If a user disables the client's On-Access Scanning or the Sophos service, it's not possible to enforce the policy on the clients. The only choice given by the WUI is to re-deploy the agent? I've been missing an "enforce policy automatically" checkbox or even a button to manually enforce the policy.
This issue is already known. It is planned that the policies will be automatically reapplied in case the endpoints are not compliant with their assigned policies.
For now you can enable Tamper protection in Settings - Administration. Then you'll have to enter a password if you want to change any settings on the endpoints. Unfortunately Tamper protection doesn't work properly right now. It can take some time until the Tamper Protection setting is deployed (when I tested it, it didn't work at all for some clients), but this has already been fixed in development and is scheduled for the next beta update.