I think a logical solution is to create distribution groups without those computers and use that groups to deploy applications, and not All devices or any generic group.
Hi and thanks a lot for the answer.
However, the think is that the department manager of these specific computers want to be sure that no one will ever send any software on these computers. If the IT department is technically able to send software packages on these computers, then he will refuses the agent installation as a whole. But on the other side, wee need to inventory these computers...
If it's not possible to have a specific configuration agent for these computers, is it possible to remove/reconfigure a file on the computers after the agent has been installed, thus preventing the software distribution module to run while not impairing the other inventory features (and not displaying any error visible to the end users of course).
I think a simpler solution is to configure properly this group in the security profile of the technicians. You can have a security profile to deploy applications and don't give access to this group.
IMHO you should avoid unloading the Operational Rules module from these computers, if you are considering or someone suggests it.
This is closer to what we would need, yes (How to set up administrator security profile in BCM Console). But since the software distribution module would still be installed and active on these specific computers, the IT administrators, by changing their security profile, would still be able to send software assignments on these computers.
What were are looking for is a way to disable the feature on the client side, not on the server side. Is there no way to do so ?
Using Operational Rules, you can do whatever you want in the client. So if you disable Operational Rules you can't do Software Distribution, but you disable the most important CM's feature.
I think you installed the default security profiles and I recognize it's the most boring aspect of CM, BUT, its the most important to manage a controlled environment.
So first the IT administrators don't have by default the rights to change their security profile, second no administrator can give more rights to other then they have. So the solution is to keep secure the admin (full system rights) and use it only for emergencies. All other administrators are manage in groups with functions, and you can remove them from accessing the administrators node.
One more thing - No security profile replaces responsibility, and you can only assure the worried person, that you have a well planned process and security implemented. You can't never assure that a malicious administrator don't do something wrong. Using the database direct access, you can even change passwords... Make it simpler to implement and maintain and the best secure you can. This leaves you to communicate the risks.
You are right, thank you so much Joao