How to prevent users from changing settings within the Symantec Endpoint Protection client (such as stopping scheduled scans, disabling Auto-Protect, etc.) through policy.
1. Preventing users from changing policy elements.
Symantec Endpoint Protection Manager (SEPM) enables you to lock all important settings individually. Administrators can decide what to allow users to change and what must not be changed.
Edit any policy. Next to policy settings is a padlock icon. If it shows as locked, that means that the option cannot be changed from the client side.
If it shows as unlocked, then that setting can be changed from the client side.
NOTE: In order for these settings to be applied correctly on the clients, the policy on client machines must be updated.
2. Locking the client user interface:
Enhance users’ experience with SEP user interface by opening Clients and going to Policies tab in the SEPM. Expand Location-specific settings and click on the link next to Client User Interface Control Settings.
3. Options to choose from:
- Client control gives all the control to the client. Users will be able to change all settings just like on an unmanaged client although the client machine will remain managed and in contact with the SEPM.
- In Server control, choose (click on Customize…) helps on which elements of user interface will be available for the users.
Please note : The First 2 options: Display the notification area icon (when unchecked, will make the Symantec system tray icon disappear, but the client still will be able to be opened from the Start menu or from a shortcut) and Display the client (when unchecked client GUI will not be displayed and if SEP is selected in the Start menu it will give the error message below).
- Mixed mode will allow us to select exactly which elements should be controlled by the administrator and which by the users. To edit the settings on Client User Interface Settings tab, leave the corresponding setting on the tab Client/Server Control Settings on the server’s side.
Please Note: These settings are assigned to locations and not to groups. Better, incase of multiple locations for the groups where it could be changed for every one of them.
SEP can also be installed to a client without putting the SEP icon in the Start Menu. When the installation package is exported use custom Client Installation Settings with Add the program to the Start Menu option unchecked:
3. Securing the client
Protect the user interface and some actions on SEP client by using a password. Open the clients window and select the group, go to the Policies tab. In the part called Location-independent Policies and Settings, click on General setting, select Security Settings tab.
To Protect, set a password.
To be sure that Symantec software is protected from shutting down you can setup Tamper Protection. In the same window go to Tamper Protection Tab and select the action (block or log only) executed when Tamper Protection detects an attempt to tamper SEP process.
More information about tamper protection can be found here: How to configure Tamper Protection in Symantec Endpoint Protection 11.0