Differs from policy - Device control policy

  • Article ID: 113071
  • Updated: 25 Nov 2013


One or more clients report their status to the Sophos Enterprise Console as "Differs from policy". This is shown under the "Device Control" tab | "Device Control policy" column.

First seen in

Enterprise Console 4.5.0


There are a variety of reasons for this.

What To Do

Confirm the client has recently reported to the console

Initially it is important to confirm that the client has sent a message to the Sophos management server recently.  If the client has not reported to the console recently then the warning message may not be accurate.

  1. In the console, right-click the computer.
  2. Select "View Computer Details".
  3. In the computer details window, locate the line "Last message received from computer".
  4. If the client is switched on and connected to the network, ensure the date and time are within the last 30 minutes.  If the date and/or time is outside of this period, you should troubleshoot why the client is not reporting to the console.

Force the client to comply

If the server has received a recent message from the client then you must attempt to force the client to comply.  This will undo any local changes an administrator may have made to the client's configuration.

  1. Ensure that the client(s) are shown as connected in the console.  To do this, select "Connected computers" from the "View:" drop-down box.
  2. Right-click the client and select "Comply with" | "Group Device Control Policy".

NOTE:  Forcing a comply for disconnected clients will generate a build-up of messages in the management server's envelopes folder, as these messages cannot be sent to offline clients.

Reboot the client

Occasionally the client may have trouble complying with the current configuration until it has been rebooted.  If you have not already done so, reboot the client and wait for the client to report (see Confirm the client has recently reported to the console above).

Check the Sophos Device Control service is started

  1. On the client, open Windows Services (Start | Run | Type: services.msc | Press return).
  2. Locate the "Sophos Device Control Service".
  3. Ensure this service is started and can be restarted without an error.
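
The same check can be scripted on the client from an elevated PowerShell prompt. This is an added example, not part of the original Sophos article; it assumes the service's display name is exactly the one quoted in step 2, and the function name Test-SophosDeviceControlService is hypothetical.

```powershell
# Added example: scripted version of the three steps above.
# Assumption: the display name matches the one quoted in step 2 of the article.
function Test-SophosDeviceControlService {
    param(
        [string]$DisplayName    = 'Sophos Device Control Service',
        [int]   $TimeoutSeconds = 30
    )

    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service is not registered at all: the component is missing or broken.
        return [pscustomobject]@{
            Found = $false; StartType = $null
            StatusBefore = $null; StatusAfter = $null
            RestartError = "No service with display name '$DisplayName'"
        }
    }

    $before       = $svc.Status
    $restartError = $null
    try {
        # -Force is deliberately not used, so dependent services are never
        # stopped implicitly; such a failure is reported instead.
        if ($before -eq 'Running') {
            Restart-Service -InputObject $svc -ErrorAction Stop
        } else {
            Start-Service -InputObject $svc -ErrorAction Stop
        }
        # Throws if the service does not reach Running within the timeout.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
    } catch {
        $restartError = $_.Exception.Message
    }

    $svc.Refresh()
    [pscustomobject]@{
        Found        = $true
        StartType    = $svc.StartType   # Disabled here explains a failed start
        StatusBefore = $before
        StatusAfter  = $svc.Status
        RestartError = $restartError
    }
}

Test-SophosDeviceControlService | Format-List
```

A healthy client shows StatusAfter as Running and an empty RestartError; any other result is worth recording before moving on to further logging.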

Further logging

Run the Sophos Diagnostic Utility (SDU) on the client and forward the output file.  For more information on the SDU program please see: Sophos Diagnostic Utility (SDU): how to download and install

If you need more information or guidance, then please contact technical support.
