Endpoint Protection


Move a Client to a new Group with a Startup Script?

  • 1.  Move a Client to a new Group with a Startup Script?

    Posted Apr 22, 2009 06:24 PM
    In SAV, we could copy a GRC.DAT file and change a computer's Group. We leveraged that in Startup Scripts to put clients in the correct SAV Groups automatically depending on the computer's OU. When a computer changed OUs, it would get the correct SAV config on its next boot.

    In SEP (11.0 MR4 MP1A), we have the ability to import OUs from AD into SEPM. Which mostly works...but I have been unable to get it to work reliably under several specific circumstances despite a trouble ticket that's been open now for 2 months. I want to fall back to doing it the way we did with SAV...it was simple enough, and it worked without fail.

    Problem is, SylinkDrop can't override the Console the way copying a GRC.DAT file could. Once the console lists a client, all Sylink can do is refresh the communication settings.

    I've tried SylinkDrop-ing an unmanaged Sylink.xml, followed by the desired Group's Sylink.xml. That works briefly, but since the client is already registered in SEPM, and doesn't "unregister" until the 30 day timeout expires, SEPM puts it back in the original group.

    Is there a way to change a client's Group from a Startup Script?


  • 2.  RE: Move a Client to a new Group with a Startup Script?

    Posted Apr 22, 2009 11:55 PM
    Right-click your group wherein you don't need your client to get managed again, go to Properties and check the checkbox for "Block new clients".

    This will not allow your moved clients to get back into the old groups.

    SylinkDrop tool will help you in replacing sylink.xml file on the clients.

    Check for 4-5 machines and then roll out to rest of your machines

    Rgrds,
    SAM


  • 3.  RE: Move a Client to a new Group with a Startup Script?

    Posted Apr 23, 2009 12:51 AM
    Thanks, Sam, but I might as well just move it in the console as go to all that trouble!<g>

    The objective here is to not touch the console at all. Just move the computer to another OU in AD, and have the client move itself to the correct Group in SEPM without human intervention. It worked beautifully in SAV simply by copying the right GRC.DAT in the Startup Script.


  • 4.  RE: Move a Client to a new Group with a Startup Script?

    Posted Apr 23, 2009 01:09 AM
    Hi Jeff,

    Here in SEP, you have to touch the console anyways as without that you cannot.

    For more details, call Symantec Technical Support and log a case with them.

    If they say it's not possible, ask them for an email. Forward Symantec's email to your concerned Department and ask them for SEPM permissions.

    I hope this will work for you.

    Rgrds,
    SAM


  • 5.  RE: Move a Client to a new Group with a Startup Script?

    Posted Apr 23, 2009 01:40 AM
    Yes, I agree with Sam


  • 6.  RE: Move a Client to a new Group with a Startup Script?

    Posted Apr 23, 2009 02:35 AM
    Did you try including the "PreferredGroup" entry in the Sylink.Xml file?


  • 7.  RE: Move a Client to a new Group with a Startup Script?
    Best Answer

    Posted Apr 23, 2009 02:54 AM
    Once a client is in a group, it can't be moved by changing the Sylink at this point in time without deleting it in the console first.

    This is a security feature - it's there to prevent users from moving their clients to groups with lesser security.

    It's something we are looking at refining with the next version of SEP.



  • 8.  RE: Move a Client to a new Group with a Startup Script?

    Posted Apr 23, 2009 06:20 AM
    Agree with SAM


  • 9.  RE: Move a Client to a new Group with a Startup Script?

    Posted Apr 23, 2009 08:47 AM
    Paul, in a locked-down system where users are not admins, like this one, there's no risk of users moving their SEP clients. I agree that it was a weakness in SAV where users are admins. Presumably SEP admins will be able to enable or disable this functionality from the console (unlike SAV).

    I'll look forward to the "next version"...meaning 12.0, or the next MR/MP?


  • 10.  RE: Move a Client to a new Group with a Startup Script?

    Posted Aug 06, 2009 02:53 PM
    I was wondering if it is possible to script moving a workstation into another client group which doesn't require a password to uninstall SEP, because the current group the workstation is in has that restriction. Any ideas? Thanks.


  • 11.  RE: Move a Client to a new Group with a Startup Script?

    Posted Aug 06, 2009 06:10 PM
    Haven't tried it with a password-protected client, to be honest, but I think this should work:

    Use SylinkDrop (including the -p <SEPpassword> parameter) to import an unmanaged Sylink.xml. Then run it again (without -p <SEPpassword>) to import a Sylink.xml exported from the target group.


  • 12.  RE: Move a Client to a new Group with a Startup Script?

    Posted Dec 29, 2009 05:14 AM
    Hello, I have installed SEP 11.0.5002.333, can it move the client by changing the Sylink?

    How can I do it from a script?

    Thanks a lot.


  • 13.  RE: Move a Client to a new Group with a Startup Script?

    Posted Dec 31, 2009 07:15 AM
    Hi,

    This way you can create a new machine account, but cannot really move the client. By default the old machine account is removed from SEPM after 30 days. I haven't tried this yet with Application and Device control or Tamper Protection protecting SEP. This only works with RU5.

    Export configuration from a client with the new preferred group (config.xml) and copy sylink.xml from SEP installation folder anywhere you prefer. Check that sylink.xml has the preferredgroup information.

    Then copy the xml files into a network share or on the client machine and,

    smc.exe -p <password> -importconfig <configfile>
    smc.exe -p <password> -stop
    reg delete "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink" /v HardwareID /f
    reg delete "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink" /v PreferredGroup /f
    del "C:\Program Files\Common Files\Symantec Shared\HWID\sephwid.xml"
    rem Replace <SEP_Install_Folder>\sylink.xml with one having the new preferred group
    smc.exe -start

    - Jukka
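
The check the last post calls for ("Check that sylink.xml has the preferredgroup information"), combined with the OU-to-group mapping described in the first post, as an added example that is not part of the thread and not Symantec code. It assumes PreferredGroup appears in Sylink.xml as an XML attribute that may be percent-encoded; the OU names, group paths and sample XML are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Hypothetical mapping from AD OU to SEPM group path (constructed values).
OU_TO_GROUP = {
    "OU=Workstations,DC=example,DC=com": r"My Company\Workstations",
    "OU=Labs,OU=Workstations,DC=example,DC=com": r"My Company\Workstations\Labs",
}

def expected_group(computer_dn, mapping=OU_TO_GROUP):
    """Return the group mapped to the most specific OU containing the computer."""
    dn = computer_dn.lower()
    matches = [ou for ou in mapping if dn.endswith("," + ou.lower())]
    if not matches:
        return None  # computer sits in an OU nobody mapped: do not guess a group
    return mapping[max(matches, key=len)]

def preferred_group(sylink_xml):
    """Return the first PreferredGroup attribute found anywhere in the file."""
    root = ET.fromstring(sylink_xml)
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if name.lower() == "preferredgroup":
                return unquote(value)  # assumption: value may be percent-encoded
    return None

def sylink_matches(computer_dn, sylink_xml):
    """True only if the file names the group this computer's OU maps to."""
    want = expected_group(computer_dn)
    have = preferred_group(sylink_xml)
    return want is not None and have is not None and want.lower() == have.lower()

# Constructed sample; element names are assumptions, not an exported file.
SAMPLE_SYLINK = """<ServerSettings>
  <CommConf>
    <RegisterClient PreferredGroup="My%20Company%5CWorkstations%5CLabs" PreferredMode="1"/>
  </CommConf>
</ServerSettings>"""

if __name__ == "__main__":
    dn = "CN=PC01,OU=Labs,OU=Workstations,DC=example,DC=com"
    print(expected_group(dn), preferred_group(SAMPLE_SYLINK), sylink_matches(dn, SAMPLE_SYLINK))
```

Running this against each exported Sylink.xml before it goes onto the share catches a file exported from the wrong group, which would otherwise register clients under a policy set nobody intended.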