Upgrading SEP Clients using SEPM
Created: 10 Sep 2009 | Updated: 11 Sep 2009 | 8 comments
Here is a quick and dirty (two part) article on using the Symantec Endpoint Protection Management (SEPM) platform to deploy Symantec Endpoint Protection (SEP) client updates. In reality there are a multiple ways to deploy upgrades (and reasons for using each) I will only be covering the methods I am familiar with.
Section 1: First method
One of the first methods I have used for testing the Symantec updates is by importing the setup files into the SEPM server. This is in my opinion the fastest, easiest, and safest way to test the updated client without having to update your entire SEPM infrastructure first.
To start you will need the Symantec Endpoint Protection setup files from the latest release. Extract the SEP folder from the release to a location on your management server.
Now open your SEPM console and click the Admin navigation button.
Now under tasks click the Install Packages. You should end up at a screen like below although your number of packages might vary…. There is a reason for maintaining packages which I will explain at the end of this article.
Now click the Add Client Install Package shown in the below image.
This opens the Add Client Install Package dialog window. (Shown below) Provide a logical name for your package (I normally put in Symantec MR# MP#) or something similar. Click the browse button… navigate to your extracted SEP files from the latest build. Select the setup.exe file and click OK. Enter a short description for this install package if you desire. Click OK.
NOTE: You cannot add the same package multiple times (nor should you… you’re wasting space). Even if you name the package something different, you will encounter an error trying to import the package.
Now if you are importing a new package you will get the following screen.
Bang! You just imported a new package into your SEPM infrastructure… jump section 3 to learn about configuring your install package settings
Section 2: Second method
Probably the easiest way to get packages into the SEPM infrastructure is to upgrade your company SEPM servers. If you are like me though, (with five SEPMs) you will follow the previous approach to upgrade clients before the SEPMs. I have not had any issues with upgrading the SEPM servers, but it is easier for me to replace a client than a server in the event of a corrupt database.
Follow the prompts to install the latest package on your SEPM server. If you have multiple SEPM servers reporting to a central database you stop all of the SEPM services (on the other servers).
Now to explain why you will want to maintain your previous versions of SEP install packages in your SEPM infrastructure (at least for a little while). Keep in mind though each package is stored in the database and takes approximately 180 MB. Plan accordingly.
- From my experience updating the client software is similar to updating your definition files. When your SEPM server contains the previous versions your clients can perform delta upgrades. This can cut down the amount of bandwidth, time, and resources required to perform the upgrades. (I could be wrong here… it’s been a while since I tested this part of the installation push) Anyone from support let me know if my information is incorrect and I will gladly adjust this document.
Section 3: Configuring your install package settings.
This is an important part of your SEPM infrastructure management. You can use the default settings however it might be worthwhile to customize your installation parameters for your environment.
Let’s start by looking at what we can do with the Client Install Settings. Click on the Add Client Install Settings shown in the image below.
This will bring up the Add Client Install Settings window. You’ll find a couple of important settings in here that can allow some good control over the installation.
As you can see we will need to provide a name and description for our Client install settings. The name is important (as we will see later) so choose something that explains what you are doing.
Now, the good stuff allows you the following control over the installation process.
- Installation Type
- Interactive – users interact with the install process
- Unattended – users not allowed to interact with the process but see a windows progress dialog box (not supported on Microsoft Vista)
- Silent – Users do not interact or see the installation progress
- Restart Option
- Restart – only required for firewall installation, but still a good practice
- Do not restart
- Installation directory – default \\Program files\Symantec
- Installation logging – enabled by default
- Add the program to the Start Menu – Want your users to see the Symantec console options under the start menu?
- Update Settings
- Maintain all logs, policies, and client-server communication settings
- Remove all previous logs, and policies, and reset the client-server communication settings. – if you need to move to a new server, new group, or have other communication issues… it’s a great option to enable.
Below are my default installation settings for clients with communication issues.
If you need additional assistance with this section click on the Help button for the Symantec help files.
Section 4: Configuring your install package features.
Now let’s configure our Client Install Feature Sets. This will allow you to build a custom installation package with ONLY the components you want your environment to run. Don’t want Application and Device Control or Lotus Notes Scanner? This is where you configure what you want.
Again, provide a name and description that tells you what this package is for. After that you can select any of the options in the following image that your infrastructure requires.
In the next article we will go through the options I’ve used for deploying updates to your SEP clients.