Endpoint Protection

  • 1.  SEP - Control specified USB Device to be used on specified Computer with specified Domain User Account Login ONLY (All are Windows Client)

    Posted Jul 21, 2015 02:53 AM

    Hi,

    We are using Symantec Endpoint Protection (SEP); however, we face a problem with USB control:

     

    Questions:

    1) Control specified USB Device to be used on specified Computer with specified Domain User Account Login ONLY (All are Windows Client), can it be achieved? (if specified SEP version is needed, we can upgrade) We can apply control policy on Computer Container but cannot control the login user on clients.

    2) If question 1 could be achieved, how should the Policy & Container be designed for easier management?

     

    Many Thanks.

     

     



  • 2.  RE: SEP - Control specified USB Device to be used on specified Computer with specified Domain User Account Login ONLY (All are Windows Client)

    Posted Jul 21, 2015 06:46 AM

    Have you looked into switching to User mode?

    https://www-secure.symantec.com/connect/forums/computer-mode-vs-user-mode-1#comment-2832221



  • 3.  RE: SEP - Control specified USB Device to be used on specified Computer with specified Domain User Account Login ONLY (All are Windows Client)

    Posted Jul 21, 2015 06:52 AM

    Yes. This can be achieved with the following conditions. But user management will be completely MANUAL and it might take a long time to finalize.

    • Containers (at least User containers) should not be imported from AD to SEPM.
    • SEP clients should be installed in User Mode.

    With the above conditions, you will see a user account created in SEPM every time a new user logs in to a machine. For example, if user "X" is logging in to machines A and B, then 2 entries will be created in SEPM for user "X": one for machine A and the other for machine B.

    You can then create new groups as per your policy combinations and move the entries to different groups to achieve what you are looking for.

     

    Note that the user account will be created only after the user logs in to a machine. Hence, if user "X" logs in to machine C in the future, it will create a new entry at that time, and you will need to move it to the intended/correct group as per your policy needs for this user on this machine.

     

    Note: When SEP clients are in User mode, definitions will not be downloaded until someone is logged in to the machine.

     

    Just to mention: It will be a lot easier to manage if you just want to apply a policy for a user on every machine than applying a policy for a user on each specific machine.



  • 4.  RE: SEP - Control specified USB Device to be used on specified Computer with specified Domain User Account Login ONLY (All are Windows Client)

    Posted Jul 22, 2015 05:41 AM

    Hi Seyad,

     

    Thanks, does that mean:

    1) When user mode is enabled, the following object types would be found, and policy can be applied to this kind of object?

    - Object 1 - "User A with Machine A"

    - Object 2 - "User A with Machine B"

     

    2) Can I predefine the Object, e.g. "User A with Machine A", before User A logs in to Machine A for the first time?

    3) How to enable the user mode if the SEP agent is already installed and running?

     

    Thanks



  • 5.  RE: SEP - Control specified USB Device to be used on specified Computer with specified Domain User Account Login ONLY (All are Windows Client)
    Best Answer

    Posted Jul 22, 2015 08:25 PM

    Answers:

    1) Yes.

    2) NO. SEPM does have an option of "Add a user account" which allows you to add a new user account once, but it doesn't allow you to create multiple user accounts with the same user name or to define a user on a particular machine.

    3) Just right-click on the existing computer name entry (called computer mode) and select "switch to user mode".



  • 6.  RE: SEP - Control specified USB Device to be used on specified Computer with specified Domain User Account Login ONLY (All are Windows Client)

    Posted Jul 22, 2015 09:08 PM

    I get it! Thanks all of you!!