How to block all Wireless traffic while an Ethernet interface is connected using the Symantec Endpoint Protection (SEP) 14.x agent.

There are two ways to accomplish the requirement:

1. Using a Firewall policy to block wireless traffic.
2. Using an Application and Device control policy to disable the wireless traffic.
   
   Using location awareness, set up locations as "Ethernet" and "Wireless", this is required for implementing both methods. See below for instructions for setting up the locations and followed by instructions for blocking the wireless traffic while an Ethernet interface is connected using Symantec Endpoint Protection 14.x.

Setting up automatic location switching: 

1. 1. Select Clients> Policies in the Symantec Endpoint Protection Manager console.
   2. To add the “Ethernet” location, Under "Tasks", select Add Locations.
   3. In "Specify Location Name" type: Ethernet
   4. Click Next.
   5. Under "Specify the Condition", select Network Connection Type.
   6. Under "Connection Type" select Ethernet.
   7. Click Next> Finish.
   8. To add the “Wireless” location, Under "Tasks", select Add Locations.
   9. In "Specify Location Name" type: Wireless
   10. Click Next.
   11. Under "Specify the Condition", select Network Connection Type.
   12. Under "Connection Type" select Wireless.
   13. Click Next> Finish.
   14. Select Manage Locations
   15. Select to highlight Wireless.
   16. Under "Switch to this location when:" select Client computer uses Wireless
   17. Click Add
   18. Select Add Criteria with AND Relationship.
   19. Under "Specify Location Criteria", select Network Connection Type
   20. Select If the client computer does not use the network connection type specified below.
   21. Select Ethernet.
   22. Click OK> OK.

           Note: By using the second requirement in the "Wireless location", the agent will switch away from this location as soon as an ethernet cable is attached.

Using a Firewall policy to block wireless traffic:

1. 1. Select Clients> Policies in the Symantec Endpoint Protection Manager console.
   2. Under "View Policies", select Firewall.
   3. Double click the Firewall Policy for the "Ethernet" location.
   4. Select Rules on the left
   5. Click the "Add a new Blank Rule." button on the lower right side of the window.
   6. Select the Blank Rule made in the previous step and move it to the top of the rule list.
   7. Double click Action and select Block.
   8. Double click Adapter and select Wireless.
   9. Leave "Application", "Host", "Service" and "Time" as Any.
   10. Click OK. The action is now completed.

             Note: When using this method some initial packets (like DHCP) can still be sent over the Wireless interface while the agent is in the Ethernet location.

Using an Application and Device control policy to disable the wireless traffic

The "Device ID" string will have a format similar to the following:
PCI\VEN_8086&DEV_4220&SUBSYS_27128086&REV_03\1&F31B64E&0&21BC

Note: Wildcards can be used for the Device ID, and it is recommended to shorten the string enough to match all hardware of the same model.
For example: PCI\VEN_8086&DEV_4220&SUBSYS_27128086* OR PCI\VEN_8086&DEV

Once the "Device ID" string has been found using the DevViewer tool

1. Open the Symantec Endpoint Protection Manager console and navigate to the "Policies" tab
2. Expand the Policy Components list and select Hardware Devices.
3. Select Add Hardware Device and enter the <name> paste in the <Device ID> string for the wireless adapter (Do not enter as "Class ID")
4. Go to Clients> Policies in the console.
5. Create a new (or edit the existing) "Application and Device Control Policy" for the Ethernet location.
6. Select Device Control and add the newly created Hardware Device to the "Blocked Devices" list.