Thanks for your fast reactions. I really appreciate it.
The situation is a bit complicated, but try to explain:
We are a large, heterogeneous research institute. There is no central ActiveDirectory that manages all clients. We have Windows, MacOS and various Linux clients.
We are currently preparing to switch from ERAC 5 to ESMC 7, finally.
We have clients that only have access to our internal network;
clients that are allowed to access the Intranet and the Internet;
and clients that are operated outside our network for a long time (e.g. external research locations).
Many employees are only with us for a few months and also bring their private devices with them.
As long as they work with us, they get an institute account and are obliged to use our ESET Antivir solution.
However, if these employees leave, we want to prevent them from continuing to benefit from our ESET license. With protecting the update-server with authentication; when their account expires with their departure, they can no longer access our update mirror server.
So far with ERAC 5, we have had 2 update servers. Once the ERAC as a mirror-server itself via http without password protection in the internal network.
And in addition, precisely because many of our devices are operated outside of our network for a longer time, an https mirror with password protection. Each user has their own login data, which become invalid when the user leaves our institute.
With the switch to ESMC 7, the idea is now to provide a single update mirror server in the DMZ. All clients within our network (whether they have an internet connection or are only allowed to use local resources) can receive their updates from this update mirror without a password based on internal IP addresses.
Clients who are temporarily or a longer time outside the internal network should use a password to access their ESET updates as long as the user has an activated institute account. This password is only known by the user, so they must enter it into the ESET antivir settings on their client.
Clients, who leave our institute and therefore have no valid account anymore, should of course no longer be able to use our ESET antivir infrastructure.
So thats why almost every client setting should therefore be set by a server-side Policy, except for the update setting where user name and password are stored.
This is exactly what is currently not possible with Windows clients. But it is possible with MacOS / Linux Client Policies, so it would be nice if this were possible with Windows Client Policies also.