Issues Pushing Policies

Created: 16 Apr 2013 • Updated: 08 May 2013 | 8 comments
This issue has been solved. See solution.

Good Morning All,

 

I am having some issues this AM with policies propagating to my end users. If I am understanding SEP 12.1.2 correctly, I should be able to create policy exclusions on the SEP Management Server, and then have my workstations check in on a regular basis to get policy changes. On a handful of workstations this does not appear to be happening. Here are some examples.

 

1. I changed Sonar from Prompting my end users to allow changes on their systems, to LOG.  After 24 hours, I still have machines getting prompted by such things as the  "SEP 12.1 RU2 MP1" client update that I just attempted to push out.

2. I added a bunch of items to my exclusions file that after 24 hours, some machines continue to get prompted on, and others don't. Items such as the sep64.msi were denied even though being specifically set to monitor in the exclusions file.

 

How have others solved pushing updates to their end users and not have SEP intercept it??  According to the SEP Management Console, these end users are checking in, but it does not appear they are getting the updated policies I am setting.

 

Joe


_Brian's picture

What is your heartbeat set to? I assume it is less than 24 hours so this is probably not the cause.

If you compare the policy serial on the client with that of the SEPM, are they the same?

If you open the SEP client GUI and go to Help >> Troubleshooting and select Update Policy, will it update the policy manually?

How many clients are affected?

As a test you can clear out the policy file (serdef.dat) by following the steps at the bottom of this KB article:

Corrupted Policies (Serdef.dat) is preventing clients from starting the SEP service.

Article:TECH96760  |  Created: 2009-01-14  |  Updated: 2011-02-24  |  Article URL http://www.symantec.com/docs/TECH96760

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

uwwjoe's picture

- Heartbeat is set to 30 minutes.

- I don't think I know where the policy serial is.  I will have to do some digging to see if I can find this information. 

- Yes it will say that the policy was updated, but I will still get users being prompted by Sonar.

- Only a handful of clients appear to be affected at this time, about 5 total.

- I will try clearing out the policy and see if a new one is downloaded. I will let you know what happens.

 

Joe

SMLatCST's picture

If you're talking specifically about client upgrades (which is the impression I get), then you might want to take a look at the Client Install Settings, and how to adjust them for Silent install, with no Restart prompts.  

The below articles should help in this regard:

http://www.symantec.com/docs/TECH164754
http://www.symantec.com/docs/TECH177107
http://www.symantec.com/docs/TECH169818

Or if you're upgrading via the SEPM's Auto-Upgrade feature:

http://www.symantec.com/docs/TECH123485

To be honest, I'm not entirely convinced about the failure to distribute policies.  For example SONAR policy changes won't affect the client install notifications...

SOLUTION
uwwjoe's picture

I have read over the client deployment options.  I don't think there is an issue with the options set for the clients to deploy, the issue seems to be specifically that sonar is flagging it and users will receive a prompt.  The default is to deny this, users will most likely click deny and the installation will fail.  I am trying to figure out how to prevent this from happening.

 

I am hoping that adding the sep64.msi installer to Application Monitoring, then adding the SHA-2 Hash to the Applications exclusions list will prevent this pop-up.

 

Joe

SMLatCST's picture

In that case would you be able to provide screenshots and/or logs of the prompts please?

AjinBabu's picture

 

Hi, 

Would you be able to post a screen capture of the error?

After the heartbeat happens, is the new policy serial number getting reflected on the console?

Regards

Ajin

SameerU's picture

Hi

Please add a new group, assign the policies, move the affected clients to the created group, and observe.

Regards

 

uwwjoe's picture

Hello All,

 

I am sorry for the delayed response to this post.  I appreciated all of the suggestions that users have sent me.  In the end I tried a couple of things to resolve these issues.

 

1. I created a new group and pushed users into that group.  That did not seem to resolve my issue.

2. Completely removing the policy from the user's machine and forcing a redownload of the policy seemed to resolve my issues.

 

Also I figured out that when I watch applications that I have to also add them to the exclusions file AFTER they have been watched and the hash is found.  Thanks for bearing with me everyone and for the suggestions.

 

Joe