Endpoint Protection

  • 1.  Policy to uninstall SEP 11

    Posted Mar 23, 2009 02:56 PM
    I just have a quick question regarding a policy a client would like to have on their system.

    The client runs SEP on all corporate machines, but also has users who are affiliated with the company who own their own computers.  The client wants to mandate that all these machines have SEP installed.  When the affiliated user breaks ties with the company, sometimes there is no opportunity to uninstall the SEP.

    Is there any way to set a policy to have an SEP client uninstall if it does not contact the SEPM for a specified number of days?

    If not, what are the licensing ramifications for the corporate customer?

    Thanks for any ideas.

    Kevin S. Peterson


  • 2.  RE: Policy to uninstall SEP 11

    Posted Mar 23, 2009 04:07 PM

    Not to uninstall it but to delete it from the SEPM console if it doesn't contact the SEPM for a specified number of days.

    It's too tough to implement with a home made utility as well to achieve that. But would they be running the same image when they leave the company?

     



  • 3.  RE: Policy to uninstall SEP 11

    Posted Mar 23, 2009 04:23 PM
    The only thing I can think of is to put a startup script on the computer - like a VBScript. It could compare the current date with some file, like a definitions file, that if the defs date was over so many days older than the current computer date, run an uninstall batch file. For safety, so it would not uninstall if it simply was not able to update defs for some communication reason, perhaps the VBScript could check to see if the computer was a member of your domain or not?


  • 4.  RE: Policy to uninstall SEP 11

    Posted Mar 23, 2009 04:27 PM
    Yes,

    In this case, they are real estate agents working for a firm.  They provide their own computers, but the firm wants to mandate SEP, so the license for SEP comes out of the monthly charge they pay for networking.

    Once they leave, they would like to have a way to no longer be 'liable' for any license violation (since they wouldn't pay to have updates indefinitely).  The firm is really trying to be a good corp citizen by getting rid of these 'orphaned' installs.




  • 5.  RE: Policy to uninstall SEP 11

    Posted Mar 23, 2009 04:30 PM
    I think it's not possible at all to implement that. If it's their computer, they are the administrators. They can get past whatever you add locally, and SEP doesn't have a feature like that.


  • 6.  RE: Policy to uninstall SEP 11

    Posted Mar 23, 2009 04:39 PM

    Shadow's papa,

    Thanks,  I think this is probably the direction I'm going, just didn't want to waste the time scripting if there was a built-in solution.

    Sandeep,

    Fortunately, the firm also requires their own admin account on the machine, so they do have access.  These are also mostly users who wouldn't know there was anything to get past and don't realize they are their own admins, which is the reason for the SEP in the first place.

     

    Thanks for the ideas.. I'll keep an eye out for any others.  I was hoping for some policy to be able to trigger a command line script.

     

    Kevin

     



  • 7.  RE: Policy to uninstall SEP 11

    Posted Mar 23, 2009 05:36 PM

    Alright. In that case you can go for something like this. Make a bat file by the name app2.bat and place it in runonce for HKLM.

    Probably some testing might be required before you deploy it, though the logic should be in place.

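    @echo off
    rem Counter file: number of consecutive runs on which the SEPM could not be reached.
    set "cfile=%windir%\system32\c.txt"

    rem A real echo reply contains "TTL="; "Reply" alone also matches "Destination host unreachable".
    ping -n 1 -w 3000 sepm_server | find "TTL=" > nul
    if not errorlevel 1 (
        rem SEPM reachable: reset the counter and re-arm for the next startup.
        if exist "%cfile%" del "%cfile%"
        goto :here
    )

    rem SEPM not reachable: load the previous count (0 if there is no counter file) and add one.
    set count=0
    if exist "%cfile%" for /f "tokens=*" %%R in ('type "%cfile%"') do set /a count=%%R
    set /a count=count+1

    rem your_product_code is a placeholder for the product code of the installed SEP client.
    if %count% GTR 30 (
        msiexec /q /x %your_product_code%
        goto :eof
    )

    rem Save the new count, then fall through to re-register the script.
    > "%cfile%" echo %count%

    :here
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v Data /t REG_SZ /d "%windir%\system32\app2.bat" /f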