Preparing Windows and Mac computers for remote deployment of Endpoint Protection

Article ID: 185278

Products

Endpoint Protection

Issue/Introduction

You need to prepare computers for remote deployment of Symantec Endpoint Protection (SEP).

Resolution

Before you deploy Symantec Endpoint Protection (SEP) from Symantec Endpoint Protection Manager (SEPM), you must take steps to prepare the computers to ensure a successful remote installation. These steps pertain only to remote installation. You can reverse these changes afterward, but you must apply them again to perform another remote installation.

The table "Tasks to prepare all computers for remote deployment" lists the tasks that you must perform on all computers to which you plan to remotely deploy the Symantec Endpoint Protection client.

The table "Windows remote deployment preparation tasks" lists the additional tasks that you must perform on Windows computers. See your Windows documentation for more information on any tasks you do not know how to perform.

The table "Mac remote deployment preparation tasks" lists the additional tasks that you must perform on Mac computers. See your Mac documentation for more information on any tasks you do not know how to perform.

Note: You cannot deploy the Symantec Endpoint Protection client to Linux computers remotely from Symantec Endpoint Protection Manager.

Table: Tasks to prepare all computers for remote deployment

Task

Details

Have administrative rights to your client computers

If the client computer is part of an Active Directory domain, you should use domain administrator account credentials for a remote push installation. Otherwise, have the administrator credentials available for each computer to which you deploy.

Modify firewall settings

Modify firewall settings to allow communication between Symantec Endpoint Protection components.

See Communication ports for Symantec Endpoint Protection.

Uninstall Symantec Endpoint Protection clients that do not uninstall normally

As of version 14, you can uninstall an existing installation of the Symantec Endpoint Protection client for Windows. You should only use this option if the existing Symantec Endpoint Protection installation does not uninstall normally. You should not use this option as part of a standard deployment.

You configure this tool before you deploy, and the uninstallation occurs before Symantec Endpoint Protection installs.

See Configuring client packages to uninstall existing security software.

Uninstall unsupported or consumer Symantec security software

Uninstall any unsupported Symantec security software, such as Symantec AntiVirus or Symantec Client Security. Migration directly from these products is not supported.

You must also uninstall any consumer-branded Symantec security products, such as Norton Internet Security.

See the documentation for your Symantec software for information about uninstallation.

See Supported upgrade paths to the latest version of Symantec Endpoint Protection 14.x.

Table: Windows remote deployment preparation tasks

Operating system

Tasks

Prepare Windows Vista, Windows 7, or Windows Server 2008 / 2008 R2 computers

Windows User Account Control blocks local administrative accounts from remotely accessing administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable UAC remote restrictions through the LocalAccountTokenFilterPolicy registry value.

To disable UAC remote restrictions, see:

http://support.microsoft.com/kb/951016

Perform the following tasks:

  • Disable the Sharing Wizard.

    The Sharing Wizard prevents more advanced sharing options from working during Remote Push.

  • Enable network discovery by using the Network and Sharing Center.

    Network discovery lets you browse the network. You do not need it to search the network.

  • Enable the built-in administrator account and assign a password to the account.

    Remote Push fails when the local administrator account has a blank password.

    If the Windows client computer is part of an Active Directory domain, use domain administrator account credentials with local administrator privileges for Remote Push.

  • Verify that the account with which you push the installation has administrator privileges.

  • Enable and start the Remote Registry service.

  • Disable or remove Windows Defender.

Consult the operating system's documentation for guidance on how to successfully complete these tasks.

Prepare Windows 8 / 8.1 or later, or Windows Server 2012 / 2012 R2 or later computers

Before you deploy, perform the following tasks:

  • Disable UAC remote restrictions through the LocalAccountTokenFilterPolicy registry value.

    To disable UAC remote restrictions, see:

    http://support.microsoft.com/kb/951016

  • Enable and start the Remote Registry service.

  • Disable or remove Windows Defender.
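
The following added example (not part of the original article or of Symantec's tooling) reports whether the Windows preparation settings above are currently applied on a client and reverses them once the push installation is done. It assumes PowerShell 3.0 or later in an elevated session; the function names are hypothetical, and the registry value follows KB951016, which sets LocalAccountTokenFilterPolicy to 1 to disable UAC remote restrictions.

```powershell
# Added example: audit and revert the Windows remote-push preparation settings.
# Function names are hypothetical. Run in an elevated session on the client.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'LocalAccountTokenFilterPolicy'

function Get-SepPushPrepState {
    # Absent or 0: UAC remote restrictions are in effect (the Windows default).
    # 1: local administrators receive a full token over the network.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    $tokenPolicy = if ($item) { [int]$item.$ValueName } else { $null }

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    # The built-in Administrator account always has a SID ending in -500.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        UacRemoteRestrictionsOff    = ($tokenPolicy -eq 1)
        RemoteRegistryState         = $svc.State
        RemoteRegistryStartMode     = $svc.StartMode
        BuiltinAdministratorEnabled = if ($admin) { -not $admin.Disabled } else { $null }
    }
}

function Restore-SepPushPrepState {
    param(
        # Start type to put back on Remote Registry. 'Disabled' is an assumption;
        # pass the value that Get-SepPushPrepState reported before preparation.
        [ValidateSet('Disabled', 'Manual', 'Automatic')]
        [string]$RemoteRegistryStartupType = 'Disabled'
    )
    # Put UAC remote restrictions for local accounts back in effect.
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value 0 -Type DWord
    Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
    Set-Service -Name RemoteRegistry -StartupType $RemoteRegistryStartupType
    Get-SepPushPrepState   # return the state after the revert for the change record
}

# Record the state before preparation and again after Restore-SepPushPrepState.
Get-SepPushPrepState | Format-List
```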

Table: Mac remote deployment preparation tasks

Operating system

Tasks

Prepare the Mac computers on any supported operating system

Before you deploy, perform the following tasks on the Mac computers:

  • Click System Preferences > Sharing > Remote Login and either allow access for all users, or only for specific users, such as Administrators.

  • If you use the Mac firewall, disable stealth mode. With stealth mode enabled, the remote push installation cannot discover the client through Search Network.
    To disable stealth mode on the Mac, see the following article and select your version of the Mac operating system: "Use stealth mode to keep your Mac more secure".

  • Ensure that the firewall does not block the port that Secure Shell (SSH) uses. By default, this port is TCP port 22. This port allows the required communication for remote logon.

  • The Bonjour service does not support IPv6 networking. To ensure that Browse Network or Search Network displays these Macs, ensure that they also have IPv4 networking enabled.

    IPv6 networking is supported as of 14.2.

See Communication ports for Symantec Endpoint Protection.

See Installing Symantec Endpoint Protection clients with Remote Push.

See Preparing for client installation.