Endpoint Protection

I added a Mac about a month ago.  Machine is offsite.

I don't see it on my list anymore.  It's in its own folder.

I tried searching for the computer name.  I can find others, but not that one.

Nothing in email notifications about a machine being added or removed like I normally would get.  I get those when I add/remove from the domain though... This mac is not on the domain.

Nothing in the weekly Symantec reports.

Mac was on Yosemite.

Where did this go?  How come I've got no trace of it in SEPM now?  If SEP was removed from the remote machine or if it were renamed, wouldn't it notify me?  I was clearing out some old entries from when computer names changed and realized this one Mac entry had disappeared.

View settings appear correct in SEPM.... I'm seeing all the others.

That would have been 12.1.5 for Mac.  Nothing with 12.1.6 was out at that time.

If it lost connectivity to the SEPM, it would be removed from the SEPM after 30 days (default).

Thanks.  That's making sense.  It was set up a little over a month ago.  Probably never used since then. 

The Windows entries stick around though?  I find those occasionally.  "Oops, I forgot to remove this old entry when we renamed computers."  That scenario.  I would swear those are >30 days old.

I don't even find anything about this mac in my weekely SEP updates though.  I wouldn't be aware it was off the SEPM list unless I remembered it myself.  The old Windows entries seem to stick there, so I can see when the machine was last used or just that it's the ancient entry and it's ok to delete it since there's a new entry for that same machine.

It's potential sticky office politics situation.

If SEP was uninstalled from a machine, I should get some kind of notification right?  I'm testing it out on another Mac.

And when the Mac in question for this thread reconnects to the internet, it should reappear in my SEPM list, right?  Will it send a notifcation like the Windows machines do?  (SEPM will send a notification email that x-computer is back online.  It can be laughable when we're alerted a user hasn't used their laptop in that long.)

Or is there setting in SEPM to get a notification of machines that will disappear like this?

If we get the usual, "x-machine is back on SEP" email alert, that might be enough.  The problem is that SEP may have been uninstalled on this machine and we're not aware of it.

You can modify the setting to allow computers to stay around longer if they don't connect for awhile

The option to Delete clients that have not connected for X days is here:

1. Admin
2. Domains
3. Choose the Domain you wish to configure the setting for
4. Under Tasks, click Edit Domain Properties
5. On the General tab you should now find the option

There are no reports or alerts that can be generated if SEP is uninstalled.

How do I create a notification that alerts me when computer will fall off the list like this....?  I tried one for unmanaged computers....

The log files only go back less than 30 days.  Today's 5/29.  Log results show me back to 4/30 at the earliest.  I was looking in the notification logs for any sign of this Mac.

Dang... So I can't tell if the user hasn't used their Mac in over 30 days, or if they may have uninstalled SEP?

It's just that after 30 days, SEPM removes it from the list automatically.

Correct. No alerts for this at this time.

Try these:

How to create a SEPM Custom Scheduled Report for Offline SEP Clients.

Finding offline computers

There would be a notification though if the machine is back online though, right?

So if the machine is used, it would appear in SEPM.

If it's not in SEPM, it's either not being used, or the user has uninstalled SEPM.

Is that right?

There would be no notification if a client shows up in SEPM. It's already in SEPM so shouldn't be an issue.

If it's not in SEPM, the machine is either off, client uninstalled, or cannot connect for some reason.

Dang.  My logs only go back 30 days I think.  Back to 4/30 for one entry.  Everything else it May.

I was trying this.

https://support.symantec.com/en_US/article.HOWTO80835.html

Hm.... It looks like "Symantec Endpoint Proection Computer List Changed" are the email notifications I get when an old machine goes back online.

I need to get my logs longer....

And I can probably test this a bit.  Manually remove a Mac entry for SEPM.  Then restart that Mac and see what notification comes in....

You can configure your logs to go out longer as well. 60..90 days, whichever you need.

That may be a good one.

Logs were something like 10000 entries or 60 days.  Entries must have filled up.  I switched them to 100000 and 365 days.

Deleted a test Mac SEPM entry.  It kept reappearing in SEPM without notifications.  I did get a notificaiton eventually that I had deleted entries.  So that tells me I didn't accidentally delete this other Mac.

It must be when we delete the SEPM entry and later an ancient machine is powered back on, we get alerts that virus definitions are out of date.  That's sounding familiar.

Even if I check logs for offline computers, I could see this remote Mac as offline because the user isn't using it.  Second, third, and fourth week, same thing.  And then the user could uninstall SEP.  The fifth week I wouldn't know.  There's just no way to tell then for sure. 

Most likely, the user isn't using the machine.  At some point the user will power it back on, connect, and we'll get an alert about old virus definitions.

Interesting.  I discovered another machine that disappeared on SEPM....  Similar scenario.  Offsite, user never uses it.  In this case they wouldn't be able uninstall SEP though.

Did a quick test.

Removed a SEPM object a for a computer.  Let the machine off over the weekend.  Just turned the machine.

This is the email notification I get.

Informational: Symantec Endpoint Protection Computer List Changed

Number of clients changed: 1. Changes could be that a client was added, renamed, or deleted, Unmanaged Detector status changed, client mode changed, or the hardware changed.

That's how I'd know if a user machine disappeared in SEPM, and then the user connected to the internet later.  There's still no way to tell if a user with admin rights uninstalls SEP though.