I'm busy implementing a CSA 6.x roll out, what I need to do is hide the CSA UI fom all users except the ICT Support Group. I've managed to get it half working using the user state so high level functions are limted to that group but I cant seem to hide the flag to all others. I would also like to remove the ability to un-install the software.
Anyone any advice or can point me in the right direction
If haven't tried it but if you use an Agent UI Control rule, you should be able to prevent the user from interacting with the agent UI. There are times, however, where Polling from the agent UI is very helpful especially if a rule change needs to be effective immediately.
Using an Agent Service Control rule, you will be able to prevent the uninstallation of the agent by disallowing all applications from disabling agent security. But a user may simply boot Windows into safe mode to get around this. There is no way that I am aware of to prevent the uninstallation of the agent in safe mode and I don't know if you would actually want to prevent it anyway.
Create a user state with the ad groupname you would like to filter on, and use that state in a agent ui control rule, this way csa will differentiate between the broad ui rule and the more specific one you create, after this you will need to modify the built-in agent ui rule to generally deny access to the agent service/config. Just remember that with no gui, you don't get popup messages either.
No i have done plenty of named groups and not SIDs, you can see the input that CSA wants by doing a host diagnostic from the csamc on the host where you have a logged in user who is member of those groups, this shows up in the diagnose output.