Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

SEPM SBE Inactive clients return to default group

Created: 31 Jan 2013 • Updated: 31 Jan 2013 | 10 comments

Some of our machines can easily be offline for more than 30 days. As a result when they come back online they have been deleted/forgotten by SEPM and land in the default group. We're running the Small Business Edition of SEPM which lacks the GUI bits to turn this 'feature' off. I've been digging in the database to see if there is something there that can be manually edited with no luck yet. I really don't see the point of having the expiry feature in SBE edition of SEPM if it removes the usefulness of machine groups. Any ideas? Cheers

Comments 10 CommentsJump to latest comment

.Brian's picture

if you had AD sync setup than even after they're deleted, they would go into the correct group once they connect back to the SEPM.

This is normal behaviour for non AD sync setup.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002's picture

SEP SBE does not have AD integration.
open a support ticket.

SebastianZ's picture

If the SEP clients is no longer registered on SEPM (=was deleted before due to those 30 days expiry) - after coming back online it will register back to SEPM according to the preffered group as set in sylink.xml. Apparently your clients have this setting for the default group. Have a look at somewhat similar issue:

http://www.symantec.com/business/support/index?pag...

...check on one of your clients in the sylink.xml if the preferred group is set as I suppose to the "default" - if it is you can try importing new sylink to this client that would point them to a different preffered group.

Aquaman's picture

Thanks for your thoughts guys! Sorry for the late follow up. I'm on UK time.

I exported a SyLink.xml file from one of the groups (Workstations) to have a look at it. It has this in it:

But that won't be what's in the install package. Further up the file I found:

Which might be relevant.

Anyway, I had a look for the SyLink.xml file on two clients and found it on a Windows 7 client but not on a Windows XP client. The Windows 7 client file didn't have the RegisterClient tag.

I like the idea that the reconnecting clients can request to be put back in the group they were last in.

Can this be achieved through a policy update?

Is there a database entry controlling the client expiry in SBE that just lacks a GUI to set/clear it? As Pete says, I should probably submit a support ticket for that.

(BTW, we don't have AD)

Cheers!

AQ

SebastianZ's picture

"I like the idea that the reconnecting clients can request to be put back in the group they were last in.

Can this be achieved through a policy update?"

...well SEP SBE definitely lacks the GUI here for that - EE Edition has settings called as "Reconnection Preferences" where you can define if the client should use tha last-used group settings - have a look:

http://www.symantec.com/docs/TECH132001

..this configuration is obviously missing in SBE.

Aquaman's picture

Thanks for the info. I was hoping that even although SBE lacks the GUI there was a database edit that would somehow get the same effect. I've managed some back-door edits on exported XML policy files to get around features lacking in the SBE GUI.

It just seems to me that the forgetting of client workstations while still allowing the creation of groups are opposing features.

Aquaman's picture

Argh! The forum pulled rather than wrapped my XML stuff. Here are the missing bits without the tagging:

RegisterClient PreferredGroup="My Company\Workstations" PreferredMode="1"

AgentCommunicationSetting ... RememberCurrentGroup="0" RememberCurrentPolicyMode="0"...

pete_4u2002's picture

is this group "My Company\Workstations" exist on SEPM?
can you run dbvalidator?

Aquaman's picture

The group "Workstations" is one we made. The default landing group for new/forgotten machines is "Laptops and Desktops". We also created "Workstations-NotFullyScanned".

The idea was to manually move all new machines to "Workstations-NotFullyScanned" with a policy of a full scan to be done. Once that happened we'd move them to "Workstations". There are some other groups too like "Power Users" for those who need to disable SEP on occasion. The result of machines being forgotten is that these groups are meaningless to the forgotten machines. :-(

Aquaman's picture

"... can you run dbvalidator?"

Yup. Looks fine.

Cheers
---

dbvalidator.bat
04-Feb-2013 11:32:22 com.sygate.scm.server.util.ServerLogger writeHeader
SEVERE: ================== Server Environment ===================
04-Feb-2013 11:32:22 com.sygate.scm.server.util.ServerLogger writeHeader
SEVERE: os.name = Windows 7
...
INFO: *********************************************
04-Feb-2013 11:32:28 com.sygate.scm.tools.ludbfix.XmlValidator
INFO: Database validation passed.
04-Feb-2013 11:32:28 com.sygate.scm.tools.ludbfix.XmlValidator
INFO: Finished.

Database validation passed.