Endpoint Protection

 View Only
Expand all | Collapse all

SEP 11 RU6a and Mac clients management

Migration User

Migration UserJun 24, 2010 04:14 PM

Migration User

Migration UserAug 02, 2010 01:02 PM

  • 1.  SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 11:47 AM
    Hello,

    Are there specific documents related to the Mac clients management once we upgrade to SEP11RU6a, covering following points in details...

    1.  Should there be separate group for Mac clients,  I would prefer to have separate so that it easier to manage and avoid any conflict while applying policies and using Auto-upgrade for windows.
    2.  How to differentiate policies for Mac or Windows...  Concern is since when we create a policy both windows and Mac sections appear under one policy..how do we make sure that windows settings do not affect mac side and vise-versa.  I am thinking to create separate policy for mac clients and disable windows porting..
    3.  LiveUpdate setting and Content policies - how to make sure SEPM download definitions for mac clients, etc...

    I would appreciate any experience and directives...

    Sincerely


  • 2.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 11:53 AM

    Policies are applied for groups, put your mac clients in new group whatever policies you configure it will apply only to those clients

    Installing Symantec Endpoint Protection 11 for Macintosh

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041316121048


  • 3.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 12:03 PM

    Thank you for a good link that covers exporting and installing of SEP on mac.

    Is there similar doc that covers creating policies, more specifically how to block windows section of policy for mac so that it does not cause any conflict.

    Recently I found out that SEPM will not provide definitions updates for mac clients.  So I am thinking to create one policy with both option checked  - 1. USE DEFAULT MANAGEMENT SERVER, and 2. USE A LIVEUPDATE SERVER.  Instead of creating two separate policies.

    Sincerely!



  • 4.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 12:04 PM
    yes; manager will not download defs for your MAC clients
    for your MAC clients , you can set liveudpate server external and put a schedule
    or else you can use a internal liveudpate server, which can download defs for your manager and all the MAC clients
    i think the first option is lot easier.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101913262648


  • 5.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 12:14 PM
    I don't know that there is a specific document for FAQ on SEP for Mac.  I'll dig into our KB.  In the meanwhile:

    1. The only reason you might want to have a separate group for the Macs is to give them a distinct LiveUpdate policy that deselects the "use the default management server", selects the "use a LiveUpdate server", and assigns them a LiveUpdate schedule.

    2. Policies noted as Windows-specific will not apply to Macs.  The two policies that have a special Mac section are Antivirus and Antispyware, and Centralized Exeptions.  Since Macs only have AV/AS, other policies such as Firewall, Intrusion Prevention, Application and Device Control, etc. cannot apply to them.

    3. The SEPM cannot provide definitions to Macs.  They must retrieve definitions via LiveUpdate, either Symantec's servers, or an internal LiveUpdate server.

    Edit to say:  It is NOT recommended to put LUA on the same server as the SEPM. 

    Title: 'LiveUpdate Administrator 2.x and Symantec Endpoint Protection Manager on the Same Physical Server'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008060510124848

    That said:

    Title: 'Using the LiveUpdate Administrator on a PC to download updates for Symantec Endpoint Protection/Symantec AntiVirus 10 for Macintosh clients'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007152728050998

    sandra


  • 6.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 02:23 PM
    Is their any specific reason as to why the SEPM can't manage and distribute content to Mac based machines? It's been like this for a while (had the same issue in SAV 10.2) and it's mildly frustrating from a management standpoint. I should only have to punch a single hole in the firewall to allow for updates, but because of this poor management practice, I am forced to make exceptions for all Mac clients thus making my front door protection look like swiss cheese. Can someone from Symantec provide me a reasonably logical explanation as to why the SEPM cannot hit the LU servers and grab the necessary files and simply host them itself?

    Thanks.


  • 7.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 03:05 PM
    To be fair, SAV for Mac and SAV for Windows were in no way connected from a management standpoint, and SAV for Windows was not able to even host 64-bit definitions for Windows computers.  As for why the SEPM isn't able to download or host Mac content, I don't have an explanation to offer, since I am not involved with the development of SEP.  I won't even speculate.

    I do know that it is something we hear about a lot.  I suggest voting this up as an Idea.

    https://www-secure.symantec.com/connect/idea/allow-macintosh-sep-client-liveupdate-sepm

    ETA: Actually, allow me to speculate a little.  It probably has more to do with how the Mac client receives content than the SEPM's inability to serve it.  Mac clients use Java LiveUpdate, and Windows clients utilize LiveUpdate in the retrieval process for SEPM-provided content.

    Thanks,
    sandra


  • 8.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 03:42 PM
    That's the most reasonable theory I've heard so far. Thank you Sandra for applying a theory rather then "because thats the way it works." I appreciate it. 


