How a hybrid-managed Symantec Endpoint Protection Manager interacts with the Symantec Endpoint Security cloud console
Communication and enrollment between the cloud console and Symantec Endpoint Protection Manager
This section lists some expected behaviors that may occur when you enroll a Symantec Endpoint Protection Manager domain in the cloud console.
- If the Symantec Endpoint Protection Manager connector cannot obtain the access token to the cloud console, it retries every hour.
- Clients that connect through Symantec Endpoint Protection Manager may not immediately display the correct online status in the cloud console. Allow 5-10 minutes after the online status changes to see an accurate reflection of the current status.
- The system time for the management server and the Google Cloud Platform (GCP) server must be within 10 minutes of each other. Otherwise, enrollment fails, and you see the following error message: "Enrollment in the cloud console cannot complete because the Symantec Endpoint Protection Manger computer date and time does not match the current date and time. Change the setting in the Control Panel, and then retry the enrollment." To resolve the time mismatch, synchronize the Symantec Endpoint Protection Manager server with Network Time Protocol (NTP).
- You can use the following logs to troubleshoot a failed enrollment: BRIDGE_INSTALL.log, catalinaWs.out, Cloud-0.log, scm-server-0.log, and semapisrv_access_log.date.log. All of these files are in \tomcat\logs within the Symantec Endpoint Protection Manager installation folder.
Licensing, installation, upgrading, database
- You must purchase a Symantec Endpoint Security license to use or enroll in the cloud console.
- You cannot upgrade a management server from the cloud console.
- You cannot back up or restore the database or Symantec Endpoint Protection Manager settings from the cloud.
- To free up licenses, the Symantec Endpoint Protection Manager database deletes the clients that have not connected to the domain, based on the number of days that you specify. In the cloud console, these clients are automatically deleted after 30 days, and you cannot configure this interval. The clients are deleted first in the Symantec Endpoint Protection Manager database and then in the cloud console.
Domain enrollment and unenrollment
When the domain is enrolled:
- Events, policies, clients, and client groups are synchronized.
- Cloud-supported policy features are not available for configuration in Symantec Endpoint Protection Manager.
- Cloud policy settings take precedence.
You can unenroll the default domain if necessary. For example, you might have connectivity issues, or you might decide that you do not want the cloud console to manage your policies. You can unenroll on the enrollment page in Symantec Endpoint Protection Manager or in Endpoint > Integration > Enrollment in the cloud console.
The unenrollment process removes the client groups and clients of the unenrolled domain in the cloud. Any associated policies, as well as related events, remain in the cloud console.
- For each site, you enroll one Symantec Endpoint Protection Manager domain per site in the cloud console. You cannot enroll multiple domains, even if the domains are in separate sites. You also cannot enroll separate Symantec Endpoint Protection Manager domains if you use the same cloud console account.
- For sites with two Symantec Endpoint Protection Managers that share a SQL Server database and that are configured for failover, you enroll one domain from one of the management servers. The bridge service that communicates between each management server and the cloud console runs on one management server at a time. The service runs first on the management server with the higher server priority. If the first bridge service goes down, the service on the second management server runs instead. You can only manage one domain at a time from the cloud console. The sync between the cloud console and each management server does occur simultaneously.
The following table displays which site configurations the cloud console supports when you enroll a Symantec Endpoint Protection Manager domain.

| Site configuration | Supported on the cloud console |
| --- | --- |
| One site, one Symantec Endpoint Protection Manager on one computer with a database on the same computer only | Yes |
| One site, one Symantec Endpoint Protection Manager on one computer with a Microsoft SQL Server database on a second computer | Yes |
| One site, multiple Symantec Endpoint Protection Managers | Yes |
| Multiple sites, one Symantec Endpoint Protection Manager on each site, with replication* | Yes (14.2 and later) |
| Multiple sites, multiple Symantec Endpoint Protection Managers on each site, with replication* | Yes (14.2 and later) |

* Only one Symantec Endpoint Protection Manager on one of the sites in a replication partnership is supported to enroll with the cloud.
Groups, clients, locations
- If you rename My Company in the cloud console, the group name does not change in Symantec Endpoint Protection Manager.
- Cloud-managed features require a managed client. You cannot manage an unmanaged client or apply a policy that uses cloud features to an unmanaged client. If you apply policies that use cloud features to an unmanaged client, the policy defaults to the equivalent legacy Symantec Endpoint Protection options.
- Version 14 MP2 and earlier client computers appear in the cloud console, but do not support any of the new cloud-based features.
- If the Manage Devices from the Cloud option is turned on in the cloud console, the cloud console manages the devices. If it is off, then Symantec Endpoint Protection Manager manages the devices. If you use Active Directory with Symantec Endpoint Protection Manager to manage groups and clients, then Symantec Endpoint Protection Manager automatically manages devices. In this case, you cannot switch Manage Devices from the Cloud to the cloud console. This setting returns control of the device organization only to Symantec Endpoint Protection Manager. It does not affect policy protection on any group. You continue to manage advanced policy features from the cloud console.
- Whenever you make a change to the device group structure, there is a 10-minute delay before the change appears in Symantec Endpoint Protection Manager. The reverse is also true. The behavior is similar to how Symantec Endpoint Protection Manager replication functions. During the delay, do not make additional topology changes.
- If you add a group or policy in the cloud console whose name contains any of the following special characters: / \ * ? < > | : ", these characters are converted to a dash in Symantec Endpoint Protection Manager. For example, if you name a group Europe***, in Symantec Endpoint Protection Manager this group is labeled Europe---.
- The cloud console supports location awareness for 14.3 and later agents. For earlier agent versions, if a Symantec Endpoint Protection Manager group has multiple locations and each location uses a different policy (shared or non-shared), then only the default location's policy is synced and applied to the equivalent group on the cloud console. After the cloud console syncs back with Symantec Endpoint Protection Manager, that group's policy in the cloud console is applied as a shared policy to all the locations in the equivalent group in Symantec Endpoint Protection Manager. This process applies to both the Memory Exploit Mitigation policy and the Exceptions policy in Symantec Endpoint Protection Manager.
- The cloud console does not support a connection over IPv6. Enrollment of Symantec Endpoint Protection Manager over an IPv6 network results in the following error: "An error has occurred requesting the status for this enrollment token. Symantec Endpoint Protection Manager cannot connect to the cloud console. Check the network connection and try again."
- You can manage policy settings for 14.0.1 and later clients from the cloud. You must still manage policy settings for clients earlier than 14.0.1 directly from Symantec Endpoint Protection Manager. However, there are exceptions. If you apply an Exceptions policy from the cloud, and the client supports the exception type, then the exception applies to the client regardless of version. Memory Exploit Mitigation policies apply to all version 14 and later clients.
- Policies that come from the cloud do not follow the policy inheritance configuration for Symantec Endpoint Protection Manager. Instead, they follow the inheritance rules that are defined in the cloud.
- In the Virus and Spyware Protection policy, a cloud icon appears next to some options when the domain is enrolled in the cloud console. If an Intensive Protection policy is in effect, the policy overrides these options for 14.0.1 and later clients.
- The first default cloud policies that you create and assign in the cloud console are appended with a v and a number (#) in Symantec Endpoint Protection Manager, as follows: Default MEM Policy v1. If you then unenroll and reenroll the Symantec Endpoint Protection Manager domain, an additional v# is appended to the policy name. For example, Default MEM Policy v1 may become Default MEM Policy v1 v1 or Default MEM Policy v1 v3.
- In Symantec Endpoint Protection Manager, some cloud policies appear in the list on the Clients > Policies tab. A cloud icon indicates that the policy originates from the cloud. Two cloud icons are used: one indicates that the group does not inherit the policy from its parent in the cloud console and that the policy applies directly to the group; the other indicates that the group inherits the policy from its parent in the cloud console. Some cloud console policies are new policies and some are cloud versions of existing policies. The client version determines which policies the client supports. If you apply a policy to a client that does not support the policy, the client ignores the policy. This behavior is true whether the policy originates in the cloud console or in Symantec Endpoint Protection Manager. The user interface in Symantec Endpoint Protection Manager indicates which options or entire policies the cloud console controls.
- The hybrid-managed cloud console currently supports Symantec Endpoint Protection Manager policies for Windows clients but not for Mac or Linux clients. You must manage Mac and Linux clients entirely from the cloud or entirely from Symantec Endpoint Protection Manager.
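The special-character conversion described above has an audit side effect the list does not spell out: two cloud console groups or policies with different names (for example Europe*** and Europe???) become indistinguishable once both are labeled Europe--- in Symantec Endpoint Protection Manager, so a policy review done from the management server can no longer tell which cloud object it is looking at. The following Python is an added example, not code from the page or from Symantec; it applies the page's character-to-dash rule to predict the management-server label and, going one step beyond the page, flags any cloud names that collide after conversion. The sample names are constructed.

```python
import re
from collections import defaultdict

# Characters the page states are converted to a dash when a cloud console
# group or policy name is shown in Symantec Endpoint Protection Manager:
#   / \ * ? < > | : "
SEPM_UNSAFE_CHARS = re.compile(r'[/\\*?<>|:"]')

# Constructed sample cloud console names (not from any real tenant).
SAMPLE_CLOUD_NAMES = [
    "Europe***",
    "Europe???",
    "US/East",
    "US-East",
    "Servers:Prod",
    "Servers|Prod",
    "Workstations",
]


def sepm_display_name(cloud_name: str) -> str:
    """Predict how a cloud console name will be labeled in the management server.

    Every character in SEPM_UNSAFE_CHARS becomes a single dash; all other
    characters are kept as-is (per the page, Europe*** becomes Europe---).
    """
    return SEPM_UNSAFE_CHARS.sub("-", cloud_name)


def find_name_collisions(cloud_names):
    """Return {sepm_label: [cloud_name, ...]} for labels shared by 2+ cloud names.

    A collision means an administrator reviewing groups or policies from the
    management server cannot tell the underlying cloud objects apart by name.
    """
    by_label = defaultdict(list)
    for name in cloud_names:
        by_label[sepm_display_name(name)].append(name)
    return {label: names for label, names in by_label.items() if len(names) > 1}


if __name__ == "__main__":
    for name in SAMPLE_CLOUD_NAMES:
        print(f"{name!r:16} -> {sepm_display_name(name)!r}")
    for label, names in find_name_collisions(SAMPLE_CLOUD_NAMES).items():
        print(f"collision: cloud names {names} all appear as {label!r} in SEPM")
```

Run this against an export of your cloud console group and policy names before enrolling, and rename any colliding objects in the cloud console first; the page notes that renames made there do not flow back for My Company, so the check is most useful before the first sync.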
In the cloud console, child device groups inherit policies from their parent device group. However, you can apply policies directly to child groups or child devices. You do not have to turn off inheritance.