Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0

Article:TECH104340  |  Created: 2008-01-05  |  Updated: 2009-01-11  |  Article URL
Article Type
Technical Solution


How do the two features in Symantec Endpoint Protection 11.0 that allow Administrators to find computers compare to one another, and when would each be used?


Unmanaged Detector Basics
Upon booting, a computer sends out Address Resolution Protocol (ARP) traffic to identify itself on a network. Once enabled, the Unmanaged Detector listens for gratuitous ARP traffic and collects Internet Protocol (IP) and Machine Address (MAC) data from traffic passing it on the local network. This data is then forwarded to the Unmanaged Detector’s SEPM which compares the IP address and MAC address of detected systems against its known list of managed endpoint clients and reports on the unmanaged endpoint clients.

An unmanaged detector is configured by right-clicking a managed SEP client in the Clients page of the SEPM console, and selecting "Make unmanaged detector".

Use Unmanaged Detector when you want to:
  • Be proactively notified (by setting a notification for "unmanaged computers". Also under the Security Status details from Home page in Symantec Endpoint Protection Manager).
  • Coverage over time and not a "snapshot" of systems currently connected to the network.

See the following document for information on how to find out if a computer has been discovered using the Unmanaged Detector feature:

Title: 'Setting notifications when using the "Unmanaged Detector" feature in the SEPM'
Document ID: 2008050813205048
> Web URL:

Find Unmanaged Computer Basics
A network range is scanned based on the range that is configured for computers that are not running Symantec Endpoint Protection.

To use this feature, click "Find Unmanaged Computers" in the Clients page of the SEPM console.

Use the Find Unmanaged Computer feature when you want to:
  • Check a network segment at a particular point in time.
  • Get a snapshot of systems connected to the network when run.
  • Deploy a client package to unmanaged systems by deploying Symantec Endpoint Protection client (with login credentials).

Both tools offer some help to administrators . . . However, a better overall solution may be Symantec Network Access Control.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices