pushing a global template (allowed appl) from partner portal, deactivates the possibility to create a global template (allowed appl) at customer level


after configuring an 'Allowed application' through the partner portal (Sophos Central Portal -> Settings & Policies -> Global template ...), we noticed this disables the feature in the Sophos Central Admin portal. This results in our customers not being able to manage e.g. allowed application anymore, as they need to be pushed from the partner portal.

Is this the expected behavior? If so, is there a possibiltiy to push allowed apps from the central partner portal, and having to possibility to do this through the central admin portal at the same time?


Thank you for you answers.




  • Hi Steven,

    There were some issues in configuring an Application Control policy with the partner portal. I would request you to check this article and see if it helps you to resolve the issue. If you still face the issue, please let me know. 

  • Hi Steven,

    Pushing out a global template to a customer will stop the ability to configure the Base Policy in Central Admin portal.  This is expected behavior.  If you want to push a global template to a customer and also modify it, navigate to the customer's Central Admin Portal, clone the global template or create a new policy and make the changes there.  Also apply this to the users/computers you wish this to apply to.  The policies apply similar to firewall rules where the first policy it matches will be the one it takes. Any users/computers that do not match any policies will take the default global policy/base policy.

  • In reply to MEric:

    Hi all,

    thank you for your answers.


    Following your explanation, this would mean that for every new global template being published to our customers, we need to clone this global template in all of our customers Central Admin portals, so they would preserve the possibiltiy to change/overrule this themselves? Or am I missing something? Putting 'managed through Central Partner / Central Admin' in a more generic context and keeping your and my remark in mind, this would leave us with two options:

    - Managed through Central Partner portal

    - policies are pushed from the central partner portal

    - policies cannot be changed through Central Admin, unless cloned from the pushed global template -> might not be feasible considering the number of new templates to be pushed and the amount of customers


    - Managed through Central Admin portal

    - all policies are applied from the Central Admin portal

    - no policies are pushed from the Central Partner portal


    Does this make sense?


    Thank you for your answers.




  • In reply to Steven Lievens:

    Hi Steven,

    Policies are applied to users and computers in order from top to bottom.  When two policies are applied to the same user or computer, the one on top will take precedence and the lower ones are ignored.  Base policies will always be at the bottom and are by default a "Take this policy if no other policies are assigned to you".  Base policies always exist regardless of whether a global template is pushed out through Partner Portal or not; global templates only modify the base policy.

    Global templates pushed from Central Partner Portal cannot be modified through Central Admin, however any administrator of that Central Admin can create a new policy or clone the base policy (Global template) and modify that.  For users that you assign the new policy to, they will only take the new policy and ignore the global template.


    Could you elaborate on what is the end goal result you would like to see?  This may help me better understand your current situation as well as provide any possible methods to get this to work in a way you desire.