Preventing users from disabling protection on client computers

As the Symantec Endpoint Protection Manager administrator, you prevent users from disabling protection on the client computer by setting the user control level or by locking the policy options. For example, the firewall policy uses a control level, whereas the Virus and Spyware Protection policy uses a lock.
Symantec recommends that you prevent users from disabling protection at all times.
What are the user control levels?
You use the user control levels to give the client user control of specific features. The user control level also determines whether the client user interface can be completely invisible, display a partial set of features, or display in full.
User control levels

Server control
Gives the users the least control over the client. With server control, the user can make changes to unlocked settings, but they are overwritten at the next heartbeat.

Client control
Gives the users the most control over the client. Client control allows users to configure the settings. Client-modified settings take precedence over server settings. They are not overwritten when the new policy is applied, unless the setting has been locked in the new policy.
Client control is useful for employees who work in a remote location or a home location.
The user must be in a Windows administrators group to change any of the settings in Client control mode or Mixed control mode.

Mixed control
Gives the user a mixture of control over the client. You determine which options you let users configure by setting the option to Server control or to Client control. For those items that are under client control, the user retains control over the setting. For those items that are under server control, you retain control over the setting.
For the Windows client, you can configure all the options. For the Mac client, only the notification area icon and some IPS options are available in server control and client control.

Clients that run in Client control or Mixed control switch to Server control when the server applies a Quarantine policy.
Changing the user control level
Some managed settings have dependencies. For example, users may have permission to configure firewall rules, but cannot access the client user interface. Because users do not have access to the Configure Firewall Rules dialog box, they cannot create rules.
To change the user control level
  1. In the console, click Clients.
  2. Under View Clients, select the group, and click the Policies tab.
  3. Under Location-specific Policies and Settings, under the location you want to modify, expand Location-specific Settings.
  4. Next to Client User Interface Control Settings, click Tasks > Edit Settings.
  5. In the Client User Interface Control Settings dialog box, do one of the following:
     • Click Server control, and then click Customize. Configure any of the settings, and then click OK.
     • Click Client control.
     • Click Mixed control, and then click Customize. Configure any of the settings, and then click OK.
  6. Click OK.
Locking and unlocking policy settings
You can lock and unlock some policy settings. Users cannot change locked settings. A padlock icon appears next to a lockable setting. You can lock and unlock Virus and Spyware Protection settings, Tamper Protection settings, Submissions settings, and intrusion prevention settings.
Preventing users from disabling specific protection technologies
If you set the client to Mixed control or Server control but do not lock the options, then the user can change the settings. These changes remain in place until the next heartbeat with Symantec Endpoint Protection Manager. Locking the policy options in the various policies ensures that the user cannot make any changes to the settings, even in Client control.
Windows users who are not in the Administrators group cannot change settings in the Symantec Endpoint Protection client user interface, regardless of the Location-specific Settings configuration. Windows 10 Administrators can still disable the product through the notification area icon even after you set these options. However, they cannot disable the individual protection technologies through the client user interface.
If you do not want to change policies for all groups, disable policy inheritance on the group on which you want to make changes. If you edit a shared policy, the edited policy applies to every group to which the shared policy applies, even with policy inheritance disabled.
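The following Python model is added here as an illustration; it is not part of the Symantec documentation or product. It encodes the rules stated in the user control levels table and in this section: under server control a user edit to an unlocked setting is overwritten at the next heartbeat, under client control the edit persists unless the setting is locked, under mixed control the outcome depends on which side owns the option, a locked setting cannot be changed at all, a user outside the Windows Administrators group cannot change anything, and a Quarantine policy forces server control. The setting names are the page's UI labels used as plain dictionary keys; the data structures, the reading that a server-owned option under mixed control behaves like server control (editable but overwritten), and the sample group policy are this example's own assumptions. The audit helper lists the options a local administrator could still turn off and keep off, which is the condition the recommendation above asks you to eliminate.

```python
"""Toy model of Symantec Endpoint Protection Manager user control levels and
policy locks, written for this page as an added illustration. Not product code:
the rules come from the page text, the setting names are the page's UI labels
used as dictionary keys, and the data structures are this example's own.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List


class Control(Enum):
    SERVER = "server control"
    CLIENT = "client control"
    MIXED = "mixed control"


@dataclass(frozen=True)
class PolicySetting:
    """One lockable or user-assignable option in a policy (example construct)."""
    value: bool
    locked: bool = False
    # Consulted only under mixed control: the side that owns the option.
    owner: Control = Control.SERVER


@dataclass
class GroupPolicy:
    control: Control
    settings: Dict[str, PolicySetting]
    quarantined: bool = False  # a Quarantine policy has been applied

    def effective_control(self) -> Control:
        # Client control and Mixed control switch to Server control when the
        # server applies a Quarantine policy.
        return Control.SERVER if self.quarantined else self.control

    def user_owns(self, name: str) -> bool:
        """Does the client-side value of this option win over the server's?"""
        ctl = self.effective_control()
        if ctl is Control.SERVER:
            return False
        if ctl is Control.CLIENT:
            return True
        return self.settings[name].owner is Control.CLIENT


def user_may_change(policy: GroupPolicy, name: str, is_windows_admin: bool) -> bool:
    """Can the interactive user edit this option in the client UI at all?

    Non-administrators cannot change anything regardless of control level, and
    a locked option cannot be changed even in Client control. Everything else
    is editable; whether the edit survives is decided by after_heartbeat().
    """
    if not is_windows_admin:
        return False
    return not policy.settings[name].locked


def after_heartbeat(policy: GroupPolicy, user_changes: Dict[str, bool],
                    is_windows_admin: bool) -> Dict[str, bool]:
    """Effective values once the client has applied the policy.

    A user edit persists only if the user was allowed to make it and the option
    is user-owned; otherwise the server's value is (re)applied.
    """
    effective = {}
    for name, setting in policy.settings.items():
        value = setting.value
        if (name in user_changes
                and user_may_change(policy, name, is_windows_admin)
                and policy.user_owns(name)):
            value = user_changes[name]
        effective[name] = value
    return effective


def persistently_disableable(policy: GroupPolicy) -> List[str]:
    """Audit helper: options a local administrator can turn off and keep off.

    An empty list means no protection in this group can be disabled by the
    user beyond the next heartbeat.
    """
    return sorted(name for name in policy.settings
                  if user_may_change(policy, name, True) and policy.user_owns(name))


# Constructed sample group: mixed control, Auto-Protect locked, SONAR unlocked
# but server-owned, firewall on/off delegated to the user.
SAMPLE_POLICY = GroupPolicy(
    control=Control.MIXED,
    settings={
        "Enable Auto-Protect": PolicySetting(True, locked=True),
        "Enable SONAR": PolicySetting(True, owner=Control.SERVER),
        "Firewall enabled": PolicySetting(True, owner=Control.CLIENT),
    },
)

# Constructed attempt: a local administrator switches everything off.
SAMPLE_CHANGES = {"Enable Auto-Protect": False, "Enable SONAR": False,
                  "Firewall enabled": False}

if __name__ == "__main__":
    print(after_heartbeat(SAMPLE_POLICY, SAMPLE_CHANGES, is_windows_admin=True))
    print("user can keep disabled:", persistently_disableable(SAMPLE_POLICY))
    hardened = replace(SAMPLE_POLICY, settings={
        **SAMPLE_POLICY.settings,
        "Firewall enabled": PolicySetting(True, owner=Control.SERVER)})
    print("after taking back the firewall option:",
          persistently_disableable(hardened))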
To prevent users from disabling the firewall or Application and Device Control
  1. In the console, click
    Clients
    .
  2. Click the client group that you want to restrict, and then click the
    Policies
    tab.
  3. Expand
    Location-specific Settings
    .
  4. Next to
    Client User Interface Control Settings,
    click
    Tasks > Edit Settings
    .
  5. Click
    Server control
    or
    Mixed control
    , and then click
    Customize
    .
  6. On the
    Client User Interface Settings
    dialog box (server control) or pane (mixed control), uncheck
    Allow the following users to enable and disable the firewall
    and
    Allow user to enable and disable the application device control
    .
  7. Click
    OK
    , and then click
    OK
    again.
To prevent users from disabling intrusion prevention
  1. In the console, click
    Clients
    .
  2. Click the client group that you want to restrict, and then click the policy
    Policies
    tab.
  3. Expand
    Location-specific Policies
    .
  4. Next to
    Intrusion Prevention policy
    , click
    Tasks > Edit Policy
    .
  5. Click
    Intrusion Prevention
    , and then click the locks next to
    Enable Network Intrusion Prevention
    and
    Enable Browser Intrusion Prevention
    to lock these features.
  6. Click
    OK
    .
To prevent users from disabling Virus and Spyware Protection
  1. In the console, click
    Clients
    .
  2. Click the client group that you want to restrict, and then click the
    Policies
    tab.
  3. Expand
    Location-specific Policies
    .
  4. Next to
    Virus and Spyware Protection policy
    , click
    Tasks > Edit Policy
    .
  5. Under
    Windows Settings
    , lock the following features:
    • Click
      Auto-Protect
      , and then click the lock next to
      Enable Auto-Protect
      .
    • Click
      Download Protection
      , and then click the lock next to
      Enable Download Insight to detect potential risks downloaded files based on file reputation
      .
    • Click
      SONAR
      , and then click the lock next to
      Enable SONAR
      .
    • Click
      Early Launch Anti-Malware Driver
      , and then click the lock next to
      Enable Symantec early launch anti-malware
      .
    • Click
      Microsoft Outlook Auto-Protect
      , and then click the lock next to
      Enable Microsoft Outlook Auto-Protect
      .
    • For versions earlier than 14.2 RU1, click
      Internet Email Auto-Protect
      , and then click the lock next to
      Enable Internet Email Auto-Protect
      .
    • For versions earlier than 14.2 RU1, click
      Lotus Notes Auto-Protect
      , and then click the lock next to
      Enable Lotus Notes Auto-Protect
      .
    • Click
      Global Scan Options
      , and then click the locks next to
      Enable Insight for
      and
      Enable Bloodhound heuristic virus detection
      .
  6. Click
    OK
    .
To prevent users from disabling Memory Exploit Mitigation (14.1 or later)
In version 14,
Memory Exploit Mitigation
appeared in the Intrusion Prevention policy and was called
Generic Exploit Mitigation
.
  1. In the console, click
    Clients
    .
  2. Click the client group that you want to restrict, and then click the policy
    Policies
    tab.
  3. Expand
    Location-specific Settings
    .
  4. Next to
    Memory Exploit Mitigation
    , click
    Tasks > Edit Policy
    .
  5. Click
    Memory Exploit Mitigation
    , and then click the lock next to
    Enable Memory Exploit Mitigation
    .
  6. Click
    OK
    .
Updating the client policy from
Symantec Endpoint Protection Manager
After you make these changes, the clients in the group receive the updated policies depending on the group's communication settings. If the group is in push mode,
Symantec Endpoint Protection Manager
prompts the client to check in with a few seconds. If the group is in pull mode, the client checks in on the next scheduled heartbeat.
If you want them to have it sooner than the next heartbeat, you can prompt the client to check in and update its policy. You can also update the policy from the
Symantec Endpoint Protection
client. See:
Once the client updates the policy,
Disable
Symantec Endpoint Protection
is grayed out when you right-click the
Symantec Endpoint Protection
notification area icon.