Endpoint Protection

I have SEPM 12.1.5. Need information on :

How to apply Host Integrity to install and Update SEP client if not present on client systems.

Also, I have not found any article to ADD SNAC component for SEPM neither it is available for download. How to add SNAC for SEPM 12.1.5?

I have this setting under HI. There is no SEP client on one client system. What am I doing wrong as this is not working? Please suggest.

Have you apply Host Integrity policy ?

Yes, this is applied on the 'clients' group folder, from where this client has been exported from.

Have you purchased NAC license ?

See Chetan Articles

Host Integrity, Peer-to-peer enforcement, and Quarantine policies, formerly part of Symantec Network Access Control, are now available for all users, regardless of whether or not they had purchased a SNAC license. This change does not grant users access to the NAC portion of the product, which still requires a Network Enforcer and a SNAC license that has been purchased separately. It should also be noted that this change does not apply to the Small Business Edition version of the SEP product. There is no actual change in Host Integrity or SNAC functionality related to this enhancement

https://www-secure.symantec.com/connect/articles/whats-new-sepm-121-ru5-user-interface-differences

There is no option to download SNAC from the list of downloads available. How can I download SNAC seperately? Licenses are present, no issues there.

I suggest you can contact symantec support same issue related NAC.

https://www-secure.symantec.com/connect/forums/nac-feature-missing-client

SNAC is now part of 12.1.5. Do you see the policy from within 12.1.5 SEPM?

You just need to apply a policy to the group to make it active. SNAC service is installed with SEP client be default.

The Host Integrity Policy - runs portions of SNAC but is not the full SNAC implementation. The Host Integrity Policies in the new 12.1 RU 5 client need that client to function it is not retroactive.

The SNAC components are being disassembled and absorbed into thier prosepective - Symantec offerings - SEP, SEE/WDE, DLP, e-mail, and CSP. The Network enforcer appliance would have been what you would need to scan and apply policy on a system that did not already have SEP on it.

The Host Integrity policy in SEP 12.1 RU5 can monitor the SEP client and report if it is working or not, it can force remediations to restart services, and reboot the system to remediate out of scope findings.

However, it does not actively scan for or install the client itself, as it needs pieces of 12.1 RU 5 to be on the system to run.

If you are looking for older clients or abandoned clients from previous versions you can run a SEP UNMANAGED DETECTOR for the subnets in your environment - I would think if it is for a large scale or multiple subnet building a NIC with a network SPAN or R_SPAN would do nicely.

The new Host Integrity policy can remeidate things like Windows Patches, VPN clients, Service Packs for the OS, install Adobe products. All of this is by utilizing scripts and, network shares, proper credentials to force the remediations.

This resolutions can be forced (no user interaction required), suggested (re-directed to a sandbox or URL), reported only (notification sent via email), or refused and the client terminates the process until fixed.

Also one thing of note if you are trying to install the client or a patch from any Network based share - pay attention to the length of the name used for the share, as Windows based OS's do not take kindly to share names past 255 characters including spaces and slashes or too deep in a folder path.

using the default name for the SEP client can be problematic --

I use \\<server>\INSTALLERS\CLIENT\32 & \64 - setup.exe only

\\<server>\INSTALLERS\SRVR\32 & \64 - setup.exe only

ever since I have not had an issue installing remotely to devices.

Also if you want your clients to pull the upgrade you could just use the client installer groups and skip the whole Intergity policy.

Clearly @InfoSecHealthCare provided the solution. Your HI policy as written will fail - because look clearly it says "Antivirus application that must be installed and running." You even admit: "There is no SEP client on one client system." You are using HI in a way that it is not designed. Use Unmanaged Detector to collect your targeted endpoints and although not mentioned by @InfoSecHealthCare use your SEPM to deploy the SEP client software. @InfoSecHealthCare gets credit for this solution.