Hi

Before upgrade SEP client 11.7 then option on SEP client "Disable sysmantec endpoint protection" was disbale but after upgrade to SEP 12.1.4 that option is enable and now end user can disbale this option

Thanks

There is an additional lock you need to lock , under av policy

check this

How to prevent SEP features from being disabled in the client GUI in SEP 12.1  

http://www.symantec.com/docs/TECH168990 

Securing the Symantec Endpoint Protection (SEP) client user interface and settings.

reconfigure the policy to lock the settings.

When you select that, on the SEP GUI, what component shows as disabled? Is is the firewall?

Hi

But it is possible that in SEP Client 11.7 it was enable mean user was not able to disable SEP client

But after upgrade to SEP 12.1.4 the option was disbale mean now user can disbale SEP client on his PC

Does it normal behaviour

Thanks

Do you know have the firewall component installed but did not previously? What component gets disabled when you select that option?

Hi

See I have attached screen shots and I want to disbale this option "Disbale Symantec Endpoint Protection" on all Clients PC in SEP 12.1.4

Thanks

Followed all the steps as mentioned here?

How to prevent SEP features from being disabled in the client GUI in SEP 12.1  

http://www.symantec.com/docs/TECH168990 

after doing that just update policy or restar smc service

start  -run

smc - stop

wait for a min

smc -start

Hi

Now my question was that this option as attached file "screen-1" was disble grey color in SEP 11.7 after upgrade clients to 12.1.4 it became enable active. Does upgrade of client will change disable to enable because it happen to may upgraded clients

Thanks

There are some new policies  and they added few more locks like Early launch anti-malware for windows8 in 12.1 xxx, if this lock is not closed, it wont be grayed out.

 In the SEPM, under Virus and Protection policy lock all the items which are unlocked

or

Select Virus and Protection policy- High security, it will lock all the items as a policy default.

You can create a new group, move a client and follow the above method, it will work

In the location specific settings on the Clients page, go into the options for it and uncheck the option "Allow the following users to enable and disable the firewall"

Hi,

Thank you for posting in Symantec community.

The SEPM should not enable access if it was disabled prior to upgrade. Settings should remain intact even after the SEPM upgrade.

You should verify assigned client package settings if new package is deplyed and check assigned policies & their settings as well.

However to disable it again can refer the following article, Few GUI options are different under Location specific settings ->  Client user interface settings compare to the following article.

http://www.symantec.com/business/support/index?page=content&id=TECH168990

This is a very common question in general that I get asked in the support realm:

One thing to keep in mind is that there is new technologies in SEP 12.1.x that were not present in 11.x - when policies are migrated/upgraded - the tech that is existant during the 11.x days, the policy options will be transferred into the policy sets - however there are two new techs that need to be looked at within the AV policy sets:

Download Insight and SONAR - those are both brand new to 12.1.x - and since those are new, only the default options are loaded into those policy sets - please look over those options to verify that they are not able to be manipulated

Also, look over IPS policies as well, that one is commonly overlooked (make sure the locks are engaged)

Then also under client control modes - make sure that it is set to server control mode - and customize the options there (restricting users from turning on/off firewall and app & device control) - this is under Clients>Select Desired group/parent [if inheriting]>Policies>Location-Specific Policies>Client User Interface Control Settings> Make sure that is in Server Mode - but edit those options (set options for firewall/network threat protection and application and device control)

As long as that is set and every option in AV/IPS has the lock engaged - then that should prevent end-users from shutting it off from the tray

However, to take it a step further - make sure tamper protection is in a block and log/block and do not log state with the locks engaged, if you migrated from 11.x, the defaults is log only and the option is unlocked, it does not automatically change that -- if this is set to a block mode, then this will prevent unauthorized access to our keys and client files (such as users, threats, etc. from damaging our files) then also set a password to stop the service/uninstall at the very least -- that is under Clients>Desired Group/parent>Settings (blue box)>General Settings then the security tab and tamper protection tab