1. Introduction
As Symantec Endpoint Protection administrator you may want to prevent your users from changing settings set from the console, like stopping scheduled scans, disabling autoprotect, etc. This article will explain how to achieve at as well as how to customize these and similar settings to fit into your environment.
2. Preventing users from changing policy elements.
When you define the settings to be applied to your policies you will probably want most of them to stay as they are, at least for most of your users. On the other hand you may need some of the users, for example in a lab, to be able to disable autoprotect. Symantec Endpoint Protection Manager enables you to lock all important setting one by one. You decide what can be change by users and what stays as you set it.
When you edit any policy, next to policy settings you can see a padlock icon. If it is locked
it simply means that the option cannot be changed from the client side.
If you unlock it,
the same setting can be changed.
Remember that for you settings to be applied correctly on the clients, the policy on client machines must be updated.
3. Locking client user interface
You can customize your users’ experience with SEP user interface by opening Clients and going to Policies tab. Then expand Location-specific settings and click on a link next to Client User Interface Control Settings. You should see a windows similar to this:
You have three options to choose:
- Client control will give all the control to the client. Users will be able to change all settings just like on an unmanaged client although the client machine will remain in contact with SEPM.
- The second option is server control where you can choose (click on Customize…) which elements of user interface will be available for the users.
Please note two first options: Display the notification area icon (when unchecked will make Symantec try icon disappear but the client still will be able to be opened from Start menu or shortcut) and Display the client (when unchecked client GUI will not be displayed and if SEP is selected in the Start menu it will give the error message below).
- Mixed mode will allow you to select exactly which elements should be controlled by you and which by the users. Mind that if you wish to edit the settings on Client User Interface Settings tab you will need to leave the corresponding setting on the tab Client/Server Control Settings on the server’s side.
Please also note that these settings are assigned to locations and not to groups. If you have multiple locations for the groups you should change it for every one of them.
You can also install SEP client without putting SEP icon in the Start Menu. When you export the installation package use your custom Client Installation Settings with Add the program to the Start Menu option unchecked:
4. Securing the client
You can protect the user interface and some actions on SEP client by a password. Open clients window and select the group and go to Policies tab. In the part called Location-independent Policies and Settings, click on General setting, select Security Settings tab and you will see the following window:
where you can set your password and select what it should protect.
To be sure that Symantec software is protected from shutting down you can setup Tamper Protection. In the same window go to Tamper Protection Tab and select the action (block or log only) executed when Tamper Protection detects an attempt to tamper SEP process.
More information about tamper protection can be found here:
How to configure Tamper Protection in Symantec Endpoint Protection 11.0
http://www.symantec.com/business/support/index?page=content&id=TECH102529&locale=en_US