About macOS policies

For Macs there are two types of policies:

  • Device policy: When you assign a device policy to a Mac, the settings apply to all users that sign in to the Mac.
  • User policy: When you assign a user policy to a Mac, the settings apply to all managed users that sign in to the Mac.

Managed users are:
  • The local user that has enrolled the Mac with Sophos Mobile.
  • All network users that are known to Sophos Mobile, that is, users from the external LDAP directory you have configured for the Self Service Portal.

About device and user policies

  • In addition to the enrollment policy (which is a device policy), you can assign one device policy and one user policy to a Mac.
  • If there are conflicting configurations in a device policy and a user policy assigned to the same Mac, the more restrictive configuration is applied.
  • On the Mac, the assigned policies are listed under System Preferences > Profiles.
  • When you update a device policy, the changes take effect the next time the device syncs.
  • When you update a user policy, the changes take effect the next time a user logs in to the Mac.
  • Users may remove the user policy from the Mac, but it is automatically reassigned the next time the user logs in.
  • Users can’t remove the device policy.
  • When a user removes the enrollment policy, the Mac is unenrolled from Sophos Mobile. This requires administrator privileges.