Video Screencast Help

Install packages created in SEPM do not have the correct policies of the group it was created in

Created: 19 Nov 2013 • Updated: 19 Nov 2013 | 14 comments

Hi,

       I have a standard group I put end-user's machines into which is locked down.  Tamper protection is enabled and password in place, etc.  I also have a group that is NOT locked down designated for IT.  Tamper protection is not enabled w/ no password being required when you run the client clone prep tool.

I'm trying to export an installation package from the IT group to give to administrators at different sites to use when making an image of a machine.  For whatever reason when they install this package on a machine they're building to make an image, the machine then points to the standard group, and of course the standard group is locked down so then the administrators cannot run the client side prep tool.

I have found a workaround, by simply moving the machine into the IT group and then forcing it to update.  I can then run the clone prep tool and am successful in removing the UID.  I'm trying to figure out though why this happens keeps happening when I create the install packages for the IT group.

 

Any help would be appreciated.

Operating Systems:

Comments 14 CommentsJump to latest comment

_Brian's picture

SEPM version?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

_Brian's picture

So, when you go to export the package and check the box for the IT group to use its policies, it still goes to the standard group?

Sounds like something is broke, although I don't see anything in the fix notes for RU4.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002's picture

does the sylink.xml file matches from the agent outbox folder for the group and the exported package?

Rafeeq's picture

Did you do this first?  This is because they are ending up in wrong group

How to prepare a Symantec Endpoint Protection 12.1 client for cloning

 

http://www.symantec.com/business/support/index?page=content&id=HOWTO54706

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

Should follow the best practices to clone Symantec Endpoint Protection 12.1 client in either a physical or virtual environment.  If this document is not followed then cloned Endpoint Protection clients will have duplicate identifiers, which will result in problems with management and reporting

Refer the article linked by Rafeeq.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Skiextreme2013's picture

OK just to add, I always run the client side prep tool to remove the identifier.  The problem is that even though I check the IT group when exporting the package, the computer winds up going into the the locked down group when I install SEP on the client. 

 

To get by what I've been doing, is just moving the machine into the IT group.  I then force an update from the server so that the machine gets all the policies from the IT group.  At that point I can successfully run the client side prep tool and remove the UID.

Rafeeq's picture

right click on the lockdown group and select block new clients....

Chetan Savade's picture

Hi,

In SEP 12.RU4 there is one known issue, see if it's related to your case.

Clients move to the wrong group if group name has a space in it
Fix ID: 3147159
Symptom: If you copy a group name containing a space from the details tab of one Symantec Endpoint Protection Manager and paste that group name into a new group on another Symantec Endpoint Protection Manager, then the clients end up in an incorrect group. If you copy the same group name containing a space from Windows Notepad, then the clients end up in the correct group.
Solution: Fixed so that it now converts the space correctly during the copy.
 
& If you enabled block new clients, the client gets added to the default group
 
 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Skiextreme2013's picture

Hi Chetan, I only have one SEPM in my organization so I do not think this is applicable.  @Rafeeq, I do not see the option when I right-click on the group to block new clients.

_Brian's picture

Right click the group and select Properties

At the bottom you will see a box for "Block New Clients"

Blocking client computers from being added to groups

Article:HOWTO80730  |  Created: 2012-10-24  |  Updated: 2013-10-07  |  Article URL http://www.symantec.com/docs/HOWTO80730

 

The new clients will instead go to the Default Group.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade's picture

Hi,

Even though you moved client manually to another group then does it come back to the same group i.e. standard group? why it's necessary to run clone prep tool every time?

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Skiextreme2013's picture

So this is being done only when we are creating a Master Image to use to deploy future machines w/ our standard corporate applications/configuration.  So say for example Dell comes out w/ a new line of Latitudes w/ completely different hardware, drivers, etc., we will make a master image.  At the end before we push this image to the server, we run the SEP client clone tool to remove the UID.

The install package I create from the IT group (which is not locked down) does not put the new computer into that group.  The computer goes to the group standard employees are in, which I have locked down to prevent tampering, un-installing SEP, etc.

The workaround I came up with so that I could run the client-side clone tool, is to move the machine into the IT group and then force it to update it's policy from the SEPM.  After this is done, I can then successfully run the clone tool.

I need to resolve this,  We have offices world-wide and I need designated staff to be able to make images and not have to go through this process with me. 

 

Is there a setting or something that needs to be enabled so that this install package points the machine back to the group it was created from??

Chetan Savade's picture

Hi,

Apologize for the late reply.

As per this statement "The install package I create from the IT group (which is not locked down) does not put the new computer into that group." Can you create new image by following symantec recommendation?

Actually you are not following recommended process, after deploying image no need to run clone tool to remove the UID & because of this next problem is occuring.

Have you tried by creating new custom package?

Creating custom client installation packages in the Symantec Endpoint Protection Manager consol

http://www.symantec.com/business/support/index?page=content&id=TECH102817

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<