Endpoint Protection

SEPM 12.1.6

SEP 12.1.6

client with SEP 12.1.6 (with firewall component installed) set as Unmanaged Detector.

another client in same subnet with self managed ( later no client alltogether).

nothing happens , no Unknown Device Failures

thanks

This is how the unmanaged detector works:

The machine assigned as the "Unmanaged Detector" collects the MAC addresses of all the computers in its subnet (by capturing the MAC addresses in the broadcasts done by other computers in the network, or when a computer directly communicates with the machine that is acting as the unanaged detector).

The list of MAC addresses collected by the above process is sent to the SEPM.

SEPM tries to match those MAC addresses one by one with the MAC addresses of the client that are already registered with SEPM (and has an entry in SEPM already). If a MAC address is already associated with a registered client in SEPM, it is ignored. If a MAC address (in the list) is not associated with any of the registered client in SEPM, the MAC address is termed as "Unknown" and the machine name of that MAC address is termed as "Unmanaged" client.

In the above process, for the Unmanaged detected to work, the assigned client need to collect the MAC addresses of the rest of the clients in the network from broadcasts sent by them. If broadcasting is blocked in hostlevel, then the unmanaged detector may not work. In such cases, assigning a local server with which all the clients will connect may help.

Thanks

i dint see anything in the above that would help me

both clients are in the same subnet and broadcasts should not be blocked between them.

(the unmanaged client is without a firewall and the unmanaged detector has SEPM 12.1.6 with firewall( default policy)

...and it is enabled and received the policy change to turn into a UD? How long has it been since it's been enabled? Did you setup alerts to receive emails when unmanaged client are detected?

enabled

recieved policy

been 20 hours

setup notifiations (also to email) and checked the dashboard >> system status >> Unknown Device Failures

Thanks

...and this unmanaged client, no trace of it showing in the SEPM within the last 'x' days?

umanaged client long deleted from SEPM

the subnet has many other devices with no SEP (some printers and so)

anyway....now i am getting notifications for the default gateway so i added exclusion

not getting any other notifications

ran wireshark on unmanaged detector, i see many arp broadcast form various clients in the subnet , including some clients with no SEP

...

It works, there just appears to be a lag with between it and SEPM. I've seen this before with the UD, some times it takes a day or two to report...

I also think you should keep it under observation. It takes time to display all the unmanaged clients information. I could not find it's documented anywhere how much time it takes to provide all the network unmanaged clients information.

Just got the first notification

Took a week!!! to find 4 unmanaged clients......i was sure there was a problem and its not working...seems just real slow.

Thanks