This document is designed for SEP Cloud (SEPC) and SEP Small Business Edition (SEP SBE) customers who are transitioning to Symantec Endpoint Security (SES Enterprise).
Note to SEPC customers: Your SES Enterprise subscription includes mobile device support, but mobile devices are currently managed separately from other device types. The information in this document about product setup is designed to help you transition servers, desktops, and laptops to SES Enterprise. Before you transition your mobile devices, see Getting started with Endpoint Protection Mobile.
This document is designed for SEP Cloud (SEPC) and SEP Small Business Edition (SEP SBE) customers who are transitioning to Symantec Endpoint Security (SES).
Note to SEPC customers: Your SES subscription includes mobile device support, but mobile devices are currently managed separately from other device types. The information in this document about product setup is designed to help you transition servers, desktops, and laptops to SES. Before you transition your mobile devices, open the Symantec Endpoint Protection Mobile documentation and review the Getting Started topics.
Ensure you have access to SES Enterprise cloud console. Before you follow the steps you need to:
Log in to the SES Enterprise cloud console and prepare for the transition.
The Default device group already has a set of policies assigned to it. These policies are configured to provide optimal protection, but you may need to modify some settings for your environment – for example, if you use a proxy server or want to exclude certain files from security scans.
In SES Enterprise, on the Devices page, on the Device Groups tab, in the Group Hierarchy pane, select Default. Then, in the pane on the right, select Policies. You can click any policy in the list to review its settings.
The following table lists some commonly customized security settings, the SES Enterprise policy that governs them, and the search term to use to get more information in the Symantec Endpoint Security documentation:
|Configuration Type||SES Enterprise Policy Type||SES Enterprise TechDocs Search Term|
|Proxy server||System||proxy server configuration|
|Scan exclusions||Whitelist||policy scan exceptions|
|Firewall rules||Firewall||firewall management|
|File and printer sharing||Device Control||device control policy settings|
|Connected storage||Device Control||blocking or allowing an external device|
You can modify any policy, including default policies. You don’t need to create new policies unless you created child device groups to which you need to apply different policy settings.
In SES Enterprise, go to the Policies page, click the policy you want to modify, and update the settings as needed. (Most settings include help buttons with links to detailed information about the setting.) When you save your changes, a new version of the policy is saved automatically, and you are prompted to apply the new version to the device group. Press Apply Policy to confirm.
You can create a new policy from a template, or you can duplicate an existing policy.
Any child device groups that you added will automatically inherit policy settings from the parent (Default) device group. However, you can apply specific policies with different settings directly to child device groups and the child group will use the directly applied policy instead of the equivalent policy that is applied to the parent group.
See the video to help get started with SES Enterprise.
SES Enterprise provides multiple methods that you can use to enroll devices. Depending on the type of device, you can use push-enrollment or create and distribute installation packages.
You can use the SES Enterprise device discovery feature to find all devices in your network that aren’t currently managed by SES Enterprise. To perform device discovery, you first have to enroll a Windows device and make it a discovery agent.
For more information, see Adding a discovery agent to find unmanaged devices and Finding devices for enrollment.
You can easily review all devices that are discovered and sort them by operating system or other relevant criteria to help you plan enrollment.
In SES Enterprise, on the Devices page, select the Unmanaged Devices tab, which lists all discovered devices that aren’t yet managed by SES Enterprise.
Note: Discovery is a way to keep track of your overall device transition process because the Unmanaged Devices tab lists only those devices that haven’t yet been enrolled in SES Enterprise. You can rerun discovery as often as you need to until all devices have been enrolled, after which they appear in the Managed Devices tab.
SES Enterprise provides several methods to enroll devices. You can push enroll most Windows devices and you can create and distribute installation packages for Windows, Mac, and Linux.
For an overview of all enrollment options, see Installation methods for the Symantec Agent.
For details about push enrollment, see Enrolling unmanaged devices, Viewing push enrollment status, or the video How to deploy the endpoint agent from the cloud console.
You can un-enroll all devices from SEPC or SEP SBE before you enroll them in SES Enterprise, but in many cases, this isn’t necessary. If you want to “over-enroll” devices - that is, enroll devices in SES Enterprise that are currently enrolled in SEPC or SEP SBE - we recommend that you test the process with each device type in your environment first.
Note: The exact actions performed during un-enrollment vary based on the device type: the process may revert the client on the device to unmanaged status or uninstall the client from the device. For more information, see the SEPC or SEP SBE help topics on un-enrolling devices.
Several methods are available to enroll devices in SEP Mobile, depending on your needs and environment. For an overview, see About adding users and devices. The option that is applicable to most SEPC customers is to add users to SEP Mobile, who are then automatically invited to enroll their own devices.
Before you do so, however, decide whether you want users to “over-enroll” iOS and Android devices that are already enrolled in SEPC. You should test the process with representative device types before you continue. If necessary, you can un-enroll mobile devices first, as described in the SEPC help. And if you have any issues, see the following section of this document for troubleshooting tips.
You can troubleshoot issues with any devices that don’t enroll seamlessly. For example, some devices may require different credentials to complete push enrollment, or you may need to un-enroll some devices from SEPC or SEP SBE before you enroll them in SES Enterprise.
Note: If you use the SES Enterprise push enrollment option to enroll Windows devices, the push enrollment status page will provide information about any issues. You may be able to fix a problem and try the push enrollment again.
If another option isn’t applicable, un-enroll the device completely from SEPC or SEP SBE and then perform a fresh enrollment into SES Enterprise. You can perform the following tasks, in the order listed, until the problem is resolved:
For specific options and methods not covered in the SEPC or SEP SBE help, see Failed uninstall of the Symantec Endpoint Protection Cloud (SEPC) agent.