Endpoint Protection


Computer Mode vs. User Mode

  • 1.  Computer Mode vs. User Mode

    Posted Aug 10, 2009 09:58 AM
    Can someone give me a quick breakdown on why I would install SEP clients in User Mode over Computer Mode?  What we are seeing in the console is a SEP client, not actually a user or a computer, correct?  Maybe I am just having trouble wrapping my brain around the way it works.

    We are looking at implementing Device Control to limit or ban the use of USB devices (except of course HIDs).  We are running EPM ver:  11.0.4204.75.  We have a Management server and a Load Balancing server.

     

    We currently have a pretty flat structure, the majority of clients are in the 'Default Group' and we have three or four other groups for clients that require specialized policies.  All our SEP clients are installed as Computer Mode.

    Ideally we would like to block USB devices from everyone, except for our technicians.  I'm sure that User Mode is the way to go to accomplish this, I'm just having a hard time understanding how it will work.

    Thanks in advance for any assistance.



  • 2.  RE: Computer Mode vs. User Mode

    Posted Aug 10, 2009 10:46 AM

    Computer mode: SEP is installed on the computer no matter who logs in.

    User mode: Installed to the currently logged-in user.

    This is from page number 56 of the installation guide:

    You can set up clients as users or computers, depending on how you want the policies to work. Clients that are set up as users are in user mode. Clients that are set up as computers are in computer mode. Clients that are set up as users are based on the name of the user who logs on to the network. Clients that are set up as computers are based on the computer that logs on to the network. You set up clients as users or computers by adding the users and computers to an existing group. After a user or a computer is added to a group, it assumes the policies that were assigned to the group.

    The policies that are in force depend on the mode in which the client software runs:

    Mode: Description

    Computer mode: The client protects the computer with the same policies, regardless of which user is logged on to the computer. The policy follows the group that the computer is in. Computer mode is the default setting.

    User mode: The policies change, depending on which user is logged on to the client. The policy follows the user.

    If the client software runs in user mode, the client computer software gets the policies from the group of which the user is a member. If the client software runs in computer mode, the client gets the policies from the group of which the computer is a member.

    After you add a computer, it defaults to computer mode. Computer mode always takes precedence over user mode. Users who log on to the computer are restricted to the policy that is applied to the group to which the computer belongs.

    Hope this answers your question



  • 3.  RE: Computer Mode vs. User Mode

    Posted Aug 10, 2009 10:51 AM
    You need to put all clients (which are currently in Computer mode) in the Default Group. Switch them all to User Mode. Now in Active Directory, create dedicated OUs for the set of users to which you want to assign the dedicated policy (maybe an Application and Device Control Policy). And then integrate the structure in SEPM with the Active Directory Users OUs.

    Now you will have SEPM with the structure of AD Users OUs as Groups, where you can assign policies on OU groups. E.g. the 'Technicians' OU/Group will have access to use USB devices and other Users OUs/Groups will not have this access.

    That means, if a user in the 'Technicians' OU logs in to any PC in the domain, they will have the policy which is assigned on the 'Technicians' OU only.


  • 4.  RE: Computer Mode vs. User Mode

    Posted Aug 10, 2009 01:31 PM
    Thanks Rafeeq & jmadiwale, I read and re-read that portion that tries to describe the difference.  I get that they are different but haven't seen it.  I'm guessing because I rolled the clients out via SMS and had the install default to computer mode.  It looks to me like the console only sees 'SEP clients' because despite the mode I run them in it appears a client is still 'assigned' to a particular PC.

    Do I need to perhaps switch some test clients to user mode, delete the current entry from the database, then import the users from AD?


  • 5.  RE: Computer Mode vs. User Mode

    Posted Aug 10, 2009 01:40 PM
    Yes, that would be good for testing.

    First do an AD sync and then try the steps.


  • 6.  RE: Computer Mode vs. User Mode

    Posted Aug 10, 2009 01:49 PM
    I agree with Prachand. You can pick a few clients from the Default Group. And maybe you can create a Test OU in AD for a few users and import only that OU into the SEPM structure.
    That will be a good test.


  • 7.  RE: Computer Mode vs. User Mode

    Posted Aug 10, 2009 03:15 PM
    So I have an ID, we'll call it 'X123', that logs into 4 PCs.  These PCs reside in a group called 'Test'.  I have moved them into User Mode and now in the 'Test' group I see 4 entries that start as 'X123' and have the individual PC names listed.  The 'Test' group has basic policies, including a blank Application & Device Control policy.  For all 4 PCs I see the flesh colored face profile w/ the green dot that denotes the client is 'active'.

    I then imported the 'X123' ID into the 'Users' group via LDAP.  The icon in this group for ID 'X123' is the blue shirt/flesh head that denotes it is not communicating with SEPM.  This group has an Application & Device Control policy that does not allow USB drives.

    If PC 3 (in user mode) is in the 'Test' group and logged into by ID 'X123' I can put a USB drive in and use it normally.  However, if I move the 'X123' ID (assigned to PC3) into the 'Users' group, the App & Device Control policy works perfectly and does not allow the USB drive to be used.

    I guess my question is: how do I import a user ID to a group that can assign a policy to a client in user mode that resides in a different group?


  • 8.  RE: Computer Mode vs. User Mode

    Posted Aug 10, 2009 04:47 PM
    It will not work in this way (I may not have understood the question correctly). It should be configured in this way: Create different User OUs in AD. Switch all entries in SEPM to User mode. And integrate only the Users OUs in the SEPM. So there will be only Users listed in the SEPM, with the exact structure of the Users OUs. Now you can assign Application and Device Control policies at the OU level in the SEPM.


  • 9.  RE: Computer Mode vs. User Mode

    Posted Aug 11, 2009 04:45 AM
    Two things to consider

    1) Policies are always applied to groups, not to individuals.

    2) At any time, one computer can be in one group, but one user can log in to many computers, which are in different groups.

    When you sync your AD, you just need to add a user (under the Clients tab) under user mode.

    He can log in to any machine and he will take the policy of the group he was created in...

    It's the same as your AD group policy, computer mode and user mode, no difference in the concept :)


    Still confusing?

    :)



  • 10.  RE: Computer Mode vs. User Mode

    Posted Aug 11, 2009 08:50 AM
    Thanks again jmadiwale & Rafeeq, I was hoping that I would not need to import the AD structure.  We have many sites and it is very fragmented (I wasn't here when they designed it, that's for sure) .  For ease of administration I was hoping to keep the group counts down.  I believe I have a handle on it now.  Guess I will play around with it until I figure it out completely.

    Thanks again...


  • 11.  RE: Computer Mode vs. User Mode

    Posted Aug 11, 2009 09:54 AM
    Is it by default that computer mode is automatically changed to user mode? What is the ideal setup?


  • 12.  RE: Computer Mode vs. User Mode

    Posted Aug 11, 2009 07:20 PM

    This document may help you to know more about Computer and User mode-

     

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007101809192448



  • 13.  RE: Computer Mode vs. User Mode

    Posted Aug 19, 2009 02:55 PM
    For what it's worth, it doesn't seem too difficult to switch between user and computer mode.  If you're not happy with one option, you might be able to try the other one.