Endpoint Protection

Hi,

A little background, we are trying to roll out SEP MR4 to our servers. I have created folders in SEPM with policy inheritence excluded. Each folder is designed to hold servers with the same application installed and this gives me the ability to configure seperate policies based on exclusion and also location.

We are trying to roll out a SEP package to our servers via SCCM that will be an upgrade to SAV 10. There are two stages to the SCCM package. Stage 1 is the install of the SEP package exported from SEPM. Stage 2 is running Sylinkdrop exe and the associated xml to drop the server into the correct SEPM folder.

The problem we have is random after the completion of SEP install in stage 1. Sometimes after stage 1 completes the client appears on the SEPM server in the default group folder before stage 2 starts. Other times stage 2 runs and connects the server in the right folder group.

When exporting the package from SEPM I do not select any communication settings for the package so no idea where this is coming from. The problem is, if the server is already connected to SEPM in the default group running stage 2 will not move the server into the correct folder group. The servers have to be manually moved to the correct group. This can be tollerated for a server deployment but will cause major issues with our deployment to workstations.

Are there any tips to avoid this or a way of preventing the server from connecting to SEPM after stage 1. If i extract the package created by SEPM and remove any files that may work but how do i repackaging it again.

Regards,

Jason

I've found through experience that simply replacing the sylink.xml file will not move the computer to the correct group all the time.  I could be wrong, but I've done this many times without the correct results.

I'm not sure what you mean by exporting the package without any communication settings.  For my servers, I created a package installing AV/AS only and check "export a managed client", check the box for "export packages with policies from the following group", check my server group then check off "add clients automatically to the selected group".

This not only installs the client, but all the policies from my server group is automatically applied and the client become members of my server group.

PreferredGroup tag within the sylink.xml tells the client which group to join when it first contacts the SEPM.To test, When you are exporting the package, Export it as non - single executable and look for it in the sylink.xml

On the client side this tag will taken out when the client connects to the SEPM as it's no longer needed.

Select the group that you would like the client to be in and you should see something like PreferredGroup="Global /Administration"

For us the client always registers with the correct group this way.

I have a group folder for Citrix, BackupExec, SMS, IIS etc. and each folder has custom exclusions for those applications. I want SCCM to control adding the SEP client into these folders without me having to manually move them from the defaul group in the SEPM console. So I have exported a sylink xml (which SEPM refers to as communication settings) for each of these folders. The SCCM package copies out the SEP package along with the sylink drop and sylink xml files for each folder.

What i need is for the SEP package to install as unmanaged and then have SCCM detect what application is installed be it Citrix, BackupExec etc and then execute the sylinkdrop with the correct communications settings xml which will connect the server to the SEPM server in the correct folder. The client will then get the correct policies with the exclusions.

Would like to know why it intermittenly adds to the server. It is possible the sylink.xml in the package still has some SEPM settings....perhaps i should remove it?

Only problem is how do i then repackage the extracted files using SEPM without exporting it again? When we have tried to repackage via SCCM the package size is dramatically larger.