User of non_registered group can not perform any activity except take policies from SEPM

Hi MiRzA,

I am not sure what exactly you would like to do. What do you want to achive and what do you mean by "we need block SEP services".

Could you please be more clear and give us more details?

Thanks!

Blocking rtvscan, updates, and other functions of SEP seems to defeat the purpose in the first place.

However, if that's what you want to do, you can do all of this by using an application control policy to block rtvscan, liveupdate, etc.

SEP client only get policy updates from sepm after installation, if user want manually update sep client , manual scan , auto scan , use can not do untill administrator move that client from Non_registered group to Registered group.

we want to restrict the user.

Apply an application control policy to block that for the Non_registered group only.

Apply normal policies for the Registered group.

To stop the user from using LiveUpdate, simply create a separate LU policy for the Non_registered group. In the policy, under Server Settings, uncheck Use a LiveUpdate server and the LiveUpdate button on the client will be greyed out stopping the user from manually updating

set a password to open the sep interface; when they are not able to open the SEP client; they wont be able to do anything

click on clients

groups

general settings - >security- > set a password

Thanks for your very helpful suggestions.......

which exe file work against live update process.

if i block rtvscan.exe with applicaiton control policy , scaning will work or not ?

but if set password to open sep client console ,in this case autoscaning and updates works, i want totally restrict user in Non_registered group.

Blocking rtvscan.exe would stop all scanning whether it's manual, scheduled, auto-protect...etc

Blocking LUALL.exe will stop the client from going out Symantec LiveUpdate servers

LUComServer.exe is Symantec Endpoint Protection's interface to LiveUpdate. Symantec Endpoint Protection runs it to enable or disable content, which happens every policy update, and to query content versions

Also block:

SescLU.exe

LuCallbackProxy.exe

LuComServer_3_3.exe

Which xxxx.exe file work for communication

smc.exe

also block smcgui.exe

Just create the appropriate policies in the "Unregistered" group that basically make sure the SEP client does not get content updates or do any scans etc.

It is very easy to lock SEP down completely from the end user and is something you should really know how to do for your production groups anyway. The difference being that your "Unregistered" groupis just locked down really hard.

Hi guys,,

if I lock down SEP then i think sep client will not get policy updates ,,

No if you Lock the SEP Clients, it will not be able to make any customosed  changes. It will take the updates and all

ok Thanksssssss for helpfull posts...........................

Is it possible automaticaly moving clients from one group to other in sepm ?

and the request for moving clients generated by other application ( billing application).

I still think this is a really bad idea all around, compromising the security of an end user's computer because they are late on the bill or no longer a customer.  I don't believe SEP was ever intended to be distributed this way.  Have you spoken to your Sales rep or to Licensing to see if what you're doing is acceptable under the terms of the licensing agreement?

sandra