Choosing between the on-premises management, hybrid management, or cloud-only management options

Symantec Endpoint Security (Endpoint Security) manages Symantec Endpoint Protection agents version 14.0.1 (14.1) or later. These agents are cloud-enabled, and you can manage them from either Symantec Endpoint Protection Manager (SEPM) or the Integrated Cyber Defense Manager cloud console.
You can manage the agents from the cloud only, on-premises only, or a combination of both (hybrid management):
  • For cloud management only, you use the Symantec Integrated Cyber Defense Manager (ICDm), a unified cloud console. You must purchase either Symantec Endpoint Security Enterprise or Symantec Endpoint Security Complete.
  • For on-premises management, you install the Symantec Endpoint Protection Manager, which is the management console for Symantec Endpoint Protection. You can purchase Symantec Endpoint Protection, Symantec Endpoint Security Enterprise, or Symantec Endpoint Security Complete.
  • For hybrid management, you use the Symantec Endpoint Protection Manager for on-premises managed devices and the ICDm console to manage cloud-managed devices. You enroll each Symantec Endpoint Protection Manager domain in the ICDm cloud console. Enrollment gives you a single view of all devices and alerts in ICDm. In addition, you can manage your devices and some policies from ICDm for your entire hybrid deployment. However, you can manage the rest of the protection for your on-premises devices from the Symantec Endpoint Protection Manager. You must purchase Symantec Endpoint Security Enterprise or Symantec Endpoint Security Complete.
Deciding whether to use the on-premises Symantec Endpoint Protection or the cloud-managed Symantec Endpoint Security
If you want to... | Use this product
Manage clients entirely using the cloud console | Symantec Endpoint Security (Enterprise or Complete)
The cloud-only management console is the Integrated Cyber Defense Manager (ICDm) and the devices use Symantec Agents version 14.2 RU1 or later. You create and deploy the agent installation package from Symantec Endpoint Security. You install the on-premises client software on the devices, as before.
You manage the agents completely from the cloud, which bypasses communication with the on-premises management console, Symantec Endpoint Protection Manager.
Use this approach in the following situations:
  • You do not want the cost or overhead of installing and managing a management server and database.
  • You have multiple Symantec enterprise products and want to share management capabilities across a single management console.
  • You want unified visibility into threats, policies and incidents from multiple Symantec products, which reduces incident response times from days to minutes.
  • Symantec Endpoint Security has additional features that Symantec Endpoint Protection on-premises does not have.
To manage your agents from the cloud, you log on to your Symantec Security cloud account directly. If you installed Symantec Endpoint Protection Manager, you do not enroll the domain in the cloud.
When you upgrade to Symantec Endpoint Security, the equivalent setting in the cloud takes precedence over the Symantec Endpoint Protection Manager setting. If there is no equivalent setting, the previous Symantec Endpoint Protection Manager setting takes precedence.
If you upgrade from Symantec Endpoint Protection Manager to the cloud, you can later revert back to managing with Symantec Endpoint Protection Manager. However, you must reinstall the management server if you uninstalled it. Make sure you make a backup of the database before you upgrade in case you need to perform disaster recovery later. You can use the smc command to convert Windows devices back to management by the Symantec Endpoint Protection Manager.
Manage clients entirely using the on-premises Symantec Endpoint Protection Manager | Symantec Endpoint Protection or Symantec Endpoint Security (Enterprise or Complete)
You do not enroll a SEPM domain in the cloud. You create and deploy the client installation package from the Symantec Endpoint Protection Manager.
Use this approach in the following situations:
  • Your network includes remote locations, such as an oil rig or an offshore environment.
  • You work in a government environment where the network is very restricted.
  • You have a lot of clients in a dark network.
  • You want the same features as an on-premises management server. However, Symantec Endpoint Protection continues to add features.
Manage both legacy clients and cloud-only managed agents (hybrid) | Symantec Endpoint Protection or Symantec Endpoint Security (Enterprise or Complete)
For a successful hybrid deployment, SEPM and the agents must be version 14.1 or later. You manage the agents and some policies from Symantec Endpoint Security. You manage clients earlier than 14.1 from the Symantec Endpoint Protection Manager.
Note: The Symantec Endpoint Protection client is the same as the Symantec Agent.
Use this approach in the following situations:
  • You want to upgrade from 14.1 or later to Symantec Endpoint Security but you want to move slowly to a completely cloud-managed console.
  • You have clients on devices that use operating systems that Symantec Endpoint Security does not support.
  • You want to use Application Control, which replaces the Application Control policy in Symantec Endpoint Protection Manager. Application Control requires a 14.2 MP1 or later client. Application Isolation (new) requires the 14.2 RU1 (cloud only) or 14.2 RU1 client or later and uses the Symantec Endpoint Security cloud console.
    You must buy the Symantec Endpoint Security Complete subscription for Application Control and Application Isolation.
If you upgrade to the hybrid model, and later want to revert back to Symantec Endpoint Protection Manager only, you simply unenroll the Symantec Endpoint Protection Manager domain. This option provides more flexibility; you can move fully to the cloud at a later point.
The 14.0.1 or later client functions slightly differently if the Symantec Endpoint Protection Manager manages it rather than Symantec Endpoint Security. The Symantec Endpoint Protection Manager controls more options on the client, while Symantec Endpoint Security controls fewer options. The Symantec Endpoint Protection Manager provides more options for the user to configure; the cloud-managed client provides fewer options. However, Symantec adds new features in Symantec Endpoint Security in monthly refreshes.