Endpoint Protection

Having some issues with getting Location Awareness to automatically switch, and hoping someone can offer a suggestion of where else to look.  I have a client that I'm testing which i want to have an offsite policy applied when not connected to my company's internal IP scope (10.x.x.x).   My issue is that the client does not automatically change to the Windows 7 Offsite location when connecting to the 192.168.x.x network, though I can manually change to the location through the client options.  However, when I connect it back up to the company network, it does automatically change back to the Windows 7 location.  

As you can see from the screenshot below, I've configured the following conditions

• Condition 1: Check for Windows 7
• Condition 2: Check for IP scope (in this case I'm testing with a WAP not connected to the company network, with a 192.168.x.x IP)
• Condition 3: Can client connect to SEPM?

The Default location has no conditions and is used for our XP clients which don't use NTP.  The Windows 7 location contains only the first condition that you see above, checking for Win7.  The client I'm testing is Win7, running SEP 11.0.6300 and I've verified the policy serial # is up to date.  The setting "Enable Location Awareness" is enabled, and I've tested with "Remember the last location" both enabled and disabled. 

I'd appreciate any suggestions you can come up with.  Thanks in advance!
Mike

what if you take out the last option when not connected to the manager option?

I think it takes sometime to switch coz it needs to realize that its not able to connect, whats the heartbeat set on this client? pull mode or push mode?

Hi Rafeeq,

I did test without the condition to connect to the manager, as well as testing with the connection, but no IP scope. 

The heartbeat was set to 10 minutes.  I reduced that down to 1 minute but that didn't help.  It is set to Pull Mode. 

edit: I'll also add that the location check setting is set for 4 seconds, which i believe is the default.

Thanks!
Mike

Carnesm,

You mentioned that the "Windows 7" location also uses the same registry criteria that checks to see if the system is Win7 - which means this location will always match regardless if the Win7 system is connected offsite/internally, thus causing it not to switch when it's offsite.

Can you try putting an additional criteria to the "Windows 7" location to check for IP scope that matches your company's internal IP (e.g.. 10.x.x.x) and see if it helps.

Hi philip_lee, and thanks for the response.  I had just been testing this myself and came to the same conclusion.  I added a DNS server to the internal location and it's switching locations correctly now. 

I had (wrongly) assumed that SEP would look at all location criteria and use the one that was the closest match.  Instead, it appears to go to the first criteria match and not look any further...this doesn't make a lot of sense to me, but I've never been accused of being logical .  In my mind, if I have a Win7 machine that has an IP of 192.168.3.25, and I have two critera; one that just checks OS and another that checks both OS and IP, it should choose the latter of the two. 

Regardless, I will mark this issue as resolved.  Thanks for the help!

Mike

Yip, using the connection to the SEPM server as criteria does slow down the switching of the location. This is related to the heartbeat.

https://www-secure.symantec.com/connect/forums/location-change-slow-or-not-react has the answer.