You need more details about the Options in the Policies of the Symantec Endpoint Protection Manager (SEPM)
- Use the default management server (recommended)
Downloads the updates from the Symantec Endpoint Protection Manager, and this setting is recommended for most organizations. This option is the simplest and requires no configuration other than applying this policy to a group.
- Use an alternate LiveUpdate server
Downloads the updates from either the Default Symantec LiveUpdate server over the Internet, or from an internal LiveUpdate Server. You can use and specify multiple internal LiveUpdate servers for failover support.
- Allow the user to modify LiveUpdate settings
Lets users change LiveUpdate settings on client computers.
- Allow the user to manually launch LiveUpdate
Lets users manually perform LiveUpdate on client computers. Disable this setting as a best practice for managed clients. Conflicts can occur if a scheduled LiveUpdate session is running when a user manually starts a LiveUpdate session.
- LiveUpdate Settings policy server settings
This panel lets you specify where client computers in a group get updates. The updates that are downloaded are specified in the LiveUpdate Content policy.
Table: LiveUpdate policy server settings
|Internal or External LiveUpdate Server||
If both options are enabled, clients try to retrieve updates from both sources. Typically, do not enable both options unless you have a specific reason. If the management server provides named update versions to clients, and the clients have previously downloaded the latest updates from a LiveUpdate server, the clients do not download and install the named (previous) versions.
|Group Update Provider||Use the Group Update Provider as the default LiveUpdate server Specifies one client in the group to act a proxy LiveUpdate server for the group. One reason that you might want to create a Group Update Provider is to conserve bandwidth to clients in a remote location over a slow link. In this scenario, the Group Update Provider downloads the latest updates from the management server. The Group Update Provider then updates the rest of the clients in the group. If the Group Update Provider is offline, the clients contact the management server for updates. The Group Update Provider can be in any group.|
|Third Party Management||Enable third-party content management
Enables third-party tools such as Microsoft SMS to provide updates to client computers securely.
To use this feature, you must set up a Symantec Endpoint Protection Manager to use as a staging server for content. This staging server does not require the clients that are connected to it. Configure the server to download updates on a periodic schedule. If you use continuous, the server downloads the latest updates when they are posted.
By default, the updates appear in the Default client groups content outbox, which is organized by content type. You can then pick up one or more content packages from the content outbox and deliver it to the clients inbox directory. The inbox directory is located at \\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\inbox\.
To ensure that only third-party management tools update client computers, disable the other LiveUpdate server options on this panel.
LiveUpdate Settings policy schedule
Use this panel to specify how often to push updates from LiveUpdate servers to clients in the groups to which this policy is applied. The Use a LiveUpdate Server checkbox must be selected on the Server Settings pane for you to enable this feature.
Table: LiveUpdate policy schedule options
|Frequency||Specifies how often to schedule clients to run LiveUpdate to download the latest updates. The specific time option is available for both Daily and Weekly settings. The specific day option is available for the Weekly setting only.
The Continuous setting causes the client computers that are infrequently powered on or that infrequently communicate with a management server to get the latest updates. They get the latest updates when they connect to the network and authenticate to a Symantec Endpoint Protection Manager.
|Retry Interval||Specifies the number of hours to keep trying to run LiveUpdate if the schedule run of LiveUpdate failed for some reason.|
|Download Randomization Options||Specifies a randomization option. You can stagger the updates, plus or minus the value that is specified, to minimize the impact on network traffic. By default, Symantec Endpoint Protection randomizes the LiveUpdate sessions to minimize bandwidth spikes.|
LiveUpdate Settings policy advanced settings
This panel lets you specify the control to give end users with using LiveUpdate on client computers. You must understand the relationship between these settings and product updates.
Table: LiveUpdate client security settings
|Product Update Settings||Download product updates using LiveUpdate Downloads and installs client software updates automatically when users click LiveUpdate or when a scheduled LiveUpdate session runs. When disabled, prevents downloading and installing client software updates, even if another Symantec product runs LiveUpdate on the client computer.
If the LiveUpdate Settings policy specifies that clients download updates from a Symantec Endpoint Protection Manager or Group Update Provider, the updates are in the form of microdefs. If the LiveUpdate Settings policy specifies that clients download updates from a LiveUpdate server, the updates are in the form of MSP (patch) files.
This setting lets you control client software versions. When this setting is disabled, client software can only be manually updated with the Symantec Endpoint Protection Manager Console. When the Symantec Endpoint Protection Manager downloads and processes patches, it creates a microdef, which automatically appears as a new package. The new package appears in the Client Install Packages pane. You can then select the package, and use the Upgrade Groups with Package feature.
- Security Definitions
This panel lets you select the type of updates that can be installed on Symantec Endpoint Protection clients. Use latest available specifies to install the latest update available from Symantec. Use named version lets you test an update first before installing it on clients, and also lets you rollback to a previous version if necessary.
The definitions and content types that you select must also be downloaded to the Symantec Endpoint Protection Manager if the Symantec Endpoint Protection Manager is the only update provider. You specify what is downloaded to the Symantec Endpoint Protection Manager with the local site server property settings for LiveUpdate.
Online Help - SEPM
Overview - Policies www.symantec.com/docs/TECH104436
Antivirus and Antispyware www.symantec.com/docs/TECH104430
Application and Device Control www.symantec.com/docs/TECH104431
Centralized Exceptions www.symantec.com/docs/TECH104432
Intrusion Prevention www.symantec.com/docs/TECH104434