About macOS policies
For Macs there are three types of policies:
- Device policy: When you assign a device policy to a Mac, the settings apply to all users that sign in to the Mac. See Configurations for macOS device policies.
-
User policy: When you assign a user policy to a Mac, the settings apply to the following users:
- The local user that has enrolled the Mac with Sophos Mobile.
- All network users that are known to Sophos Mobile, that is, users from the external LDAP directory that you configured for Sophos Central Self Service Portal.
-
Imported policy: You can import Apple configuration profiles you downloaded from Sophos Central to configure Sophos Endpoint on your Macs. See Download the macOS configuration profiles.
You can also import profiles you created in Apple Configurator or obtained from trusted third-party sources.
For details on importing configuration profiles to Sophos Mobile, see Import Apple configuration profiles.
About device and user policies
- In addition to the enrollment policy (which is a device policy) you can assign one device policy and one user policy to a Mac.
- If there are conflicting configurations in a device policy and a user policy assigned to the same Mac, the more restrictive configuration is applied.
- On the Mac, the assigned policies are listed under System Preferences > Profiles.
- When you update a device policy, the changes take effect the next time the device syncs.
- When you update a user policy, the changes take effect the next time a user logs in to the Mac.
- Users may remove the user policy from the Mac but it is automatically re-assigned the next time the user logs in.
- Users can’t remove the device policy.
- When a user removes the enrollment policy, the Mac is unenrolled from Sophos Mobile. This requires administrator privileges.