Endpoint Protection

Hello Guys,

I need some help for regarding USB blocking through SEPM 12.1.6 server.

MY Demands..

* I need completed usb blocking Exclude :Phone charging,company usb.

* i need a policy like,if any new computer is coming and computer name is created in AD,SEPM is automatically detected and install to the system(AD integration is done,is that is enough) is it possible??

*If one of new system is not install the sepm,that system can't get internet.is it possible do it in sepm?

* I need completed usb blocking Exclude :Phone charging,company usb.

you can allow or block USB using ADC policy. the information is available from the link

https://support.symantec.com/en_US/article.TECH175220.html

* i need a policy like,if any new computer is coming and computer name is created in AD,SEPM is automatically detected and install to the system(AD integration is done,is that is enough) is it possible??

Do you mean to say to install SEP client on the newly introduced system into your network? You can use unmanaged detector, which will let know if the SEP is installed. If not use you can use the NAC 9not SEP) to install SEP client.

*If one of new system is not install the sepm,that system can't get internet.is it possible do it in sepm?

If SEP is not installed on client, no SEP policy can be set to allow/block internet access. It has to be done something on NAC side.

we have NAC agent.How i get the http link to all clients need to update?

but how to exclude phone charge USB???

See here;

Installing clients with Web Link and Email

SEP has always blocked USB devices entirely. There hasn't been a way to exclude (allow) charging but block the device from performing other functions.

Charging of USB devices depend on the OS.

On Windows 2000, XP and 2003 if a USB device is disabled with SEP's Device Control then the operating system will power down that device. Devices such as Androids, iPods, cameras and other types of portable devices will not be able to get charged. 

On newer operating systems such as Windows Vista, Windows 7 and 2008 the operating system will allow the devices to receive power even if they are disabled using SEP.

Refrence: http://www.symantec.com/docs/TECH175220

Hi,

Thank you for posting your query in Symantec community.

Q. * I need completed usb blocking Exclude :Phone charging,company usb.

--> As Syed said newer operating systems will allow the devices to receive power even if they are disabled using SEP.

To block USB access in the Symantec Endpoint Protection Manager, open Policies, then click Application and Device Control.

1. Open an existing policy or click Add an Application and Device Control Policy.
2. Click on the Device Control tab.
3. Under the Blocked Devices section click the ADD button and select the USB option.
4. Assign policy to the groups.

Q. * i need a policy like,if any new computer is coming and computer name is created in AD,SEPM is automatically detected and install to the system(AD integration is done,is that is enough) is it possible??

-->  SEPM will not install SEP clients automatically if any system found without SEP client. But SEPM will list down all those machine, can use AD GPO to deploy SEP clients or any other recommended method.

Reference guide: Installing Windows clients with an Active Directory Group Policy Object (GPO)

http://www.symantec.com/docs/HOWTO81177

Other methos are listed here: http://www.symantec.com/docs/HOWTO80807

Q. *If one of new system is not install the sepm,that system can't get internet.is it possible do it in sepm?

--> Possible, but need to implement custom HI policy, By default HI policy is not assign to any group.

Use custom requirements, refer this screenshot.

Adding a custom requirement from a template

http://www.symantec.com/docs/HOWTO101735