Policies, exclusions to a specific device or group of devices

Hi all,

I'm looking for a paradigm for using Policies and device groups. Could you please tell me what the right way would be to use policies to address the following issues?

Here is the problem: we are in the process of introducing Sophos MDR in our company, and Sophos performed some tests and gave us some advice on how to organize our policies. In essence, we have a lot of Global or Policy Exclusions which apply to all devices in the company. On each exclusion we got the advice: "Limit the exclusion to a specific device or group of devices."

I have decided to leave the Base Policy as it is by default and create a new policy for each additional setting or modification. Those modifications will be applied to a certain group of devices, and for the rest of them the Base Policy will be applied.

Then I created 2 policies, BarracudaExclusions and KeyLinkAppExclusions. I created 2 groups accordingly and associated them with those policies. Then I wanted to put computers in each of those groups. Here is the problem: a device can only be in one group. I wanted devices A, B and C to have BarracudaExclusions, but only B and C to have KeyLinkAppExclusions. Moreover, if I want to use a policy to block USB on certain devices, this complicates the story even more. It seems groups cannot be used for this and that I have to assign each device to the policy manually.

Is there a way to have default groups? For example: I want to block USB on each new device that has been added automatically, so that the policy is applied to some default device group?

How do you handle a problem like this? I want to keep the base policy intact, with each new change in a new policy. How do you maintain the settings in those policies later on? Imagine we have 10 Threat Policies, each of them applied to certain devices. If there is a need to change some "shared property" in the policy, we would have to do it manually in 10 places, wouldn't we?

So in essence I need a practical example of policy usage which can address issues mentioned above.

Thank you in advance,


Edited TAGs
[edited by: Gladys at 3:05 AM (GMT -7) on 28 Apr 2023]
  • Hello Nikola,

    Thank you for reaching out to the community forum.

    As per the design of our Sophos Central dashboard, there's no way for multiple policies (of the same nature) to work on a single device, as this would cause a conflict and may lead to the inability to use the applied policies.

    For the default group, we only have one, which is the Base policy. This is applied to any policy available in your central dashboard.

    I would suggest you reach out to your Sophos Sales Engineer, as they can help you discuss the best course of action for your set-up. If you don't know or don't have the contact information of your Account Manager or Sales Engineer, feel free to drop me a DM so that I can share it with you.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer
