Endpoint Protection

I am having a problem finding what setting I am missing.  I have created packages for every Group that I have that include specific Centralized Exceptions and Policies but whenever I push to a workstation they always end up in my default Group under My Company and I have to manually move them.


Also on a side question  I have a scheduled scan setup for Wednesday at 3am and today is the beginning of my pilot testing and every workstation I pushed too kicked off the weekly scheduled scan...please tell me this is only because I am pushing to clients on the same day that my scheduled scan is set to kick off...I do not want it to scan on install if I can help it.


Thanks!

I just want ot ask if what SEP version you are using right now?

When SEP is installed on the machine for the first time It runs a full system scan.

This is by design .

When exporting your package, there are two settings you need. One is to choose the groups the package will apply to, then another option to automatically add clients to the selected group. It sounds like maybe you missed that second part. If you aren't sure, rebuild the package again and see watch for the second part

I just got back to a computer where I could get the exact settings.  Here's what to watch for:

Export packages with policies from the following groups:  -- This option lets you select which policies to include/apply.  Select one group here.

Add clients automatically to the selected group -- This option is right below the big selection list for the first option.  You need to check this box for clients to get added to the right group.


This is all assuming you are exporting the client through the 'admin' tab under the 'install packages' section.

This issue was there on the older version of SEP and Its fixed on MR4

This is the work around
Right Click -> Default Group
Check Block New Clients
Then try to deploy the clients

Hope this works :)

Hi,

       The possible reason could be :-


The client system's GUID may have changed. As a result, when the client contacts the SEPM after the GUID has been altered, it has the appropriate information to authenticate to the SEPM, but the SEPM does not recognize the client and remediates the client to the Default Group. As a result, any previous policies active on the client are overridden by the policies that are used for the Default Group.

The GUID can be changed due to (but not limited to):

The IP address of the client changing significantly (to a range outside the normal host network that it resides on)
Significant hardware changes to the workstation
A LAN enforcer remediating the client before verifying and authenticating access to the network and its appropriate group

The Default Group is most often used in large deploy situations as a default remediation group with limited rights and policies to handle unrecognized and unknown clients that otherwise have the Symantec Endpoint Protection software installed with a sylink.xml that points back to the SEPM.


When a client appears in the Default Group as a result of the conditions above, move the client back to its appropriate group within the SEPM. For clients that are routinely moving out of the IP range of the network without VPN access, it is best to set a policy to ensure virus definitions are downloaded via LiveUpdate to the mobile client. Do not have the client try to reach back to a SEPM from a foreign IP address as this can trigger the undesired behavior. When setting the client to use LiveUpdate to retrieve definitions while mobile and not attempt to reach back to a SEPM, once the client returns to the home network it should still report back to its appropriate group in the SEPM with an appropriate local IP address.

 Bishop_21 do you use SEP with active directory enabled or not? If you enable active directory the computers always ends up in the correct group without having to manually move them or create a special package. 

However with ad enabled you cannot move SEP clients between groups in the SEPM console you have to do it in the active directory domain.

Thank you Gai-Jin...Love the name by the way!  I unchecked that box why I have no idea but it is checked now and everything is working as I need it too.

Not completely true.

I installed SEP cleint to my SEPM server (hey I want it protected too right!) and it got stuck in the default group and I am syncing with AD. So now it shows a not communication computer object in my member servers OU and a communicating computer object for that same server in the default group.

Nice huh! Now I can't delete the not communicating on since I am syncing with AD and I had to modify the dault groups settings to match my members server OU.

So might want to hold back on the ALWAYS's with symantec products!

NOT IMPRESSED!!! Getting tired of installing, uninstalling and reinstalling to make this software work.

Glad to hear it Bishop!  Sometimes we just have to go back and re-check the simple things.

And thanks for the compliment on the name.  I've been using it for years, even though it doesn't really apply anymore, It just kinda stuck.

Thanks!
Gai-jin