Configuring a client to detect unmanaged devices
Unauthorized devices can connect to the network in many ways, such as physical access in a conference room or rogue wireless access points. To enforce policies on every endpoint, you must be able to quickly detect the presence of new devices in your network. You must determine whether the devices are secure. You can enable any client as an unmanaged detector to detect the unknown devices. Unknown devices are unmanaged devices that do not run Symantec Endpoint Protection client software. If the unmanaged device is a computer, you can install the Symantec Endpoint Protection client software on it.
When a device starts up, its operating system sends the following traffic to the network to let other computers know of the device's presence:
- Address Resolution Protocol (ARP) traffic (ICMPv4)
- Neighbor Discovery Protocol (NDP) traffic (ICMPv6). ICMPv6 is supported as of version 14.2.
A client that is enabled as an unmanaged detector collects and sends this packet information to the management server. The management server searches the packet for the device's MAC address and the IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new. You can then decide whether the device is secure. Because the client only transmits information, it does not use additional resources.
You can configure the unmanaged detector to ignore certain devices, such as printers. You can also set up email notifications to notify you when the unmanaged detector detects an unknown device.
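The comparison and exception logic described above, sketched as an added example (not Symantec's code): it parses constructed ARP frames, applies MAC and IP-range exceptions, and flags senders that are absent from an inventory. The inventory, the exception values, the function names, and the rule that a match on either MAC or IP counts as known are assumptions.

```python
import ipaddress
import struct

# Constructed inventory and exceptions (assumed values for illustration).
KNOWN = {"00:11:22:33:44:55": "192.0.2.10"}            # MAC -> IP of managed clients
EXCLUDED_MACS = {"aa:bb:cc:00:00:01"}                   # e.g. a printer
EXCLUDED_RANGES = [(ipaddress.ip_address("192.0.2.200"),
                    ipaddress.ip_address("192.0.2.220"))]

def make_arp(mac: str, ip: str) -> bytes:
    """Build a constructed broadcast ARP request used as sample input."""
    smac = bytes.fromhex(mac.replace(":", ""))
    sip = ipaddress.ip_address(ip).packed
    eth = b"\xff" * 6 + smac + b"\x08\x06"              # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)     # Ethernet/IPv4, request
    return eth + arp + smac + sip + b"\x00" * 6 + sip

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                                     # not Ethernet/IPv4 ARP
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, str(ipaddress.ip_address(frame[28:32]))

def classify(frame: bytes) -> str:
    """Classify a frame as ignored, excluded, known, or unknown."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "ignored"
    mac, ip = parsed
    addr = ipaddress.ip_address(ip)
    if mac in EXCLUDED_MACS or any(lo <= addr <= hi for lo, hi in EXCLUDED_RANGES):
        return "excluded"
    # Assumption: a match on either the MAC or the IP counts as an address match.
    if mac in KNOWN or ip in KNOWN.values():
        return "known"
    return "unknown"                                    # recorded as a new device

if __name__ == "__main__":
    for mac, ip in [("00:11:22:33:44:55", "192.0.2.10"),
                    ("aa:bb:cc:00:00:01", "192.0.2.50"),
                    ("de:ad:be:ef:00:01", "192.0.2.77")]:
        print(mac, ip, classify(make_arp(mac, ip)))
```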
To configure the client as an unmanaged detector, you must do the following actions:
- Enable Network Threat Protection. See:
- Switch the client to computer mode. See:
- Install the client on a computer that runs all the time.
As of 14.3 RU1, enabling the Linux client as an unmanaged detector is deprecated.
To configure an unmanaged detector
- In the console, click Clients.
- Under Clients, select the group that contains the client that you want to enable as an unmanaged detector.
- On the Clients tab, right-click the client that you want to enable as an unmanaged detector, and then click Enable as Unmanaged Detector.
- To specify one or more devices to exclude from detection by the unmanaged detector, click Configure Unmanaged Detector.
- In the Unmanaged Detector Exceptions for client name dialog box, click Add.
- In the Add Unmanaged Detector Exception dialog box, click one of the following options:
  - Exclude detection of an IP address range, and then enter the IP address range for several devices.
  - Exclude detection of a MAC address, and then enter the device's MAC address.
- To display the list of unauthorized devices that the client detects, in the console, click Home.
- On the Home page, in the Security Status section, click More Details.
- In the Security Status Details dialog box, scroll to the Unknown Device Failures table.
- Close the dialog box.
To see if unmanaged clients are being detected
- Go to the Home page and click View Details in the Security Status area.
- When the Security Status Details window appears, click Unknown Device Failures. Total Detected Unknown Devices shows how many devices are unmanaged. This includes access points, routers, switches and other devices in addition to computers.
- To filter extraneous devices, go to the Clients page and right-click the unmanaged detector.
- Click Configure Unmanaged Detector and add the IP or MAC addresses of the devices to be filtered.