SMC cant see SSE

The worst thing is, this whole Container topic isn't described anywhere. Neither in the install doc, startup guide, super admin guide, deployment guide.. Nowhere.. Except the amazing description:

Sophos Secure Email
Sophos Secure Email is an app for Android and iOS devices that provides a secure container for managing your email, calendar and contacts. All data is encrypted and is protected from third-party
access.

Sounds great, isn't it? :)

For what I have figured out myself (Currently testing SMC with trial license, so I have also the Advanced options) you need to create a new policy of the type Sophos Container Policy under Profiles, policies. 
There you can add a configuration called Corporate Email.
You can deploy it with a new (Or your default) task bundle.

So far, I think I'm on the right path. Except I can't get it to work either. Tested on multiple devices (Sony, Samsung) with different OS versions, connected via mobile data or WiFi.

After starting, I also get the message that it needs to be managed by Sophos Mobile Control. 
When I press the RESYNC button: Sync failed. Please check your internet connection. 
Of course the devices have a working internet connection, and the SMC app syncs fine.

You're right, the doku is not exactly good.
I am now in contact with the sophos presales of switzerland. They are good, fast and helpful.
Under policies, you can select the Sophos container policy. In it then point to corporate email. As soon as the profile is assigned to a device, the SSE should also be configured.

For me the point container policy appears however only under the superadmin.

Just test it and report then again.

As superadmin, I have a container policy. It is targetting all operation system versions, and "all" customers.

My task bundle performs:
Enroll
Install device policy
Install container policy
Install SSE

After checking and trying some more, I'm convinced that my container policy is installed/enrolled fine.
If I check the task log for a specific device, I only see 1 "Install profile" task, being the device profile.
My device is managed and visible by SMC, settings from my device policy are applied (e.g. predefined WiFi networks, device pin)
The container policy requires a PIN or password, and the device asks for this. So that's why I'm quite sure that the policy itself is pushed to the device.

So now the interesting part
The following was found in our Sophos UTM9 firewall log. When I start the SSE app, it tries to connect, but is receiving a 403 error.

Sophos UTM log
2016:11:03-09:26:12 sophosutm-1 reverseproxy: id="0299" srcip="188.206.*.*" localip="<External WAN>" size="0" user="-" host="188.206.*.*" method="POST" statuscode="403" reason="-" extra="-" exceptions="-" time="66733" url="/client-api/enroll/checkin/14" server="smc.domain.com" referer="-" cookie="-" set-cookie="-"

access_log (SMC install dir wildfly\standalone\log)
127.0.0.1 (188.206.*.*) - - [03/Nov/2016:09:26:12 +0100] "POST /client-api/enroll/checkin/14 HTTP/1.1" 403 - "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-A310F Build/MMB29K)" default task-569

Not sure where to go next tho...

As superadmin, I have a container policy. It is targetting all operation system versions, and "all" customers.

My task bundle performs:
Enroll
Install device policy
Install container policy
Install SSE

After checking and trying some more, I'm convinced that my container policy is installed/enrolled fine.
If I check the task log for a specific device, I only see 1 "Install profile" task, being the device profile.
My device is managed and visible by SMC, settings from my device policy are applied (e.g. predefined WiFi networks, device pin)
The container policy requires a PIN or password, and the device asks for this. So that's why I'm quite sure that the policy itself is pushed to the device.

So now the interesting part
The following was found in our Sophos UTM9 firewall log. When I start the SSE app, it tries to connect, but is receiving a 403 error.

Sophos UTM log
2016:11:03-09:26:12 sophosutm-1 reverseproxy: id="0299" srcip="188.206.*.*" localip="<External WAN>" size="0" user="-" host="188.206.*.*" method="POST" statuscode="403" reason="-" extra="-" exceptions="-" time="66733" url="/client-api/enroll/checkin/14" server="smc.domain.com" referer="-" cookie="-" set-cookie="-"

access_log (SMC install dir wildfly\standalone\log)
127.0.0.1 (188.206.*.*) - - [03/Nov/2016:09:26:12 +0100] "POST /client-api/enroll/checkin/14 HTTP/1.1" 403 - "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-A310F Build/MMB29K)" default task-569

Not sure where to go next tho...

Hi Sander,

to successfully use the Sophos Container apps you must make sure that your SMC customer has an SMC advanced license activated.
This can be done by editing the SMC customer as a super administrator and enabling the checkbox for the "Advanced license" setting.

Once that is given, the SMC app must be installed on the mobile device.
When you use the "Install container policy" task, there is no real task sent out as it is done for the profiles.
Instead, the policy is assigned to the device and you should see the current status within the device itself at the "Policy" tab.
The SMC app will receive the necessary configuration and then then hand it over to Sophos Secure Email.

If you are trying to deploy a policy which uses placeholders, make sure a user is linked to the device in question.
If Sophos Secure Email should retrieve emails via the built in EAS Proxy, make sure that the device is compliant and that the email status is set to allowed.

In case the issue persists please raise a support request.

Please note: Additional information about managing the container apps can be found here in the SMC admin guide.

Best regards
Stefan