Skip to content

Base policies

Each feature has a base policy. Sophos provides this policy and initially it applies to all users (and devices) or all servers.


Admins with the Enterprise Super Admin role can manage base policies.

If you're new to policies, read this page to find out how base policies work.

What is a policy?

A policy is a set of options that Sophos Central applies to protected users, devices or servers.

There is a policy for each product, or for a feature that’s part of a product (for example, there is a policy for the application control feature).

Users, devices and servers have separate policies.

What is a global base policy?

For some features, like threat protection, Sophos configures the base policy with the best practice settings. You can leave it unchanged if you want to.

For other features, like application control or peripheral control, which are more specific to your network, you must edit the policy to set up the feature.

The base policy is always available and is used if you don't have other policies activated.


You can't disable or delete the base policy.

What is in each global base policy?

A global base policy lets you:

  • Configure base policy settings for your sub-estates. See Edit a base policy.
  • Specify which sub-estates the policy applies to. You do this using a Global Template. See Template.


Sub-estate administrators won't be able to change any of the base policies shown here.

Which base policies can I set globally?

You can set up a base policy for Email Security. See Email Security.

You can set up a base policy for Device Encryption. See Encryption: Device Encryption.

You can set up base policies for Endpoint Protection.

You can set up base policies for Server Protection.