Symantec Endpoint Protection unmanaged client is not able to save policy changes made in the client interface

Article ID: 162331

Products

Endpoint Protection

Issue/Introduction

You installed an unmanaged Symantec Endpoint Protection (SEP) client for Windows with a package you exported from Symantec Endpoint Protection Manager (SEPM). The package included custom policies from a group whose Location-specific Settings set Client User Interface Control Settings to Server Control.

When you make changes in the client user interface (UI), and then reboot the computer, you notice that the policy settings have reverted to the default.

Cause

This behavior is caused by the Server Control setting that the exported package assigned to the unmanaged client. It is expected behavior, not a defect.

The Symantec Endpoint Protection client stores two copies of policy settings: serdef.dat and cltdef.dat. Both of these files are copied to the client computer when the Symantec Endpoint Protection client is installed.

In Server Control mode, the Symantec Endpoint Protection client loads the file serdef.dat for its policy settings. In Client Control mode, the file cltdef.dat is used. In either mode, the client UI can be locked or unlocked by policy.

If the Symantec Endpoint Protection client is managed, it periodically downloads serdef.dat from Symantec Endpoint Protection Manager to keep its local copy up to date. If the Symantec Endpoint Protection client is unmanaged, you can edit policy settings through the client UI with Change Settings.

Any change made through the client UI is written only to cltdef.dat, never to serdef.dat, because only Symantec Endpoint Protection Manager can modify the Server Control policy settings. If the UI is locked by policy, even cltdef.dat cannot be changed from the UI.

In this scenario, the unmanaged client is in Server Control mode. Policy changes made in the UI are written to cltdef.dat, and the client UI continues to show those changes until the computer restarts. On reboot, Server Control mode makes the client load its policy settings from serdef.dat. Because the client is unmanaged, no Symantec Endpoint Protection Manager has ever updated serdef.dat, so it is unchanged since the client was installed, and the UI now shows the installation-time settings again.

Because the policy changes appear to revert, this looks like a defect, but the client is working as designed. The combination of Server Control with an unmanaged client is intended for environments that use third-party content management to deliver policy. See Technical Information for more details.

Resolution

To change the existing unmanaged client from Server Control to Client Control

  1. Log on to Symantec Endpoint Protection Manager.
  2. Click Clients, and then click the group whose policies you want to use. Alternatively, create a new group.
  3. In the right pane, click Policies. Under Location-specific Policies and Settings, click to expand Location-specific Settings.
  4. Next to Client User Interface Control Settings, click Server Control to open the settings.
  5. Click Client Control, and then click OK.
  6. Click Details, and take note of the Group ID.
  7. Go to Symantec Endpoint Protection Manager Installation folder\data\outbox\agent, and find the folder whose name matches the Group ID you previously noted.
  8. Copy the file Profile.xml to a convenient location, such as a network share, so that you can copy it to the Symantec Endpoint Protection client computer.

On the Symantec Endpoint Protection client computer:

  1. In the Symantec Endpoint Protection client UI, click Help > Troubleshooting.
  2. Under Policy Profile, click Import.
  3. Navigate to the file Profile.xml, and then click Open to import the policy file.

Note: This action overwrites any existing policy settings with the settings exported from Symantec Endpoint Protection Manager. If you want to keep the existing policy settings, create a new group in Symantec Endpoint Protection Manager, change the policy as needed, export and then import the profile of this custom group on the client.

Note: If you have enabled third-party content management, you can also import the updated profile by copying Profile.xml into the following folder:

  • Vista and later: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\inbox
  • Pre-Vista: C:\Documents and Settings\All Users\Application Data\Symantec\CurrentVersion\inbox
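The SEPM-side steps (locate Profile.xml under data\outbox\agent\<Group ID> and copy it somewhere the client can reach) and the inbox variant in the note above can be scripted. The following PowerShell is an added example, not code from the Symantec article or product: the first function runs on the SEPM server and stages the group's Profile.xml with a SHA-256 record, the second runs on the client and drops it into the third-party content management inbox path given above. The default SEPM installation path, the staging share, the function names, and the requirement for PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added example, not from the Symantec article. Stages the Profile.xml that SEPM
# exports for a group and, on the client, copies it into the third-party content
# management inbox. Assumptions: default SEPM install path, a reachable staging
# folder, and PowerShell 4+ (Get-FileHash).

function Export-SepGroupProfile {
    param(
        [Parameter(Mandatory)] [string] $GroupId,        # from Clients > group > Details
        [Parameter(Mandatory)] [string] $StagingFolder,  # e.g. a share the client can read
        # Assumed default SEPM installation folder; adjust to match your server.
        [string] $SepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
    )
    # Article step 7: <installation folder>\data\outbox\agent\<Group ID>\Profile.xml
    $source = Join-Path $SepmRoot "data\outbox\agent\$GroupId\Profile.xml"
    if (-not (Test-Path -LiteralPath $source)) {
        throw "No Profile.xml under data\outbox\agent for group $GroupId. Verify the Group ID under Details."
    }
    # Sanity check: refuse to ship a truncated or otherwise malformed profile.
    $null = [xml](Get-Content -LiteralPath $source -Raw)

    $dest = Join-Path $StagingFolder "$GroupId-Profile.xml"
    Copy-Item -LiteralPath $source -Destination $dest -Force

    # Record the hash so the client can verify the file was not altered on the share.
    $srcHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest   -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy to $dest does not match the source (hash mismatch)." }
    [pscustomobject]@{ Path = $dest; Sha256 = $srcHash }
}

function Import-SepProfileViaInbox {
    param(
        [Parameter(Mandatory)] [string] $StagedProfile,
        # SHA-256 reported by Export-SepGroupProfile; anything else is not imported.
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # Inbox location from the article: it differs between pre-Vista and Vista-and-later clients.
    $common = [Environment]::GetFolderPath('CommonApplicationData')
    $inbox = if ([Environment]::OSVersion.Version.Major -ge 6) {
        Join-Path $common 'Symantec\Symantec Endpoint Protection\CurrentVersion\inbox'
    } else {
        Join-Path $common 'Symantec\CurrentVersion\inbox'
    }
    if (-not (Test-Path -LiteralPath $inbox)) {
        # The inbox route only applies when third-party content management is enabled;
        # otherwise use Help > Troubleshooting > Policy Profile > Import in the client UI.
        throw "Inbox folder $inbox not found; use the client UI import instead."
    }
    $actual = (Get-FileHash -LiteralPath $StagedProfile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { throw "Staged profile hash mismatch; not importing." }
    # The article copies the file into the inbox under its original name, Profile.xml.
    Copy-Item -LiteralPath $StagedProfile -Destination (Join-Path $inbox 'Profile.xml') -Force
}

# Usage: run the first command on the SEPM server, the second on the client.
# $staged = Export-SepGroupProfile -GroupId '<Group ID from Details>' -StagingFolder '\\fileserver\sep\profiles'
# Import-SepProfileViaInbox -StagedProfile $staged.Path -ExpectedSha256 $staged.Sha256
```

Profile.xml defines the client's protection settings, so anyone who can write to the staging share could substitute a weaker policy; the hash check makes the client import only the file SEPM actually exported. The Group ID and staging share are placeholders to replace with your own values.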

To create a new unmanaged client with the default Client Control setting

  1. Log on to Symantec Endpoint Protection Manager.
  2. Click Admin > Install Packages. By default, Client Install Package is selected.
  3. In the right pane, click the Windows package that you need.
  4. Under Tasks, click Export a Client Install Package.
  5. Under Export Settings, click Export an unmanaged client. If Export packages with policies from the following groups is checked, then uncheck it.
  6. Change the other export settings to meet your requirements, and then click OK to begin the package export.

Technical Information

Symantec Endpoint Protection has two modes: management mode, and control mode.

Management mode can be managed or unmanaged. When managed, the Symantec Endpoint Protection client has a Symantec Endpoint Protection Manager to which it reports, and which controls the client behavior on a wide scale. When unmanaged, the Symantec Endpoint Protection client runs on its own. For more information, see About managed and unmanaged clients.

Control mode can be Client Control or Server Control, which controls policy settings. For more information, see Preventing users from disabling protection on client computers.

Since those two modes are independent of each other, the Symantec Endpoint Protection client can be in one of four combinations:

  1. Managed/Server Control: Symantec Endpoint Protection Manager has absolute control over all aspects of the Symantec Endpoint Protection client. The client reports to Symantec Endpoint Protection Manager, and policy settings are set in Symantec Endpoint Protection Manager.
  2. Managed/Client Control: Symantec Endpoint Protection Manager has control of most of the client’s functionality. The client reports to Symantec Endpoint Protection Manager, but the client has autonomy on policy settings.
  3. Unmanaged/Client Control: The Symantec Endpoint Protection client has absolute autonomy on everything, and reports to no one.
  4. Unmanaged/Server Control: The Symantec Endpoint Protection client has absolute control of everything other than policy settings, which are meant to be controlled with third-party management tools. For more information on enabling third-party content management, see: Configuring a LiveUpdate Settings policy to allow third-party content distribution to managed clients.

This flexibility is useful for administrators and users, but the fourth combination produces unintended and undesirable results, such as the reverting settings described above, when no third-party content management is in place to deliver policy.