Do not remove devices of disabled users
Have a way to leave the devices assigned when a user is disabled. There are times when a user will be disabled in active directory, but is not leaving the company permanently. When you disable a user in AD, their associated devices in Sophos Central disappear and you have to provision them all over again. There are times when a user goes out on FMLA and is not allowed to access the network, but still has their phone in use. There are times when we disable a user that is terminating, but their device has not been turned in yet (might need to protect access to network but once we get the phone in we may need to push a password reset to the phone and cannot since it has been removed). There should be an option to leave a user in as long as they are apart of the OU that is being sync'd with sophos
Agree. We are using disabled accounts just for email access and routing email traffic through Sophos. Disabled users not being synced to Sophos does not make sense in this configuration.