Endpoint Protection

 View Only

  • 1.  Upgrading to RU6 Mp1

    Posted Aug 23, 2010 11:18 PM
    Hi All
     
    I am planning to Upgrade from Ru6a to Ru6 MP1
     
    Is this issue present in MR6 Mp1
     
    After migrating Endpoint Protection Manager to 11.0 RU6 Application and Device Control is enabled on legacy clients.
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010050612450248
     
     
    Please Confirm
     
    Do we need to disable the ADC policy,before upgrading to RU6 Mp1


  • 2.  RE: Upgrading to RU6 Mp1

    Posted Aug 24, 2010 04:22 AM
    Hi John,

    You  should  not  need to disable the policy  if you are  upgrading from ru6a to ru6 mp1. That issue  was with upgrading from ru5 ( or lower) to ru6a.


    Ru6 MP1 is just  a patch , and this is not required.

    There were  some changes made in RU6a, and  that  is why  SEPM use to assign the application and  Device  control policy to clients, even whcih do not need it. But that's no longer the  case  in RU6 MP1

    Hope this answers  your question....


  • 3.  RE: Upgrading to RU6 Mp1

    Posted Sep 29, 2010 12:10 PM

    Hi Vishal,

    Does the patch have any effect on the clients or is it only updating the applicationon the server only? I had the issue above where I upgraded from 11.5 to 11.6 and application device control was enable on the servers and it created havoc.

    I want to be confident that the MP1 patch will not have any adverse effects.

    Thanks.



  • 4.  RE: Upgrading to RU6 Mp1

    Trusted Advisor
    Posted Sep 30, 2010 04:21 AM

    Hello,

    ADC Policy should be disabled in case if you are migrating from RU6 to RU6a.

    Disabling of ADC Policy is not required when migrating from RU6a to RU6 MP1.

     

    Check the below:

    Issue (KB 2010050612450248)

     

    When SEPM is migrated to RU6 or RU6a it will publish new policy files for all managed clients.  The application control policy produced by the migrated SEPM contains a new XML element “DeviceManagerSettingGroupLink”.  Managed clients which are not yet migrated to RU6 will incorrectly enable application control based on the new XML.  The client will prompt the end user for a reboot.  If the reboot occurs sysplant will be enabled.

     

     

    Migration Planning

     

    To prevent this issue add the following steps to your migration plan.

    1. Prior to SEPM migration identify client groups containing Symantec Endpoint Protection (SEP) clients that should not enable sysplant.
    2. Disable the Application and Device Control policies associated with the client groups identified in step 1. Client groups with disabled Application and Device Control policies will not experience the issue when the SEPM is migrated.  Proceed with SEPM migration plan.
    3. When SEP clients have been migrated to RU6 or later the disabled Application and Device Control policies can be enabled if desired.

     

     

    Recovery

     

    If the customer has migrated without accounting for this issue there are two recovery options. 

    1. Upgrade clients to RU6.  When the client is upgraded it will appropriately understand the new XML from SEPM and disable the sysplant driver if application control rules are not being used.
    2. Disable the application control policy in SEPM.  By default each client group has an enabled Application Control policy without any rules.  If upgrading the clients is not practical, then the user can edit the application control policy in SEPM and uncheck the checkbox for “Enable this Policy”.  Once the policy has been disabled, the client still needs to receive the policy and reboot before the sysplant driver will stop running.