Skip to content

About Policies

You use policies to apply protection to users, devices or servers.

If you're new to policies, read this page to find out how policies work.

What is a policy?

A policy is a set of options that Sophos Central applies to protected users, devices or servers.

There is a policy for each product, or for a feature that’s part of a product (for example, there is a policy for the application control feature).

Users, devices and servers have separate policies.

What is a Base policy?

Each feature has a Base policy. Sophos provides this policy and initially it applies to all users (and devices) or all servers.

For some features, like threat protection, Sophos configures the Base policy with the best practice settings. You can leave it unchanged if you want to.

For other features, like application control or peripheral control, which are more specific to your network, you must edit the policy to set up the feature.

The Base policy is always available and is used if you don't have other policies activated.


You can't turn off or delete the Base policy.

Do I need to add new policies?

You can choose whether to set up your own policies or not.

If you want to apply the same policy to all users or devices or servers, you can simply use the Base policy or adapt it for your needs.

If you want to use different settings for different groups, you can create additional policies.

What can I do with additional policies?

You can set up additional policies to override some or all of the settings in the Base policy.

You can use additional policies to apply different settings to different users, devices or servers. You can also use them to make it easier to switch the settings that are applied quickly.

The order in which you put the policies in the list matters. The policies at the top of the list override the policies at the bottom. See How are policies prioritized?.

What’s the difference between user policies and computer policies?

A user policy applies to all the devices that a user has.

A “device” or computer policy applies to specific computers or groups of computers, regardless of which user logs on.

Some features let you create either kind of policy. Other features only let you create one kind. For example you can set an updating policy for computers, but not for users.

If you set up a user policy and a computer policy for the same feature, and both could apply to the same computer, the policy that’s higher in your policy list takes priority. See How are policies prioritized?.

You can check which policy is applied to a computer by looking at the Policies tab on that computer’s details page.

What is in each policy?

A policy lets you:

  • Configure one of the features that you have licensed.
  • Specify which users, devices or servers the policy applies to.
  • Specify whether the policy is enforced and whether it expires.

A policy contains all the settings for a product or feature. For example, you cannot split up the threat protection settings across several different polices in such a way that a user gets one setting from one policy and another setting from a different policy.

How are policies prioritized?

The order in which you arrange the policies determines which is applied to specific users, devices or servers.

Sophos Central looks through the policies from the top down and applies the first policy it finds that applies to those users or devices.

The Base Policy is always at the bottom, and is applied to any users, devices or servers that aren’t covered by policies higher in the list.


Place the most specific policies at the top and general policies further down. Otherwise, a general policy might apply to a device for which you wanted an individual policy.

To sort policies, grab a policy and drag it to the position where you want to insert it.