
Adding the Agent to Servers

Created: 04 Mar 2013 • Updated: 05 Mar 2013 | 13 comments
This issue has been solved. See solution.

Hello,

Our Desktop group has been using SMP 7.1 to manage our end-user workstations.  Our server group is looking to start using SMP to manage our servers.  They want to start adding the agent to low risk servers to begin testing.  One concern that has come up is the following:

  • The server group wants to be absolutely certain that any Policies, Jobs, and Tasks run by our Desktop group will NOT touch any of the managed servers.  What is the best way to use Altiris in a way that keeps actions taken on workstations completely separate from actions taken on servers (and vice versa)?

Also, we have given the Altiris Service Account local admin rights to the end user workstations.  Will the same Altiris Service account have to be given local admin rights to the servers as well?


andykn101's picture

The only real way to absolutely guarantee that desktop software will not go to servers is to use a separate NS.

I always use Exclude Computers Not In "Windows Workstations" as the first line of my Policy Targets so that a machine has to be positively identified as a Workstation (instead of just excluding servers and hoping that the server is correctly identified as such).

You do not need to give the Altiris Service local admin rights on the servers.

The other thing to do is try and stop people thinking of software as going to "everything", it almost never should.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

Gibson99's picture

make sure all your policies, quick deliveries, etc have appropriate targets.  don't forget patch mgmt if you use that as well - target appropriately, and control the reboot!

as for the agent itself - installing it on server08r2 and older is a piece of cake and is a non-issue.  however, we've found that the agent simply will not install on server2012, and apparently symantec knows this.  so if you have any servers running 2012 you won't be able to manage them till symantec releases a fix.  or maybe 7.5.  good luck with that though - we've had very bad luck with upgrades to symantec products lately.  

If a Connect post helped you out, be sure to click "Mark As Solution" or the "Thumbs Up" button to let other users know about it.

WK01's picture

Thank you both for the responses.  Just to clarify my understanding:

  1. When you refer to targets, are you referring to the use of "Filters"?
  2. We have told our Desktop group to ALWAYS use the "Exclude Servers" filter that we manually created.  Our Server guys always add servers to this list.  The Desktop guys are told to exclude the Machines/Servers in this list.  Is that a good approach?
  3. If the Altiris Service does not have local admin rights to the machine, how can the agent be pushed through the console to the server?

Thanks for the heads up on Windows 2012.

andykn101's picture

1. Policies are applied to Targets, which can be made up from Filters.

2. If you use a manually created filter you are relying on that being kept up to date at all times. If you always include in your target Exclude Computers Not In "Windows Workstations" you are much less likely to have a problem.

3. You can specify credentials when you push the agent, you can ask a server admin to enter credentials when you do the agent push.

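Added example (not part of the thread, and not Altiris code): a toy model of target resolution comparing a manually maintained "Exclude Servers" list with a target whose first rule is Exclude Computers Not In "Windows Workstations". The inventory rows, hostnames and function names are constructed for illustration.

```python
# Toy model of policy target resolution; constructed sample data, not Altiris code.
INVENTORY = [
    {"name": "WS-001", "os_class": "workstation"},
    {"name": "WS-002", "os_class": "workstation"},
    {"name": "SRV-DB1", "os_class": "server"},
    {"name": "SRV-NEW", "os_class": "server"},  # agent just installed
    {"name": "SRV-ODD", "os_class": None},      # inventory not reported yet
]

# Manually maintained exclusion list; SRV-NEW and SRV-ODD were never added to it.
MANUAL_EXCLUDE_SERVERS = {"SRV-DB1"}


def windows_workstations(inventory):
    """Filter: machines positively identified as workstations."""
    return {m["name"] for m in inventory if m["os_class"] == "workstation"}


def resolve_denylist_target(inventory, exclude):
    """Target = every managed computer minus the manual exclusion list."""
    return {m["name"] for m in inventory} - set(exclude)


def resolve_allowlist_target(inventory):
    """Target whose first rule excludes computers not in "Windows Workstations"."""
    everyone = {m["name"] for m in inventory}
    not_workstations = everyone - windows_workstations(inventory)
    return everyone - not_workstations


def servers_at_risk(target, inventory):
    """Machines in the resolved target that are not confirmed workstations."""
    return sorted(target - windows_workstations(inventory))


if __name__ == "__main__":
    deny = resolve_denylist_target(INVENTORY, MANUAL_EXCLUDE_SERVERS)
    allow = resolve_allowlist_target(INVENTORY)
    print("manual exclude list leaks to:", servers_at_risk(deny, INVENTORY))
    print("positive workstation match leaks to:", servers_at_risk(allow, INVENTORY))
```

The stale manual list lets the policy reach both the newly added server and the machine with no inventory yet; the positive-identification rule reaches neither.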

WK01's picture

Thank you.

Will there be any problems when it comes to running jobs, tasks, and policies if the Altiris Service Account does not have local admin permission?

andykn101's picture

By default the Symantec Management Agent runs all Jobs, Tasks and Policies in the context the agent runs under, that of the local System account. It's only if you specify an account in the Policy or Job that it will use a different account, but you can use any account with admin rights on the workstations.


WK01's picture

Thank you, Andy.  That clears up a lot of confusion.

Is it safe to assume that the only reason the Altiris Service account would need local admin rights to an end-user machine would be in the situation of pushing the agent to a machine from the console?

andykn101's picture

Yes, if you did need to run installs or other programs on the clients using a domain user account with local admin rights (instead of the default local system account the Agent will use) it's good practice to create an account for that purpose and not to use the Altiris Service Account.


WK01's picture

Andy,

We originally thought in order to install the Symantec Management Agent on an end-user's machine that the Altiris Service Account needed local admin rights.  Our steps to push the agent are as follows:

  1. Actions > Agents/Plug-ins > Push Symantec Management Agent > Rollout Agent to Computers
  2. Input Machine Name then click "Add"
  3. Highlight Machine then click "Install" (or "Settings")

We left the check mark OUT of the line below (in italics) that is found in "Settings" because we believed that it would be proper to let the Altiris Service Account (application credentials) install the agent.  For that to work, it seemed we needed to make sure the Altiris Service account has local admin rights to any machine in order to push the agent.

Use the following admin account instead of application credentials

  • Username:
  • Password:

Is that not a good practice?

andykn101's picture

From an Altiris point of view it's fine. Security best practice would say use a dedicated account to push the agents and don't give the Altiris Service Account rights it doesn't need.


SOLUTION
WK01's picture

Thanks again for all the help with this.

Gibson99's picture

1 - yes filters.

2 - good, but there's always a chance for human error, which is why andy said a separate NS.

3 - you can manually install the agent on each server while logged in as an admin user.  make sure the policy to upgrade the symantec mgmt agent is targeted to servers, too, or they will be flaky.


WK01's picture

Thanks again.

Will the Altiris Service Account need local admin rights to run jobs and tasks on the server?

We have been giving the Altiris Service Account local admin rights to our end-user workstations.  Was that unnecessary?