Getting Started

Get up and running immediately on Symantec Endpoint Protection (SEP).
Assess your security requirements and decide if the default settings provide the balance of performance and security that you require. Some performance enhancements can be made immediately after you install Symantec Endpoint Protection Manager.
Perform the following tasks to install and protect the computers in your network immediately:

Step 1: Plan your installation structure

Before you install the product, consider the size and geographical distribution of your network to determine the installation architecture.
To ensure good network and database performance, you need to evaluate several factors. These factors include how many computers need protection, whether any of those computers connect over a wide-area network, or how often to schedule content updates.
  • If your network is small, is located in one geographic location, and has fewer than 500 clients, you need to install only one Symantec Endpoint Protection Manager.
  • If the network is very large, you can install additional sites with additional databases and configure them to share data with replication. To provide additional redundancy, you can install additional sites for failover or load balancing support. Failover and load balancing can only be used with Microsoft SQL Server databases.
  • If your network is geographically dispersed, you may need to install additional management servers for load balancing and bandwidth distribution purposes.

Step 2: Prepare for and then install Symantec Endpoint Protection Manager

  1. Make sure the computer on which you install the management server meets the minimum system requirements.
  2. To install Symantec Endpoint Protection Manager, you must be logged on with an account that grants local administrator access.
  3. Decide on whether to use the default Microsoft SQL Server Express database or a Microsoft SQL Server database.
    If you use a Microsoft SQL Server database, the installation requires additional steps. These include, but are not limited to, configuring or creating a database instance that is configured to use mixed mode or Windows authentication mode. You also need to provide database server administration credentials to create the database and the database user. These are specifically for use with the management server.
  4. You install Symantec Endpoint Protection Manager first. After you install, you immediately configure the installation with the Management Server Configuration Wizard.
    Decide on the following items when you configure the management server:
    • A password for your logon to the management console
    • An email address where you can receive important notifications and reports
    • An encryption password, which may be needed depending on the options that you select during installation

Step 3: Add groups, policies, and locations

  1. You use groups to organize the client computers, and apply a different level of security to each group. You can use the default groups, import groups if your network uses Active Directory or an LDAP server, or add new groups.
    If you add new groups, you can use the following group structure as a basis:
    • Desktops
    • Laptops
    • Servers
  2. You use locations to apply different policies and settings to computers based on specific criteria. For example, you can apply different security policies to the computers based on whether they are inside or outside the company network. In general, the computers that connect to your network from outside of your firewall need stronger security than those that are inside your firewall.
    A location can allow the mobile computers that are not in the office to update their definitions automatically from Symantec's LiveUpdate servers.
  3. Disable inheritance for the groups or locations for which you want to use different policies or settings.
    By default, groups inherit their policies and settings from the default parent group, My Company. If you want to assign a different policy to child groups, or want to add a location, you must first disable inheritance. Then you can change the policies for the child groups, or you can add a location.
    Symantec Endpoint Protection Manager policy inheritance does not apply to the policies that are received from the cloud. The cloud policies follow the inheritance as defined in the cloud.
  4. For each type of policy, you can accept the default policies, or create and modify new policies to apply to each new group or location. You must add requirements to the default Host Integrity policy for the Host Integrity check to have an effect on the client computer.

Step 4: Change communication settings to increase performance

You can improve network performance by modifying the following client-server communication settings in each group:
  • Use pull mode instead of push mode to control when clients use network resources to download policies and content updates.
  • Increase the heartbeat interval. For fewer than 100 clients per server, increase the heartbeat to 15-30 minutes. For 100 to 1,000 clients, increase the heartbeat to 30-60 minutes. Larger environments might need a longer heartbeat interval. Symantec recommends that you leave Let clients upload critical events immediately
  • Increase the download randomization to between one and three times the heartbeat interval.

Step 5: Activate the product license

Purchase and activate a license within 60 days of product installation.

Step 6: Decide on a client deployment method

Determine which client deployment method would work best to install the client software on your computers in your environment.
  • For Linux clients, you can use either Save Package or Web Link and Email, but not Remote Push.
  • For Windows and Mac clients, if you use Remote Push, you may need to do the following tasks:
    • Make sure that administrator access to remote client computers is available. Modify any existing firewall settings (including ports and protocols) to allow remote deployment between Symantec Endpoint Protection Manager and the client computers.
    • You must be logged on with an account that grants local administrator access.
      If the client computers are part of an Active Directory domain, you must be logged on to the computer that hosts Symantec Endpoint Protection Manager with an account that grants local administrator access to the client computers. You should have administrator credentials available for each client computer that is not part of an Active Directory domain.

Step 7: Prepare the client for installation

  1. Make sure that the computers on which you install the client software meet the minimum system requirements. You should also install the client on the computer that hosts Symantec Endpoint Protection Manager.
  2. Manually uninstall any third-party security software programs from Windows computers that the Symantec Endpoint Protection client installer cannot uninstall.
    You must uninstall any existing security software from Linux computers or from Mac computers.
    Some programs may have special uninstallation routines, or may need to have a self-protection component disabled. See the documentation for the third-party software.
  3. As of 14, you can configure the installation package to remove a Windows Symantec Endpoint Protection client that does not uninstall through standard methods. When that process completes, it then installs Symantec Endpoint Protection.

Step 8: Deploy and install the client software

  1. For Windows clients, do the following tasks:
    • Create a custom client install feature set that determines which components you install on the client computers. You can also use one of the default client install feature sets.
      For client installation packages for workstations, check the email scanner protection option that applies to the mail server in your environment. For example, if you use a Microsoft Exchange mail server, check Microsoft Outlook Scanner.
    • Update custom client install settings to determine installation options on the client computer. These options include the target installation folder, the uninstallation of third-party security software, and the restart behavior. You can also use the default client install settings.
  2. With the Client Deployment Wizard, create a client installation package with selections from the available options, and then deploy it to your client computers. You can only deploy to Mac or Windows computers with the Client Deployment Wizard.
Symantec recommends that you do not perform third-party installations simultaneous to the installation of Symantec Endpoint Protection. The installation of any third-party programs that make network- or system-level changes may cause undesirable results when you install Symantec Endpoint Protection. If possible, restart the client computers before you install Symantec Endpoint Protection.

Step 9: Check that the computers are listed in the groups that you expected and that the clients communicate with the management server

In the management console, on the
  1. Change the view to Client status to make sure that the client computers in each group communicate with the management server.
    Look at the information in the following columns:
  2. Change to the Protection technology view and ensure that the status is set to in the columns between and including AntiVirus Status and Tamper Protection Status.
  3. On the client, check that the client is connected to a server, and check that the policy serial number is the most current one.