside Container but will be seen on the device screen and App Catalog.
  • Hi

    That article seems to be referring to an app's Custom URL scheme, but the URL scheme is not relevant for app installation. Therefore I suspect something else is causing the install to fail. Please could you share any further details regarding what you are seeing? You could put it here or in the Support Ticket and we can discuss further that way.

    Regards

    Tom

  • Hi Tom,

    Thanks for the reply! I had to send a private message to you as it seems this community article comment section would only allow me to provide screenshots if they had a URL.

  • Hello,

    I'm currently intensively testing the integration with WSO and it seems to work quite easily, but I have a few questions:

    1) MTD rule applied

    When enrolment is done, Sophos InterceptX Mobile is successfully deployed to the device. Then I have to open the app and from there a message told me the device is enrolled into Mobile Control (I confirm)... but the MTD rule is not yet deployed. From the Sophos Mobile side, I have no message or status telling me the rules are not applied, do you confirm? The status I have is Managed = Managed

    To make it work, I have to close Sophos InterceptX Mobile and reopen it. From there a new popup appears and I need to install a new configuration profile (from a user experience, it's not really nice because it is a kind of "new enrolment"). From there, my security rules are applied.

    2) Unenroll the device

    Now I want to unenroll my device from Workspace One. I'm using the official way to "enterprise wipe" the device and the process ended correctly, except my Sophos InterceptX Mobile app is still there and security rules too. Sophos Mobile Security profile is still installed.

    So I'm going now to Sophos Mobile, the status is still "management mode = Mobile Threat defense" and Managed = managed.

    I select an action for the device = Unenroll and I receive on the device a message saying "Device successfully Unenrolled"... but my security profile is still present.

    Regarding my security rules, they are deactivated. Is it normal that my security profile remains installed? Is it normal to have the Sophos InterceptX Mobile app still installed on the device (even if the rules are deactivated)?


    On Sophos Mobile, the status of the device is Management mode = not managed and Managed = Unenrolled

    And a last question: in terms of reporting, do we have the possibility to see the user activity (when a filter blocks something, etc.)?

    Thanks for your feedback.

    Jullll

  • Hello 

    Thanks for getting in touch. It sounds like you are using iOS devices? If so, the Intercept X configuration profile can be deployed via Workspace One which removes the need for the user to download it. Please see this page https://docs.sophos.com/central/Mobile/help/en-us/AdminHelp/MTDWithIXM/AutomateProfileInstallation/index.html 

    For the 2nd point, please could you raise a Support Ticket so the team can take a look at what you are seeing.

    thanks

    Tom

  • Hello Tom, 

    I was a bit long to answer but it was due to intensive testing.

    So all my points are solved. Technically it works fine and on the user experience side it is much better. Thanks for your link, it allowed me to integrate the mobile provision file into my managed profiles (I had to trick the file a bit, but in the end it is working well).

    Appreciate your help.

    Have a great day!