Option per device to not run harmful/user-defined scripts.
Ailan
I would like to have an option where you can have an option that no scripts can be executed for a specific device.
Like for servers. I don't want a culprit to have launched scripts that can damage servers or crucial devices, like 'Format'.
I do want to monitor the device so the default, harmless procedures, from the platform itself, are fine to be executed.
Robin
Ailan, we provide a very good RBAC inside Endpoint Manager for items like this, and one of the first things I would suggest is looking at the "approve" permission for procedures. Remove this from your normal users, meaning no new dangerous scripts could be created and run, because no unapproved scripts can be executed on devices.
I'll put some more security-based items on the forum post, as this topic is, as you say, serious and needs more focus.
With that in mind, do we then need a per-device approach, as you can assign roles to do as needed across companies and groups?
Ailan
Robin: Hi Robin,
I don't know where to reply, on the forum or here in the feature request.
But here is a copy of my answer in the forum.
I'm glad you see that this can be a very serious issue.
Using user roles is not an option in this case. See my answer.
Thanks.
----
Thank you for your reply.
I only have one user: me. As MPS-Admin.
So no technicians or other users.
And for daily routines and checks, I have to log in to the system every day.
I do change my password every week and use strong passwords.
Disabling permissions by using roles is not enough because:
I don’t have or use any other users.
Even if I do have more users or use another login for daily routines, if the admin account is compromised, the most valuable devices like servers are exposed to bad scripts. You can start any script and inject bad code.
So an option to disable scripting on a device would greatly help in this case.
To give you a bit more insight:
On servers I only want to see if it's on or offline and to use the remote control feature.
Therefore, I have to install the Communication client.
But with the Communication client you get a lot more options which are not needed only to use remote control and see the status.
Even the scripting ability to corrupt or damage the whole server.
So to protect important devices it would be great if you can set an option to disable scripting.
Hope you see my point.
Regards.
Robin
Ailan: Let me bring this up with the dev team to see what is possible or not with hiding / turning off parts like this.
From there I will know more about what we can do, how long this could possibly take etc.
Ailan
Robin: Please do, and thanks.