I noticed that when I was an endpoint today, I was able to disable antivirus, containment, firewall, etc if I clicked on manage protection. Is there a way to lock all of this down so that the end user can’t disable the antivirus all by themselves?
When you disabled those various security features in CCS, did you notice if they automatically got enabled after a few minutes? If yes, then that is the correct behavior if those security features are enabled in the associated profile.
If you want to password-protect access to CCS (and/or CCC) on your managed endpoints, you will have to set it up in the ‘Client Access Control’ section of the associated profile.
@Rick_C is correct, the default should re-enable the services within a couple of minutes. There is an option to stop this behaviour but obviously this goes against your requirements.
My suggestion with the access control would be to not configure location admin access and use a password only as this gives your the greatest control and stops users with “Power User” or local admin rights disabling too.