A base drive image with Symantec Endpoint Protection installed as a managed client is needed for deployment to multiple systems.
To successfully create a drive image with a Symantec Endpoint Protection for Macintosh client, follow these steps:
- Install Mac OS X, updates and other applications to the Macintosh that will act as the source (or base) of your disk image. Configure as necessary and desired.
- Install an unmanaged Symantec Endpoint Protection client. Restart when prompted. This base image will be prepared with an unmanaged client and a communications settings file (below, if desired). When another machine that is prepared with this image (a clone) starts for the first time, it can use this settings file to convert SEP to a managed client with unique hardware identifiers. If an unmanaged client is the desired end result for clones, skip to step 6.
- In your Symantec Endpoint Protection Manager choose a client group that you wish your clones to be a member of. Right-click the desired client group and choose "Export Communications Settings..." and save the SyLink.xml file.
The following steps are to be performed only when you are ready to capture an image of this base system drive:
- On the Macintosh base image machine, for SEP 12.1 RU4 and newer, run the following command to stop the symdaemon service:
sudo launchctl unload /Library/LaunchDaemons/com.symantec.symdaemon.*plist
(NOTE: the asterisk in daemon pathnames will accommodate suffix variations - SEP 12.1.x uses .plist and SEP 14.0 uses .NFM.plist)
- Back up or rename /Library/Application Support/Symantec/SMC/SyLink.xml and replace it with the exported SyLink.xml file. Do NOT restart the Macintosh at this point; otherwise SEP will be converted to a managed client that is unsuitable for cloning. If further restarts are necessary for base image maintenance, first restore the unmanaged SyLink.xml that was backed up in step 5. Otherwise you will have to uninstall the SEP client and repeat steps 2-5 before re-capturing the base image.
- Capture/save an image of this Macintosh's system drive, using the preferred tools and methods.
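The pre-capture steps above can be scripted so the unmanaged SyLink.xml is never lost and the swap is not applied twice. This is an added example, not Symantec's own tooling; the script name prep_capture.sh, the function names and the .unmanaged backup suffix are assumptions, while the paths are the ones given in the steps.

```shell
#!/bin/sh
# Added example: pre-capture SyLink.xml swap for a SEP for Mac base image.
# Run as root on the base machine: sh prep_capture.sh /path/to/exported/SyLink.xml
# Function names and the .unmanaged backup suffix are assumptions of this example.
SMC_DIR="${SMC_DIR:-/Library/Application Support/Symantec/SMC}"

stop_symdaemon() {
    # launchctl exists only on macOS; skip quietly elsewhere (dry runs).
    command -v launchctl >/dev/null 2>&1 || return 0
    for plist in /Library/LaunchDaemons/com.symantec.symdaemon.*plist; do
        [ -e "$plist" ] && launchctl unload "$plist"
    done
    return 0
}

swap_sylink() {
    exported="$1"                        # SyLink.xml exported from the SEPM group
    current="$SMC_DIR/SyLink.xml"
    backup="$SMC_DIR/SyLink.xml.unmanaged"
    [ -s "$exported" ] || { echo "exported SyLink.xml missing or empty" >&2; return 1; }
    [ -f "$current" ] || { echo "no SyLink.xml in $SMC_DIR" >&2; return 1; }
    # An existing backup means the swap already happened; overwriting it would
    # destroy the unmanaged file needed for later base image maintenance.
    [ ! -e "$backup" ] || { echo "backup already exists, refusing" >&2; return 2; }
    cp -p "$current" "$backup" || return 1
    cp "$exported" "$current" || return 1
    cmp -s "$exported" "$current"        # confirm the managed settings are in place
}

restore_unmanaged() {
    # Use before any restart needed for base image maintenance.
    backup="$SMC_DIR/SyLink.xml.unmanaged"
    [ -f "$backup" ] || { echo "no unmanaged backup to restore" >&2; return 1; }
    mv "$backup" "$SMC_DIR/SyLink.xml"
}

if [ "$#" -ge 1 ]; then
    stop_symdaemon && swap_sylink "$1" && echo "Ready to capture. Do not restart."
fi
```

Setting SMC_DIR to a scratch directory lets the swap and restore be rehearsed without touching the live client.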
Once the image has been created, it can be deployed to a new Macintosh for use in a production environment. When preparing this Macintosh, follow these steps:
- Write the image to the target Macintosh using the preferred tools and methods.
- Restart the Macintosh normally. The SEP client will use the SyLink.xml file to connect to the SEPM.
- Change the Computer Name in the Sharing preference pane in System Preferences.
It is OK if different Macintoshes check in initially with the same name to the SEPM. The SEPM differentiates between different clients by using unique hardware identifiers generated at the client. Updating client names or networking information will update (on the next heartbeat) the corresponding unique client entry in the SEPM.