Writing Your Own Policies with Symantec Endpoint Protection 

Feb 26, 2009 05:53 PM

While we like to think of our co-workers as individuals who will abide by company policy, IT professionals know that sometimes policies need a little enforcement. Asking users not to run certain applications is no guarantee that some people won't install them on the sly—and saying you'd prefer they plug their laptops in using Ethernet cables instead of using the office wireless connection doesn't mean that won't be "too much work" for a few employees.

Application and device control policies are simple to create, and can be especially useful in enabling your team to control how applications and peripheral devices, for example, are used in your organization.

Let's take a look at how to write a location-based restriction on wireless network access by using the device control capability in Symantec Endpoint Protection.

The coffee shop across the street
In a modern corporate environment, it is common for employees to be issued computers with both wired and wireless networking capabilities, which can allow those computers to be on two networks at once. If, for example, there is a coffee shop across the street with wireless access, the computer can be on its network as well as your corporate network. The wireless coffee shop connection may not have the same security standards as the corporate network, and may open the secure network to exposure.

An effective device-control policy would make it possible to disable the wireless network interface card, making it impossible for the computer to be on a second unsecured network.

Of course, this would be problematic for your laptop users, who are on the corporate network while in the office, but need to access other networks when out of the office, including wireless networks. This is where the location awareness functionality of Symantec Endpoint Protection can be used to allow the wireless network interface card to function when the computer is outside the corporate network. Once the computer is inside the secure network, the wireless card can then be turned off.

Establishing the parameters for network detection is a simple matter of building a policy using predefined "if-then-else" statements within Symantec Endpoint Protection. If the IP address received is not on the corporate network, then the agent on the managed laptop will enable the wireless NIC; otherwise, the wireless hardware will be disabled.

Look before you leap
Before you deploy an application or device control policy, however, be sure to thoroughly test the policy in a controlled environment to make sure it has only the desired effect. You don't want too much of a good thing—if you're not careful, an attempt to disable wireless NICs on laptops inside the corporate firewall could result in all wireless access being disabled, wherever the user is, which could adversely affect traveling employees.
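The location rule and the pre-deployment check described above can be written down as a small test matrix before anything is pushed to clients. This is an added example in Python, not Symantec Endpoint Protection policy syntax or Symantec code; the corporate range `10.20.0.0/16`, the function names and every sample address are constructed assumptions.

```python
import ipaddress

# Assumption: constructed corporate range; substitute your own.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def on_corporate_network(addresses, corporate_nets):
    """True if any usable assigned address lies inside a corporate range."""
    for raw in addresses:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed entry: ignore rather than guess
        if addr.is_link_local or addr.is_loopback:
            continue  # APIPA/loopback carries no location information
        if any(addr in net for net in corporate_nets):
            return True
    return False

def wireless_nic_action(addresses, corporate_nets=CORPORATE_NETS):
    """The article's rule: off the corporate network -> enable, else disable."""
    if on_corporate_network(addresses, corporate_nets):
        return "disable"
    return "enable"

# Constructed cases: (scenario, addresses assigned to the laptop, expected)
TEST_MATRIX = [
    ("office, wired lease only", ["10.20.5.17"], "disable"),
    ("office wired plus coffee shop wireless", ["10.20.5.17", "192.168.1.44"], "disable"),
    ("coffee shop wireless only", ["192.168.1.44"], "enable"),
    ("hotel network while travelling", ["10.1.2.3"], "enable"),
    ("no DHCP lease (169.254.x.x)", ["169.254.10.2"], "enable"),
    ("no address at all", [], "enable"),
]

def failing_cases(corporate_nets=CORPORATE_NETS, matrix=TEST_MATRIX):
    """Scenarios where the rule gives the wrong action; empty list = pass."""
    return [
        (name, wireless_nic_action(addrs, corporate_nets), expected)
        for name, addrs, expected in matrix
        if wireless_nic_action(addrs, corporate_nets) != expected
    ]

if __name__ == "__main__":
    print("scoped rule:", failing_cases())
    # A location defined too broadly also matches the hotel's 10.x network,
    # so the travelling user loses wireless: the failure the article warns of.
    too_broad = [ipaddress.ip_network("10.0.0.0/8")]
    print("too-broad rule:", failing_cases(too_broad))
```

The second call shows why the corporate location should be defined as narrowly as the real address plan allows: private ranges are reused by hotels, homes and coffee shops, so an over-wide match disables wireless for users who are nowhere near the office.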

For more detailed information about implementing application and device control policies, click here. This information is also available in the documentation delivered with Symantec Endpoint Protection 11.x under the Documentation directory/folder: Chapter 38 – "Managing Application and Device Control Policies" on page 539 of the administration_guide.pdf document.

Comments

Aug 28, 2009 02:31 AM

The Application Control section of the App and Dev control policy has two modes: Test and Production mode.

Test mode will only log, which can be used to make sure about the settings.
