The Host Integrity policy is the security policy that all Enforcers direct Symantec Network Access Control clients to run on client computers. Host Integrity policies specify the software that is required to run on a client. You can use an Enforcer to enforce Host Integrity policies, or you can run Host Integrity policies without an Enforcer.
You can configure the Enforcer to automatically do the following tasks:
Verify that a client has been installed on a user's computer.
Prompt a client to retrieve updated Host Integrity policies, if available.
Prompt the client to run a Host Integrity check.
Verify that the client passes the Host Integrity check. The client sends the results of the check to the Enforcer. If the client passes the check, the Enforcer grants the client access to the protected network. If the client fails the Host Integrity check, the Enforcer blocks the client. The client then tries to recover through remediation and runs the Host Integrity check again until it passes.
Each type of Enforcer appliance implements the network access criteria differently.
A Windows or Mac On-Demand Client can be set up to automatically download and install the latest Host Integrity policies from the Symantec Endpoint Protection Manager. If the client cannot connect to the console, the On-Demand Client gets the Host Integrity policy from the Enforcer appliance when it connects for the first time. After that, it gets the Host Integrity policy from the Symantec Endpoint Protection Manager.
The Enforcers control network access for client computers based on the results of a Host Integrity check.