Symantec Endpoint Security Agent not restarting with Windows logoff operation and new user login
Article ID: 420335

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Symantec Endpoint Security Agent (ESA) is installed on Windows 11 (the logged-in user is user1) with SAML authentication enabled (the 'Identify Traffic' option under 'Cloud SWG settings' in the assigned Agent management policy).

After the ESA is installed, the user is prompted to log in to the SAML Identity Provider (IdP); once this is completed, the user can browse to any website via Cloud SWG.

If user1 then logs off and a different user logs into the workstation as user2, the ESA agent does not restart, and all of user2's browsing via Cloud SWG is attributed to user1.

By contrast, when the WSS Agent is installed on Windows 11, a logoff restarts the agent and the newly logged-in user is challenged to authenticate to the SAML IdP.

Environment

Symantec Endpoint Security Agent.

Windows.

Cause

Working as designed. Because ESA shares services with other products, it does not restart when users log off (the system services run globally for all users).

Resolution

If SAML authentication is required and the administrator cannot 'Identify Traffic' based on the console user, a Windows scheduled task can be created (and deployed via a GPO applicable to the relevant domains/groups/users/computers) that runs a RECONNECT operation at each login.

Using the Windows Task Scheduler, create a task that runs the command "agentcli swg -p samlLogoutOnNextReconnect=true --reconnect" with administrative privileges whenever a user logs in, following these step-by-step instructions:

1. Open Task Scheduler: Search for Task Scheduler in the Windows Start menu and open it.

2. Create a New Task: In the Actions pane on the right, click Create Task...

3. General Tab Configuration: Add the following information here.

  • Name: Give the task a descriptive name, e.g., "Run AgentCLI on Login".
  • Description: (Optional) Add a description.
  • Security options:
    • Select Run whether user is logged on or not. This is often required for elevated privileges.
    • Check the box for Run with highest privileges. This ensures the task runs in admin mode.
    • From the Configure for: dropdown, select your current Windows version.

4. Triggers Tab Configuration: Click the Triggers tab, then click New... and configure the trigger as follows:

  • Begin the task: Select At log on.
  • Settings: Choose Any user (or a specific user if preferred).
  • Ensure Enabled is checked, and click OK.

5. Actions Tab Configuration: This is where you specify the command and its arguments. The command needs to be executed by the Command Prompt (cmd.exe) using the /C switch to run the command and then close.

  • Click the Actions tab, then click New...
  • Action: Select Start a program.
  • Program/script: Type cmd.exe
  • Add arguments (optional): Enter the full command prefixed with /C:
    /C "C:\Program Files\Broadcom\Endpoint Security Agent\CurrentVersion\bin64\agentcli" swg -p samlLogoutOnNextReconnect=true --reconnect
  • Click OK.

6. Settings and Final Review: Click the Settings tab and ensure the following options are checked (the default settings are usually fine).

  • Allow task to be run on demand
  • Stop the task if it runs longer than: 3 days
  • Click OK to save the task. You may be prompted to enter your user account password to complete the security configuration.

The task is now configured to run your specified command with administrative privileges every time a user logs into Windows.
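The same task can be registered without the GUI, which is convenient when it is deployed by script or GPO. The following PowerShell is an added example, not part of the article; it assumes the agentcli path shown above and uses a placeholder account for the "run whether user is logged on or not" principal.

```powershell
# Added example (not from the article): register the logon task from an elevated
# PowerShell prompt, mirroring steps 3-6 of the Task Scheduler instructions.

$TaskName = 'Run AgentCLI on Login'
$AgentCli = 'C:\Program Files\Broadcom\Endpoint Security Agent\CurrentVersion\bin64\agentcli'
$TaskUser = 'DOMAIN\TaskAdmin'   # placeholder: admin account the task runs under

# Step 5: cmd.exe /C "<agentcli>" swg -p samlLogoutOnNextReconnect=true --reconnect
# Single quotes keep the inner double quotes, so the space-containing path stays quoted.
$Action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument ('/C "{0}" swg -p samlLogoutOnNextReconnect=true --reconnect' -f $AgentCli)

# Step 4: begin the task "At log on" for any user.
$Trigger = New-ScheduledTaskTrigger -AtLogOn

# Step 3: "Run whether user is logged on or not" (S4U avoids storing a password)
# and "Run with highest privileges".
$Principal = New-ScheduledTaskPrincipal -UserId $TaskUser -LogonType S4U -RunLevel Highest

# Step 6: allow on-demand runs and stop the task if it runs longer than 3 days.
$Settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Days 3) `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName `
    -Description 'Forces an ESA reconnect with SAML logout at each user logon' `
    -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings

# Verify the registration and inspect the last run result after the next logon.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```

Because the task runs elevated at every logon, keep the agentcli path fully quoted as shown and confirm that only administrators can write to the agent's bin64 directory.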

Additional Information

Windows Task Scheduler options.