Endpoint Protection Small Business Edition

Some of our machines can easily be offline for more than 30 days. As a result when they come back online they have been deleted/forgotten by SEPM and land in the default group. We're running the Small Business Edition of SEPM which lacks the GUI bits to turn this 'feature' off. I've been digging in the database to see if there is something there that can be manually edited with no luck yet. I really don't see the point of having the expiry feature in SBE edition of SEPM if it removes the usefulness of machine groups. Any ideas? Cheers

if you had AD sync setup than even after they're deleted, they would go into the correct group once they connect back to the SEPM.

This is normal behaviour for non AD sync setup.

SEP SBE does not have AD integration. open a support ticket.

If the SEP clients is no longer registered on SEPM (=was deleted before due to those 30 days expiry) - after coming back online it will register back to SEPM according to the preffered group as set in sylink.xml. Apparently your clients have this setting for the default group. Have a look at somewhat similar issue:

http://www.symantec.com/business/support/index?page=content&id=TECH104840

...check on one of your clients in the sylink.xml if the preferred group is set as I suppose to the "default" - if it is you can try importing new sylink to this client that would point them to a different preffered group.

 

Thanks for your thoughts guys! Sorry for the late follow up. I'm on UK time. I exported a SyLink.xml file from one of the groups (Workstations) to have a look at it. It has this in it: <RegisterClient PreferredGroup="My Company\Workstations" PreferredMode="1"/> But that won't be what's in the install package. Further up the file I found: <AgentCommunicationSetting ... RememberCurrentGroup="0" RememberCurrentPolicyMode="0" .../> Which might be relevant. Anyway, I had a look for the SyLink.xml file on two clients and found it on a Windows 7 client but not on a Windows XP client. The Windows 7 client file didn't have the RegisterClient tag. I like the idea that the reconnecting clients can request to be put back in the group they were last in. Can this be achieved through a policy update? Is there a database entry controlling the client expiry in SBE that just lacks a GUI to set/clear it? As Pete says, I should probably submit a support ticket for that. (BTW, we don't have AD) Cheers! AQ

Argh! The forum pulled rather than wrapped my XML stuff. Here are the missing bits without the tagging: RegisterClient PreferredGroup="My Company\Workstations" PreferredMode="1" AgentCommunicationSetting ... RememberCurrentGroup="0" RememberCurrentPolicyMode="0"...

"I like the idea that the reconnecting clients can request to be put back in the group they were last in.

Can this be achieved through a policy update?"

 

...well SEP SBE definitely lacks the GUI here for that - EE Edition has settings called as "Reconnection Preferences" where you can define if the client should use tha last-used group settings - have a look:

http://www.symantec.com/docs/TECH132001

..this configuration is obviously missing in SBE.

is this group "My Company\Workstations" exist on SEPM? can you run dbvalidator?

The group "Workstations" is one we made. The default landing group for new/forgotten machines is "Laptops and Desktops". We also created "Workstations-NotFullyScanned". The idea was to manually move all new machines to "Workstations-NotFullyScanned" with a policy of a full scan to be done. Once that happened we'd move them to "Workstations". There are some other groups too like "Power Users" for those who need to disable SEP on occasion. The result of machines being forgotten is that these groups are meaningless to the forgotten machines. :-(

Thanks for the info. I was hoping that even although SBE lacks the GUI there was a database edit that would somehow get the same effect. I've managed some back-door edits on exported XML policy files to get around features lacking in the SBE GUI. It just seems to me that the forgetting of client workstations while still allowing the creation of groups are opposing features.

"... can you run dbvalidator?" Yup. Looks fine. Cheers --- dbvalidator.bat 04-Feb-2013 11:32:22 com.sygate.scm.server.util.ServerLogger writeHeader SEVERE: ================== Server Environment =================== 04-Feb-2013 11:32:22 com.sygate.scm.server.util.ServerLogger writeHeader SEVERE: os.name = Windows 7 ... INFO: ********************************************* 04-Feb-2013 11:32:28 com.sygate.scm.tools.ludbfix.XmlValidator <init> INFO: Database validation passed. 04-Feb-2013 11:32:28 com.sygate.scm.tools.ludbfix.XmlValidator <init> INFO: Finished. Database validation passed.