Endpoint Protection

 View Only

  • 1.  Allow Administrators to Disable SEP 12.1 on all Clients

    Posted Jan 25, 2012 11:38 AM

    Hi!

    We don't allow Users to Disable the SEP Protection on all Clients by Policy.

    But, is it possible to allow some Administrator Accounts to disable the SEP Protection on all Clients, if he is logged on?

    If yes, how can I handle that?

     

    Thank you in Advance

    Best Regards

    Troga



  • 2.  RE: Allow Administrators to Disable SEP 12.1 on all Clients

    Trusted Advisor
    Posted Jan 25, 2012 12:13 PM

    Hello,

    Here are the Steps:

    1) Lock all the Locks within SEPM by following the steps provided in the Article:

    How to prevent SEP features from being disabled in the client GUI in SEP 12.1
     
     
    How to block a user's ability to disable Symantec Endpoint Protection 11.x on Clients
     
     
    2) Provide Policy for password protection to the SEP clients to access GUI. (which ofcourse anly Administrator would have)
     
    This could be done by:
     
    SEPM > Clients TAB > Policies> General Settings > Security Settings.
     
    Once this is done, only Administrator who have the password to check the SEP GUI would be able to Disable the SEP.
     
    Hope that helps!!


  • 3.  RE: Allow Administrators to Disable SEP 12.1 on all Clients

    Posted Jan 25, 2012 12:24 PM

    Hi Mithun!

    But we want that the Users can open the GUI to check Status and so on.

    We just want that the Users can't disable the protection, but any (defined) admin account can disable the Protection for a while.

    Any other Idea for us?

     

    Best Regards

    Troga



  • 4.  RE: Allow Administrators to Disable SEP 12.1 on all Clients

    Trusted Advisor
    Posted Jan 25, 2012 12:28 PM

    Hello,

    In that case, Provide password for stopping the client service and uninstall the client.

    Hope that helps!!



  • 5.  RE: Allow Administrators to Disable SEP 12.1 on all Clients

    Posted Jan 26, 2012 04:49 AM

    Hi Mithun!

    Are you sure?

    We want to use right mouse click on the tray icon and then Disable Endpoint Protection for (defined) Admins only

    I tested it and opened the lock from the Auto Protection and entered a Password for stopping the client service, but the user was now also able to disable the protection and no password pop up has opened.

    I had set also a Password for Export Policy and that worked.

    So I am sure, that I got the right Policy and that your Solution seems not to be right for us.

    Are I am missing something or did you understand something wrong?

    Best Regards

    Troga



  • 6.  RE: Allow Administrators to Disable SEP 12.1 on all Clients

    Trusted Advisor
    Posted Jan 26, 2012 06:35 AM

    Hello,

    You need to use the Steps below:

    1) Lock all the Locks within SEPM by following the steps provided in the Article:

    How to prevent SEP features from being disabled in the client GUI in SEP 12.1
     
     
    and 
     
    2) Provide password for stopping the client service and uninstall the client.

    Hope that helps!!



  • 7.  RE: Allow Administrators to Disable SEP 12.1 on all Clients

    Posted Jan 26, 2012 07:55 AM

    If we make Step 1 and Step 2

    then the Disable Endpont Protection is greyed out. (Like it was before)

    And how can the Admin then Disable the Protection?

    By stopping some services inside services.msc, is not what we want.

    We want to have the Disable Endpont Protection in the tray icon greyed out for Users

    and ON for our defined Admin Accounts.

    Best Regards

    Troga



  • 8.  RE: Allow Administrators to Disable SEP 12.1 on all Clients

    Broadcom Employee
    Posted Jul 12, 2012 05:27 AM

    Hi Troga,

    It's possible with user mode.

    You configure clients to be in either user mode or computer mode, based on how you want to apply policies to the clients in groups. When you add a client, it defaults to computer mode, which takes precedence over user mode.

    computer mode:  The client protects the computer with the same policies, regardless of which user is logged on to the computer. The policy follows the group that the computer is in. Computer mode is the default setting.

    user mode:  The policies change, depending on which user is logged on to the client. The policy follows the user.

    http://www.symantec.com/docs/TECH102686



  • 9.  RE: Allow Administrators to Disable SEP 12.1 on all Clients

    Trusted Advisor
    Posted Jul 12, 2012 06:13 AM

    You could simply give the admins the uninstall/stop password and then from the run cmd typing smc -stop entering the password will stop the client and smc -start to start the client back up?