But with read-only, they can't trigger any scans, update content, etc. if I recall. They need to be able to do that, but not MOVE.
No access means the group isn't even there for them to see
Read only - I think is they can see it, look, get info on the device/user, but nothing else, no actions, can't run scans, can't update content, can't turn autoprotect on or off and so on. Look but don't touch - that's a bit TOO restrictive.
Otherwise they can move computers, run scans, turn autoprotect on or off, turn NTP on, etc. I need to leave all of that in place, but prevent moving a computer.
I need more granular control - as I suspect most SEP administrators would love to see.