Installing the DLP Endpoint Agent with Altiris

Created: 13 Jul 2009 | 11 comments
jjesse's picture

In an earlier article I talked about installing the DLP Integrated Component within the Symantec Management Console. This article will cover how to manage the endpoint agent with this component.

Contents

What can the DLP Agent Do?
Installing the DLP Agent
   Discovering Computers
   Installing the Altiris Agent
   Installing the DLP Endpoint Agent
Upgrading the DLP Agent
Endpoint Agent Tasks
   Start Agents/Stop Agents/Kill Agents/Restart
   Pull Agents Logs
   Set Log Level to Info/Set Log Level to Finest
   Get Agents Configuration

What can the DLP Agent Do?

The DLP Endpoint Agent enforces Data Loss Prevention policies on endpoints and manages the data on those machines. It is made up of two agents, the endpoint agent and the watchdog agent. These two agents watch each other to make sure both are still running, and each will restart the other's service if it is stopped.

With the endpoint agent, the policies applied to Data at Rest targets and to the network via Data in Motion can also be applied to laptops and desktops. All scans on endpoints are controlled through the agent, and information is reported to the Enforce server.

Another important feature of the Endpoint Agent is that it can control removable media and monitor the copy & paste buffer, along with fax and print activity. This controls information that is flowing on the endpoint.

Installing the DLP Agent

In order to install the DLP Agent from the Symantec Management Console, we first need to discover the computers, and then push the Altiris Agent followed by the DLP Endpoint Agent.

All work in deploying and configuring the Endpoint Agent is done through the Symantec Management Console and the Data Loss Prevention Portal. The portal looks like the following:

Discovering Computers

Before we deploy the Altiris Agent and the DLP Endpoint Agent we need to discover the computers to add them to the database. There are two types of discovery that can be done through the DLP Portal, a Domain Browse or an AD Import.

The Active Directory Import provides the best way to discover and import your machines into the Symantec Management Console. An important note: this is just a read of Active Directory. We do not modify AD, and no AD schema modification is needed.

To begin an Active Directory discovery, click on the link "AD Import" which will bring up the following page:

A couple of notes about this screenshot are that I have already selected the correct domain, subnet and sites to import. Also I have filled out a schedule, under "specified schedules" to automatically import and update the Management Console.

The second type of discovery is a Domain Browse import. It can be run by clicking on the link in the Data Loss Prevention Portal, and looks like the following:

Provide the domain information to browse and discover computers.

Installing the Altiris Agent

Once we have discovered the computers, we can install the Altiris Agent. After the Altiris Agent is installed we will push out the DLP Endpoint Agent. From the DLP Portal page under "2. Deploy Endpoint Data Loss Prevention," select "Install Altiris Agent." This will open up the following screen:

As you can see from the screenshot, the computers we have discovered show up in the list of computers. To install the Altiris Agent, highlight a computer and select "Install Altiris Agent." Multiple machines can be selected by using either the shift key or control key.

Installing the DLP Endpoint Agent

Once the Altiris Agent is installed on the managed device we will install the DLP Endpoint Agent. From the Data Loss Prevention Portal in the Symantec Management Console, select "Install Symantec DLP Agent," which will open up the following screen.

What is unique to this install is that it is a part of an ongoing policy on the Symantec Notification Server. By default any computer in the filter "Computers managed without DLP Agent" will receive the DLP Endpoint Agent the next time the computer checks in.

A brief note of explanation for those not familiar with the Notification Server: policies are applied to groups of computers called "Filters." A computer is added to this filter when it has the Altiris Agent installed (managed) and does not have the DLP agent installed. Once the DLP agent is installed, the computer will automatically move out of the filter.

This policy is not enabled by default. To do so, click on the Red button next to "Off" and select "On." This will turn it to green. A client with the Altiris Agent will check in, receive this policy and install the DLP Agent.

Upgrading the DLP Agent

The first policy we talked about was the DLP Agent Install policy. The upgrade policy is the second policy in the DLP Portal page. To enable this policy, click on the "Upgrade Symantec DLP" link within the Symantec Management Platform. This will open up a window that looks like the following:

This policy is not enabled by default. To do so, click on the Red button next to "Off" and select "On." The policy will then become active and will automatically upgrade any endpoint whose agent is older than the current policy.

Endpoint Agent Tasks

Within the DLP Portal Home page there are 8 default tasks created. The Symantec Management Console allows us to create and manage tasks to control the Altiris Agent and a managed computer (a computer with the Altiris Agent on it).

Start Agents/Stop Agents/Kill Agents/Restart

The first three tasks are all about agent control and look and act the same way. These tasks allow us to control the status of the Endpoint Agent through the Altiris Agent. In case someone stops the Watchdog Agent or the Endpoint Agent, this task can reset the agent. The screenshot shows the Start Agent task:

There are two ways we can execute this task, either via a quick run task or via a schedule. A quick run task executes immediately, and through the drop-down you can select the computer to run the task on. If you want to schedule one of these tasks over time, you can do so through the scheduler.

Pull Agents Logs

The Pull Agent Logs task will copy the DLP Agent logs from the managed computer to the Symantec Management Console server, allowing you to review what is happening on the endpoints.

This task functions similarly to the other tasks: you can schedule the task or run it immediately.

Set Log Level to Info/Set Log Level to Finest

This task allows you to change the logging level of the Endpoint Agent without having to interact with the agent locally or change things manually.

Get Agents Configuration

The final pre-built task allows you to get the configuration of the Endpoint Agent without visiting the machine.

11 Comments

fireeyes's picture

This is a repeated article?

Abawa's picture

When copying sensitive files to a USB device from an Endpoint, the data transfer rate is slower than the normal copying of files from computers with no Endpoint DLP agent installed. What could the possible reasons be? How can it be solved (sped up)?

patriot3w's picture

Thanks for sharing. The interface of Altiris is really bad, hope they can improve it in the future.

UFO's picture

Nice article. Still helpful after this long period of time.

I have a question: after installing the Altiris Agent and creating the policy I cannot install the DLP agent. The Altiris agent installed successfully, the policy for the DLP agent was received by this agent, and then it doesn't install the DLP agent. What could cause the problem and how to solve it?

STS: DLP

jjesse's picture

Do you get a return code or error code at all on the Altiris Agent or within the Task or Managed Software Delivery item? Do you see the DLP agent in the software delivery folder or not at all?

Any other issues delivering software?

Jonathan Jesse Practice Principal ITS Partners

UFO's picture

Jonathan, thank you. At the moment of the problem the DLP agent was in the software delivery folder. Then, on the other day it did install without problems. I think that installation initialization was scheduled somehow by default. Could you please advise on that? You wrote in the article that when the endpoint computer (Altiris agent) checks in, it will get the policy and start installation. How does this check-in happen? What is interesting: is it possible to install the DLP agent this way so that no restart is required for the endpoint computer? Lots of questions :)

Should we move this discussion to a separate forum thread?

STS: DLP

N Manoj's picture

Nice article, with detailed steps

Manoj N

PrinceAshish's picture

Very needful & helpful article.

haroldvm89's picture

DLP Integration Component not working anymore with Altiris 7.5.

jjesse's picture

Hello haroldvm89,

If you look at the 12.0 release notes, the Altiris Integrated Component is no longer due to changes within Symantec. This doesn't mean you can't deploy the DLP Endpoint agent from Altiris; it just means you would have to build your standard MSI software delivery task instead of using the pre-defined tasks and jobs.

Make sense?

Jonathan Jesse Practice Principal ITS Partners
