search cancel

A managed Endpoint Protection client will not change group or domain membership after some operations

book

Article ID: 161934

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

A managed Symantec Endpoint Protection (SEP) client will not change group or domain membership in SEP Manager (SEPM )after some operations, such as importing new communications settings (SyLink.xml) or re-installing or upgrading the client with a new package exported from the SEPM.

NOTE: "domain" in this article refers to a SEPM domain, not Active Directory.

Cause

If the SEP client is already registered with the SEPM then this behavior is by design and is meant to prevent unauthorized changes. Uninstalling a SEP client will also leave behind a Hardware ID that will be re-used in a new managed installation to re-establish any existing registration with the SEPM.

Resolution

The client will move and join the appropriate group and domain, if the imported SyLink.xml points to a different SEPM (with which the client  is not already registered).

To otherwise change the group or domain membership of an existing managed SEP client, use one of the following methods:

  • Use the move operation in the SEPM clients list (only available for changing groups, not domains). Simplest.
     
  • Delete the client's entry in the SEPM clients list, then deploy new communication settings to client *
     
  • Delete Hardware ID files from client, then deploy new communications settings to client **
     
  • Use the MoveClient tool in the Tools/NoSupport directory of the SEP product media.

* Deploying new communications settings to a client must be done before the next heartbeat with SEPM, otherwise the client will re-register with the SEPM using its current group/domain settings. This heartbeat can be prevented by running smc -stop at the client.

** How to prepare a SEP client for cloning describes how the Hardware ID files may be deleted from the client so that it will re-generate a new unique ID. Given a new SyLink.xml file, the client should then register with the correct group and domain. NOTE: SEP Linux and Macintosh clients use a simple hash of the MAC address and system disk identifier; the Hardware ID for these clients will not change given the same hardware. Macintosh and Linux clients will require deletion of any corresponding client entries from the SEPM before a new SyLink.xml will change group or domain settings.