Sophos Mobile 9.5 - Web Filtering for Chromebooks and more

Sophos has released version 9.5 of Sophos Mobile, and for the first time Chrome OS is officially supported as a platform. The Android Enterprise device management has also been refined, and the name Intercept X now appears in Sophos’ mobile applications.

Info: The on-premises release of version 9.5 is already available, while Central customers still have to wait a little longer. The global rollout was initially planned for December 9, but I have heard it might slip to January 2020.

WCAG 2.1 compatible

Even though the layout of Sophos Mobile hasn’t changed much, the interface is now WCAG 2.1 compliant. This means that visually impaired users can operate the software much better. Sophos Mobile 9.5 has undergone accessibility testing and can now be comfortably used with screen readers.

Chromebook Security Management

With version 9.5, Sophos Mobile now supports the Chrome OS platform. To manage these devices, Sophos focused first on security management rather than Chromebook management. Google already offers a G Suite solution for Chromebook administration. This suite is even free for education customers, which is why Chromebooks are so popular in schools. In the corporate world, however, you need a license.

Because Google already provides a management solution, Sophos wanted to tackle a missing feature first: web filtering.

The “G Suite” also exposes APIs that make later integration of Chromebook management into Sophos Mobile very realistic.

To equip a Chromebook with Sophos Mobile web filtering, you need the Sophos Chrome Security extension from the Chrome Web Store. Once the Chromebook is successfully enrolled in Sophos Mobile, the usual 14 web filter categories are available in the policies, and you can build white- and blacklists.

If you are running Sophos Firewall and Sophos Central together, you already know the problem: the firewall’s web filter settings are not synchronized with the Central endpoint settings. If you want to protect laptops or mobile devices outside the network, you must configure web filtering separately for each platform. Sophos appears to be working on the ability to push firewall rules to computers, Chromebooks, and mobile devices in the future. 🥳

In addition to web filtering, there are now a few compliance rules so that Chromebooks comply with corporate policies. A highlight is the built-in “Tamper Protection”. Chrome extensions are JavaScript-based and are not fully isolated from one another. It would be possible to craft an extension that disables the “Sophos Chrome Security” extension. Tamper Protection runs on the Chromebook and regularly checks whether the Sophos extension still has the required permissions. Another rule can control which extensions may or may not be installed. You can even require that only extensions from the Google Play Store are allowed.

Android Enterprise – QR Code Enrollment

If you deploy Android Enterprise, there is a new distribution method called QR Code Enrollment, designed for “Fully Managed Devices.” You generate a QR code in Sophos Mobile that is no longer tied to a specific device or user and can be reused for any new enrollment.

QR Code Enrollment is very convenient and, unlike Zero-Touch enrollment, allows you to embed WLAN settings directly. Users no longer have to ask for the Wi-Fi password afterward. To use QR Code Enrollment, you just need an Android smartphone with a camera; you don’t need to pay attention to special hardware as with Zero-Touch Enrollment.

Once you have generated a QR code, you can print it out to streamline the rollout of new devices. In the future, employees simply unpack the phone, power it up, and scan the QR code. The device configures itself fully, and the user only needs to enter their username and password. This creates a near-autonomous process that even the employee can trigger. You can copy the QR code into an email and send it with a short instruction. Unboxing and scanning the QR code is so easy that no trained mobile administrator is required.
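
A reusable QR code that is printed or emailed exposes whatever it carries, so it is worth reading the payload before distributing it. The following is an added example, not code from the original post or from Sophos: it audits a decoded payload, assuming the code uses the standard Android Enterprise QR provisioning JSON keys. The sample payload, component name, URL and values are constructed.

```python
import json

# Standard Android Enterprise QR provisioning keys share this prefix.
P = "android.app.extra.PROVISIONING_"

def audit_qr_payload(text):
    """Return (severity, message) findings for a decoded QR payload."""
    payload = json.loads(text)
    findings = []
    ssid = payload.get(P + "WIFI_SSID")
    if ssid is not None:
        # An absent security type is treated here as an open network.
        sec = str(payload.get(P + "WIFI_SECURITY_TYPE", "NONE")).upper()
        if payload.get(P + "WIFI_PASSWORD"):
            findings.append(("high", f"Wi-Fi password for {ssid!r} is "
                             "readable by anyone who holds the code"))
        if sec in ("NONE", "WEP"):
            findings.append(("high", f"Wi-Fi security type {sec} is open or broken"))
    url = payload.get(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION")
    if url is not None:
        if not url.lower().startswith("https://"):
            findings.append(("high", "management app is fetched without HTTPS"))
        if not (payload.get(P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM")
                or payload.get(P + "DEVICE_ADMIN_PACKAGE_CHECKSUM")):
            findings.append(("high", "download is not pinned by a checksum"))
    extras = payload.get(P + "ADMIN_EXTRAS_BUNDLE") or {}
    if extras:
        findings.append(("info", "review extras bundle fields: "
                         + ", ".join(sorted(extras))))
    return findings

# Constructed sample; the component name, URL and values are placeholders.
SAMPLE = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.dpc/.AdminReceiver",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "http://mdm.example.com/dpc.apk",
    P + "WIFI_SSID": "Corp-Onboarding",
    P + "WIFI_SECURITY_TYPE": "WPA",
    P + "WIFI_PASSWORD": "constructed-passphrase",
    P + "ADMIN_EXTRAS_BUNDLE": {"enrollment_token": "PLACEHOLDER"},
})

if __name__ == "__main__":
    for severity, message in audit_qr_payload(SAMPLE):
        print(f"[{severity}] {message}")
```

If the audit reports an embedded Wi-Fi password, a dedicated onboarding SSID with limited reach keeps a leaked printout from exposing the production network.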

Android Enterprise – App Management

Adding new apps from the Google Play Store to your allowed catalog is now very convenient through an iFrame in version 9.5. Previously, this required a cumbersome process through “Google Play for Work.” You can now also add custom APKs developed for your company via the iFrame. In addition to Play Store apps or private APKs, it is now possible to include “Web Apps” in the catalog. If you want to place shortcuts to specific websites on an employee’s Android home screen, that’s now supported as well.

Intercept X for Mobile

Intercept X for Mobile is not a new app but a rebranding of the former “Sophos Mobile Security” app. Sophos plans to gather all endpoint protection solutions under the Intercept X brand, regardless of platform—Windows, macOS, servers, or mobile devices.

Along with the new name, a complete rebranding took place. The app’s UI was redesigned, and a new unified design language was introduced. This refreshed visual style will appear across Sophos agents on all platforms.

Just like the Sophos Mobile 9.5 interface, the new Intercept X for Mobile app also follows WCAG guidelines. This means users with poor eyesight can now navigate it without problems. Sophos also updated their “Malware Detection” engine for Android, touching both the traditional signature-based engine and new machine learning models.

Sophos Secure Email improvements

The “Sophos Secure Email App” received a small update:

  • iOS & Android: Favorite folders – up to 10 folders sync automatically.
  • iOS: Contacts can now be saved as favorites.
  • iOS: Calendar entries can now be forwarded.
  • iOS: Documents scanned with the camera can be attached to emails.

Additional improvements

I didn’t cover every feature in detail in this post. Here is a list of the remaining improvements that don’t require much explanation:

  • Added support for Android 10
  • Added support for iOS 13
  • Added support for macOS 10.15
  • Added Windows Server 2019 as a Certification Authority server
  • Added support for Samsung OEM Config
  • New report: locate multiple devices, e.g., kiosk devices
  • Remote log level configuration is now possible
  • Log files can now be pulled remotely from the device

Removed features in Mobile 9.5

Finally, there are three platforms that are no longer supported in this release. Microsoft has already discontinued support for Windows Phone 8.1 on its own schedule:

  • Management support for Android Things and Windows 10 IoT
  • Support for Windows Phone 8.1 (devices remain visible)

David