Endpoint Protection

Hi All,

Looking for some advice if possible,  

I have a few MAC SEP clients rolled out from the SEP 12.1.1 install.  I can't see them on the SEPM and wondered how do I go about adding them into the manager?  Our computers are populated from Active Directory and the machines are in AD.  When I sync the manager with AD it still doesn't show the clients.

Any ideas? and advice on how to update the MAC virus definitions once they are added to the SEPM.

Thank you.

So SEP is installed on them, just not communicating?

Have you seen this?

Support for SEP for Mac and Active Directory

Hi Brian,

It does appear to be communicating as it is using the IP address of the manager in the client information.  The liveupdates show an error when you try to run an update from the client.

I wanted to check on the manager which date the virus definitions had but they don't appear on the manager.

For MAC defintion oyu can check the comment of MICK2009

https://www-secure.symantec.com/connect/forums/sep-12-supported-windows8-linux-machine

SEP for Mac clients get their updates in one of two ways but never from the SEPM

1) From the internet from Symantec's LiveUpdate servers or...

2) From an internal LUA (LiveUpdate Administrator) running on a Windows server (not the SEPM host)

SEP for Mac FAQ

http://www.symantec.com/docs/TECH134203

MJD

Hi netw0rkm0nkey,

Think I can help.  Just a few questions....

These SEP for Mac clients are "managed," correct?  (In the GUI, you can see a "Management" option right below "LiveUpdate" when you click on the icon- that expands and shows which SEPM they report to , its connected status, option to update policy, etc).  Does that show a good connection or not?

The advice above about Mac clients needing to download from the Internet or from LUA 2.x is correct. That's controlled by the LiveUpdate policy configured in the SEPM.   How are those configurd at present?

All the best,

Mick

Hi, 

On MAC clients we have to install SEP clients manually, if clients to server communication are proper the client will report to SEPM.

Regards

Ajin

Hi Everyone, thanks for all your help.

Mick2009 it does appear to be communicating. I have attached a screen shot of the virus definitions that was taken today.  It has the SEPM server IP address also.

Should this be pointed at the LUA server instead?

In the Liveupdate policy on the SEPM I have it set to poll from our internal LUA servers at 

http://servername:7070/clu-prod

I still can't see it in the SEPM list of clients.

Looks like the SEP for Mac client is getting the defs fine.  I wouldn't worry about that.

What is displayed in the management info?  Here's mine, which is working correctly / reporting in to the SEPM correctly.

Hi Mick,

Yeah it says connected but I can't see the client in SEPM, we only have two managers and the IP address it is showing is for our primary site which I've checked but nothing.  There is a Windows VMware machine on the MAC which is reporting to the SEPM fine.

Kind regards,

Louise

Cheers Louise-

Just curious- do the missing Macs appear in a report of all non-Windows machines (or of All Mac machines) run from the SEPM?

That report can be generated like this:

Thanks Mick, yeah it does appear when I search for it.  I can now see it is in a DMZ group but this isn't the group it is in within Active Directory, when I do a manual sync to AD it doesn't appear in the correct group that it is stored in within AD.  

Do you know why that would be?

Thanks for your help.

Please review Brian81's link to:

http://www.symantec.com/docs/TECH132795

Support for Macs in an AD environment is not supported

MJD

Glad to assist!

I'm not sure why the client was not put in its AD-synched client group.  (Your Macs have been added in to Active Directory, correct?) 

Is this DMZ group the default one, by any chance?  Clients that cannot get into their preferred group for whatever reason usually get placed into the SEPM's Default Group.   

See if you can move this (and any other affected SEP for Mac clients) into their desired group.  Depending on settings, it may or may not let you do this.  (Some groups are set to Block New Clients, and also AD-created groups will not let any clients join unless they are members of that corresponding OU.  "The client cannot be moved to the Active Directory group"  If either the Mac or its user are not members of that client group, it won't let them in.  That's by design.)

Another question: are all your client groups created by AD sync, or are some created in the SEPM?  Here's an example screenshot from one of my SEPMs.  The "BestOUEver" group's icon (circled in blue) is different because it was created by being imported from AD.

One other note, which may apply to some readers who find this thread: ensure that the group's display filter (circled in red) is set to display both Macs and Windows machines!  It's possible to hide computers of a particuar OS, if desired. 

Thanks Mick, I'll ensure this filter isn't on.  All our groups within SEPM are synced with AD apart from the DMZ group I created.

I'll need to log a call with Symantec as I can't get the LUA server to load the log in page, I upgraded it with the version that came from 12.1.1 but it didn't solve the issue.

Just ran a quick test: it looks like that KB article is still in effect- even with my Mac in AD and that computer in the correct OU, the SEP for Mac client cannot be moved into the AD-synched group.  I recommend manually creating a SEP for Mac group or two in your SEPM, applying the desired policies to that, and placing your missing Macs in there.

Feel free to PM me the case number, once created.  I know a thing or two about LUA.  &: )