Managing Symantec Endpoint Protection with Symantec Software Management Solution, Part 1: Software Resource

Having trouble managing your install of base for Symantec Endpoint Protection (SEP)? When viruses threaten the environment is the IT staff hard pressed to validate that all systems are in compliance, to ensure all systems have the correct version of Symantec Endpoint Protection and that the definition files are up to date? Software Management Solution has a way to actively manage the install base of SEP, allowing the Altiris platform to detect and ensure that the environment is up to date, including automated tasks to bring computers

back into compliance when they fall out of compliance.

Introduction

This is part one of an article series covering the use of Symantec Software Management Solution 7.0 in deploying and managing Symantec Endpoint Protection. In this part I'll cover how Symantec Endpoint Protection is configured as a Software Resource in the Software Management Framework. The basics of a Software Resource will be illustrated in this process. This also includes how to configure the package, command lines, and other standard options within the Software Resource.

Software Resource

A Software Resource is a collection of data and metadata for a particular software product. It contains all data pertaining to installing, repairing, uninstalling, and detecting the product, including command lines and location of the install files. The following list details the main items within a Software Resource:

• Product Details - This includes metadata such as Software Resource version, type, Company (using a Notification Server Company Resource Type), and overarching Software Product.
• Packages - This is a repository of where the files associated with the Software Resources are stored. All files can be put into a single repository, or separate packages may need to be used to house different versions of the Software.
• Command Lines - This represents all commands available to interact with the Software Resource. While normally only install, uninstall, and repair command lines are used here, utilities and other commands available from a command-line interface can be used.
• Detection Rules - These are used to detect what state software is in, including not present, installed, configured, or anything else using the detection rule list.
• File Inventory - This can be used to determine if software is present based on file inventory configured through the Software Management Framework or Inventory Solution.
• Software Publishing - This dictates whether the Software Resource is available via the Software Portal, and if so, who has rights to install on demand or request approval for install.

Determining Software Resource Methodology

To begin managing Symantec Endpoint Protection through Software Management Solution, you first need to determine what type of methodology to use. To illustrate, here are two scenarios:

1. Symantec Endpoint Protection as a Whole - You create a single Resource to contain all data relating to Symantec Endpoint Protection. While this may allow a smaller subset of Resources, the collaboration between each component will grow more complex the more versions are released.
2. SEP by Version - You create a Software Resource per major release (for example 10 versus 11). This allows each version to be configured singly, providing a less complex interface when working out interdependencies and other configuration items.
3. SEP by Dot Version - You create a Software Resource per dot release (for example 11.0 versus 11.5). This makes management of each Software Resource easier. Conversely it also creates more entries to manage within the Software Management Framework.

This raises the question on which methodology is recommended? This depends on the situation, although I tend to lean towards option 2.

Creating a Software Resource for SEP

The creation of a Software Resource incorporates several processes. The processes below cover the basic configurations that most Software Resources will need to be deliverable to computer targets. However the first thing to determine is what install package to use. This will be specific per application, and with Symantec Endpoint Protection there are a number of options. The following links provide access to several options:

• This article covers how to use Symantec Endpoint Protection Manager to create Client Installation packages - http://service1.symantec.com/support/ent-security....
• This article isn't as detailed, but covers the basic for creating client installation packages - http://seer.entsupport.symantec.com/docs/305173.htm
• Manuals are located at this link including user guides - http://www.symantec.com/business/support/documenta...
• This is an upgrade package should you be initiating an Upgrade to SEP 11 -http://www.symantec.com/business/support/downloads.jsp?pid=54619
• This was also pulled from Symantec's Support site: For full details on the supported method of installing SEP 11 by Active Directory GPO, see the topic "About installing clients with Active Directory Group Policy Object" in the Installation Guide for Symantec™ Endpoint Protection and Symantec Network Access Control. This guide, installation_guide.pdf, can be found on the SEP 11 product CD.

For this example the package was created and then extracted into the package directly so no decompression or extraction is required during the process. All predetermined configuration items have been included so no user-interaction is required. Use the Symantec Endpoint Protection Manager to create the right package for you. Once created, to mirror what I'm doing below extract the contents of the package into the folder you'll define as the SEP 11 Package.

Software Library

First, in this example we will use the Software Library as the chosen source of the Package. To do this, follow these instructions:

1. In the Symantec Management Console, browse down through Settings > All Settings.
2. In the left-pane tree browse down under Settings > Software > Software Catalog and Software Library Settings, and select Software Library Location.
3. Enter in a UNC to the location of your Software Library. This can be:
   1. A dedicated File Server, or NAS.
   2. A local share on the Notification Server as shown in the subsequent screenshot.
   3. Any other UNC available to the Notification Server.
4. Each package will be subfolders within the Software Library location.
5. Click the Validate button to test whether the Notification Server can access the location. You should see the message: The specified software library path is valid, as shown in this screenshot:

   

6. Click Save Changes to complete the Software Library configuration.

Software Resource Creation

The following steps walk through creating a Software Resource for Symantec Endpoint Protection. For this example I used version 11.0.4014.26.

1. In the Symantec Management Console, browse under Manage and select Software.
2. In the left-hand tree browse under Software > Software Catalog > Select Releases.
3. In the right-hand pane click Add + > Software Release.
4. In the top field provide the Name, for example: Symantec Endpoint Protection 11. You can also add a description if required.
5. In the Version field, type in 11.0.0.
   NOTE: This field can be used to update the Software Resource so that hashed versioning information is forced to change. For example if I update the files due to problems with the way it was initial configured, changing the version to 11.0.1 will force a refresh of the Software Resource causing anyone using the Software Resource to request all the information again.
6. In the Company dropdown type Symantec and click the dropdown arrow. Choose Symantec as the Company.

Package Creation

A Package within a Software Resource is a collection of files. Specifically a folder is chosen during the process and all files and subfolders and files become a single package. Follow these steps to create a package:

1. Click on the Package tab.
2. Click the Add package button.
3. In the resulting window, enter in a Name and Description, for example Name= Symantec Endpoint Protection Installer Package.
4. Set the Package Source as the Software Library.
5. 5. Click the Define Package hyperlink.
   NOTE: you may get the message: Please verify that you have the Java 2 JRE(Standard Edition v1.6) installed. If you see this message, you need to install Java by going to www.java.com to use this control.
6. Click the Add button and browse to the location of the actual package folder.
7. Click the plus next to the new folder to expand the contents.
8. Select the installer file to be used. I selected Setup.exe as shown in this screenshot:

   

9. Click the button 'Set Installation File. The file should show up as BOLD when selected (an auto-select feature may have already set the Installation File for you).
10. Click OK to save the selection.
11. If Package Servers are used in your environment, Click on the Package Server tab.
12. Configure this section as needed. A recommended change is to change the 'Assign packages to:' section to something other than Package Servers automatically with manual prestaging.
13. Click OK to save the Package Details.
14. Click Save Changes to save the current progress on creation of the Software Resource.

Command Lines

The actionable executions against a package come in the form of command-lines. Multiple command-lines can be created. In this example we'll create 3 command-lines to Install, uninstall, and repair. The full walk-through will focus on the Install command line.

1. In the Software Resource Editor, under the Package tab, under the Command lines section click the + Add command button.
2. Provide a Name, for example: SEP 11.0.4014.26 Install. You can provide a description as well.
3. Ensure that the option 'Command line requires a package is checked and the Package in the dropdown is set to Symantec Endpoint Protection Installer Package.
4. Change the Installation file type to the appropriate type, for this example EXE Software Installation File.
5. Change the Command type to Install.
6. Within the Command line field, put in the command-line. For the install example I'll provide this simple command line:
   • Setup.exe
7. Under the Success codes add the following, also refer to the subsequent screenshot for an example of the configuration:
   • 0, 3010

   

8. Click OK to save the command line.
9. Repeat steps 1 through 8, but with the following changes:
   • Name: SEP 11.0.4014.26 Uninstall
   • Installation file type: MSI Software Installation file
   • Command type: Uninstall
   • Command line: "msiexec /x Symantec AntiVirus.msi"
10. Repeat steps 1 through 8 again, but with the following changes:
    • Name: Repair SEP 11.0.4014.26
    • Installation file type: MSI Software Installation file
    • Command line: "msiexec /fa Symantec AntiVirus.msi"
11. Once you are back to the Package tab screen, click Save changes to complete the configuration of the Command lines.

The basic package and command-lines have now been configured in the Software Resource. A Quick Delivery Task can now be used to execute any of the command-line options as they stand.

Continued in Part 2

Part 2 of this article series will discuss Quick Delivery Tasks, which is an unmanaged, single-execution delivery, Managed Delivery Tasks, which will rollout and manage SEP, and the associated Rules configured under the Rules tab in the Software Resource editor.

Conclusion

Don't forget that we've only configured half the equation. While the Software Resource is now available for general execution, we've not utilized the more powerful features of the Software Management Framework to automate and manage the install.