Locking and unlocking settings by changing the user control level

Article:HOWTO81223  |  Created: 2012-10-24  |  Updated: 2014-09-21  |  Article URL http://www.symantec.com/docs/HOWTO81223
Article Type
How To


Subject


Locking and unlocking settings by changing the user control level

You can lock some Virus and Spyware Protection policy settings so that users cannot change them on the Windows client.

However, to lock other protection settings and the client user interface settings, you use a different method. To determine which settings are available for users to change, you specify the user control level. The user control level determines whether the client can be completely invisible, display a partial set of features, or display a full user interface.

In releases earlier than 12.1, a change from client control to server control causes all settings, regardless of their control level status, to revert to their server control default values the next time policies are distributed to clients. In 12.1 and later, locks are in effect in all control modes. Unlocked settings behave in server control and client control modes in the following ways:

  • In Server Control, changes can be made to unlocked settings, but they are overwritten when the next policy is applied.

  • In Client Control, client-modified settings take precedence over server settings. They are not overwritten when the new policy is applied, unless the setting has been locked in the new policy.

Table: User control levels

User control level

Description

Server control

Gives the users the least control over the client. Server control locks the managed settings so that users cannot configure them.

Server control has the following characteristics:

  • Users cannot configure or enable firewall rules, application-specific settings, firewall settings, intrusion prevention settings, or Network Threat Protection and Client Management logs. You configure all the firewall rules and security settings for the client in Symantec Endpoint Protection Manager.

  • Users can view logs, the client's traffic history, and the list of applications that the client runs.

  • You can configure certain user interface settings and firewall notifications to appear or not appear on the client. For example, you can hide the client user interface.

The settings that you set to server control either appear dimmed or are not visible in the client user interface.

When you create a new location, the location is automatically set to server control.

Client control

Gives the users the most control over the client. Client control unlocks the managed settings so that users can configure them.

Client control has the following characteristics:

  • Users can configure or enable firewall rules, application-specific settings, firewall notifications, firewall settings, intrusion prevention settings, and client user interface settings.

  • The client ignores the firewall rules that you configure for the client.

You can give client control to the client computers that employees use in a remote location or a home location.

Mixed control

Gives the user a mixture of control over the client. You determine which options you let users configure by setting the option to server control or to client control. In client control, only the user can enable or disable the setting. In server control, only you can enable or disable the setting.

If you assign an option to server control, you then configure the setting in the corresponding page or dialog box in the Symantec Endpoint Protection Manager console. For example, you can enable the firewall settings in the Firewall policy. You can configure the logs in the Client Log Settings dialog box on the Policies tab of the Clients page.

Mixed control has the following characteristics:

  • Users can configure some of the settings for the firewall, Intrusion Prevention, and the client user interface.

  • You can configure the firewall rules, which may or may not override the rules that users configure. The position of the server rules in the Rules list of the firewall policy determines whether server rules override client rules.

  • You can specify certain settings to be available or not available on the client for users to enable and configure. These settings include the Network Threat Protection logs, Client Management logs, firewall settings, intrusion prevention settings, and some user interface settings.

  • You can configure Virus and Spyware Protection settings to override the setting on the client, even if the setting is unlocked. For example, if you unlock the Auto-Protect feature and the user disables it, you can enable Auto-Protect.

The settings that you set to client control are available to the user. The settings that you set to server control either appear dimmed or are not visible in the client user interface.

Some managed settings have dependencies. For example, users may have permission to configure firewall rules, but cannot access the client user interface. Because users do not have access to the Configure Firewall Rules dialog box, they cannot create rules.

Note:

Clients that run in client control or mixed control switch to server control when the server applies a Quarantine policy.

To change the user control level

  1. In the console, click Clients.

  2. Under View Clients, select the group whose location you want to modify.

  3. Click the Policies tab.

  4. Under Location-specific Policies and Settings, under the location you want to modify, expand Location-specific Settings.

  5. To the right of Client User Interface Control Settings, click Tasks > Edit Settings.

  6. In the Client User Interface Control Settings dialog box, do one of the following options:

    • Click Server control, and then click Customize.

      Configure any of the settings, and then click OK.

    • Click Client control.

    • Click Mixed control, and then click Customize.

      Configure any of the settings, and then click OK.

  7. Click OK.

See Unlocking user interface settings on the client.

See Locking and unlocking Virus and Spyware Protection policy settings.


Legacy ID



v9510980_v81626096


Article URL http://www.symantec.com/docs/HOWTO81223


Terms of use for this information are found in Legal Notices