What is an Unmanaged Detector?


Article ID: 151601


Endpoint Protection


What does it mean to set a client as an Unmanaged Detector?


Unauthorized devices can connect to the network in many ways, such as physical access in a conference room or rogue wireless access points. To enforce policies on every endpoint, you must be able to quickly detect the presence of new devices. Unknown devices are the devices that are unmanaged and that do not run the client software. You must determine whether the devices are secure. You can enable any client as an unmanaged detector to detect the unknown devices.

When a client is set as an Unmanaged Detector, it locates unmanaged clients on its own local network segment and reports them to Symantec Endpoint Protection Manager. An Unmanaged Detector cannot detect unmanaged clients on network segments other than its own.

Symantec Endpoint Protection Manager uses several methods to locate unmanaged clients. It can still locate unmanaged clients if no Unmanaged Detectors are defined, but the results are more accurate if there is an Unmanaged Detector on each local network segment.

There are three ways to view unmanaged computers/devices discovered using the Unmanaged Detector feature.

  • Configure a notification
    1. Open and log in to the Symantec Endpoint Protection Manager
    2. Click on the Monitors tab
    3. Click on Notifications
    4. Click on Notification Conditions
    5. Click on Add
    6. Select Unmanaged computers
  • Check Unknown Device Failures in Security Status Details:
    1. Select the Home tab to view the Dashboard page of the Symantec Endpoint Protection Manager
    2. Click on View Details link on the Security Status alert and check for Unknown Device Failures. Any detections of unmanaged devices are listed, with IP and MAC address details.

Technical Information
When a device starts up, its operating system sends ARP traffic to the network to let other computers know of the device's presence. A client that is enabled as an unmanaged detector collects and sends the ARP packet information to the SEPM. This management server searches the ARP packet for the device's MAC and IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new. You can then decide whether the device is secure. Because the client only transmits information, it does not use additional resources.

You can configure the unmanaged detector to ignore certain devices, such as a printer. You can also set up email notifications to notify you when the unmanaged detector detects an unknown device.
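The ARP comparison and ignore list described above, sketched as an added example; it is not Symantec's code and not part of the original article. The function names, the inventory sets, the sample frames, and the rule that a match on either MAC or IP counts as a known device are all assumptions made for illustration.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet II IPv4 ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, str(ipaddress.IPv4Address(frame[28:32]))

def classify(frame, known_macs, known_ips, ignored_macs):
    """Label the ARP sender as 'ignored', 'known' or 'new'; None if not ARP."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    mac, ip = parsed
    if mac in ignored_macs:
        return ("ignored", mac, ip)
    # An ARP probe carries sender IP 0.0.0.0, so only the MAC is usable then.
    if mac in known_macs or (ip != "0.0.0.0" and ip in known_ips):
        return ("known", mac, ip)
    return ("new", mac, ip)

def build_arp(sender_mac, sender_ip, target_ip):
    """Construct a broadcast ARP request frame (sample input for this example)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha
    arp += ipaddress.IPv4Address(sender_ip).packed + b"\x00" * 6
    return eth + arp + ipaddress.IPv4Address(target_ip).packed

# Constructed inventory and traffic (documentation addresses, not real devices).
KNOWN_MACS = {"02:00:00:00:00:01"}
KNOWN_IPS = {"192.0.2.10"}
IGNORED_MACS = {"02:00:00:00:00:99"}  # e.g. a printer excluded from detection
SAMPLE_FRAMES = [
    build_arp("02:00:00:00:00:01", "192.0.2.10", "192.0.2.1"),  # managed client
    build_arp("02:00:00:00:00:99", "192.0.2.50", "192.0.2.1"),  # ignored printer
    build_arp("02:00:00:00:00:aa", "192.0.2.77", "192.0.2.1"),  # unknown device
    build_arp("02:00:00:00:00:bb", "0.0.0.0", "192.0.2.78"),    # ARP probe at startup
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f, KNOWN_MACS, KNOWN_IPS, IGNORED_MACS))
```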

NOTE: In order to act as an unmanaged detector, SEP clients must have both features of Network Threat Protection (NTP) enabled and be in Computer Mode. That is, the Firewall and Intrusion Prevention features must be enabled on the computer that will act as an Unmanaged Detector. User Mode clients or clients without both features of NTP cannot act as unmanaged detectors.