You can discover computers through Active Directory synchronization. Then, you can enable a policy to push the Altiris agent for install to computers that do not yet have the Altiris Agent installed.
Regarding agent protection, could you elaborate?