Deploying the product is very simple: you use the server console to create an MSI package that you can then deliver to each desktop to be protected, and once this is installed (you'll need administrative privileges) there is nothing further for a user to do, unless they run into something that you inadvertently blocked. If you need to uninstall or upgrade the agent, you first have to login with admin rights and remove the agent manually in the Windows Uninstall control panel.
The management console is organized into five broad thematic sections, each accessible from a tab at the top of the screen:
An overview dashboard showing summaries of alerts, machines in compliance and policies in use
Policies for the various protective features
A special section on software deployment
Monitoring and reporting section
And a section to create policies for particular users and groups.
Each section is further broken down into the particular protective features, so there is a malware policy sub-section and a malware monitoring sub-section for example. This makes sense, but as you dive into the product you have to remember where everything goes. The user and group structures can be directly imported from Active Directory, and provided you have the proper domain credentials, this shouldn't be difficult to populate this section and keep it synchronized with changes to your directory store.
As you might imagine, the firewall section of R80 is the most solid, given Check Point's history. Rules are easy to edit and apply to particular endpoint groups and use traditional specifications such as inbound or outbound traffic, deny or allow traffic, and specify ports and protocols.
The full scope of E80 includes the following features:
Web URL content filtering and anti-phishing
Whole disk encryption
Removable media encryption for USB drives and DVDs
Application white and black-listing (The product comes with more than 500 pre-set application signatures as part of their Program Advisor service.)
Additional endpoint compliance rules
This last category bears some explanation. You can set up each endpoint to require particular OS service packs, prohibit or require particular applications or files, and install a particular anti-virus engine. For each of these actions, you can set the rule to observe and log the activity, to restrict and remediate, or to just issue a warning message.