How to prevent client features from being disabled by users in the SEP 12.1 client interface
Article: TECH166950 | Created: 2011-08-11 | Updated: 2013-02-26 | Article URL: http://www.symantec.com/docs/TECH166950
How to prevent users from disabling the Symantec Endpoint Protection (SEP) 12.1 client features.
Symantec Endpoint Protection 12.1
Windows Server OS
By default, users are able to disable SEP features from the client interface.
1) The menu item to disable all Virus and Spyware Protection features is available (enabled) by default.
To disable Virus and Spyware protection feature access on a SEP client, you will need to modify policies in the Symantec Endpoint Protection Manager (SEPM):
Log on to the SEPM --> Policies --> Virus and Spyware Protection --> Virus and Spyware Protection – Balanced --> Protection Technology --> Auto-Protect --> Check mark / lock Enable Auto-Protect
Confirm on the client that the option "Disable all Virus and Spyware Protection features" is grayed out.
2) The option to disable Proactive Threat Protection is also enabled by default.
Log on to the SEPM --> Policies --> Virus and Spyware Protection policy – Balanced --> Protection Technology --> SONAR --> Lock Enable SONAR
Confirm on the client that the item "Disable all Proactive Threat Protection features" is grayed out.
3) Disable Network Threat Protection access on SEP client.
Go to the Specific client group > Policies > Location specific setting > Client user interface settings > Edit settings > Uncheck Allow user to enable and disable firewall
Check on the client that the option "Disable all Network Threat Protection features" is grayed out.
4) The option "Disable Symantec Endpoint Protection" is also enabled by default. This option can disable the previous 3 features, if they are not locked, along with some additional features.
1) In the SEPM, under the Virus and Spyware Protection policy, lock all the "Enable" items which are unlocked.
Select the Virus and Spyware Protection policy - High Security; it will lock all the items as a policy default.
2) Go to Specific group > Policies > Location-specific Settings > Client User Interface Control Settings > Tasks > Edit settings > Server Control > Customize > Uncheck the following two options
i) Allow user to enable and disable the firewall
ii) Allow user to enable and disable application and device control policy.
3) Also perform the following changes in the Policies tab of the SEPM:
i) Click Intrusion Prevention Protection policy.
ii) Click Setting, then lock this feature by clicking the lock symbol next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention.
iii) Click OK.
Check on the client that the option "Disable Symantec Endpoint Protection" is grayed out.