Symantec Endpoint Protection Manager 12.1 - LiveUpdate - Policies explained

Article:TECH178257  |  Created: 2012-01-04  |  Updated: 2012-04-23  |  Article URL http://www.symantec.com/docs/TECH178257
Article Type
Technical Solution


Issue



You need more details about the options in the Policies of the Symantec Endpoint Protection Manager (SEPM).  Additional options have been added in Symantec Endpoint Protection 12.1 that were not present in SEP 11.


Solution



 

LiveUpdate Server Settings for Windows clients

You use the Windows Server Settings pane in the LiveUpdate Settings policy to specify how Windows clients get content updates.


Table: LiveUpdate Server Settings for Windows clients

 

Setting

Description

Internal or External LiveUpdate Server

Select one of the following options:

• Use the default management server

Downloads the content updates from the Symantec Endpoint Protection Manager. This option is recommended for most organizations. The option is the simplest and requires no configuration other than applying the policy to a group. Select this option if you use a Group Update Provider.

• Use a LiveUpdate server

Downloads the content updates from either the default Symantec LiveUpdate server over the Internet, or from an internal LiveUpdate server. You can specify multiple internal LiveUpdate servers for failover support.

If you enable both options, clients try to retrieve updates from both sources. You typically do not enable both options unless you have a specific reason. If the server provides named update versions to clients, and the clients have previously downloaded the latest updates from a LiveUpdate server, the clients do not download and install the named (previous) versions.
 

Group Update Provider (GUP)

Use one or more Group Update Providers

Specifies one or more computers to act as a LiveUpdate server for the group. For example, you might want to create a Group Update Provider to conserve bandwidth to clients in a remote location over a slow link. In this scenario, the Group Update Provider downloads the latest updates from the server. The Group Update Provider then updates the clients in the group. If the Group Update Provider is offline, the clients contact the server for the updates.

The Group Update Provider can reside in any group.

Note: The Group Update Provider is available only for Windows clients.

Third Party Management (TPM)

Enable third-party content management

Enables third-party tools such as Microsoft SMS to provide updates to client computers securely.

To use this feature, you must set up the Symantec Endpoint Protection Manager as a staging server for content. The clients do not need to be connected to this staging server. Configure the server to download updates on a periodic schedule. If you use the continuous setting, the server downloads the latest updates when they are posted.

By default, the updates appear in the Default group's clients' content outbox folders. These folders are organized by content type. You can then pick up one or more content packages from the content outbox folder and deliver it to the client's inbox folder.

To ensure that only third-party management tools update client computers, disable the other LiveUpdate server options on this page.

Note: Third-party content management settings are applied to Windows clients only.

LiveUpdate Proxy Configuration

Configure a proxy server to use for LiveUpdate from the default Symantec LiveUpdate server or from a specified internal LiveUpdate server.

This proxy server is used only for LiveUpdate and not for any other external communications.

 

LiveUpdate Settings policy Schedule

Use this panel to specify how often to push updates from LiveUpdate servers to clients in the groups to which this policy is applied. The Use a LiveUpdate Server check box must be selected on the Server Settings pane for you to enable this feature.


Table: LiveUpdate policy schedule options


Option

Description

Enable LiveUpdate Scheduling

Enables or disables client use of the Symantec LiveUpdate server in addition to the Symantec Endpoint Protection Manager server. When this option is enabled, you can set the scheduling options that the clients use when they communicate with the Symantec LiveUpdate server.

This option is enabled by default. 

Frequency

Specifies how often to schedule clients to run LiveUpdate to download the latest updates. The default is Every four hours. The specific time option is available for both Daily and Weekly options. The specific day option is available for the Weekly setting only.

The Continuously option allows the client computers that infrequently communicate with the Symantec Endpoint Protection Manager server to get the latest updates. They get the latest updates when they connect to the network and authenticate to the server.

Note: On Mac clients, the Continuously option specifies that the client communicate with a LiveUpdate server once an hour.

Retry Window

Specifies the number of hours or days to keep trying to run LiveUpdate if the scheduled run of LiveUpdate failed for some reason. This option is enabled when the Every, Daily or Weekly option is selected. The default is Every four hours with a two-hour retry window.

Note: Only Windows clients keep trying to run LiveUpdate. Retrying is not available for Mac clients.

Download Randomization Options

Specifies a randomization option. You can stagger the updates, plus or minus the value that is specified, to minimize the effect on network traffic. By default, Symantec Endpoint Protection randomizes the LiveUpdate sessions to minimize bandwidth spikes.
              

Idle Detection

Specifies that a scheduled LiveUpdate should not run until the computer is idle. If the computer is never idle, then after the final threshold is reached, the LiveUpdate runs even if the computer is not idle.

If unchecked, the scheduled LiveUpdate always runs at the scheduled time, regardless of how busy the computer is.

Options for Skipping LiveUpdate

Specifies that LiveUpdate should run automatically at the next scheduled time if the checked criterion is met. If you check both options, the client computer must meet both criteria for the scheduled LiveUpdate to run on schedule. If the client does not meet one condition, then the scheduled LiveUpdate is skipped and an entry is made in the client system log.

 

LiveUpdate Policy Settings Advanced Settings
The Advanced Settings let you specify the amount of control to give users over using LiveUpdate on their computers. You should understand the relationship between these settings and product updates.

Table: LiveUpdate client security settings


Setting

Description

User Settings

• Allow the user to manually launch LiveUpdate

Lets the users manually perform LiveUpdate on client computers. Disable this setting as a best practice for managed clients. Conflicts can occur if a scheduled LiveUpdate session is running when a user manually starts a LiveUpdate session.

• Allow the user to modify LiveUpdate schedule

Lets the users change LiveUpdate schedule settings on client computers.

• Allow the user to modify HTTP, HTTPS, or FTP proxy settings for LiveUpdate

Lets the users change LiveUpdate proxy settings on client computers.

Note: These settings are available only for the client computers that run Windows. LiveUpdate can always be launched manually on a client computer that runs Mac.

Product Update Settings

Download Symantec Endpoint Protection product updates using a LiveUpdate server

Downloads and installs client software updates automatically when users click LiveUpdate or when a scheduled LiveUpdate session runs. When disabled, prevents downloading and installing client software updates, even if another Symantec product runs LiveUpdate on the client computer.

If the LiveUpdate Settings policy specifies that clients download updates from a Symantec Endpoint Protection Manager or Group Update Provider, the updates are in the form of microdefs. If the LiveUpdate Settings policy specifies that clients download updates from a LiveUpdate server, the updates are in the form of MSP (patch) files.

This setting lets you control client software versions. When this setting is disabled, client software can only be manually updated. When the management server downloads and processes patches, it creates a microdef, which automatically appears as a new package. The new package appears in the Client Install Packages pane. You can then select the package, and use the Upgrade Groups with Package feature for your Windows clients. You must provide manual updates for Mac clients by using a third-party tool or by making the update package available for download on your network.

HTTP Headers

At times, LiveUpdate connections may use nonstandard headers that your firewall might block. If your environment contains such a firewall, check this option to require standard HTTP headers for the LiveUpdate connection.
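
Added example (not Symantec code and not part of the original article): the guidance in the Windows tables above expressed as a policy check. The dictionary keys are hypothetical names for the check boxes described here, not SEPM's policy export format, and the two sample policies are constructed.

```python
# Added example. Keys are hypothetical names for the check boxes in this
# article; they are not SEPM's policy export format.

def lint_liveupdate_policy(p):
    """Return the sorted rule ids that a Windows LiveUpdate Settings policy trips."""
    sepm = p.get("use_default_management_server", False)
    lu = p.get("use_liveupdate_server", False)
    gup = p.get("use_group_update_provider", False)
    tpm = p.get("enable_third_party_content_management", False)
    hits = []
    # Both sources are not normally enabled together without a specific reason.
    if sepm and lu:
        hits.append("BOTH_SOURCES")
    # The default management server is the option to select when a GUP is used.
    if gup and not sepm:
        hits.append("GUP_WITHOUT_MGMT_SERVER")
    # Third-party tools are the sole updater only if the other server options are off.
    if tpm and (sepm or lu):
        hits.append("TPM_NOT_EXCLUSIVE")
    # Scheduling depends on the "Use a LiveUpdate server" check box.
    if p.get("enable_liveupdate_scheduling", False) and not lu:
        hits.append("SCHEDULE_WITHOUT_LU_SERVER")
    # Best practice for managed clients: no manual LiveUpdate launch by users.
    if p.get("allow_user_manual_launch", False):
        hits.append("USER_MANUAL_LAUNCH")
    return sorted(hits)

# Constructed sample policies (not exported from a real SEPM).
WEAK = {
    "use_default_management_server": True,
    "use_liveupdate_server": True,
    "enable_third_party_content_management": True,
    "enable_liveupdate_scheduling": True,
    "allow_user_manual_launch": True,
}
HARDENED = {
    "use_default_management_server": True,
    "use_group_update_provider": True,
    "enable_liveupdate_scheduling": False,
    "allow_user_manual_launch": False,
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_liveupdate_policy(policy))
```
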

 

LiveUpdate Server Settings for Mac clients
You use the Mac Server Settings pane in the LiveUpdate Settings policy to specify how Mac clients get content updates.

Table: LiveUpdate Server Settings for Mac clients

Setting

Description

Use the default Symantec LiveUpdate server

Downloads content updates from the default Symantec LiveUpdate server over the Internet.

 

Use a specified internal LiveUpdate server

Downloads content updates from an internal LiveUpdate server. You can specify multiple internal LiveUpdate servers for failover support.

You can Add, Edit, and Delete LiveUpdate servers and use Move Up and Move Down to change the position of the LiveUpdate servers in the list.

 

Mac Schedule LiveUpdate settings

You use this page to specify how often to push updates from LiveUpdate servers to clients in the groups to which this policy is applied.

Table: LiveUpdate schedule settings for Mac clients

Setting

Description

Frequency

Specifies how often to schedule clients to run LiveUpdate to download the latest updates. The default is Every 4 hours. The specific time option is available for both Daily and Weekly options. The specific day option is available for the Weekly setting only.

The Continuously option allows the client computers that infrequently communicate with the Symantec Endpoint Protection Manager server to get the latest updates. They get the latest updates when they connect to the network and authenticate to the server.

Note: On Mac clients, the Continuously option specifies that the client communicate with a LiveUpdate server once an hour.

Download Randomization Options

Specifies a randomization option. You can stagger the updates, plus or minus the value that is specified, to minimize the effect on network traffic. By default, Symantec Endpoint Protection randomizes the LiveUpdate sessions to minimize bandwidth spikes.

 

LiveUpdate Policy Settings Mac Advanced Settings

You can allow clients to receive product updates from a LiveUpdate server.

Table: LiveUpdate Policy Settings Mac Advanced Settings

Setting

Description

Product Update Settings

Download Symantec Endpoint Protection product updates using a LiveUpdate server

Downloads and installs client software updates automatically when users click LiveUpdate or when a scheduled LiveUpdate session runs. When disabled, prevents downloading and installing client software updates, even if another Symantec product runs LiveUpdate on the client computer.

If the LiveUpdate Settings policy specifies that clients download updates from a Symantec Endpoint Protection Manager or Group Update Provider, the updates are in the form of microdefs. If the LiveUpdate Settings policy specifies that clients download updates from a LiveUpdate server, the updates are in the form of MSP (patch) files.

This setting lets you control client software versions. When this setting is disabled, client software can only be manually updated. When the management server downloads and processes patches, it creates a microdef, which automatically appears as a new package. The new package appears in the Client Install Packages pane. You must provide manual updates for Mac clients by using a third-party tool or by making the update package available for download on your network.

 

Technical Information
 

Overview - Policies www.symantec.com/docs/TECH104436 
Antivirus and Antispyware www.symantec.com/docs/TECH104430
Application and Device Control www.symantec.com/docs/TECH104431 
Centralized Exceptions www.symantec.com/docs/TECH104432
Firewall www.symantec.com/docs/TECH104433 
Intrusion Prevention www.symantec.com/docs/TECH104434 

 

 

 

 



