Configuring a client to detect unmanaged devices

Unauthorized devices can connect to the network in many ways, such as physical access in a conference room or rogue wireless access points. To enforce policies on every endpoint, you must be able to quickly detect the presence of new devices in your network. You must determine whether the devices are secure. You can enable any client as an unmanaged detector to detect the unknown devices. Unknown devices are unmanaged devices that do not run Symantec Endpoint Protection client software. If the unmanaged device is a computer, you can install the Symantec Endpoint Protection client software on it.
When a device starts up, its operating system sends the following traffic to the network to let other computers know of the device's presence:
  • Address Resolution Protocol (ARP) traffic (ICMPv4)
  • Neighbor Discovery Protocol (NDP) traffic (ICMPv6).
    ICMPv6 is supported as of version 14.2.
A client that is enabled as an unmanaged detector collects and sends this packet information to the management server. The management server searches the packet for the device's MAC address and the IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new. You can then decide whether the device is secure. Because the client only transmits information, it does not use additional resources.
You can configure the unmanaged detector to ignore certain devices, such as printers. You can also set up email notifications to notify you when the unmanaged detector detects an unknown device.
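The comparison described above, sketched as an added example (not Symantec's code): it parses ARP frames only, extracts the sender MAC and IP address, applies MAC and IP-range exceptions, and flags anything not on record. The function names, the rule that a device is known only when its MAC/IP pair is on record, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:  # EtherType is not ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, ipaddress.IPv4Address(frame[28:32])

def classify(frame, known, excluded_macs, excluded_ranges):
    """Return 'ignored', 'known' or 'unknown'; None if the frame is not ARP."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    mac, ip = parsed
    # Exceptions are checked first: an excluded MAC or an excluded IP range.
    if mac in excluded_macs or any(lo <= ip <= hi for lo, hi in excluded_ranges):
        return "ignored"
    # Assumption: a device counts as known only if its MAC/IP pair is on record.
    return "known" if (mac, ip) in known else "unknown"

def build_arp(mac: str, ip: str) -> bytes:
    """Construct a sample ARP request (constructed input, not captured traffic)."""
    smac = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + smac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + smac
    arp += ipaddress.IPv4Address(ip).packed + b"\x00" * 6
    return eth + arp + ipaddress.IPv4Address("192.0.2.1").packed

A = ipaddress.IPv4Address
KNOWN = {("02:00:00:00:00:01", A("192.0.2.10"))}          # constructed inventory
EXCLUDED_MACS = {"02:00:00:00:00:aa"}                     # e.g. a printer
EXCLUDED_RANGES = [(A("192.0.2.200"), A("192.0.2.220"))]  # e.g. a device pool

def run_samples():
    frames = [build_arp("02:00:00:00:00:01", "192.0.2.10"),
              build_arp("02:00:00:00:00:aa", "192.0.2.50"),
              build_arp("02:00:00:00:00:bb", "192.0.2.210"),
              build_arp("02:00:00:00:00:cc", "192.0.2.77")]
    return [classify(f, KNOWN, EXCLUDED_MACS, EXCLUDED_RANGES) for f in frames]

if __name__ == "__main__":
    print(run_samples())
```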
To configure the client as an unmanaged detector, you must do the following actions:
As of 14.3 RU1, enabling the Linux client as an unmanaged detector is deprecated.
To configure an unmanaged detector
  1. In the console, click Clients.
  2. Under Clients, select the group that contains the client that you want to enable as an unmanaged detector.
  3. On the Clients tab, right-click the client that you want to enable as an unmanaged detector, and then click Enable as Unmanaged Detector.
  4. To specify one or more devices to exclude from detection by the unmanaged detector, click Configure Unmanaged Detector.
  5. In the Unmanaged Detector Exceptions for client name dialog box, click Add.
  6. In the Add Unmanaged Detector Exception dialog box, click one of the following options:
    • Exclude detection of an IP address range, and then enter the IP address range for several devices.
    • Exclude detection of a MAC address, and then enter the device's MAC address.
  7. Click OK > OK.
  8. To display the list of unauthorized devices that the client detects, in the console, click Home.
  9. On the Home page, in the Security Status section, click More Details.
  10. In the Security Status Details dialog box, scroll to the Unknown Device Failures table.
  11. Close the dialog box.
To see if unmanaged clients are being detected
  1. Go to the Home page and click View Details in the Security Status area.
  2. When the Security Status Details window appears, click Unknown Device Failures.
    Total Detected Unknown Devices shows how many devices are unmanaged. This includes access points, routers, switches and other devices in addition to computers.
  3. To filter extraneous devices, go to the Clients page and right-click the unmanaged detector.
  4. Click Configure Unmanaged Detector and add the IP or MAC addresses of the devices to be filtered.