Endpoint Protection

Hallo allerseits,

im SEPM werden seit kurzem nicht mehr alle Clients angezeigt. Der Schwellenwert "nicht verbunden seit x Tagen" wurde bei diesen nicht erreicht. Ein Teil der nicht mehr angezeigten Clients sind bereits wieder im System eingebunden.

Ich suche jetzt nach einer Möglichkeit, festzustellen, wenn soetwas pasiert. Den jetztigen Vorfall habe ich durch unser Netzwerküberwachungs-Tool festgestellt. Eine andere Möglichkeit würde ich bevorzugen:

Vielen Dank für die Unterstützung.

Hi everyone,

 in SEPM recently not all clients were shown. The threshold "not connected in x days" has not been reached. Part of the clients that were not displayed are   already reattached to the system. I am now looking for a way to determine when something like that happens (clienst disappearing). This incident, I have  found through our network monitoring tool. I would prefer another option.

Thanks for the support.

the unmanaged detector works on a local network and looks at ARP traffic on that subnet to determine whether or not a client is running SEP. If its not running SEP, we report it back to the SEPM and it will appear in the security report (you can also configure notifications for this). Two things to bear in mind:

1. This works on a per subnet basis - you need a detector in each subnet your company has to guarantee coverage
2. This won't detect clients that have SEP installed but are not managed by your SEPM (either "unmanaged" SEP clients or other companies SEP clients because we look to see if SEP is *installed* There are things we can potentially do in the future, depending on how the feature evolves and what customers request.

hth, if you need any more information please ask - I will double check the docs and if this truly isn't present I'll raise a defect for the documentation to be updated.

Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0

http://www.symantec.com/business/support/index?page=content&id=TECH104340

Thank you for your quick reply.

The problem ist, that SEP is installed on these machines and seems to be a managed client. So the unmanaged detector won't find these clients.

I will reread the docs and check the links you posted.

Maybe there is some kind of report which lists the clients that were deleted from SEPM but did not reach the deadline for non-connected clients.

If i am not wrong you are asking...

If some client are deleted "X Days"it's automatic reconnect SEPM manager

• When communication mode is set to Pull, the SEP client will check in again at the next heartbeat interval.
• When communication mode is set to Push, the SEP client does not fully disconnect, which allows any policy changes made in SEPM to occur immediately on the SEP client.

http://www.symantec.com/connect/articles/symantec-endpoint-protection-heartbeat-process

Next heartbeat interval you sep client showing in sepm console.

Thank you, again for your reply.

as far as I know it's like you said: If I delete a client in SEPM it will reconnect with the next heartbeat interval (my communication mode is Pull).

The clients that get lost in SEPM are not manually deleted, and are not removed because 'delete clients not connected for x days - policy' applies.

They also behave like they are still managed clients. But they are not managed. Instead they 'roam' through the management tree. One day they get updates from GUP in site-q the other from site-w. Corresponding to the entry in Help and Support - Troubleshooting - Management (on the client).

Your doc for resetting Hardware-ID did solve this and the clients are listed in SEPM again.

Now I want to get a report or something like that, so that I know if a client is no longer listed in SEPM. I do not care if it's due to the policy mentioned above. But I want to get a report if it is before the set number of  'days not connected'

Hope this info helps to understand my goal.

You can try Unmanaged detector 

Unmanaged detector are resolved this issue.You can run unmanaged detector and find those system which are updated but not showing sepm console

Hi,

Connected clients will not move permanently until and unless it reaches to assign threshold.

It doesn't show even as a offline, disabled ?

What changes you made to attach clients to the SEP?

Hi,

thank you for your post, please excuse my late reply.

Nope, it does not even show as offline or disabled. It simply is not present in SEPM anymore.

Before that, I made no changes to SEP

Now I will give the unmanaged detector a try, although I have my doubts that it will work. The client (from its point or view) behaves like a managed client.

If issue is resolved then please mark this thread as a solved.