Disable Containment without Warning

We have many specialty applications that frequently get contained and cause all sorts of issues. While we’ve been working through the whitelist process, I would actually like to disable containment for a bit until this can be planned out and focused on better. When I disable containment using Configuration Templates and Profiles, all users’ tray icons go from the normal icon to the Red X warning icon. Since this is a deployed policy, I do not want users warned about this feature being disabled administratively. How do I disable containment using the profiles without having each endpoint warn the user about a setting they cannot change?

@zemlicka ,

We understand your need to get this achieved. However, we strongly suggest not disabling Containment, for the security of your endpoints. We can recommend enabling baseline settings for a while. We still suggest creating an ignore rule for those applications.

I agree that it should not be permanently disabled. But it seems atypical to warn users to change an administrative setting that they cannot change, especially when the setting is by design, intentional, and deployed by the policy. Is this possible, or was that your way of saying it cannot be done?

FYI, the reason we need to disable it now is that we often have laptops in the field without an internet connection. They often need to install a specific version of the software for that site. It’s obviously impossible for us to put in all the software for all our clients all at once. Likewise, it’s impossible for us to whitelist applications on an endpoint when it does not have an internet connection. Finally, I don’t want bad things running right now to sneak through via a baseline while we leave that open for a year to catch all the software the engineers need to install at their various sites. We have several ideas for getting around this and are working to put a long-term plan in place so we can leverage containment…but for now I’d just like to disable the containment without freaking out everyone while we roll this individual feature out in a more controlled manner. Every other part of CCS has been great for us but this just seems like a basic feature…like a car without a radio. Sure, you don’t “need” a radio…but c’mon, everyone has this and they’ve had it for a long time.

@zemlicka ,

We understand the reason behind your request. We will communicate with you via support ticket for some additional recommendations privately. Please check your forum registered email at your convenience.

Thank you for your understanding. I respect the challenges faced offering a solution to fit so many scenarios and unique needs. Thanks for your help and I look forward to continuing to work with you.

I would disable the CCS client being displayed in the systray and on desktops and servers.

Interesting idea…

The correct display of status is needed, to be honest.

If the policy you apply says no FW and no Containment then the status displayed should respect that and show green if all enabled features are working.

We have lots of clients with specialist needs, meaning we have containment disabled or special profiles with hundreds of additional rules to get them working. The biggest thing we have issues with is peer-to-peer clients, as FW does not work correctly a lot of the time, meaning you disable this.

We need correct security status on endpoints and in the web UI.