Endpoint Protection

  • 1.  confusion over AD tie-in and user vs computer mode

    Posted Sep 13, 2013 11:27 AM

    Currently no tie with AD at all. SEP groups are defined solely within the SEPM system.
    We are on "computer mode": policies, settings, rules and logging are all assigned at the computer level no matter who is logged in, even if no one is logged in.
    That's pretty simple - except in cases of the helpdesk needing to do something SEP would normally block on Jane Doe's computer at the reception desk. I like simple - the computer is imaged, turned on, and it appears in the proper SEP group because the image had SEP installed with settings for the proper group. The user logs in, the computer is ready to go already, all settings are in place. Even if it sits for a month with no one logged in, if it's on our network, it has our policies and keeps getting definitions from the mother server.

    Two things confuse me (well, more than 2 in total, but 2 related to SEP management):
    user mode and the tie-in with AD.
    User mode - policies apply to the computer based on who is logged in at the time. Well, with a prior v12 build, SEP was so confused about who exactly was logged in, thank goodness we were not in user mode! The SEPM console said Joe was logged in or was the last logged-in user, and in reality Jim was logged in. Joe had logged in 2 months ago, but 5 other people had logged in since and now Jim was logged in! What a mess that could have been.
    But let's say SEP is now very good at seeing who is really logged in. I assume that when Sally logs in, SEP sees it's Sally and tells the mother server - Sally just logged in, what are my instructions for her? and the SEPM system said she's a nice gal, relax the settings to this set of rules.
    Cool - but what about, say, weekly scans? Say Sally is on vacation and logs out, and no one is logged in when we want the computer to scan?
    What about updates - new defs arrive from Symantec to the management servers, the computer checks in - no one is currently logged in, what sort of process is used THEN? Windows is always running and doing things, including updates, SCCM pushes updates, the Windows OS checks in with papa Microsoft now and then or refreshes DHCP leases, checks with DNS for various things, does group policy updates in the background for the machine and so on. What rules or policies apply to that computer sitting with no logged in user - what does SEP do - sit confused unsure of what to apply or lock down?
    Or Sally normally uses computer XYZ but is on vacation, a new temp person logs in, but SEP doesn't know about this new temp person, there's been no sync with AD yet, so Jane logs in and she's rather ornery and wants to take some things out of the computer on her personal USB device or wants to download some cool new screensaver to the computer. Sally was nice and well trusted, so the SEP rules were relaxed. SEP said we trust Sally, the USB is not locked down for Sally. Jane can't be trusted, but the last rules SEP knew were Sally's. Now Jane is logged in, SEP doesn't know her - she inserts her USB device and - what's going to happen? Will SEP allow it? Will SEP block it?
    Our IT supervisor has full rights to use USB on his computer - it's assigned at the computer level. But what if he's gone and someone else sits at his computer and logs in - and quickly inserts some nasty stuff via USB. SEP is still checking with the mama SEPM server, still getting policies but has not yet applied them because, well, things were a bit slow. WHAM, this new person not yet recognized, or maybe not in the SEPM AD group because AD sync is only every 30 minutes and that just happened a few minutes ago - is that computer left naked in the wind until the policy updates or it recognizes - hey, you aren't the IT boss, stop that?!
    So the user mode question is - how does SEP handle a user it doesn't yet know about, or a computer with no user logged in, as far as firewall and other policies, scheduled scanning, updates and such? What about FUS? What happens if John is a great guy and logs in, but he leaves and tells Jack to go ahead and use his computer but don't log him off, so Jack logs in with login session 2. Jack is more locked down... but we now have two users logged in to the same computer... what then?
    What about remote connections?

    Then the other thing - What if there are some computers managed in computer mode, but a person who is in SEP as a user managed in user mode logs in to that computer. Who wins? Computer or user?
    VDI - I need a way to tell the system that if one of our clients uses one of the public login and VDI creates a computer with a certain name pattern that SEP locks that baby down.
    On the other hand, a regular employee logs in and VDI creates for them a regular agency employee computer; SEP should have other rules applied. These come and go all day: create, destroy, create, destroy. When you log in, a computer or desktop is built for you; log out, and that desktop is destroyed and DISAPPEARS from AD. Log in, VDI gives you a desktop it created in a certain place in AD. When you log out, it removes that desktop from AD.

    How does SEP keep up with that coming and going all the time if tied to AD? I've seen people log in and log out 5 or 6 times a day. Computer created, computer removed, over and over. What if one is created by VDI in a specific AD group - but SEP wasn't synced with AD - it could be 15 minutes, an hour, whatever SEPM is set to sync with AD, thus no computer in SEPM as it doesn't know about the computer that was just created in that AD OU by VDI 2 minutes ago. What rules apply then?


  • 2.  RE: confusion over AD tie-in and user vs computer mode

    Posted Sep 26, 2013 04:50 AM

    Interesting thread... an answer from a Product Manager would be appreciated here; try to ping Paul Murgatroyd.

    Regarding the section:

    Or Sally normally uses computer XYZ but is on vacation, a new temp person logs in, but SEP doesn't know about this new temp person, there's been no sync with AD yet, so Jane logs in and she's rather ornery and wants to take some things out of the computer on her personal USB device or wants to download some cool new screensaver to the computer. Sally was nice and well trusted, so the SEP rules were relaxed. SEP said we trust Sally, the USB is not locked down for Sally. Jane can't be trusted, but the last rules SEP knew were Sally's. Now Jane is logged in, SEP doesn't know her - she inserts her USB device and - what's going to happen? Will SEP allow it? Will SEP block it?

    AFAIK, SEPM will create a new agent entry for that unknown user and put it in the preferred group, or in the last one if set so; hence the policy of that group will be applied to Jane.