For Symantec 12.1, you want to isolate VDI client groups from policy changes to allow scheduled scans defined on different days or off hours.
With such a vast library to study, simply reviewing all of these documents and implementing changes will present a whole new set of challenges to each unique environment, let alone the known issues with Symantec Endpoint Protection.
Powered by an automated data collection process, it generates a report that provides a baseline evaluation of your security posture.
To run IPS without the firewall, you must withdraw the firewall policy to ensure IPS is protecting your network without forcing the use of the client firewall.
View best practices on Symantec SEP firewall settings here.
The article covers things like ensuring all SEP clients and SEPMs are running the latest maintenance release, using the Group Update Provider (GUP) for content distribution, and how to ensure out-of-date SEP clients still get incremental updates.
It even explains the best way to use an MS-SQL database for large environments.
You can add IPS using the Endpoint Protection Manager under Add/Remove Programs, and full Symantec IPS instructions are available here.
As for the firewall, in version 12.1 and later it is a separate function that does not need to be installed for IPS to function. For version 11, however, you must have the firewall running for IPS to work.
In 2009 a Small Business Edition (SBE) of SEP (version 11) was introduced. Endpoint incorporates a rules-based firewall, as well as an anti-malware technique that Symantec calls "generic exploit blocking".
The firewall is based on technology developed by Sygate Technologies, who were purchased by Symantec.
There are twelve best practices for security you should consider with SEP; I will list the top three here and link to the rest.