Endpoint Protection

  • 1.  Pointing Clients to a new SEPM

    Posted Jul 30, 2009 01:16 PM
    Let me set up the background...

    One of our networks has its own SEPM with about 100 clients and we have integrated/merged with another network that has its own SEPM with about 250 clients.
    We are wondering how we can get the SEPM with 100 clients to "release" its clients so we can pick them up on the SEPM with 250 clients so we can wipe this server
    and re-use it for something else.

    We don't want to have a replication setup. We want all of our users on one SEPM on one server.

    Is there any way we can tackle this without having to go to 100 physical machines and uninstall the SEP clients?

    Thanks,
    -SN


  • 2.  RE: Pointing Clients to a new SEPM
    Best Answer

    Posted Jul 30, 2009 01:36 PM
    Yes, that is possible.

    We just need to replace the Sylink on the client.

    Using the "SylinkReplacer" Utility

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008062412271448


    How to point Symantec Endpoint Protection(SEP) clients to a new Symantec Endpoint Protection Manager after you have either uninstalled, are going to decommission or replace the Existing Primary Symantec Endpoint Protection Manager (SEPM).

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009022414415348


  • 3.  RE: Pointing Clients to a new SEPM

    Posted Jul 30, 2009 01:36 PM

    This works for unmanaged PCs, but might work for managed PCs too.
    service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007082009543848

    You replace the existing Sylink.xml file on each PC with one from the new SEPM server and then reboot the PCs.  This is fairly simple enough to automate using MS SMS/SCCM or similar.

    However, for my environment, I didn't have a LSProfile.xml file where the group name was "Temporary", so probably would have chosen the one with "Default Group" instead.

    Good luck with this.



  • 4.  RE: Pointing Clients to a new SEPM

    Posted Jul 31, 2009 04:41 PM
    This worked perfectly, thanks for all your help!


  • 5.  RE: Pointing Clients to a new SEPM

    Posted Jul 31, 2009 10:27 PM
    Great catch Prachand...
    This solution also helped me big time..
    thanks a lot...


  • 6.  RE: Pointing Clients to a new SEPM

    Posted Aug 01, 2009 12:41 AM
    A startup script I used for a site of 500+ machines, worked well.

    Copy your sylink.xml into the working directory of where the script is called from.

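    REM Symantec Endpoint Protection Client Communication Settings
    REM Copies new sylink.xml file.
    SET APPLICATION=Symantec Endpoint Protection Client Communication Settings
    SET SEPDIR=%programfiles%\Symantec Endpoint Protection
    REM Flag file marks machines that have already been switched, so the body runs only once.
    SET FLAG=%windir%\sylink.flag
    IF NOT EXIST "%FLAG%" (
        REM Stop the SEP client service so sylink.xml can be replaced.
        "%SEPDIR%\Smc.exe" -stop
        REM Copy sylink.xml from the script's own directory over the client's copy.
        XCOPY "%~dp0sylink.xml" "%SEPDIR%\*.*" /Q /Y
        REM Restart the client so it reads the new communication settings.
        "%SEPDIR%\Smc.exe" -start
        REM Record the change in the Application event log.
        EVENTCREATE /T INFORMATION /ID 302 /L APPLICATION /SO "Scripted Application Management" /D "Scripted installation of application %APPLICATION%"
        REM Create the flag file.
        ECHO >"%FLAG%"
    )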


  • 7.  RE: Pointing Clients to a new SEPM

    Posted Aug 01, 2009 05:35 AM
    Additional procedure on how to point the SEP clients to a new SEPM server by using the sylinkremote tool; it is more applicable if your workstation in your office has a different administrator password.


  • 8.  RE: Pointing Clients to a new SEPM

    Posted Aug 01, 2009 10:14 PM
    The method above is fine if you don't have too many computers. But there is another tweak you can do to have SEPM itself redirect all the clients to the new SEPM box.
    Note: This method assumes that the two SEPM servers are not related in any way (have never been replication partners, directly or indirectly).
    This method takes a little bit of setup, but makes it very easy to move a large number of clients from one server to the next.

    ServerA is the box you are trying to move clients away FROM
    ServerB is the box you are trying to move clients TO.
    1. On ServerA create 2 new groups. Call the first one "Prep for move" and call the second one MoveToServerB.
    2. On the "Prep for Move" group, under the policies tab, open the General Settings.
    3. Click on the Security Settings tab.
    4. Disable the last option, "Enable secure communications between the management server ..." and then click OK.
    5. Make sure this group is set to PUSH mode (or a fast pull mode), it will save you a lot of time.
    6. Move all the clients you want moved to ServerB into this group.
    7.  -- Part 2 --
    8. Note the first 4 digits of your "MoveToServerB" policy serial number.
    9. On ServerB, open the folder that contains the policy files of the group you want the new clients to join. (see second set of steps to find the policy folder/files)
    10. Copy all the policy files of the desired group from ServerB, into the "MoveToServerB" group folder on ServerA -- overwriting ServerA's  MoveToServerB policy files.
    11. On ServerA, make sure the clients you have put into "Prep for Move" have the latest policy. If they have not picked up the "Enable secure communications..." setting yet the next steps won't work and you'll have to start from step 6 again.
    12. On ServerA, open the SEPM console and move the clients from "Prep for Move" into the "MoveToServerB" folder.

    What will happen is when clients connect to the "MoveToServerB" group, they will download the files you copied from ServerB. So the client will have all the policies etc from ServerB and they will switch to that server.
    I believe the clients will always show up in the "Default Group" on the new server, ServerB.

    Note: Once in a while the policy files will get updated. If you want to keep the MoveToServerB group for a long time (say, if your clients are set to a 24 hour Pull Mode heartbeat) you may want to set up a script that copies the policy files from ServerB into ServerA every few minutes.

    To find the policy files:
    1. Note the first 4 digits of the group's policy serial number located under the Details tab in the Client view.
    2. Go to the agent outbox folder, which by default is %SEPM%\data\outbox\agents\ .
    3. This folder should have a bunch of folders with hex numbers.
    4. Search for the folder whose first 4 digits match the policy serial number.
    5. Open that folder and you will see all the policy files for that group.
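
The periodic copy mentioned in the note above, together with the folder lookup by serial-number prefix, could be scripted as follows. This is an added example, not part of the original post and not Symantec's tooling: the parameter names and the Resolve-GroupFolder helper are hypothetical, both outbox paths must be supplied by you, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example: mirror one group's policy files from ServerB into ServerA's
# "MoveToServerB" group folder, verifying each copy by SHA-256.
# Nothing here is taken from the SEPM product; every path and prefix is supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$SourceOutbox,  # ServerB's ...\data\outbox\agents, reachable from this host (assumption)
    [Parameter(Mandatory = $true)][string]$TargetOutbox,  # ServerA's ...\data\outbox\agents
    [Parameter(Mandatory = $true)][string]$SourcePrefix,  # first 4 digits of the ServerB group's policy serial number
    [Parameter(Mandatory = $true)][string]$TargetPrefix   # first 4 digits of the MoveToServerB policy serial number
)

function Resolve-GroupFolder {
    # Hypothetical helper: find the single outbox folder whose name starts with the prefix.
    param([string]$Outbox, [string]$Prefix)
    if ($Prefix -notmatch '^[0-9A-Fa-f]{4}$') {
        throw "Prefix '$Prefix' is not 4 hex digits."
    }
    $hits = @(Get-ChildItem -LiteralPath $Outbox |
              Where-Object { $_.PSIsContainer -and $_.Name -like "$Prefix*" })
    # A 4-digit prefix can be ambiguous; refuse to guess which group is meant.
    if ($hits.Count -ne 1) {
        throw "Expected exactly one folder starting with '$Prefix' in $Outbox, found $($hits.Count)."
    }
    return $hits[0].FullName
}

$src = Resolve-GroupFolder -Outbox $SourceOutbox -Prefix $SourcePrefix
$dst = Resolve-GroupFolder -Outbox $TargetOutbox -Prefix $TargetPrefix

foreach ($file in (Get-ChildItem -LiteralPath $src | Where-Object { -not $_.PSIsContainer })) {
    $target  = Join-Path $dst $file.Name
    $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Skip files that are already identical so unchanged policies are not rewritten.
    if ((Test-Path -LiteralPath $target) -and
        ((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -eq $srcHash)) {
        continue
    }

    Copy-Item -LiteralPath $file.FullName -Destination $target -Force

    # Fail loudly on a partial or corrupted copy instead of serving it to clients.
    if ((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -ne $srcHash) {
        throw "Hash mismatch after copying $($file.Name)."
    }
    Write-Output "Updated $($file.Name)"
}
```

Run it from a scheduled task on ServerA at whatever interval suits your heartbeat setting; it only copies files in the top level of the group folder.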


  • 9.  RE: Pointing Clients to a new SEPM

    Posted Sep 16, 2009 10:57 AM
      I deploy mine via a script that hits all remote systems.  I used psexec and MS batch scripts.  The link is: http://www.fishandscripts.com/?p=23