Sort rules for moving SEP clients into groups
We're finding that using the existing sort features within SEP (location-based policies or sorting clients via Active Directory) has its limitations.
Today a group has a single file containing policy information on all locations. That file is distributed to each SEP client within that group. The file can get very large very quickly as new locations are added or unique AV/IPS/ADC policies are assigned to each location. One of our groups has a 2 MB policy file. That makes for some decent WAN utilization for each policy change. The risk of policy corruption or administrative error spreading to a large number of clients also increases because all clients share that single file.
Locations work well primarily for clients roaming between networks that may or may not have the ability to communicate with a SEPM to get updated policy. But for static clients, groups are more appropriate for the reasons I mentioned above. Unfortunately, having a unique SEP build for each group becomes a large administrative chore. Importing Active Directory OUs doesn't work for us either because of our several domains and the trust levels between them, not to mention the large number of machine OUs within each.
Essentially, what I'd like to see sort of already exists outside of the SEP console with the MoveClient.vbs "unsupported" script available on the RU6 DVD. It has the ability to move clients based on host name, IP, OS, or user. Adding this feature to the SEPM, with the ability to have multiple move rules and the option to adjust the frequency with which the rules are enforced, would allow it to run in a secure manner (no clear-text DB credentials).
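To make the "multiple move rules" idea concrete, here is an added example of the rule-evaluation logic such a feature would need; it is not code from the original post and not the MoveClient.vbs script, and it does not talk to a SEPM or its database. The client fields, the `MoveRule` criteria (hostname glob, CIDR subnet, OS prefix, exact user) and the sample client list are all assumptions constructed for the example. Rules are evaluated in order and the first match wins; a rule with no criteria at all is rejected so that a typo in a rule definition cannot silently sweep every client into one group, and clients already in the target group are left alone so repeated runs are idempotent.

```python
"""Hypothetical rule-based sorter for moving SEP clients into groups (added example).

Nothing here queries a SEPM; it only decides which clients *would* move.
The criteria and data model are assumptions, not the SEPM's own API.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Client:
    hostname: str
    ip: str
    os: str
    user: str
    group: str          # the SEPM group the client is in today


@dataclass(frozen=True)
class MoveRule:
    target_group: str
    hostname_glob: Optional[str] = None   # e.g. "WS-*"
    subnet: Optional[str] = None          # e.g. "10.1.5.0/24"
    os_prefix: Optional[str] = None       # e.g. "Windows Server"
    user: Optional[str] = None            # exact (case-insensitive) logged-on user

    def __post_init__(self) -> None:
        # Safety check: a rule with no criteria would match every client.
        if not any((self.hostname_glob, self.subnet, self.os_prefix, self.user)):
            raise ValueError(f"rule for {self.target_group!r} has no match criteria")
        if self.subnet:
            # Fail early on a malformed CIDR rather than on the first client.
            ipaddress.ip_network(self.subnet, strict=False)

    def matches(self, c: Client) -> bool:
        """All criteria present on the rule must match (logical AND)."""
        if self.hostname_glob and not fnmatch.fnmatch(c.hostname.lower(), self.hostname_glob.lower()):
            return False
        if self.subnet and ipaddress.ip_address(c.ip) not in ipaddress.ip_network(self.subnet, strict=False):
            return False
        if self.os_prefix and not c.os.lower().startswith(self.os_prefix.lower()):
            return False
        if self.user and c.user.lower() != self.user.lower():
            return False
        return True


def plan_moves(clients: List[Client], rules: List[MoveRule]) -> List[Tuple[str, str, str]]:
    """Return (hostname, current_group, target_group) for every client that should move.

    First matching rule wins; clients already in the target group are skipped,
    and clients matching no rule stay where they are.
    """
    moves: List[Tuple[str, str, str]] = []
    for c in clients:
        for r in rules:
            if r.matches(c):
                if r.target_group != c.group:
                    moves.append((c.hostname, c.group, r.target_group))
                break
    return moves


# Constructed sample data (not real hosts or addresses).
SAMPLE_RULES = [
    MoveRule("Servers", subnet="10.1.5.0/24"),
    MoveRule("Workstations", hostname_glob="WS-*"),
    MoveRule("Laptops", hostname_glob="LT-*"),
    MoveRule("Mac Clients", os_prefix="Mac OS"),
]

SAMPLE_CLIENTS = [
    Client("SRV-DB01", "10.1.5.20", "Windows Server 2008", "svc-sql", "Default"),
    Client("WS-1234", "10.2.0.15", "Windows 7", "jdoe", "Default"),
    Client("LT-0042", "192.168.50.9", "Windows 7", "asmith", "Laptops"),   # already placed
    Client("MAC-01", "10.2.0.99", "Mac OS X", "bob", "Default"),
    Client("PRINTSRV", "172.16.0.5", "Linux", "root", "Default"),          # no rule matches
]


if __name__ == "__main__":
    for host, old, new in plan_moves(SAMPLE_CLIENTS, SAMPLE_RULES):
        print(f"{host}: {old} -> {new}")
```

Rule order matters: the subnet rule is listed first so that a server named `WS-*` sitting in the server VLAN is still treated as a server. Running the planner on a schedule and reviewing the output before applying it is the equivalent of the "adjust the frequency" option the post asks for.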