Endpoint Protection

  • 1.  Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:06 AM

    I have a client who got his computer stolen and now the thief is using his computer and it's showing up as being infected all over SEPM.   How do I ban this system from reporting into SEPM?



  • 2.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:12 AM

    You make it unmanaged which means uninstalling or you can use the Windows firewall to block port 8014. Or you can use an internal firewall (if you have one) to block tcp 8014 traffic from this client.

    There are no options within SEPM to say block clients from checking in. You'll need to get a little creative with it.

    Is this PC managed? If not, just remove the PC from the SEPM (right-click and delete).

    Is this connecting to a SEPM in the DMZ? I guess my question is, if stolen, how can it communicate back to the SEPM?

    You should be blocking this at your perimeter.



  • 3.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:16 AM

    You need to make this client not communicate with SEPM?

    If the client cannot connect to SEPM over a period of time, it gets deleted from the DB and does not show up.

    You cannot retire any client from the SEPM console; as long as the client can reach the SEPM server it will show up in the console.

    If the laptop is stolen, I wonder how he can reach out to your SEPM server. You have SEPM published?

    Ideally you should block this laptop from entering your network on the Firewall End...



  • 4.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:25 AM

    But again, do you have a SEPM in your DMZ or some setup like that? If it's connecting in, that means the thief is on your internal network.

    There is no option to disconnect or remove from the SEPM. You could probably create an ADC policy to essentially "brick" the machine by blocking all processes.

    If you have visibility of this machine, don't you want to try and get it back?



  • 5.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:25 AM

    I can't uninstall it since it's no longer in our possession.  Since the thief hasn't wiped it, the OS and SEP install are still reporting into our SEPM just as it should since it's still my company's property.  It won't age out from the database since it's still being used and reporting in.  One of our SEPM servers is in our DMZ for our Internet clients.  I need to prevent it from reporting in.  I was going down the path of creating an "unauthorized" policy to give it but I don't know how to get it to report into another server and am unsure what I would need to do to give it a policy which would "unplug" it from our SEPM server.



  • 6.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:25 AM

    If it's not reporting, then just right-click on it and select delete. Or

    follow these steps so that it does not report to SEPM any more:

    1) Create a new group in SEPM.

    2) Move the client to the new group.

    3) Click on the new group and select the Details tab (the one on the top right next to Policies).

    4) Note down the policy serial number; it will be alphanumeric, like (4B55-06/26/2014 14:13:09 162).

    5) Navigate to the SEPM install drive:

    <Drive>\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent

    6) Search for the folder which begins with the policy serial number (from step 4).

    7) Open the folder.

    8) Open the sylink.xml file in WordPad. Change the IP address, or just scrap it, or just put a blank Sylink.xml.

    9) Save it.

    Next time when the client talks to SEPM, it will download this blank sylink file and it won't be able to communicate.



  • 7.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:26 AM

    You can block the firewall port for the communication between client and sepm

    port - 80, 8014



  • 8.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:26 AM

    Follow these steps so that it does not report to SEPM any more:

    1) Create a new group in SEPM.

    2) Move the client to the new group.

    3) Click on the new group and select the Details tab (the one on the top right next to Policies).

    4) Note down the policy serial number; it will be alphanumeric, like (4B55-06/26/2014 14:13:09 162).

    5) Navigate to the SEPM install drive:

    <Drive>\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent

    6) Search for the folder which begins with the policy serial number (from step 4).

    7) Open the folder.

    8) Open the sylink.xml file in WordPad. Change the IP address, or just scrap it, or just put a blank Sylink.xml.

    9) Save it.

    Next time when the client talks to SEPM, it will download this blank sylink file and it won't be able to communicate.
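
Steps 5 to 9 of the procedure in posts 6 and 8, as an added PowerShell example that is not part of any post in this thread and is not Symantec tooling. It assumes the folder name starts with the leading characters of the policy serial (the part before the date, such as `4B55`); the parameter names `-Drive`, `-SerialPrefix` and `-Apply` are made up for this example. It refuses to act unless exactly one folder matches, because blanking the wrong group's file would cut off every client in that group.

```powershell
# Added example: find the isolation group's folder under outbox\agent and
# blank its sylink.xml, keeping a timestamped backup beside it.
# The path is the one quoted in the post; parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)] [string] $Drive,         # SEPM install drive, e.g. 'D:'
    [Parameter(Mandatory = $true)] [string] $SerialPrefix,  # leading part of the serial (assumption)
    [switch] $Apply                                         # without this, report only
)

$ErrorActionPreference = 'Stop'
$agentRoot = $Drive.TrimEnd('\') +
    '\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent'

if (-not (Test-Path -LiteralPath $agentRoot)) {
    throw "Agent outbox not found: $agentRoot"
}

# Match folders by literal prefix (no wildcard interpretation of the input).
$candidates = @(Get-ChildItem -LiteralPath $agentRoot |
    Where-Object { $_.PSIsContainer -and
                   $_.Name.StartsWith($SerialPrefix, [StringComparison]::OrdinalIgnoreCase) })

# Zero or several matches means the prefix does not identify one group: stop.
if ($candidates.Count -ne 1) {
    throw "Expected exactly one folder starting with '$SerialPrefix', found $($candidates.Count). Nothing changed."
}

$sylink = Join-Path $candidates[0].FullName 'sylink.xml'
if (-not (Test-Path -LiteralPath $sylink)) {
    throw "No sylink.xml in $($candidates[0].FullName). Nothing changed."
}

Write-Host "Group folder : $($candidates[0].FullName)"
Write-Host "Target file  : $sylink ($((Get-Item -LiteralPath $sylink).Length) bytes)"

if (-not $Apply) {
    Write-Host 'Dry run only. Re-run with -Apply to back up and blank the file.'
    return
}

# Keep the original so the group can be restored if the wrong folder was picked.
$backup = "$sylink.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $sylink -Destination $backup
Clear-Content -LiteralPath $sylink
Write-Host "Backup written to $backup; sylink.xml is now empty."
```

Run it on the SEPM server from an elevated prompt; the new group should contain only the stolen client before `-Apply` is used.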



  • 9.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:28 AM

    No you cannot. SEP will not block 8014, even if you create a rule in the SEPM to do it.



  • 10.  RE: Unauthorized client reporting into SEPM (12.1.3) and need to ban it

    Posted Jul 18, 2014 10:29 AM

    Thanks Rafeeq!  I will try your steps.