How a hybrid-managed Symantec Endpoint Protection Manager interacts with the Symantec Endpoint Security cloud console

Communication and enrollment between the cloud console and Symantec Endpoint Protection Manager

This section lists expected behaviors that you may see when you enroll a Symantec Endpoint Protection Manager domain in the cloud console.
  • If the Symantec Endpoint Protection Manager connector cannot obtain an access token for the cloud console, it retries every hour.
  • Clients that connect through Symantec Endpoint Protection Manager may not immediately display the correct online status in the cloud console. Allow 5-10 minutes after the online status changes for the cloud console to reflect the current status. See:
  • The system time on the management server and on the Google Cloud Platform (GCP) server must be within 10 minutes of each other. Otherwise, enrollment fails with the following error message:
    Enrollment in the cloud console cannot complete because the Symantec Endpoint Protection Manager computer date and time does not match the current date and time. Change the setting in the Control Panel, and then retry the enrollment.
    To resolve the time mismatch, synchronize the Symantec Endpoint Protection Manager server with Network Time Protocol (NTP). See the following for more information:
  • You can use the following logs to troubleshoot a failed enrollment: BRIDGE_INSTALL.log, catalinaWs.out, Cloud-0.log, scm-server-0.log, and semapisrv_access_log.<date>.log (where <date> is the day the log was written). All of these files are in \tomcat\logs within the Symantec Endpoint Protection Manager installation folder.
For more information, see:
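Because the 10-minute clock tolerance above is the most common reason enrollment fails, it helps to measure the management server's clock offset before you start. The following is an added example, not Symantec code or anything from the product: it takes one SNTP (RFC 4330) sample from an NTP server and compares the offset against the tolerance the page states. The server name time.windows.com and the 3-second timeout are assumptions; use whatever NTP source your management server is configured for. build_reply constructs a server packet so the parser can be exercised offline.

```python
"""Measure this host's clock offset with one SNTP exchange and compare it
against the 10-minute window that cloud enrollment requires."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
ENROLL_TOLERANCE_SECONDS = 10 * 60   # the 10-minute limit the page describes
# LI/VN/Mode, stratum, poll, precision, then 11 32-bit words (48 bytes total)
PACKET_FORMAT = "!B B B b 11I"


def _to_ntp(unix_time):
    """Unix float seconds -> (NTP seconds, NTP 32-bit fraction)."""
    whole = int(unix_time)
    return whole + NTP_EPOCH_OFFSET, int((unix_time - whole) * 2**32)


def _from_ntp(seconds, fraction):
    """NTP 64-bit fixed-point timestamp -> Unix float seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def build_request(t1):
    """Client request: LI=0, VN=4, Mode=3, with t1 as the transmit timestamp."""
    secs, frac = _to_ntp(t1)
    return struct.pack(PACKET_FORMAT, 0x23, 0, 0, 0, *([0] * 9), secs, frac)


def build_reply(server_time, stratum=2):
    """Server reply (Mode=4) whose receive and transmit timestamps are both
    server_time. Used here only to exercise the parser offline; a real server
    also fills the reference and originate fields."""
    secs, frac = _to_ntp(server_time)
    return struct.pack(PACKET_FORMAT, 0x24, stratum, 0, 0, *([0] * 7),
                       secs, frac, secs, frac)


def clock_offset(reply, t1, t4):
    """Server clock minus our clock, in seconds, from one round trip:
    theta = ((t2 - t1) + (t3 - t4)) / 2 (RFC 4330)."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    fields = struct.unpack(PACKET_FORMAT, reply[:48])
    mode = fields[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if fields[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    t2 = _from_ntp(fields[11], fields[12])   # receive timestamp
    t3 = _from_ntp(fields[13], fields[14])   # transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2.0


def enrollment_clock_ok(offset_seconds, tolerance=ENROLL_TOLERANCE_SECONDS):
    """True if the measured offset is inside the enrollment tolerance."""
    return abs(offset_seconds) <= tolerance


def measure_offset(server="time.windows.com", timeout=3.0):
    """Live check: one UDP/123 exchange with `server` (an assumed default)."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t1), (server, 123))
        reply, _ = sock.recvfrom(512)
    t4 = time.time()
    return clock_offset(reply, t1, t4)


if __name__ == "__main__":
    offset = measure_offset()
    verdict = "within" if enrollment_clock_ok(offset) else "OUTSIDE"
    print("clock offset %+.3f s, %s the 10-minute enrollment tolerance"
          % (offset, verdict))
```

One sample is enough to catch the gross skew that breaks enrollment; it is not a substitute for keeping the server synchronized with NTP, which is what actually resolves the error.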

Licensing, installation, upgrading, database

  • You must purchase a Symantec Endpoint Security license to use or enroll in the cloud console.
  • You cannot upgrade a management server from the cloud console.
  • You cannot back up or restore the database or Symantec Endpoint Protection Manager settings from the cloud console.
  • To free up licenses, the Symantec Endpoint Protection Manager database deletes the clients that have not connected to the domain for the number of days that you specify. The cloud console deletes these clients automatically after 30 days, and you cannot configure this interval. The clients are deleted first from the Symantec Endpoint Protection Manager database and then from the cloud console. See:

Domain enrollment and unenrollment

When the domain is enrolled:
  • Events, policies, clients, and client groups are synchronized.
  • Cloud-supported policy features are not available for configuration in Symantec Endpoint Protection Manager.
  • Cloud policy settings take precedence.
You can unenroll the default domain if necessary, for example if you have connectivity issues or decide that you do not want the cloud console to manage your policies. You can unenroll on the enrollment page in Symantec Endpoint Protection Manager or under Endpoint > Integration > Enrollment in the cloud console.
Unenrollment removes the client groups and clients of the unenrolled domain from the cloud console. Associated policies and related events remain in the cloud console. See:

Sites, replication

  • You enroll one Symantec Endpoint Protection Manager domain per site in the cloud console. You cannot enroll multiple domains, even if the domains are in separate sites, and you cannot enroll separate Symantec Endpoint Protection Manager domains under the same cloud console account.
  • For sites with two Symantec Endpoint Protection Managers that share a SQL Server database and that are configured for failover, you enroll one domain from one of the management servers. The bridge service that communicates between the management servers and the cloud console runs on one management server at a time. It runs first on the management server with the higher server priority. If that bridge service goes down, the service on the second management server runs instead. You can only manage one domain at a time from the cloud console. The sync between the cloud console and each management server occurs simultaneously.
For more information, see:
The following table shows which site configurations the cloud console supports when you enroll a Symantec Endpoint Protection Manager domain.
Site configurations that the cloud console supports (site configuration: supported on the cloud console)
  • One site, one Symantec Endpoint Protection Manager on one computer with the database on the same computer only: Yes
  • One site, one Symantec Endpoint Protection Manager on one computer with a Microsoft SQL Server database on a second computer: Yes
  • One site, multiple Symantec Endpoint Protection Managers: Yes
  • Multiple sites, one Symantec Endpoint Protection Manager on each site, with replication*: Yes (14.2 and later)
  • Multiple sites, multiple Symantec Endpoint Protection Managers on each site, with replication*: Yes (14.2 and later)
  * Only one Symantec Endpoint Protection Manager on one of the sites in a replication partnership can enroll with the cloud console.
For more information, see:

Groups, clients, locations

  • If you rename My Company in the cloud console, the group name does not change in Symantec Endpoint Protection Manager.
  • Cloud-managed features require a managed client. You cannot manage an unmanaged client or apply a policy that uses cloud features to an unmanaged client. If you apply a policy that uses cloud features to an unmanaged client, the policy falls back to the equivalent legacy Symantec Endpoint Protection options.
  • Version 14 MP2 and earlier client computers appear in the cloud console, but do not support any of the new cloud-based features.
  • If the Manage Devices from the Cloud option is turned on in the cloud console, the cloud console manages the devices. If it is off, Symantec Endpoint Protection Manager manages the devices.
    If you use Active Directory with Symantec Endpoint Protection Manager to manage groups and clients, Symantec Endpoint Protection Manager automatically manages devices, and you cannot switch Manage Devices from the Cloud on to hand control to the cloud console. This setting only returns control of the device organization to Symantec Endpoint Protection Manager. It does not affect policy protection on any group, and you continue to manage advanced policy features from the cloud console.
  • Whenever you change the device group structure, there is a 10-minute delay before the change appears in Symantec Endpoint Protection Manager, and the same delay applies in the reverse direction. The behavior is similar to how Symantec Endpoint Protection Manager replication functions. During the delay, do not make additional topology changes.
  • If you add a group or policy in the cloud console whose name contains any of the following special characters: / \ * ? < > | : " each of those characters is converted to a dash in Symantec Endpoint Protection Manager. For example, if you name a group Europe***, in Symantec Endpoint Protection Manager the group is labeled Europe---.
  • The cloud console supports location awareness for 14.3 and later agents. For earlier agent versions, if a Symantec Endpoint Protection Manager group has multiple locations and each location uses a different policy (shared or non-shared), only the default location's policy is synced up and applied to the equivalent group in the cloud console. After the cloud console syncs back with Symantec Endpoint Protection Manager, that group's policy in the cloud console is applied as a shared policy to all the locations in the equivalent group in Symantec Endpoint Protection Manager. This applies to both the Memory Exploit Mitigation policy and the Exceptions policy in Symantec Endpoint Protection Manager.
  • The cloud console does not support a connection over IPv6. Enrollment of Symantec Endpoint Protection Manager over an IPv6 network results in the following error:
    An error has occurred requesting the status for this enrollment token.
    Symantec Endpoint Protection Manager cannot connect to the cloud console. Check the network connection and try again.
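The special-character conversion described above has a practical consequence: two different cloud console names can render as the same name in Symantec Endpoint Protection Manager (Europe*** and Europe--- both become Europe---), which makes groups and policies hard to tell apart when you troubleshoot from the management server. The following added example, which is not Symantec code, predicts the rendered name and flags such collisions before you create the groups. It assumes each listed character maps to exactly one dash, as in the page's own Europe*** example; the sample names are constructed.

```python
"""Predict how cloud console group or policy names appear in Symantec Endpoint
Protection Manager and flag names that become indistinguishable there."""
from collections import defaultdict

# The characters the page says are replaced with a dash when a name created in
# the cloud console is synced to Symantec Endpoint Protection Manager.
REPLACED_CHARS = frozenset('/\\*?<>|:"')


def sepm_name(cloud_name):
    """Render a cloud console name the way the page says it appears in SEPM.
    Assumption: each listed character becomes one dash (Europe*** -> Europe---)."""
    return "".join("-" if ch in REPLACED_CHARS else ch for ch in cloud_name)


def find_collisions(cloud_names):
    """Map each SEPM rendering produced by more than one cloud name to the
    list of cloud names that produce it, in input order."""
    rendered = defaultdict(list)
    for name in cloud_names:
        rendered[sepm_name(name)].append(name)
    return {k: v for k, v in rendered.items() if len(v) > 1}


def safe_to_create(cloud_name, existing_cloud_names):
    """True if cloud_name would not collide, after rendering, with any name
    that already exists in the cloud console."""
    target = sepm_name(cloud_name)
    return all(sepm_name(n) != target for n in existing_cloud_names)


if __name__ == "__main__":
    # Constructed sample names; not taken from any real console.
    sample = ["Europe***", "Europe---", "Sales/EMEA", "Sales\\EMEA",
              "Dev: Team", "Asia"]
    for name in sample:
        print("%-12s -> %s" % (name, sepm_name(name)))
    print("collisions:", find_collisions(sample))
```

Run find_collisions over the names you plan to create in the cloud console; anything it returns will be ambiguous on the Symantec Endpoint Protection Manager side and is worth renaming before the first sync.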

Policies

  • You can manage policy settings for 14.0.1 and later clients from the cloud. You must still manage policy settings for clients earlier than 14.0.1 directly from Symantec Endpoint Protection Manager. However, there are exceptions. If you apply an Exceptions policy from the cloud and the client supports the exception type, the exception applies to the client regardless of version. Memory Exploit Mitigation policies apply to all version 14 and later clients.
  • Policies that come from the cloud do not follow the policy inheritance configuration in Symantec Endpoint Protection Manager. Instead, they follow the inheritance rules that are defined in the cloud console.
  • In the Virus and Spyware Protection policy, a cloud icon appears next to some options when the domain is enrolled in the cloud console. If an Intensive Protection policy is in effect, the policy overrides these options for 14.0.1 and later clients.
  • The first default cloud policies that you create and assign in the cloud console are appended with a v and a number (#) in Symantec Endpoint Protection Manager, as in Default MEM Policy v1. If you then unenroll and reenroll the Symantec Endpoint Protection Manager domain, an additional v# is appended to the policy name. For example, Default MEM Policy v1 may become Default MEM Policy v1 v1 or Default MEM Policy v1 v3. For differences between the Symantec Endpoint Protection Manager Exceptions policy and the cloud console Allow List and Deny List policies:
  • In Symantec Endpoint Protection Manager, some cloud policies appear in the list on the Clients > Policies tab. A cloud icon indicates that the policy originates from the cloud. Two cloud icons are used: one indicates that the group does not inherit the policy from its parent in the cloud console and that the policy applies directly to the group; the other indicates that the group inherits the policy from its parent in the cloud console.
    Some cloud console policies are new policies and some are cloud versions of existing policies. The client version determines which policies the client supports. If you apply a policy to a client that does not support the policy, the client ignores the policy. This behavior is true whether the policy originates in the cloud console or in Symantec Endpoint Protection Manager. The user interface in Symantec Endpoint Protection Manager indicates which options or entire policies the cloud console controls.
  • The hybrid-managed cloud console currently supports Symantec Endpoint Protection Manager policies for Windows clients but not for Mac or Linux clients. You must manage Mac and Linux clients entirely from the cloud console or entirely from Symantec Endpoint Protection Manager. See:
Policy inheritance
In the cloud console, child device groups inherit policies from their parent device group. However, you can apply policies directly to child groups or child devices. You do not have to turn off inheritance. See: