
Allow Administrators to Disable SEP 12.1 on all Clients

Created: 25 Jan 2012 | 8 comments
Troga's picture

Hi!

We don't allow Users to Disable the SEP Protection on all Clients by Policy.

But is it possible to allow some Administrator Accounts to disable the SEP Protection on all Clients, if one of them is logged on?

If yes, how can I handle that?

 

Thank you in Advance

Best Regards

Troga


Mithun Sanghavi's picture

Hello,

Here are the Steps:

1) Lock all the Locks within SEPM by following the steps provided in the Article:

How to prevent SEP features from being disabled in the client GUI in SEP 12.1
 
 
How to block a user's ability to disable Symantec Endpoint Protection 11.x on Clients
 
 
2) Provide Policy for password protection to the SEP clients to access GUI. (which of course only Administrator would have)
 
This could be done by:
 
SEPM > Clients TAB > Policies> General Settings > Security Settings.
 
Once this is done, only Administrators who have the password to check the SEP GUI would be able to Disable the SEP.
 
Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Troga's picture

Hi Mithun!

But we want the Users to be able to open the GUI to check Status and so on.

We just want the Users to be unable to disable the protection, while any (defined) admin account can disable the Protection for a while.

Any other Idea for us?

 

Best Regards

Troga

Mithun Sanghavi's picture

Hello,

In that case, Provide password for stopping the client service and uninstall the client.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


Troga's picture

Hi Mithun!

Are you sure?

We want to use right mouse click on the tray icon and then Disable Endpoint Protection for (defined) Admins only

I tested it and opened the lock from the Auto Protection and entered a Password for stopping the client service, but the user was now also able to disable the protection and no password pop up has opened.

I had set also a Password for Export Policy and that worked.

So I am sure, that I got the right Policy and that your Solution seems not to be right for us.

Am I missing something or did you understand something wrong?

Best Regards

Troga

Mithun Sanghavi's picture

Hello,

You need to use the Steps below:

1) Lock all the Locks within SEPM by following the steps provided in the Article:

How to prevent SEP features from being disabled in the client GUI in SEP 12.1
 
 
and 
 
2) Provide password for stopping the client service and uninstall the client.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


Troga's picture

If we make Step 1 and Step 2

then the Disable Endpoint Protection is greyed out. (Like it was before)

And how can the Admin then Disable the Protection?

By stopping some services inside services.msc, is not what we want.

We want to have the Disable Endpoint Protection in the tray icon greyed out for Users

and ON for our defined Admin Accounts.

Best Regards

Troga

Chetan Savade's picture

Hi Troga,

It's possible with user mode.

You configure clients to be in either user mode or computer mode, based on how you want to apply policies to the clients in groups. When you add a client, it defaults to computer mode, which takes precedence over user mode.

computer mode:  The client protects the computer with the same policies, regardless of which user is logged on to the computer. The policy follows the group that the computer is in. Computer mode is the default setting.

user mode:  The policies change, depending on which user is logged on to the client. The policy follows the user.

http://www.symantec.com/docs/TECH102686

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

GeoGeo's picture

You could simply give the admins the uninstall/stop password; then, from the Run command, typing smc -stop and entering the password will stop the client, and smc -start will start the client back up?

Please review ideas and vote there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas