Transition to Endpoint Security from SEP Cloud and SEP Small Business
search cancel

Transition to Endpoint Security from SEP Cloud and SEP Small Business

book

Article ID: 191487

calendar_today

Updated On:

Products

Endpoint Protection Cloud Endpoint Protection Small Business Edition (Cloud) Endpoint Security

Issue/Introduction

This document is designed for SEP Cloud (SEPC) and SEP Small Business Edition (SEP SBE) customers who are transitioning to Symantec Endpoint Security (SES Enterprise).

Note to SEPC customers: Your SES Enterprise subscription includes mobile device support, but mobile devices are currently managed separately from other device types. The information in this document about product setup is designed to help you transition servers, desktops, and laptops to SES Enterprise. Before you transition your mobile devices, see Getting started with Endpoint Protection Mobile.

Resolution

 

Top activities to complete before EOL date

SEP Cloud

  • Customers should export recovery keys to access encrypted devices after EOL.
    • Click Settings > Subscriptions > Export Recovery Keys and accept terms and responsibilities to download the keys.
    • Policies > Security Policies > Security Policy Details > Device Encryption > Export Recovery Keys and accept terms and responsibilities to download the keys.
  • Remove agent password protection. Go to Client Removal Settings and click Delete Password. If you have set password protection on client removal, then the automated cloud-managed agent uninstallation fails.
  • Customers should capture scheduled report generations settings and schedule the ones of most importance before EOL.
 

SEP SBE

  • Customers should review supported report generations and schedule the ones of most importance before EOL.
  • Customers should capture their licensing entitlements. In general, there is no export capability for this but screen captures can be taken for future reference if needed. 
  • Note: They should have emails for all their licenses from the time of purchase, renewal, and amendment generated by the subscription platform as well. 
  • Policies and Computers should be captured as well as there is also no export for policies and agents will not retain any custom Aliases if they are assigned. 

Preparing SES Enterprise for the transition

This document is designed for SEP Cloud (SEPC) and SEP Small Business Edition (SEP SBE) customers who are transitioning to Symantec Endpoint Security (SES).

Note to SEPC customers: Your SES subscription includes mobile device support, but mobile devices are currently managed separately from other device types. The information in this document about product setup is designed to help you transition servers, desktops, and laptops to SES. Before you transition your mobile devices, open the Symantec Endpoint Protection Mobile documentation and review the Getting Started topics.

Ensure you have access to SES Enterprise cloud console. Before you follow the steps you need to: 


Log in to the SES Enterprise cloud console and prepare for the transition.


Step 1: Review the policies applied to the Default device group

The Default device group already has a set of policies assigned to it. These policies are configured to provide optimal protection, but you may need to modify some settings for your environment – for example, if you use a proxy server or want to exclude certain files from security scans.

For more information, see Policies and Policy Groups or the video How to set up policies in your console.

To view the policies that are assigned to the Default device group:

In SES Enterprise, on the Devices page, on the Device Groups tab, in the Group Hierarchy pane, select Default. Then, in the pane on the right, select Policies. You can click any policy in the list to review its settings.

The following table lists some commonly customized security settings, the SES Enterprise policy that governs them, and the search term to use to get more information in the Symantec Endpoint Security documentation:

Configuration Type SES Enterprise Policy Type SES Enterprise TechDocs Search Term
Proxy server System proxy server configuration
Scan exclusions Whitelist policy scan exceptions
Firewall rules Firewall firewall management
File and printer sharing Device Control device control policy settings
Connected storage Device Control blocking or allowing an external device

Step 2: Reconfigure policy settings and create new policies if needed

You can modify any policy, including default policies. You don’t need to create new policies unless you created child device groups to which you need to apply different policy settings.

To update the policies applied to the default device group:

In SES Enterprise, go to the Policies page, click the policy you want to modify, and update the settings as needed. (Most settings include help buttons with links to detailed information about the setting.) When you save your changes, a new version of the policy is saved automatically, and you are prompted to apply the new version to the device group. Press Apply Policy to confirm.

To create new policies to apply to child device groups:

You can create a new policy from a template, or you can duplicate an existing policy.

For more information, see Creating a policy, Duplicating a policy, or the video How to set up policies in your console.

To apply policies to child device groups:

Any child device groups that you added will automatically inherit policy settings from the parent (Default) device group. However, you can apply specific policies with different settings directly to child device groups and the child group will use the directly applied policy instead of the equivalent policy that is applied to the parent group.

For more information, see Applying a policy to a device group, or the video How to set up policies in your console.

Getting started with SES Enterprise

See the video to help get started with SES Enterprise.

Enrolling your devices in SES Enterprise

SES Enterprise provides multiple methods that you can use to enroll devices. Depending on the type of device, you can use push-enrollment or create and distribute installation packages.

Step 1: Identify the devices that you want to enroll

You can use the SES Enterprise device discovery feature to find all devices in your network that aren’t currently managed by SES Enterprise. To perform device discovery, you first have to enroll a Windows device and make it a discovery agent.

For more information, see Adding a discovery agent to find unmanaged devices and Finding devices for enrollment.

You can easily review all devices that are discovered and sort them by operating system or other relevant criteria to help you plan enrollment.

To view discovered devices:

In SES Enterprise, on the Devices page, select the Unmanaged Devices tab, which lists all discovered devices that aren’t yet managed by SES Enterprise.

Note: Discovery is a way to keep track of your overall device transition process because the Unmanaged Devices tab lists only those devices that haven’t yet been enrolled in SES Enterprise. You can rerun discovery as often as you need to until all devices have been enrolled, after which they appear in the Managed Devices tab.

Step 2: Enroll your devices in SES Enterprise

SES Enterprise provides several methods to enroll devices. You can push enroll most Windows devices and you can create and distribute installation packages for Windows, Mac, and Linux.

For an overview of all enrollment options, see Installation methods for the Symantec Agent.

For details about push enrollment, see Enrolling unmanaged devicesViewing push enrollment status, or the video How to deploy the endpoint agent from the cloud console.

About un-enrolling devices from SEPC or SEP SBE

You can un-enroll all devices from SEPC or SEP SBE before you enroll them in SES Enterprise, but in many cases, this isn’t necessary. If you want to “over-enroll” devices - that is, enroll devices in SES Enterprise that are currently enrolled in SEPC or SEP SBE - we recommend that you test the process with each device type in your environment first.

Note: The exact actions performed during un-enrollment vary based on the device type: the process may revert the client on the device to unmanaged status or uninstall the client from the device. For more information, see the SEPC or SEP SBE help topics on un-enrolling devices.

Enrolling your mobile devices in SEP Mobile

Several methods are available to enroll devices in SEP Mobile, depending on your needs and environment. For an overview, see About adding users and devices. The option that is applicable to most SEPC customers is to add users to SEP Mobile, who are then automatically invited to enroll their own devices.

Before you do so, however, decide whether you want users to “over-enroll” iOS and Android devices that are already enrolled in SEPC. You should test the process with representative device types before you continue. If necessary, you can un-enroll mobile devices first, as described in the SEPC help. And if you have any issues, see the following section of this document for troubleshooting tips.

Troubleshooting any enrollment issues that occur

You can troubleshoot issues with any devices that don’t enroll seamlessly. For example, some devices may require different credentials to complete push enrollment, or you may need to un-enroll some devices from SEPC or SEP SBE before you enroll them in SES Enterprise.

Note: If you use the SES Enterprise push enrollment option to enroll Windows devices, the push enrollment status page will provide information about any issues. You may be able to fix a problem and try the push enrollment again.

If another option isn’t applicable, un-enroll the device completely from SEPC or SEP SBE and then perform a fresh enrollment into SES Enterprise. You can perform the following tasks, in the order listed, until the problem is resolved:

  • Un-enroll a device from the SEPC or SEP SBE console
  • Uninstall the client manually on a device
  • Run a removal tool on a device

For specific options and methods not covered in the SEPC or SEP SBE help, see Failed uninstall of the Symantec Endpoint Protection Cloud (SEPC) agent.

Additional Information

Videos

How to set up policies in your console

How to deploy the endpoint agent from the cloud console.

Attachments

1600472684927__【日本語版】Transitioning to Symantec Endpoint Security June 2020.pdf get_app
1590419868651__Transitioning to Symantec Endpoint Security v1 May 2020.pdf get_app