
Policy Order/Preference when applying policies in Sophos Central

We're in the process of moving from OnPrem to Central. Getting our head around the differences, and how it works differently to our outgoing OnPrem solution is proving to be fun to say the least.

Regarding policies and the presumed cascading of... how does this work? Under policies in the Central web console, it states: "The policies at the top of the list override the policies at the bottom of the list."

 

So we've configured a "Global" policy that lives at the bottom of the pile; this includes baseline configuration and some global exceptions. Above that, we have another policy with slightly different exceptions aimed at a smaller group of users (say Developers). Do policies merge as they "fall down" the pile, or does the highest applying policy simply win and no further policies are processed? How does it work?

 

KR,

James Vincent

 



  • Hello James Vincent,

    Central is maybe the better forum.

    Anyway, please be careful with the terms: There are Global Settings and Base Policies. In the "About Policies" page there's also "How are policies prioritized?". IIRC there used to be a slightly more detailed description, to rephrase: The policies are inspected top-down, the first that is applied to either the user or device wins and only its settings are in effect (similar to SEC where only the policy assigned via the group is in effect). No merge takes place.
    The order of the policies in the list is important. Consider two custom policies PolU07 and PolC08 (there are others, all numbers from top to bottom), two computers (PC-A and PC-B), and two users (UserVIP and UserGen22). PolU07 is assigned to UserVIP, PolC08 assigned to PC-A. The winning policy when a user logs on to a computer is:

    User \ Computer   PC-A      PC-B
    UserVIP           PolU07    PolU07
    UserGen22         PolC08    Base

    If someone decides to assign PolC03 to all computers named PC-* then it would be PolC03 in all cases.

    Christian
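
The top-down, first-match evaluation described in the reply above, modelled as an added example (not part of the thread and not Sophos code). The `Policy` class, the glob matching used for `PC-*` and the exclusion paths are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Policy:
    name: str
    users: set = field(default_factory=set)        # users the policy is assigned to
    computers: list = field(default_factory=list)  # computer-name patterns (glob is an assumption)
    exclusions: set = field(default_factory=set)   # constructed sample settings

    def applies(self, user, computer):
        # A policy applies if it is assigned to either the user or the device.
        return user in self.users or any(fnmatch(computer, p) for p in self.computers)

# Base policy sits at the bottom and catches everything not matched above it.
BASE = Policy("Base", exclusions={r"C:\Tools"})

def winning_policy(ordered, user, computer):
    """Inspect policies top-down; the first one that applies wins."""
    for policy in ordered:
        if policy.applies(user, computer):
            return policy
    return BASE

def effective_exclusions(ordered, user, computer):
    # No merge: only the winning policy's settings are in effect.
    return set(winning_policy(ordered, user, computer).exclusions)

def matrix(ordered, users, computers):
    """Winning policy name for every (user, computer) logon combination."""
    return {(u, c): winning_policy(ordered, u, c).name for u in users for c in computers}

# Policies named as in the reply; list order is top to bottom.
POL_U07 = Policy("PolU07", users={"UserVIP"}, exclusions={r"D:\Build"})
POL_C08 = Policy("PolC08", computers=["PC-A"])
POL_C03 = Policy("PolC03", computers=["PC-*"])
USERS, COMPUTERS = ["UserVIP", "UserGen22"], ["PC-A", "PC-B"]

if __name__ == "__main__":
    for title, order in (("original order", [POL_U07, POL_C08]),
                         ("PolC03 added above", [POL_C03, POL_U07, POL_C08])):
        print(title)
        for (u, c), name in matrix(order, USERS, COMPUTERS).items():
            print(f"  {u:10} on {c}: {name}")
    # Base exclusions do not carry over to a user matched by a higher policy.
    print(effective_exclusions([POL_U07, POL_C08], "UserVIP", "PC-B"))
```

Because nothing is merged, any baseline setting or exclusion that a narrower group still needs has to be repeated in that group's own policy.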