krisbultinck
Level 7

Migration of Encrypted systems from EPO4.6.7 to new server with EPO5.1.1

Hey all,

I am preparing the migration of the current EPO4.6.7 server to the new EPO5.1.1 server.

Current server:

EPO4.6.7

EEPC 7.0.3

New server:

EPO 5.1.1

Drive Encryption 7.1.1

I am concerned about the way this will affect the encrypted systems and the users currently known on these systems.

I have searched these forums but cannot find a scenario that exactly matches the scenario that I am facing.

The users known in EEPC are created by the policy option "add local domain users", which adds all previous and current local domain users of the system.

I am planning on using the "transfer" option to move the clients from the current EPO to the new EPO.
McAfee KnowledgeBase - How to transfer/move computers from one ePO server to another

This document states in the beginning that this does not work for EEPC clients.

However, my testing proves differently: it works. User and password keep working after migrating a test workstation.

So now I am confused and would like to know more background information before using this on a large scale.

Reading through forum topics, I get the impression that the "transfer" option does not work for manually assigned users/groups.

I cannot find confirmation that users & passwords can be migrated when they are dynamically created by the policy option "add local domain users".

Is there anybody with a similar scenario that can share his experience?

Thanks in advance.

7 Replies
jmcleish
Level 13

Re: Migration of Encrypted systems from EPO4.6.7 to new server with EPO5.1.1

It has been said on a few occasions that users are not transferable and I have found this to be the case. I've tried to move clients between two ePO 4.6.7 servers and I need to manually re-assign the users and they need to log in with the default password again.

I don't use add local domain users so don't know how that would work.

I'm sure I have seen the key transfer to the new server once it starts its communications, but the only real way to test is to export the key from ePO and test decrypt/authorise etc. to check it does resend the key.

I would manually export the key for each machine out of your old server before transferring them as a precaution while testing.

However, I think if you are going to immediately upgrade then possibly the process of upgrading EEPC to a new version may also re-send the key to the server.

Check the mfeepe.log as the process is happening to confirm.

HTH

Jane

mblower
Level 9

Re: Migration of Encrypted systems from EPO4.6.7 to new server with EPO5.1.1

We have done this recently, transferred from one ePO server (4.6.6) to a new ePO server (5.1 hotfix 1).  Machines were encrypted with EEPC 6.2, 7.0.2, and 7.0.3. New ePO server has DE 7.1.

We used the "Transfer Systems" option, which worked well.  We were not using the "add local domain users" option on the old server, but we turned it on (on the new server) for the migration, and this maintained the users and passcodes/tokens.

The DE 7.1 on the new ePO server can manage the older versions of EEPC with no trouble. We are slowly upgrading the machines to DE 7.1 now.  We found that some machines need a BIOS upgrade before the new version (7.1) will work properly.

Hope this helps!

jmcleish
Level 13

Re: Migration of Encrypted systems from EPO4.6.7 to new server with EPO5.1.1

That's very interesting info- thanks.

Is there any chance you could list what models and BIOS version you had to upgrade to and how did you find out they needed upgraded - pre-boot smart check or just by deploying? (Last time I upgraded the BIOS's of our encrypted machines was when we initially deployed 6.0.2 (?) and I'm concerned as some are quite old)

Thanks very much.

0 Kudos
mblower
Level 9

Re: Migration of Encrypted systems from EPO4.6.7 to new server with EPO5.1.1

We found issues with the Dell Latitude E6410, anything lower than BIOS A11 had issues.  We were upgrading them from EEPC 6.2 to EEPC 7.0.3, and then to DE 7.1.  The issue occurred when we went from 6.2 to 7.0.3.

0 Kudos
mcafeenewb
Level 9

Re: Migration of Encrypted systems from EPO4.6.7 to new server with EPO5.1.1

I had a similar scenario; like the documents state, it is not supported. What I had noticed is that ePO and the clients will not process user assignments for a few agent server communications. The device will retain the current assignments in the PBFS until user assignments are processed between ePO and the client.

Here is one way to validate.

  • assign 4 users to a system in server 1
  • make sure the assignments get to the client
  • transfer the endpoint to server 2
  • now that the system is homed to server 2, look at the assigned users in ePO.
  • review assignments on client.
  • allow for a few agent server communications and review the assignments in ePO.

What I have found is since it is a new system, there are no users natively assigned to new systems. If your policy is set to auto assign, that is another story.

Remember, users are assigned from server to client, not client to server.

Also, keep in mind the user token. Once users are re-assigned, since this is a new ePO server their token data does not carry over. This means users will need to recreate passwords and recovery options.

Good luck

0 Kudos
jmcleish
Level 13

Re: Migration of Encrypted systems from EPO4.6.7 to new server with EPO5.1.1

Thanks for that info. Much appreciated

0 Kudos
krisbultinck
Level 7

Re: Migration of Encrypted systems from EPO4.6.7 to new server with EPO5.1.1

Thanks all for your replies.

Some with very similar circumstances and very helpful answers and tips.

0 Kudos