Preparing Windows and Mac computers for remote deployment

Before you deploy Symantec Endpoint Protection from Symantec Endpoint Protection Manager, you must take steps to prepare the computers to ensure a successful remote installation. These steps pertain only to remote installation. You can reverse these changes afterward, but you must apply them again to perform another remote installation.
Tasks to prepare all computers for remote deployment lists the tasks that you must perform on all computers to which you plan to remotely deploy the Symantec Endpoint Protection client.
Windows remote deployment preparation tasks lists the additional tasks that you must perform on Windows computers. See your Windows documentation for more information on any tasks you do not know how to perform.
Mac remote deployment preparation tasks lists the additional tasks that you must do on Mac computers. See your Mac documentation for more information on any tasks you do not know how to perform.
You cannot deploy the Symantec Endpoint Protection client to Linux computers remotely from Symantec Endpoint Protection Manager.
Tasks to prepare all computers for remote deployment
Task
Details
Have administrative rights to your client computers
If the client computer is part of an Active Directory domain, you should use domain administrator account credentials for a remote push installation. Otherwise, have the administrator credentials available for each computer to which you deploy.
Modify firewall settings
Modify firewall settings to allow communication between Symantec Endpoint Protection components.
Uninstall existing third-party security software
Uninstall any third-party security software currently in use. For Windows computers, Symantec Endpoint Protection version 12.1 RU1 MP1 and later includes a tool to help automatically uninstall select third-party security software. You must separately uninstall any security software that this tool does not uninstall.
Some programs may have special uninstallation routines, or may need to have a self-protection component disabled. See the documentation for the third-party software.
You configure this tool before you deploy, and the uninstallation occurs before Symantec Endpoint Protection installs.
Uninstall Symantec Endpoint Protection clients that do not uninstall normally
As of 14, you can uninstall an existing installation of the Symantec Endpoint Protection client for Windows. You should only use this option if the existing Symantec Endpoint Protection installation does not uninstall normally. You should not use this option as part of a standard deployment.
You configure this tool before you deploy, and the uninstallation occurs before Symantec Endpoint Protection installs.
Uninstall unsupported or consumer Symantec security software
Uninstall any unsupported Symantec security software, such as Symantec AntiVirus or Symantec Client Security. Migration directly from these products is not supported.
You must also uninstall any consumer-branded Symantec security products, such as Norton Internet Security.
See the documentation for your Symantec software for information about uninstallation.
Windows remote deployment preparation tasks
Operating system
Tasks
Prepare Windows XP computers and Windows Server 2003 servers that are installed in workgroups
(12.1.x only)
Windows XP computers and Windows Server 2003 servers that are installed in workgroups do not accept remote deployment by default. To permit remote deployment, disable Simple File Sharing.
This limitation does not apply to computers that are part of an Active Directory domain.
You may also need to ensure that the Administrator account does not have a blank password.
Prepare Windows Vista, Windows 7, or Windows Server 2008 / 2008 R2 computers
Windows User Account Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable the registry key LocalAccountTokenFilterPolicy.
To disable UAC remote restrictions, see:
Perform the following tasks:
  • Disable the Sharing Wizard.
    The Sharing Wizard prevents more advanced sharing options from working during Remote Push.
  • Enable network discovery by using the Network and Sharing Center.
    Network discovery lets you browse the network. You do not need it to search the network.
  • Enable the built-in administrator account and assign a password to the account.
    Remote Push fails when the local administrator account has a blank password.
    If the Windows client computer is part of an Active Directory domain, use domain administrator account credentials with local administrator privileges for Remote Push.
  • Verify that the account with which you push the installation has administrator privileges.
  • Enable and start the Remote Registry service.
  • Disable or remove Windows Defender.
Consult the operating system's documentation for guidance on how to successfully complete these tasks.
Prepare Windows 8 / 8.1 or later, or Windows Server 2012 / 2012 R2 or later computers
Before you deploy, perform the following tasks:
  • Disable the registry key LocalAccountTokenFilterPolicy.
    To disable UAC remote restrictions, see:
  • Enable and start the Remote Registry service.
  • Disable or remove Windows Defender.
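
Because these Windows changes can be reversed after the push, the following added PowerShell example (not Symantec's tooling; the function names and the snapshot path are hypothetical) records the LocalAccountTokenFilterPolicy value and the Remote Registry service state before preparation and restores them afterward. It assumes Windows PowerShell 5.1 or later in an elevated session on the client computer.

```powershell
#Requires -RunAsAdministrator
# Added example: snapshot and restore the two settings this page asks you to relax.
# Function names and the snapshot file path are hypothetical.
$UacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacName = 'LocalAccountTokenFilterPolicy'

function Get-PushPrepState {
    # A missing value behaves like 0: remote UAC restrictions stay in force.
    # A value of 1 gives local administrators a full token over the network.
    $uac = (Get-ItemProperty -Path $UacKey -Name $UacName -ErrorAction SilentlyContinue).$UacName
    $svc = Get-Service -Name RemoteRegistry
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        TokenFilterPolicy   = $uac                    # $null when the value is absent
        RemoteRegistryStart = [string]$svc.StartType  # Automatic, Manual or Disabled
        RemoteRegistryState = [string]$svc.Status     # Running or Stopped
    }
}

function Save-PushPrepBaseline([string]$Path) {
    # Run this BEFORE making the preparation changes.
    Get-PushPrepState | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Restore-PushPrepBaseline([string]$Path) {
    # Run this AFTER the client has installed; returns the resulting state.
    $b = Get-Content -Path $Path -Raw | ConvertFrom-Json
    if ($null -eq $b.TokenFilterPolicy) {
        # The value did not exist before preparation, so remove it again.
        Remove-ItemProperty -Path $UacKey -Name $UacName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $UacKey -Name $UacName -Type DWord `
            -Value ([int]$b.TokenFilterPolicy)
    }
    Set-Service -Name RemoteRegistry -StartupType $b.RemoteRegistryStart
    if ($b.RemoteRegistryState -ne 'Running') {
        Stop-Service -Name RemoteRegistry -Force
    }
    Get-PushPrepState
}

# Constructed usage; the path is a placeholder:
#   Save-PushPrepBaseline    -Path 'C:\ProgramData\push-prep-baseline.json'
#   ...apply the preparation tasks, push the client...
#   Restore-PushPrepBaseline -Path 'C:\ProgramData\push-prep-baseline.json'
```

Comparing the object returned by Restore-PushPrepBaseline with the saved file confirms that no computer is left with remote UAC restrictions relaxed or Remote Registry running once deployment is finished.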
Mac remote deployment preparation tasks
Operating system
Tasks
Prepare the Mac computers on any supported operating system
Before you deploy, perform the following tasks on the Mac computers:
  • Click System Preferences > Sharing > Remote Login and either allow access for all users, or only for specific users, such as Administrators.
  • If you use the Mac firewall, disable stealth mode. With stealth mode enabled, the remote push installation cannot discover the client through Search Network.
    To disable stealth mode on the Mac, see the following article and select your version of the Mac operating system.
  • Ensure that the firewall does not block the port that Secure Shell (SSH) uses. By default, this port is TCP port 22. This port allows the required communication for remote logon.
  • The Bonjour service does not support IPv6 networking. To ensure that Browse Network or Search Network displays these Macs, ensure that they also have IPv4 networking enabled.
    IPv6 networking is supported as of 14.2.