5 Replies Latest reply on Sep 12, 2011 2:50 AM by whgibbo

    Moving Encrypted Asset between ePO Servers

      Product Versions:

      ePO 4.5.4 HF1

      MA 4.5

      EE 6.1.1

       

      Scenario:

      Asset - Laptop1

      Servers - ePO1 and ePO2

       

      Deploy EE and encrypt Laptop1 without PBA or SSO from ePO1. Then remove Laptop1 from ePO1 system tree and uninstall ePO1 MA from Laptop1. Then install MA from ePO2 on Laptop1.

       

      Question:

       

      Based on the above scenario would it be possible to manage EE of Laptop1 from ePO2, I have not tested this hence the question but I assume NO because the encryption keys are held within ePO1 database. If this is true is their a way to restore this information from ePO1 to ePO2 which would enable the management of EE on Laptop1 from ePO2 eg. policy changes, decryption ect.

       

      Thank you

        • 1. Re: Moving Encrypted Asset between ePO Servers
          whgibbo

          Hi,

          You can transfer a system from one ePO server to another, using the transfer systems.. 

          • From the System Tree
          • Select Actions
          • Select Transfer Systems.

           

          You will need to refer to the ePO documentation on how to set this up.  From an EEPC prospective, the following will happen..

          1. After the first wakeup agent or ASCI, the McAfee Agent will be told to transfer to the new ePO server.  At this point the keys will still be managed by the existing ePO server..  So you will be able to export the recovery information (until the machine is removed from ePO), so worth exporting the recovery information prior to the export.
          2. The machine will then appear on the new ePO server, but no wakeup or ASCI performed on the client from the new server.  So keys still managed be existing ePO server, along with policies and users.
          3. wake up agent or asci from new ePO server, keys will be sent to new ePO server.  Once confirmation that the keys have been stored, the machine will now enforce the policies and user assignments from the new ePO server.  From this point administrator recovery and export recovery information can be done from this server.

           

          Hope that helps.

          • 2. Re: Moving Encrypted Asset between ePO Servers

            Thanks for the reply.

             

            Say for arguments sake the following happened:

             

            Laptop1 was encrypted from ePO1 using a MA installed from ePO1. After the encryption the MA was uninstalled from Laptop1 (ePO1 agent) and the ePO2 agent was installed.

             

            How would one then manage EE from ePO2 for Laptop1? Is it possible? Should EEadmin and EEPC be re-deployed from ePO2 for this to work?

            • 3. Re: Moving Encrypted Asset between ePO Servers
              whgibbo

              Good Question

               

              The answer is the same, the EE agent will detect that the server has changed and react in the same way as if you did a system transfer.

               

              There is no need to re-deploy the EEAgent and EEPC from the ePO2.

              • 4. Re: Moving Encrypted Asset between ePO Servers
                SCtbe

                Interesting information when compared to official EEPC FAQ from KB66700, section Functionality and question "Can I migrate EEPC 6.x clients to a different ePO server?"

                It seems that version 6.x in this context mean 6.0 not 6.1.

                • 5. Re: Moving Encrypted Asset between ePO Servers
                  whgibbo

                  Looks like this document is out of date with regards to the transfer of systems..  I'll try and get this corrected.. 

                   

                  Many thanks