1. Enable write protection

  • Login to SafeConsole with an Admin account.
  • Go to the Policies tab.
  • Choose the Domain/OU for the users you want to manage.
  • Scroll to the Write Protection policy.
  • Check Enable Write Protection on devices.
  • On the drop-down, select "Activated when outside your Trusted Zone"

2. Configure ZoneBuilder Policy in SafeConsole.

This now restricts devices outside the Trusted Zone, which in this case is any clients without the client certificate installed, to be read-only.