Definition
Symantec Endpoint Protection Manager (SEPM) is the on-premises management server for SEP agents. It runs on Windows Server with a SQL Server backend, replicates between sites for high availability, and provides policy management, reporting, and incident management. SEPM is still fully supported by Broadcom but is in active retirement: new endpoint deployments use the cloud-managed SES Complete tenant instead, and existing SEPM customers are migrating in waves. The migration converts agents in place (no re-image, no reinstall) by pushing a configuration change that switches each agent from SEPM-managed to cloud-managed. SEPM is decommissioned only after all agents are reporting in to SES Complete and policy enforcement parity has held for 2+ weeks. See our migration playbook.
Symantec products that implement this
- Symantec Endpoint Security - AI-driven malware prevention, EDR, application control, and device control across every endpoint - Windows, macOS, Linux, mobile. Cloud-managed (SES Complete) or on-prem (SEPM).
Related terms
- SEP (Symantec Endpoint Protection) - Symantec's historical endpoint protection product (now branded SES); also refers to the on-prem agent managed by SEPM.
- SES (Symantec Endpoint Security) - Modern brand name for Symantec's endpoint security platform; SES Complete is the cloud-managed SKU including EDR.
Deep-dives on SEPM
- Migrating SEPM 14.x to SES Complete: the engineer's playbook - A real-world playbook for moving from on-prem SEPM 14.x to cloud-managed SES Complete. Discovery, tenant prep, agent conversion, policy migr…
- Symantec licensing in 2026: what each SKU includes (and what it does not) - The Broadcom licensing model for Symantec products is dense. A buyer-side guide to what is actually included in SES Complete, DLP, Cloud SWG…