ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Recommended policies and settings for unmanaged client installation packages

book

Article ID: 151580

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You need to create a Windows installation package for unmanaged Symantec Endpoint Protection (SEP) clients, with custom policies and settings. You may also want to prevent users from making changes to your configuration.

Resolution

Follow these guidelines to create an unmanaged client installation package with customized policies and settings.

Note: While this process includes the custom settings and policies you want in a client installation package, you may be unable to edit or alter those settings and policies after client installation. Unmanaged clients are not meant to be managed, which is what these guidelines do with managed policies. Please test the package you create and ensure that this is the behavior you want before you deploy in a large scale environment.


I. Create a client group, configure custom policies

Even though the clients you want to export are unmanaged and do not check in with SEPM, create a custom client group to configure a specific set of policies that apply only to unmanaged clients.

  1. Create a new top level group, or create a child to an existing group.
    See Adding a group.
  2. Disable policy inheritance for the group.
    See Disabling a group's inheritance.
  3. Open each policy and settings to make the changes you want. Be sure to change both Location-independent Policies and Settings and Location-specific Policies and Settings.
    If you encounter a shared policy, click Copy to non-shared, and then make your changes.
    See Converting a shared policy to a non-shared policy.

You also can lock or unlock options to restrict or allow the user different levels of control over the SEP UI.

II. Allow user to run LiveUpdate, and add / modify schedules

Since the client is unmanaged, it doesn’t need to check into a management server, but it does need to check Symantec’s public LiveUpdate server.

For the LiveUpdate policy for your client group, use the following settings:

  • Server Settings: Uncheck Use the default management server (Windows computers only). Check Use a LiveUpdate server.
  • Schedule: Check Enable LiveUpdate Scheduling, and then create a schedule if you do not want the default of every four hours.
  • Advanced Settings: Check Allow the user to manually launch LiveUpdate and Allow the user to modify the LiveUpdate schedule.

III. Keep the policies under management server control

If you want to keep control over your policy changes and prevent the user from making changes, set the client to Server Control.

  1. Click Location-specific Settings.
  2. Next to Client User Interface Control Settings, click Tasks > Edit Settings.
  3. Click Server Control, and then click OK.

Choosing Client Control may prevent any custom firewall policy from being applied.

IV. Create a set of custom client installation settings

These settings control how the user interacts with the installation package, how the computer restarts after installation, and so on. You may want to set the installation type to Interactive to allow user interaction during installation.

See Creating custom client installation settings.

V. Create a custom client feature set

Feature sets determine which protection technologies are installed.

See Configuring Windows client installation feature sets.

VI. Export the installation package

When you export the client installation package, you select the Client Install Settings and the Client Installation Feature Set that you created. Assign the package to your custom group by checking the box next to it, but also click Export an unmanaged client.

You should export it as a single .exe file.

See Exporting client installation packages.

VII. Deploy the installation package

You can copy the folder that contains the setup.exe file to the computers to which you want to install it, either through a shared network folder, or by copying it to a USB drive. Once setup.exe is copied to the computer, double-click it to begin the installation. If you chose Interactive mode, follow the prompts.

See Installing an unmanaged Windows client.

If the computer is on the network, you can also deploy the package through Remote Push.

See Installing clients with Remote Push.