
SEP with VDI question - SEPM groups

Created: 12 Sep 2013 | 1 comment

SEP and SEPM 12.1.3001.165
Windows 7
For the most part, 2 groups in SEP management are used to handle and manage settings, configuration, security, policies and rules within SEP.
One group of computers is used by clients - it is more public and very restricted.
The other is for most of the rest of the employees, daily work sort of stuff. Still plenty of security (2.5 years virus-free sort of proves that).

We are working on a VDI project - VMWare products, virtual desktops, one standard "gold image" from which all desktops will spawn.
I am looking for a way to keep SEP on the gold image and yet "direct SEP" on the virtual computer or desktop to "be a member of" one of the two groups depending on who is logged in.

For the one group, the user ID or name will always start with the same characters and they will pull a desktop from one pool just because of who they are. That's the clients - they all share a group of login IDs. I want those computers to end up in their group so they get the proper set of SEP policies and rules and settings.
For the other group I want them to end up in our standard desktop group in SEPM so they will have their own set of rules or policies and settings.

Is there an easy way to do this while keeping a single base image in our VMWare VDI setup - with SEP pre-installed on it?

How about this - SEP is installed in that gold image to default to our normal desktop group in SEPM, but if a user with a user name following a certain pattern logs in, that computer runs a script that moves SEP into that group?
Perhaps a script that changes the registry - or a script that puts the sylink.xml file on that "computer" during the login process and SEP then just "moves" into that SEPM group?

How do others running VDI handle putting different computers into different groups in SEP?

Each time the user logs in, keep in mind that the computer is recreated from scratch and it will be as if SEP was new again - if I read things right. It's not like it's set one time and then every time that user logs in it's the exact same computer and holds all software settings. For their profile, yeah, if we do persistent.

Ideas???
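One way to implement the login-time approach floated above (a script that drops a group-specific sylink.xml onto the freshly cloned desktop), as an added example that is not part of the original post and not a Symantec-supplied script. It assumes: the client pool's login IDs share a prefix (here a placeholder `CL`); one sylink.xml per SEPM group has been exported from the console and stored on the gold image under an assumed folder; and SylinkDrop.exe (the tool shipped in the Tools folder of the SEP installation media) is present on the image at an assumed path and accepts the `-silent <file>` form, which should be checked against the tool's own usage output before relying on it. Because replacing the client's communication file needs administrative rights, this is meant to run from a scheduled task triggered at logon under SYSTEM, not from the user's own logon script, so the interactive user is read from WMI rather than from `$env:USERNAME`.

```powershell
# Added example, not from the original post or from Symantec.
# Picks a SEPM group from the logged-in user's name prefix and hands the
# matching sylink.xml to SylinkDrop so the cloned desktop reports into that group.
param(
    # Prefix shared by the restricted client pool's login IDs (ASSUMPTION: placeholder)
    [string]$ClientPrefix = 'CL',
    # Folder on the gold image holding <GroupName>.xml exported from SEPM (ASSUMPTION)
    [string]$SylinkStore  = 'C:\ProgramData\Corp\Sylink',
    # Location of SylinkDrop.exe copied from the SEP media Tools folder (ASSUMPTION)
    [string]$SylinkDrop   = 'C:\Program Files\Corp\SylinkDrop\SylinkDrop.exe',
    # Plain-text log so the helpdesk can see which group each clone was sent to (ASSUMPTION)
    [string]$LogFile      = 'C:\ProgramData\Corp\Sylink\sylink-switch.log'
)

function Get-InteractiveUser {
    # When run as SYSTEM from a logon-triggered task, $env:USERNAME is "SYSTEM";
    # Win32_ComputerSystem.UserName carries DOMAIN\user of the console session.
    $u = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($u)) { $u = $env:USERNAME }
    return $u
}

function Select-SepGroup {
    param([string]$UserName, [string]$Prefix)
    # Strip any DOMAIN\ part and compare the account name case-insensitively.
    $sam = $UserName.Split('\')[-1]
    if ($sam.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        return 'ClientDesktops'    # ASSUMPTION: SEPM group name for the restricted pool
    }
    return 'StandardDesktops'      # ASSUMPTION: group the gold image's install package targets
}

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

$user   = Get-InteractiveUser
$group  = Select-SepGroup -UserName $user -Prefix $ClientPrefix
$sylink = Join-Path $SylinkStore ($group + '.xml')

# Fail closed: if the expected file or tool is missing, leave the client in the
# group the image was packaged for rather than breaking SEPM communication.
if (-not (Test-Path -LiteralPath $sylink)) {
    Write-Log "user=$user group=$group result=skipped reason=missing $sylink"
    exit 1
}
if (-not (Test-Path -LiteralPath $SylinkDrop)) {
    Write-Log "user=$user group=$group result=skipped reason=missing $SylinkDrop"
    exit 1
}

# ASSUMPTION: "-silent <path>" replaces sylink.xml without a prompt; confirm with
# the tool's usage text. A client password, if one is set in SEPM, is also needed.
$proc = Start-Process -FilePath $SylinkDrop -ArgumentList @('-silent', "`"$sylink`"") -Wait -PassThru
Write-Log "user=$user group=$group result=exit $($proc.ExitCode)"
exit $proc.ExitCode
```

Because the clone is rebuilt from the gold image at every login, the client always starts in the baseline group, so the task is safe to run on each logon and never needs to undo a previous switch. The standard-pool users deliberately get no change: the script only acts when the prefix matches, which keeps the fallback behaviour identical to the plain gold image.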


ShadowsPapa:

I've been reading all the results of some searches of the Symantec site here - forums, tech articles, etc. - and have come to the conclusion that Symantec has no solution to this, and it appears that users haven't really figured it out either.
Why do I say that? This is but one example of a dozen I've read so far:

https://www-secure.symantec.com/connect/forums/sylinkxml-updated-client-not-changing-groups

Everyone keeps saying "use the console" or "Symantec designed it that way" so clients/computers need to be moved using the console. Let's get real here. Symantec also I HOPE knows and understands that with hundreds or thousands of computers some of us deal with daily, and the fact that VDI is here to stay and growing in wild numbers - I would hope they have a solution somewhere.
We can't create an install package and then a VDI gold image for each and every group in SEP - that's totally unrealistic.
You have hundreds (or more!) of VDI clients - those clients, or computers, come and go. Log in, new computer created and added to AD and shows up in SEPM in the group the install package was built for. Need some of them moved? Then use the console. Oops, user logged out, computer destroyed by VDI host - different user logs in, computer created for them, now you have to go move that one too - and 10 other users have returned from vacation and log in, so you go move those. Now the first one logged out, went to lunch and logs in again - virtual computer was recreated as a result and shows up in SEPM, go back and move that one again for the 3rd time today... several other employees now coming in and logging into a desktop, VDI builds them a desktop and they all end up in the standard group but most of those computers should be in an alternate group because they are used by sales people - go to the SEPM console and move those... oops, while I was doing that the first person logged out and has logged in, move that computer AGAIN. 4th time today for moving the computer used by that person.

I'd like to ask that when people come here asking about some automation to move computers in SEPM "on the fly" or programmatically, I'd respectfully ask you PLEASE don't keep telling them they have to go use the console. They already know about the simple answers like use the console, they've thought it out, no other solution is working so they come here.
I don't know about you - but I don't just sit all day looking at the SEPM console waiting to move computers that show up as people log in and the hosts create them. I wear a lot of other hats, we all have things to do. Some of us manage SEP in large volumes. And that is why we aren't here answering 100 questions a day - we have work to do at work - we get paid for it and the boss doesn't like me doing work for others while he pays me for work he wants done.
How about another angle or approach to get across what my "complaint" is - are you going to tell a Principal Financial Group employee managing SEP on 15,000 computers they need to move them manually with the console?
Please read the numbers given - if it's a constant thing, happening either daily or hourly or more, and it's more than 1 or 2 computers at a time day after day, can we not suggest use the console, please?

In our case, I'm so far beyond the "use the console" thought it's crazy. It would keep a full-time employee busy enough they'd never be able to take lunch.

If you have experience with using VDI and SEP, that's great, please respond - you will know what I'm talking about and understand why all the basic answers found using the search just can't possibly work.