Location Awareness Logic
Article ID: 178026
Updated On:
Products
Endpoint Protection
Issue/Introduction
How does Location Awareness determine what location to assign a Symantec Endpoint Protection (SEP) client?
Resolution
Location Awareness Logic during the boot process is as follows:
- SMC starts up and loads the policy profile.
- If "Remember last location" is set the location where client is in when the Symantec Management Client (SMC) stopped will be treated as the current location. If this is not set then the client will start in the specified default location. Once a location is set; however, it is considered the current location until the system configuration changes or SMC is restarted.
- To configure this behavior go to: Symantec Endpoint Protection Manager (SEPM)->Clients->select a client group->Policies tab->General Settings->General Settings tab->Remember the last location checkbox.
- To configure this behavior go to: Symantec Endpoint Protection Manager (SEPM)->Clients->select a client group->Policies tab->General Settings->General Settings tab->Remember the last location checkbox.
- If "Remember last location" is set the location where client is in when the Symantec Management Client (SMC) stopped will be treated as the current location. If this is not set then the client will start in the specified default location. Once a location is set; however, it is considered the current location until the system configuration changes or SMC is restarted.
- SMC locks Sylink and then queries registration information from the Operating System, including computer/domain names.
- When an application requests the computer name/domain information from a Domain computer, the Operating System will attempt to contact its domain controller(s). If it fails to connect, it will attempt connection to the next one on the list. If all fail, it has to go through the entire list and time-out on each one before giving cached name/domain information to the requesting application.
- It is necessary (as a managed product) to gather basic workstation identifying information on startup (name/domain) as early as possible for client-to-manager communication to work correctly. It is outside of our control how the Operating System responds to this information request.
- SMC unlocks Sylink once the registration information is received and allows the continuation of the location switching process
- When an application requests the computer name/domain information from a Domain computer, the Operating System will attempt to contact its domain controller(s). If it fails to connect, it will attempt connection to the next one on the list. If all fail, it has to go through the entire list and time-out on each one before giving cached name/domain information to the requesting application.
- Location Awareness then performs a location check & assigns location.
- Caveats:
- The location switching process starts by setting all locations to a score of 0.
- Scores are per-location not per-criteria. Each location evaluates to either "match" or "no match."
- Scoring:
- If a location is the current location: +10
- If a location matches the current system configuration: +15
- If a location does not match the current system configuration: -15
- If a location has no criteria defined: +0
- Conflict resolution:
- If the highest score is achieved by two (or more) locations the highest-ordered location is chosen unless one is the default. If one is the default then that location is chosen.
- If the highest score is achieved by two (or more) locations the highest-ordered location is chosen unless one is the default. If one is the default then that location is chosen.
- Caveats:
- After boot process is complete, location is assigned by policy constraint matching
Technical Information
EXAMPLE:
In this example situation there are 2 locations, LAN and Foreign.
- LAN is the last used location and is defined by being able to connect to a specific list of Gateways
- Foreign is a catch-all, undefined, location
- SMC starts and loads the policy profile
- SMC locks Sylink & queries the Operating System for registration information
- When an application requests the computer name/domain information from a Domain computer, the Operating System will attempt to contact its domain controller(s). If it fails to connect, it will attempt connection to the next one on the list until it is able to reach one to get the requested information. If all fail, it has to go through the entire list and time-out on each one before giving the cached credentials to the requesting application.
- Once registration information is received SMC unlocks Sylink and continues on with the location switching process
- CHECK 1: LAN gets +10 points for being the last location
- This is due to the “Remember the last location” option being checked in the SEPM
- CHECK 2: LAN then loses 15 points for not matching the constraint criteria
- This is due to the Operating System not yet being able to connect to the DHCP server & being able to confirm DHCP resolution. At this point no gateway information currently exists, which is the rule constraint definition for the LAN location, thusly the check fails.
- CHECK 3: LAN = -5, Foreign = 0. Foreign location is the accurate location match as it has the higher score. Location switches to the Foreign location.
- Foreign location neither gains nor loses points due to there being no conditions on this location.
- After a few seconds DHCP resolution occurs. The computer now has a gateway that matches the criteria for the LAN location.
- AutoLocation Switching then switches the location to LAN.
Feedback
Yes
No
Powered by
