
If Policies override each other... then why don't I see two Protection Policies applied?

Hi there, I've created two additional Threat Protection policies as shown in the screenshot below. I've added all three of my workstations to these policies:


What has me confused is that in green it says "The policies at the top of the list override the policies at the bottom of the list" ... however when I go to the machine itself, I see that only ONE policy is applied... and not two.


Question: Can anyone please explain this? ... Am I really getting ALL the settings from both policies, except for where the top policy has a different setting to the bottom?


Thanks in advance,

Michelle


Software Version is:



  • Hello  

    If there are 2 policies assigned to your devices, only the topmost assigned in the list will be applied to your device.

    You may refer to this document for reference (under "How are policies prioritized"): http://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ep_aboutpolicies.html 

  • I had the exact same question (which is how I found this topic).

    Since this is a security application it's only logical to think about these policies in terms of firewall rules. As such, a phrase like "The policies at the top of the list override the policies at the bottom of the list" is bound to be interpreted as cumulative, not exclusive.

    It gets even more confusing with phrases like "You can set up additional policies to override some or all of the settings in the Base policy." (from the documentation link)

    Better to make it clear that "Only one policy can be applied per user or device".

    Aside from the verbiage, it really is a pity that the policies are not cumulative. For an educational setting I am trying to limit the applications students can run to just Chrome and Acrobat Reader. I started with a policy that blocks all applications and I figured I would place a policy above that to allow Chrome and Acrobat. Via this topic I found out that this approach doesn't work since only one policy can apply. The only way I can think of now is to create a policy that blocks everything but Chrome and Acrobat. Unfortunately, in the overview of the rule only the applications that are blocked are shown - not the ones that weren't selected for blocking. It still works, but it's a kludge and administratively it's a boondoggle.

  • Hello Arie,

    [I'm not Sophos and I'm not using Central]
    Admittedly the wording could be improved. But IMO the "How are policies prioritized?" paragraph is sufficiently clear. I'd rephrase the sentence to something like "One and only one policy of a certain type is in effect at a particular time." English isn't my first language so maybe that's the reason I'd not interpret override as augment.

    "this is a security application it's only logical to think about these policies in terms of firewall rules"
    I can't really endorse this argument for several reasons. Firewall is not the representative security application. There's neither a standard for grouping rules in policies, how policies/rules are prioritized, inherited, or merged, nor how the resultant set of rules is determined. 

    "a pity that the policies are not cumulative"
    this would work if additional policies contain more entries than the base. In the converse case it could get quite complicated. You'd still need prioritisation anyway.

    "only the applications that are blocked are shown"
    As I'm not using Central I can't comment on the GUI, its details, possible workflows, and potential deficiencies.

    Christian

  • Hi Dianne, Arie and Christian,

    Thank you for your replies.

    Words are slippery things. I think the problem is that everyone draws a different meaning from the word "override" depending on what background you come from. To make it obvious how policies are applied (without even referring to the docs) I'd change the little message on the policy page in Central to:

    “If a user or device is assigned to multiple policies, *only* the top most policy in the list will be applied.”

  • In keeping with the firewall rule thinking, maybe even say something like "only the first policy that matches the criteria is applied"?
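The two readings of "override" argued over in this thread can be made concrete. The following is an added example, not Sophos code and not taken from the documentation linked above: it models the first-match behaviour the thread settles on (only the topmost policy assigned to a device is applied, in full) next to the cumulative merge several posters expected, and runs Arie's "allow Chrome and Acrobat above a block-all policy" scenario through both. The policy names, device names and the `blocked_apps`/`allowed_apps` settings schema are constructed for illustration and do not reflect Central's real data model.

```python
"""Resolve stacked endpoint policies two ways: first-match vs cumulative merge.

Added example, not Sophos code.  Policy names, device names and the settings
schema are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    assigned_to: frozenset   # device names; "*" means every device (the Base policy)
    settings: dict           # e.g. {"blocked_apps": {"*"}, "allowed_apps": {"chrome"}}

    def applies_to(self, device):
        return "*" in self.assigned_to or device in self.assigned_to


def resolve_first_match(policies, device):
    """Semantics described in the thread: walk the list top to bottom and apply
    the first policy assigned to the device in full.  Lower policies contribute
    nothing, even for settings the winning policy says nothing about."""
    for policy in policies:
        if policy.applies_to(device):
            return policy.name, dict(policy.settings)
    return None, {}


def resolve_cumulative(policies, device):
    """Hypothetical merge (what several posters expected): overlay every
    applicable policy bottom-up, so higher policies override setting by
    setting while settings only the lower ones define survive."""
    merged, contributors = {}, []
    for policy in reversed(policies):
        if policy.applies_to(device):
            merged.update(policy.settings)
            contributors.insert(0, policy.name)
    return contributors, merged


def app_allowed(settings, app):
    """Evaluate one application against the effective settings: an explicit
    allow wins; otherwise "*" or a named entry in blocked_apps blocks it; an
    empty settings dict (the constructed Base policy) blocks nothing."""
    if app in settings.get("allowed_apps", set()):
        return True
    blocked = settings.get("blocked_apps", set())
    return not ("*" in blocked or app in blocked)


LAB = frozenset({"lab-pc-01", "lab-pc-02"})

# The stacked approach from the thread: a narrow allow policy placed above block-all.
STACKED = [
    Policy("Allow Chrome and Acrobat", LAB, {"allowed_apps": {"chrome", "acrobat"}}),
    Policy("Block all applications", LAB, {"blocked_apps": {"*"}}),
    Policy("Base", frozenset({"*"}), {}),
]

# The approach that works under first-match: one policy carrying both halves of the rule.
SINGLE = [
    Policy("Block everything except Chrome and Acrobat", LAB,
           {"blocked_apps": {"*"}, "allowed_apps": {"chrome", "acrobat"}}),
    Policy("Base", frozenset({"*"}), {}),
]


def effective(policies, device, app, resolver=resolve_first_match):
    """Return (winning policy name or names, is the app allowed?) for a device."""
    winner, settings = resolver(policies, device)
    return winner, app_allowed(settings, app)


if __name__ == "__main__":
    # First-match: only the allow policy is applied, the block-all below it never
    # takes effect, so unrelated software runs.  The stack fails open.
    print(effective(STACKED, "lab-pc-01", "solitaire"))                       # ('Allow Chrome and Acrobat', True)
    # The same stack under a cumulative merge would have blocked it.
    print(effective(STACKED, "lab-pc-01", "solitaire", resolve_cumulative))   # ([...three names...], False)
    # A single combined policy gets the intended result under first-match.
    print(effective(SINGLE, "lab-pc-01", "solitaire"))                        # ('Block everything except Chrome and Acrobat', False)
    print(effective(SINGLE, "lab-pc-01", "chrome"))                           # ('Block everything except Chrome and Acrobat', True)
    # A device outside the lab falls through to the Base policy.
    print(effective(SINGLE, "office-pc-07", "solitaire"))                     # ('Base', True)
```

The security-relevant point is the first case: under exclusive precedence, putting a permissive policy at the top does not narrow a restrictive one below it, it replaces it, so the device ends up with fewer restrictions than either policy alone was meant to impose. Whatever the wording on the policy page ends up being, the check is the one Michelle did: look at the device and confirm which single policy of each type it reports as applied.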
