About macOS policies
For Macs there are two types of policies:
- Device policy: When you assign a device policy to a Mac, the settings apply to all users that sign in to the Mac. See Configurations for macOS device policies.
- User policy: When you assign a user policy to a Mac, the settings apply to all managed users that sign in to the Mac. See Configurations for macOS user policies.
Managed users are:
- The local user that has enrolled the Mac with Sophos Mobile.
- All network users that are known to Sophos Mobile, that is, users from the external LDAP directory that you configured for Sophos Central Self Service Portal.
About device and user policies
- In addition to the enrollment policy (which is a device policy) you can assign one device policy and one user policy to a Mac.
- If there are conflicting configurations in a device policy and a user policy assigned to the same Mac, the more restrictive configuration is applied.
- On the Mac, the assigned policies are listed under System Preferences > Profiles.
- When you update a device policy, the changes take effect the next time the device syncs.
- When you update a user policy, the changes take effect the next time a user logs in to the Mac.
- Users may remove the user policy from the Mac but it is automatically re-assigned the next time the user logs in.
- Users can’t remove the device policy.
- When a user removes the enrollment policy, the Mac is unenrolled from Sophos Mobile. This requires administrator privileges.