
Endpoint Protection Suite: Don't allow clients in a group

Created: 26 Jun 2012 • Updated: 02 Jul 2012 | 8 comments
This issue has been solved. See solution.

Hi,

 

We've just begun setting up our Endpoint Protection Server and I have a question regarding the management of computers and groups.

I have the default group; where all new users should end up in.

Then I have my "site" group which organises my servers and computers. 
Beneath that I have my Computers group, and my Servers group.
I don't want them to inherit from the parent group; and also I would like to remove all policies from the parent groups.

But; if by any chance a client should end up in the parent group that would leave him without any policy !!
Is there a way to mark these groups as "only for organisational purposes" or not allow any clients in them?

 

For example;

The group Chalons mustn't contain any clients
The group Computers mustn't contain any clients
The group Mac Full USB Access can contain clients
The group Windows Full USB Access can contain clients

 

Thank you in advance,

Domien


Chetan Savade's picture

Hi,

If you don't want to inherit from parent group, remove inheritance.

But; if by any chance a client should end up in the parent group that would leave him without any policy !!

--> Default policies would be applied.

To end up new users in default group, create custom package.

http://www.symantec.com/docs/TECH165801

 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

AravindKM's picture

Thumbs up to Chetan Savade.

In SEPM we can assign policies based on the group in which the client is present. It is possible to assign the same policy to multiple groups.

 

Have a look at this KB as well

Managing groups of clients

 

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

sandra.g's picture

To block clients from joining a group, do the following:

  1. Right-click on the group that you don't want to accept any clients
  2. Click on Properties
  3. In the lower left corner, click in the box next to Block New Clients.

This setting does not appear to propagate down with policy inheritance turned on.

Hope this helps,

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

SOLUTION
Grandeco's picture

Hi,

Thank you all for your support.
I managed to set up all my groups with the correct policies.

Sandra,
I changed the setting you mentioned; but afterwards I was still able to add computers to that group.
Or does that only block users from joining the group themselves? But doesn't block administrators from adding users to that group?

 

Thank you !
Domien

sandra.g's picture

I believe it prevents clients from joining the group via the heartbeat process.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Jason1222's picture

I believe Sandra is right, but to build upon what she is saying.

For example, if a group is deleted or renamed and a computer is offline; when the machine heartbeat reconnects the machine to the server, it will default back to the "default group" because the group it was set in no longer exists.

Constantine's picture

You have to go into the properties of the created group and mark "Block New Clients".

After that, new clients will not be added to that group.

Grandeco's picture

Thank you for the support.

I blocked clients from joining the top lvl groups with the suggested solution.
I'll just have to be careful not to add a client to the group myself; and just in case I screwed everything shut at those levels.

 

Domien