  • 9.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 24, 2010 04:14 PM

    You're welcome! :)

    sandra


  • 10.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 25, 2010 01:41 PM
    Thank you, Sandra, for some opening thoughts

    Your response #3 is well taken, and can understand that SEPM may not be able to distribute defintions to clients at present, like SAV. But atleast  SEP RU6 would be wonderful, in a way, we don't have to maintain separate MAC server for mac sav clients management, and SEPM can manage both windows and mac clients.

    My thoughts on #1 and #2..

    LiveUpdate policy:   how about creating a single Liveupdate policy with both "use the default management server" and "use a LiveUpdate server" enable.  And create two separate group for windows and mac (for ease of management and future changes).  But apply one LiveUpdate policy to both type of groups...????

    AVAS Policy:  Similarly, like single Liveupdate policy, since it appears that only windows section settings apply to windows clients and mac portion of policy will apply to mac clients.  How about creating one AVAS policy with specific configuration in each section (windows and mac), and applying to same shared policy to two different groups (windows and macs).

    Any thought or experience if some one has tried on above guidelines....

    Sincerely,


  • 11.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 25, 2010 01:54 PM

    You can absolutely give the clients the same LiveUpdate policy.  The only potential problem with that is that all of your computers, Macs and Windows alike, will launch LiveUpdate on schedule.  Of course, if the Windows clients already have updated definitions, then they will pull nothing down from LiveUpdate.  But bandwidth issues could arise if all clients reach out over the internet to get updates.  That was my only caution.

    You can absolutely give two groups the same shared policy.  This is what already happens if policy inheritance is turned on, or, if policy inheritance is turned off, the policy shows as "[shared]".

    sandra


  • 12.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 25, 2010 02:30 PM

    Certainly in a large installation base, not a good idea to keep one LiveUpdate policy with has both definition update option are enabled.  I plan to use two separate LiveUpdate policies - one for windows and one for mac.

    Sandra, you mentioned that AVAS and CentralizedException policies have additional Mac sections.  My question is on AVAS, how to make sure mac settings apply only to mac clients and windows settings apply only to windows.  How about creating two separate policies, like you suggested for LiveUpdate, one that applies to windows clients group and one that applies to mac clients group.  But in this I am wondering how to disable windows section for the mac clients policy and similarly change/disable mac section for windows clients group.

    I am also curious since mac setting and windows settings, both, are part of any AVAS policy, so it should be supported that just create one AVAS setting and apply to clients groups, whether mac and windows clients are mixed or have their own separate groups.  Has any body tried and any experience would be appreciated..

    Sincerely,



  • 13.  RE: SEP 11 RU6a and Mac clients management
    Best Answer

    Posted Jun 25, 2010 02:39 PM
    The respective installations will only use the portion/s of the policy it is able to use.  You could certainly create and use two separate policies if you wanted to, but even the policy designated to be associated with the Windows machines will still have the default Mac policy settings in it.

    It is not necessary to disable the Mac portion of a policy if intended for a Windows machine, and vice versa.  In fact, it is not possible to do so.

    It is supported to use the same AV/AS policy for Windows and Macs, whether in the same group or in different groups. 

    sandr



  • 14.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 25, 2010 03:03 PM
    Thank you for inputs, sandra.

    Plan to try out different options sometime next week!

    Sincerely,


  • 15.  RE: SEP 11 RU6a and Mac clients management

    Posted Jun 30, 2010 04:29 PM

    Over the last week or so I've been compiling a FAQ for SEP for Mac.  I published it to the web this morning.  I hope this helps you and others. cool

    Title: 'Symantec Endpoint Protection for Macintosh Frequently Asked Questions (SEP for Mac FAQ)'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010062409301948

    sandra


  • 16.  RE: SEP 11 RU6a and Mac clients management

    Posted Aug 02, 2010 09:15 AM
    @Rafeeq: I try to visit
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041316121048 it says "article not found"


  • 17.  RE: SEP 11 RU6a and Mac clients management

    Posted Aug 02, 2010 01:02 PM

    I just tried it--works ok.  Try again. =)

    sandra


  • 18.  RE: SEP 11 RU6a and Mac clients management

    Posted Aug 05, 2010 10:31 AM

    It is not necessary to make exceptions for all of the macs to download definitions through the firewall.  We have set up a server to pull the updates down via the LU administration utility.  We then stare the destination folder out via HTTP.  That internal location is the destination for all of our macs.  


    If you have Mac Laptops that need to get access to updates outside of the office don't forget to add those host locations into \etc\Liveupdate.conf.