You add locations after you set up the groups that you need to manage. Each group can have different locations if your security strategy requires it. In the Symantec Endpoint Protection Manager console, you set up the conditions that trigger automatic policy switching based on location. Location awareness automatically applies the security policy that you specify to a client, based on the location conditions that the client meets.
Location conditions can be based on a number of different criteria. These criteria include IP addresses, type of network connection, whether the client computer can connect to the management server, and more. You can allow or block client connections based on the criteria that you specify.
A location applies to the group you created it for and to any subgroups that inherit from the group. A best practice is to create the locations that any client can use at the My Company group level. Then, create locations for a particular group at the subgroup level.
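The following sketch models the location matching and group inheritance described above. It is an added illustration, not Symantec's implementation or configuration format. The class names, the first-match ordering, and the sample groups, IP ranges and policy labels are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Location:
    name: str
    policy: str
    networks: tuple = ()                     # CIDR ranges; empty means any IP address
    connection: Optional[str] = None         # None means any connection type
    server_reachable: Optional[bool] = None  # None means the condition is not used

    def matches(self, client: dict) -> bool:
        ip = ipaddress.ip_address(client["ip"])
        if self.networks and not any(ip in ipaddress.ip_network(n) for n in self.networks):
            return False
        if self.connection is not None and client["connection"] != self.connection:
            return False
        if self.server_reachable is not None and client["server_reachable"] != self.server_reachable:
            return False
        return True

@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    inherits: bool = False
    locations: list = field(default_factory=list)

    def effective_locations(self) -> list:
        # A subgroup that inherits uses the locations of the group above it.
        if self.inherits and self.parent is not None:
            return self.parent.effective_locations()
        return self.locations

def resolve(group: Group, client: dict):
    # Returns (location, policy) for the first match, else None (ordering is assumed).
    for loc in group.effective_locations():
        if loc.matches(client):
            return loc.name, loc.policy
    return None

# Constructed sample data: group names, ranges and policy labels are illustrative.
my_company = Group("My Company", locations=[
    Location("Office", "office-policy", networks=("10.0.0.0/8",), server_reachable=True),
    Location("Remote", "remote-policy", server_reachable=False),
])
sales = Group("Sales", parent=my_company, inherits=True)
lab = Group("Lab", parent=my_company, locations=[Location("Lab VPN", "lab-vpn-policy", connection="vpn")])
```

In this model, a client in the inheriting Sales group resolves against the My Company locations, while the Lab group, which does not inherit, sees only its own location and matches nothing unless the client is on a VPN connection.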
It is simpler to manage your security policies and settings if you create fewer groups and locations. The complexity of your network and its security requirements, however, may require more groups and locations. The number of different security settings, log-related settings, communications settings, and policies that you need determines how many groups and locations you create.
Some of the configuration options that you may want to customize for your remote clients are location-independent. These options are either inherited from the parent group or set independently. If you create a single group to contain all remote clients, then the location-independent settings are the same for the clients in the group.
The following settings are location-independent:
Custom intrusion prevention signatures
System Lockdown settings
Network application monitoring settings
LiveUpdate content policy settings
Client log settings
Client-server communications settings
General security-related settings, including location awareness and Tamper Protection
To customize any of these location-independent settings, such as how client logs are handled, you need to create separate groups.
Some settings are specific to locations.
As a best practice, you should not allow users to turn off the following protections:
The firewall rules that you have created
Table: Location awareness tasks that you can perform
See the knowledge base article Best Practices for Symantec Endpoint Protection Location Awareness.