User-created policy can be disabled by settings, but remain enforced?
In Sophos Central, for some policy categories it is possible to set a user-created policy to enforced, but "disable" it from its settings.
For example, suppose that in the Web Control section there is the base policy at the bottom and the user-created one above it. If the user-created policy is opened for editing, the very first setting is:
Web Control: Enforce/Ignore the settings in this section of the policy
This setting is different from the Enforce/Ignore policy on the far right tab. Hence, it may be the case that there is an "ignored" policy, which retains "enforced" status, thus creating a misconception as to what the actual result is. The exact reason for having the enforce/ignore setting is not documented. Nevertheless, having two settings at different levels is error-prone.
The policy enforced setting cannot be changed in the base policy, which is understandable (perhaps the "Web Control" setting needs to be removed from user-created policies).
Finally, the aforementioned issue seems to also occur in the following categories:
- Data Loss Prevention (Use rules for data transfers)
- Application Control (Detection Options: Detect controlled application when users access them)
- Peripheral Control (Manage Peripherals: Disable peripheral control)