Client Access Control
- Client access control lets you password-protect Comodo Client Security (CCS) and the communication client (CC) on managed endpoints.
- Once set, users will need to enter a password to access important areas of the client interface.
- This stops users from opening the clients locally and making changes to important tasks and settings. Without password protection, the endpoint user can access the client interface and make changes.
Implement access control
- Click 'Configuration Templates' > 'Profiles'
- Click the name of the profile to which you want to add the section.
- Click
'Add Profile Section' > 'Client Access
Control':
- Apply password protection settings for - Specify which clients you want to password protect.
- Comodo Client - Security - Password protects the settings interface and the 'Task' interfaces for antivirus, firewall, HIPS and containment.
Users can still run some limited tasks, including on-demand virus scans, open the virtual desktop, and run programs in the container.
- Communication Client - Password protects important settings, including the ability to configure a proxy for the client to connect to the EM console.
Users can still submit support tickets to Service Desk from the tray icon without requiring the password.
- Require Password - select the type of password required to access CCS and/or CC:
- Computer administrator – admins can access the local interfaces by providing their admin password. If the admin is already logged into the machine then they can open the interfaces without providing a password.
- Custom password - specify a unique key to access the CCS / CC interfaces. The password will time-out and need to be re-entered after 15 minutes.
- If you select ‘Custom password’ but not ‘Computer administrator’, then even admins will need to enter the custom password to access the clients.
Admin logged-in |
|||
---|---|---|---|
Admin password enabled |
Yes |
No |
Yes |
Custom password enabled |
Yes |
Yes |
No |
Requirements |
No password needed |
Custom password required |
No password needed |
Admin not logged-in / Standard user logged-in |
|||
---|---|---|---|
Admin password enabled |
Yes |
No |
Yes |
Custom password enabled |
Yes |
Yes |
No |
Requirements |
Either password |
Custom password required |
No password needed |
- Enable local user to override profile configuration - Endpoint Manager will not reverse local settings that are different to those in the endpoint's profile. You must enable password protection if you want to use this option.
Background - Endpoint Manager periodically checks devices to see if the local CCS settings match those in the device's profile. It will undo any local changes unless you enable this setting.
This is useful if you need to implement specific settings on a certain device.
- Click 'Save' to apply your changes to the profile.
While you’re here
The following is a list of other settings you should consider if you want to lock-down CCS on endpoints:
- User Interface settings - Configuration Templates’ > ‘Profiles’ > Add profile section > ‘UI Settings’
- Hide the CCC and CCS tray icons
- Manage the visibility of other UI items
- Antivirus settings - Configuration Templates’ > ‘Profiles’ > Add profile section > ‘Antivirus’
- Disable ‘Show Antivirus alerts' *
- Enable 'Do not show auto-scan alerts' *
- Enable 'Automatically clean threats' (when you create a scheduled scan) *
- Disable 'Show scan results' (when you create a scheduled scan) *
- Firewall settings - ‘Configuration Templates’ > ‘Profiles’ > Add profile section > ‘Firewall’
- Disable 'Show popup alerts' *
- HIPS
settings - ‘Configuration Templates’ > ‘Profiles’ > Add profile section > ‘HIPS’
- Enable ‘Do not show popup alerts’ *
- Containment
settings - ‘Profiles’ > Add profile section > ‘Containment’
- Enable 'Do not show privilege elevations alerts' *
- VirusScope
settings - Configuration Templates’ > ‘Profiles’ > Add profile section > ‘VirusScope’
- Disable 'Show popup alerts' *
- File
rating Settings - Configuration Templates’ > ‘Profiles’ > Add profile section > ‘File Rating’
- Disable 'Show cloud alert' *
- External
devices control settings - Configuration Templates’ > ‘Profiles’ > Add profile section > ‘External Device Control’
* This setting is already enforced in the ‘Default’ Windows profile that ships with Endpoint Manager.
- Disable 'Show notifications when devices disabled or enabled' *