Endpoint Protection

  • 1.  Migration Plan from MR4MP1A to RU5 with changes in program options installation

    Posted Nov 05, 2009 07:04 AM
    The situation is this:
    We have One site - Two Management servers (one in each city we operate - two cities) - SQL Server 2005 for DB in city1.

    I have divided the computers to three groups per city group (city1-group1,group2,group3  -  city2-group1,group2,group3) with each city having a different Managed Server prefer list and each group having different installation options and policies (for example group1 that is used for clients has av+zero day threat protection installed but not group2 which is intended for servers that does not have zero day threat protection and group 3 has the firewall and application-device control-network threat protection installed and in use).

    What I am planning:
    • Upgrade the servers to RU5 (I know the procedure)
    • Upgrade all clients to RU5 (still looking how to do it)
    • Change the installation options (of the upgrade) for the clients in order to include application-device control-network threat protection BUT with these options not used yet in the clients until I do a complete test of their policies and apply them.
    The question regards bullet 3.
    Can I do an upgrade on the clients, changing the installation options to include application-device control-network threat protection, but in a way that these will be not in use, in order to check usability in test groups?
    If YES, how, and which is the best way to do it?

    Thanks

     


  • 2.  RE: Migration Plan from MR4MP1A to RU5 with changes in program options installation

    Posted Nov 05, 2009 09:32 AM
    Absolutely--

       Assuming for a moment that your SEPM groups are mapped to Active Directory OU's, follow these steps:

    Create "do-nothing" policies for Application & Device Control  and the Firewall (call them something like "Production Client Firewall Policy")
      [Note - in the case of the firewall policy "Do Nothing" would mean using the default rule set-- don't put in a blank rule set or you may have problems]

    Apply the "Do Nothings" to all SEPM Groups

    Create a new "Test" group

    Identify machines that you want to pilot App & Device Control settings and put them into the Test group

      The machines in the Test group will still appear in the AD linked group, but from a policy standpoint their appearance in Test will take priority.  Now create the App & Device/Firewall policies you want to test and apply them to only that test group.  Similarly, you can upgrade the clients in your production (AD-linked) groups with the other components and know that they will inherit the "do nothing" production policies.  After you're satisfied with the results on test policies just duplicate the change on production.


    That's the 500 foot view anyway.  I hope it's helpful!





  • 3.  RE: Migration Plan from MR4MP1A to RU5 with changes in program options installation

    Posted Nov 06, 2009 08:42 AM
    First of all, I don't have AD OU's mapped to SEPM groups.
    I have thought of what you are suggesting; what I don't know is:

    I have a group (let's say the clients group). This group has installation settings that don't include firewall or application and device control when installing the client, and policies in which firewall and app device control are disabled.

    I want to upgrade to RU5 client OVER the previous client installation but WITH NEW INSTALLATION SETTINGS that will include the previously missing firewall and app device control features, but with these features disabled.

    What I was thinking is: upgrade the servers.
    Then create a new install feature set, e.g. "client 2 install feature set", in which I will have all the options installed.
    Create a new group named "Clients 2" into which I will move 10 computers from the original Clients group. Keep the same policies as in the previous group (av enabled, firewall and app dev control disabled) and then perform an upgrade with the new package on this test group, but with the new Client 2 Install feature set, and see how this goes.


  • 4.  RE: Migration Plan from MR4MP1A to RU5 with changes in program options installation

    Posted Nov 06, 2009 09:29 AM
    Sorry for editing
    It is possible.
    First upgrade your SEPM.
    You move some clients to a new group.
    Assign a package for that group.
      While assigning a package, don't forget to remove the option "maintain existing client features while upgrading".
    Before doing this you have to go to Admin--->Install packages, and here you may have to create a custom features list.
    After getting it upgraded you can assign the policies to this group and test.
      Do necessary modifications for the policies.
    Then you can do the same thing in other groups also.