Endpoint Protection

  • 1.  SEPM - prevent moving computers but allow other group stuff ?

    Posted May 16, 2014 09:29 AM

    How can I "grant rights" to a minor admin, say allow run scan, update content, etc.  - but prevent them from moving a computer from one group to another?

    They keep moving computers into a group with lesser restrictions, which causes the users to be able to do things they should not be allowed to do - and then they leave the computer there even though I've said "don't do that!". They need rights so they can trigger scans, force policy updates or content updates, turn on functionality if needed and all - but I want to prevent MOVING the computer from the normal group where computers belong and into the test group where they should not be for the END USER. It's fine if IT staff is testing, but no end user should be on a computer in that group. That's what I need to do - prevent moving of computers of end users into the group.

    Is that possible ? allow almost everything, but block computer moves between normal group to test group.



  • 2.  RE: SEPM - prevent moving computers but allow other group stuff ?

    Posted May 16, 2014 09:32 AM

    Maybe.

    Try this: When setting up the limited admin, go to the Access rights tab and check the group rights for Manage groups.

    Set it to read-only I believe for the groups.

     



  • 3.  RE: SEPM - prevent moving computers but allow other group stuff ?

    Posted May 16, 2014 09:39 AM

    But with read-only, they can't trigger any scans, update content, etc. if I recall. They need to be able to do that, but not MOVE.

    No access means the group isn't even there for them to see

    Read only - I think is they can see it, look, get info on the device/user, but nothing else, no actions, can't run scans, can't update content, can't turn autoprotect on or off and so on. Look but don't touch - that's a bit TOO restrictive.

    Otherwise they can move computers, run scans, turn autoprotect on or off, turn NTP on, etc. I need to leave all of that in place, but prevent moving a computer.

    I need more granular control - as I suspect most SEP administrators would love to see.



  • 4.  RE: SEPM - prevent moving computers but allow other group stuff ?

    Posted May 16, 2014 09:43 AM

    by the way Brian - I can always count on you for a response and your best efforts - but I have a question - do you EVER sleep?  ;-)

    If I had time and energy to test, I could create a test admin I suppose and experiment, but I'm really strapped on a short work day..   Thanks.



  • 5.  RE: SEPM - prevent moving computers but allow other group stuff ?

    Posted May 16, 2014 09:44 AM

    There is a separate configuration for "Command Rights" but if the group has read only then maybe this doesn't matter.

    Problem is I can't test it at the moment so I'm not 100% on it



  • 6.  RE: SEPM - prevent moving computers but allow other group stuff ?

    Posted May 16, 2014 09:48 AM

    laugh

    I do sometimes, but with that being said I'm always connected to the internet somehow so it's easy to check in.