Location Awareness Policies: Restricted vs. Unrestricted Users

Article ID: 180872

Products

Endpoint Protection

Resolution

Performing maintenance on a machine whose policies are locked down can be more difficult. It is therefore useful to restrict policies on a group of client machines so that users cannot change Symantec Endpoint Protection settings, while lifting that restriction whenever an authorized person is working on the machine.

Location Awareness can be used to grant more functionality on a client machine when certain conditions are met. Criteria can be configured so that policies are restricted on a day-to-day basis but the restriction is removed during maintenance.

Step 1: Creating a new location

  1. Open the Endpoint Manager and navigate to the client group where you want to restrict policies.
  2. Choose the Policies tab at the top and ensure the checkbox for Inherit policies... is cleared.
  3. Click Manage Locations in the Tasks pane at the lower left.
  4. Click the Add button at the lower left to create a new location, and give it a name (e.g. Admin Mode).
  5. Verify that the setting marked The location will be checked every: meets your needs (e.g. 120 seconds).
     Note: Setting this value too high may cause significant delays in location changes and in applying your Admin Mode policy.
  6. Click the Add button at the top right and choose Registry Key for the Type.
  7. Leave the Check dropdown set to Registry Key and confirm the radio button is on Exists.
  8. Type the path to your custom key following HKEY_LOCAL_MACHINE\ and click OK (e.g. SOFTWARE\Symantec\AdminModeOn).
     Note: Use a key that does not interfere with existing data.
  9. Click OK again to save the new location and criteria.

Step 2: Assigning policies

  1. Assign your restricted policies to the Settings for Location: Default. (See TECH102370 for more ways to restrict a client.)
     a. Click the Policies button at the left.
     b. Create or modify a policy and lock down the options using the padlock icon. (See TECH166950 for suggestions.)
     c. Assign the policy and expand the groups until you see the desired group.
     d. Expand that group and place a check mark next to the compass icon marked Default, then click OK.
     Note: Repeat steps b through d for any additional policies you wish to restrict.
  2. Create and/or assign policies under Settings for Location: Admin Mode that are less restrictive than the ones under Settings for Location: Default.
     a. From the Policies page (button at the left), create or modify a separate policy and leave the padlock open for any enabled item.
     b. Assign the policy and expand the groups until you see the desired group.
     c. Expand that group and place a check mark next to the compass icon marked Admin Mode (or the name you gave your new location), then click OK.


Once the new policies are in place, you may wish to create the key in regedit to test functionality. You can then export that key as a .reg file, which gives you an easy way to add the key in the field. See http://support.microsoft.com/kb/310516 for information on customizing the .reg file so that it deletes the key instead. This way you can have two files, such as AdminModeOn.reg and AdminModeOff.reg, ready for use in the field.
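The following PowerShell script is an added example, not part of the original article or of Symantec's own tooling: it toggles the Admin Mode criterion key, checks whether the client should currently evaluate to the Admin Mode location, and writes the two .reg files described above. It assumes the key path chosen in Step 1 was SOFTWARE\Symantec\AdminModeOn and that it is run from an elevated prompt, since the key lives under HKEY_LOCAL_MACHINE.

```powershell
# Assumed key path from Step 1 of the article (change if you chose a different one).
$AdminModeKey = 'HKLM:\SOFTWARE\Symantec\AdminModeOn'

function Test-AdminMode {
    # True when the key exists, i.e. the client will switch to the Admin Mode
    # location at its next location check (the interval set in Step 1).
    return (Test-Path -LiteralPath $AdminModeKey)
}

function Enable-AdminMode {
    # Creating a key under HKLM requires administrative rights, which is what
    # keeps a standard user from unlocking the policies themselves.
    if (-not (Test-AdminMode)) {
        New-Item -Path $AdminModeKey -Force | Out-Null
    }
    Write-Host "Admin Mode key present; client switches location at its next check."
}

function Disable-AdminMode {
    # Remove the key so the client falls back to the Default (restricted) location.
    if (Test-AdminMode) {
        Remove-Item -LiteralPath $AdminModeKey -Recurse -Force
    }
    Write-Host "Admin Mode key removed; client returns to the Default location."
}

function Export-AdminModeRegFiles {
    param([string]$OutDir = '.')
    # Regedit's .reg syntax: a bare [key] line creates the key, and a leading
    # hyphen inside the brackets ([-key]) deletes it (see the Microsoft KB above).
    $regPath = $AdminModeKey -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $on  = "Windows Registry Editor Version 5.00`r`n`r`n[$regPath]`r`n"
    $off = "Windows Registry Editor Version 5.00`r`n`r`n[-$regPath]`r`n"
    Set-Content -Path (Join-Path $OutDir 'AdminModeOn.reg')  -Value $on  -Encoding Ascii -NoNewline
    Set-Content -Path (Join-Path $OutDir 'AdminModeOff.reg') -Value $off -Encoding Ascii -NoNewline
}

# Example session: unlock for maintenance, confirm, then lock again and
# generate the two .reg files for use in the field.
Enable-AdminMode
Test-AdminMode      # expected: True
Disable-AdminMode
Test-AdminMode      # expected: False
Export-AdminModeRegFiles -OutDir $env:TEMP
```

Remember that the client only re-evaluates its location on the interval set in Step 1, so a policy change is not instantaneous after running Enable-AdminMode or importing the .reg file.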