Hi all,

I am looking for a solution for the following

All of my user has adminstrative previlgous on their respective PCs, recently I have created a rule to allow websites and block some web, the rule is working perfectly but some smart user can still brows the blocked website by disabling symantec(by right clicking the shield icon, disable symantec).

Is there any rule or policy that I can create in SEP Manager to avoid the user to disable the subject.

I use SEP Manager 12.1

Thanks in advance

Anver

How to block a user's ability to disable Symantec Endpoint Protection on Clients

http://www.symantec.com/business/support/index?page=content&id=TECH102822

Hello,

You can determine the level of interaction that you want users to have on the Symantec Endpoint Protection client. Choose which features are available for users to configure. For example, you can control the number of notifications that appear and limit users' ability to create firewall rules and virus and spyware scans. You can also give users full access to the user interface.

The features that users can customize for the user interface are called managed settings. The user does not have access to all the client features, such as password protection.

To password-protect the client

1. In the console, click Clients.

2. Under Clients, select the group for which you want to set up password protection.

3. On the Policies tab, under Location-independent Policies and Settings, click General Settings.

4. Click Security Settings.

5. On the Security Settings tab, choose any of the following check boxes:

   • Require a password to open the client user interface

   • Require a password to stop the client service

   •  Require a password to import or export a policy

   • Require a password to uninstall the client

6. In the Password text box, type the password.

   The password is limited to 15 characters or less.

7. In the Confirm password text box, type the password again.

8. Click OK.

Check these Articles which may assist you with all the Information you are looking for:

How do you lock down SEP client interface so that end users cannot disable components or modify settings.

http://www.symantec.com/docs/TECH136678

How to block a user's ability to disable Symantec Endpoint Protection on Clients

http://www.symantec.com/docs/TECH102822

How to restrict users from making configuration changes to the Symantec Endpoint Protection client.

http://www.symantec.com/docs/TECH102370

Hope this helps!!!

Hi,

You can do this in few steps

Check this article which talks about only SEP 12.1

How to prevent SEP features from being disabled in the client GUI in SEP 12.1

http://www.symantec.com/docs/TECH168990

Forum article also available for same :

https://www-secure.symantec.com/connect/articles/how-disable-sep-features-client-gui-sep-121

It will definitely help you !!

Does this helps

Password-protecting the client

http://www.symantec.com/business/support/index?page=content&id=HOWTO55487

Dear, 

The above password option I tried on my 11.5 server and is working when opening the client, but in 12.1 server not at all working.

The password option is working on when to open the client interface, but my object is to ask the password on while right click and disable the SEP. I can't find in the settings "ask the password while right and disable the SEP"

Thanks for your time.

Anver

the security settings are only for

Enables you to password-protect the client with the following options:

Agreed for the password options. 

http://www.symantec.com/business/support/index?page=content&id=TECH136678

As per the above artilce, it removes the ability to open the client interface and  removes the SEP icon from the system tray..

but my question is by keeping the SEP icon on system tray - can I gray out the disable symantec end point protection ?

Thanks for your time.

Anver

strange that this link has not helped

http://www.symantec.com/docs/TECH168990

1) In SEPM, under Virus and Protection policy lock all the items which are unlocked

• This action reverse all the other 3 points from the article you mentioned - correct?

or

Select Virus and Protection policy- High security, it will lock all the items as a policy default.

• When I click this, I found all are locked as mentioned - do I need to activate this policy, (I am not sure when I simply

          click on the High security - will this become active) I think by default when I make changes on virus and 

          protection policy that became an active policy rather than this. - is this the problem I am facing

2) Go to Specific group --> Policies --> Location-specific Settings --> Client User Interface Control Settings --> Tasks --> Edit settings --> Server Control --> Customize --> Uncheck the following two options

i) Allow user to enable and disable the firewall

ii) Allow user to enable and disable application and device control policy.

3) You also need to perform the following In the Policies tab of the SEPM:

1. Click  Intrusion Prevention Protection policy.

2 .Click Setting, then lock this feature by clicking the lock symbol next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention.

3. Click OK.

Check on client, as you can see tab is grayed out.

• from 2-3 settings are as it is - but still no grayed out on client.

Where I am wrong??????

Thanks for your time.

Anver

Once configured on SEPm, have the client taken the policy?

You can check by comparing the policy number on SEPM and SEP client. Both have to be same.

Yes, the client have taken the policy - it showing the same policy number as from the server - see below

Thanks,

Anver

Hello pete_4u2002,

i checked this option and when i set password protection for all 4 options i could deactivate the Client per mouse with an right click.

for the other three optionsalways prompting for password.

It is very strange but so it is.