I’m quite curious about one particular topic, and that is whether you prefer to lock antivirus for end users by password or do you let them freely interact with antivirus?
Which of these options do you personally use and, most importantly, why?
Absolutely use password protected. I do not want my end-users to have any control over the anti-virus and turn it off or make exceptions or make any changes.
I do both. I protect both company-owned and personal machines via the same console. I usually keep password-protection on when the device is company-owned and off when it’s their own device.
The way I see it, if it’s company-owned, I’m there to create and enforce policies and putting a password on the settings is a quick and easy way of making sure that endpoint is compliant. However, when they own the device, I want them to have a little more control while still having the benefit of being centrally managed. The settings that you use for their machines in the cloud console will usually (in time) supersede any changes that they make locally (as long as you’ve defined it) anyway, so their changes are usually temporary - this gives me (in my opinion) the right balance of security/convenience.
Thank you, Manley and Shane25. One additional question: do you see some difference between having password-protected AV and having the AV GUI not accessible at all from the end machine? Are these two options achieving the same goal for you (to keep the endpoint compliant) or not?
Yes, I do want the AV client accessible from the end-user client device, as it is now. There are times when I like to access the AV client (by typing in the password) and review settings or virus chest or whatever. I have the options selected so all my end-user AV clients are silent and don’t show any messages. I like that. There will be times when an end-user device does not have internet access, so it is important to have the client AV GUI accessible. I do not want to rely on a completely admin console-only setup. Please keep the password protection on AV client and please keep it accessible by admins on client device.
I don’t disable the GUI for the end user. My reasoning for this was that it limits their ability to see what’s happening or deal with it. My users are very keen on reporting suspicious activity to me and keeping this on will notify them if a shield or service isn’t running correctly - or if Avast detected something. I also want the users to have access to their own quarantine on their machines. As a side-note, I would like to see the quarantine option put outside of the password-protected area so all users can interact with it if they wish. This option is available with the Endpoint Protection Suite, and I use it often.