Managing protection of client devices

Automatic rules for moving devices between administration groups

We recommend restricting the use of automatic rules for moving devices between administration groups.

If you use automatic rules for moving devices, this may lead to propagation of policies that provide more privileges to the moved device than the device had before relocation.

Also, moving a client device to another administration group may lead to propagation of policy settings. These policy settings may be undesirable for distribution to guest and untrusted devices.

This recommendation does not apply for one-time initial allocation of devices to administration groups.

Security requirements for distribution points and connection gateways

Devices with Network Agent installed can act as a distribution point and perform the following functions:

• Distribute updates and installation packages received from Administration Server to client devices within the group.
• Perform remote installation of third-party software and Kaspersky applications on client devices.
• Poll the network to detect new devices and update information about existing ones.
• Act as a KSN proxy server for client devices.

Taking into account the available capabilities, we recommend protecting devices that act as distribution points from any type of unauthorized access (including physical).