A managed Endpoint Protection client will not change group or domain membership after some operations
Last Updated September 30, 2017
A managed Symantec Endpoint Protection (SEP) client will not change group or domain membership in SEP Manager (SEPM )after some operations, such as importing new communications settings (SyLink.xml) or re-installing or upgrading the client with a new package exported from the SEPM.
NOTE: "domain" in this article refers to a SEPM domain, not Active Directory.
If the SEP client is already registered with the SEPM then this behavior is by design and is meant to prevent unauthorized changes. Uninstalling a SEP client will also leave behind a Hardware ID that will be re-used in a new managed installation to re-establish any existing registration with the SEPM.
The client will move and join the appropriate group and domain, if the imported SyLink.xml points to a different SEPM (with which the client is not already registered).
To otherwise change the group or domain membership of an existing managed SEP client, use one of the following methods:
Use the move operation in the SEPM clients list (only available for changing groups, not domains). Simplest.
Delete the client's entry in the SEPM clients list, then deploy new communication settings to client *
Delete Hardware ID files from client, then deploy new communications settings to client **
Use the MoveClient tool in the Tools/NoSupport directory of the SEP product media.
* Deploying new communications settings to a client must be done before the next heartbeat with SEPM, otherwise the client will re-register with the SEPM using its current group/domain settings. This heartbeat can be prevented by running smc -stop at the client.
** How to prepare a SEP client for cloning describes how the Hardware ID files may be deleted from the client so that it will re-generate a new unique ID. Given a new SyLink.xml file, the client should then register with the correct group and domain. NOTE: SEP Linux and Macintosh clients use a simple hash of the MAC address and system disk identifier; the Hardware ID for these clients will not change given the same hardware. Macintosh and Linux clients will require deletion of any corresponding client entries from the SEPM before a new SyLink.xml will change group or domain settings.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe