Apply policies to all mailboxes

We use Sophos Central Email Security and have been just using the base policy with some modifications. This weekend, Sophos seems to have set the base policy settings back to default, and I am no longer able to change any settings on the base policy despite being Super Admin. Apparently this can now only be changed by a Sophos Central Partner, but the techs at our MSP are also unable to edit the base policy.

So, in order to modify the email policy I have created a new one and changed the settings accordingly. However, there does not seem to be an easy way to apply the policy to all mailboxes. We sync our 365/AAD into Sophos, which brings over all the dynamic 365 groups, e.g. 'All Users', but when using these on policies they do not apply to any users. It seems like the only way to achieve this is to create a new 'static' group in 365 or Sophos, manually add all mailboxes, then apply the policy to that group. Then remember to add new mailboxes to the group when they are created.

Hoping there is an easier way, especially now we are unable to edit base policy!



[edited by: Gladys at 9:42 AM (GMT -8) on 19 Jan 2023]
  • Hi lakesdan,

    Thanks for reaching out to the Sophos Community Forum. 

    It sounds like your Sophos Partner may have turned on Global Templates. You can find out more about this in the following article.
    - Global Templates

    I suggest reaching out to them to request that your site be removed from the template they have created. This way, your Base Policy will return to normal so you can configure it as needed.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks Kushal, our partner was able to reverse the changes so the base policy was unlocked, but all the settings have reverted to default so there has been some trial and error getting it back to how it was before.

    To stop this happening again, I still want to set up my own policy and apply it to all users, so my question regarding applying a policy to all mailboxes without using static groups is still unanswered. If I apply the policy to no users or groups, but apply it instead to the whole domain(s), will that effectively apply to all mailboxes?

  • I suggest manually creating a policy with the desired settings. You can clone the Base Policy if it has now been configured appropriately. 

    If you have AD Sync running, you can configure this to synchronize a group in your domain that contains all of the users. This will replicate any group changes to Sophos Central. By applying that same group in Sophos Central to the desired policy you can ensure that the Base Policy is ignored, and your users will instead receive your desired policy. 

    I don't believe this is possible to do with a static group, unfortunately. If this is something you need, I'd suggest ensuring that your Sophos Partner does not apply any policy templates to the ones you need to maintain.

    Kushal Lakhan
    Team Lead, Global Community Support