Endpoint Protection

I am wondering about what an effective way for IT staff to troubleshoot workstations would be when a restrictive SEP client firewall is in place.

Right now all SEP settings are locked and managed at the server, except the NTP component, which they can disable for a period of 3 minutes before it re-enables.  This is the way workstations are set now without the SEP client firewall policy in place.

Once I complete testing and put the firewall policy in place, I would like to disable the ability to turn off NTP because users will use this to get around the rule sets. 

How can I lock it down, yet provide IT support staff the ability to troubleshoot when an application isn't working properly?  Having the log of traffic will be very helpful (much better than the XP firewall which doesn't even give us a log) but I fear that IT support staff will simply uninstall the SEP client to troubleshoot if I don't provide them an easy way to troubleshoot application issues out in the field.

Is there a way to make the temporary disabling of the NTP component only from certain user accounts or groups in AD?  How do you maintain central management while allowing support staff the ability to troubleshoot? 

You can set a password to disable the SEP client and then provide this password to IT.

If you open SEPM, select Clients on the left, then select Policies at the top in the middle, there will be a section near the top in blue letters. One of these options will provide the option to set a password to open, disable, and uninstall the client.

Yes, right now I have a password set and the option to require password to uninstall selected.  If I also select the option of requiring this password to stop the client service, what effect will that have?  Will it let them turn off only NTP or all SEP components?  Will they be able to turn it off indefinitely or will it be susceptible to the 3 minute rule?  Do all these options use the same password or can a different password be set for each? 

1. If I also select the option of requiring this password to stop the client service, what effect will it have?

-This will require a password to run the "smc -stop" command as well as right clicking the icon and selecting disable.

2.Will it let them turn off only NTP or all SEP components?

-This will allow disabling of all SEP components. You are currently unable to set an option to only turn off certain features with a password.

3. Will they be able to turn it off indefinitely or will it be susceptible to the 3 minute rule?

-It will disable it until they run "smc -start", right click the shield and enable, or reboot the machine.

4. Do all these options use the same password or can a different password be set for each?

-They all use the same password.

Thank you for the response.  I wish we could enable separate passwords for each password protected function options, and I wish the same same technology that re-enables File System Auto-Protect after X number of minutes could be applied to the "require password to stop the client service" Security Setting.  Perhaps it can be implemented in a future release.