3 Replies Latest reply on Sep 16, 2013 9:44 AM by jmcleish

    EEPC 6.2 Migration to EPO 5.0.1 Server

      EEPC 6.2 Migration to EPO 5.0.1 Server

       

                      I just completed moving a handful of laptops running EEPC 6.2.1.315 from an old EPO server to a new EPO server and wanted to share my experience in case it's helpful to anyone.  We have an old EPO server running EPO 4.6.0.1029 along with about 20 PCs and laptops running EEPC 6.2.0.315.  We recently built a new EPO server running version 5.0.1.228 and recently imported the packages and extensions for EEPC 7.0.2.396.  We configured new EEPC policies and tasks on the new server rather than attempt to transfer them over.  The EEPC policies on each EPO server are a little different, but they both use the same Active Directory source for EEPC users.

       

                      I was told by a McAfee Support Engineer for EPO that in order to migrate the EEPC agents to the new EPO server, I would need to decrypt each unit before migrating it to the new EPO server.  Based on a few internet searches, including in this forum, I found evidence to indicate that prior to EEPC 6.2, that was true.  However, it appears that with EEPC 6.2 and higher, EEPC will upload the keys to a new EPO server.

       

                      Rather than registering the old EPO server with the new EPO server as a 'Registered Server' and using the 'Transfer Agent' functionality, I decided to just try deploying version 4.8 of the McAfee Agent from the new (5.0.1.228) EPO server to 'take ownership' of the agent.  Once the new agent was successfully installed and a wakeup call sent, the agent immediately received an inherited McAfee Agent Product Deployment Task that installed EEAgent and EEPC 7.0.2.396.  Sometimes the agent was still using an old repository list, and so the tasks would fail.  After a couple more wakeup calls, though, the agent would eventually get the current repository list and I would just use the ‘Run Client Task Now’ functionality to deploy the new EEPC components.

       

                      After the new policies applied, users had to set their EEPC password again and go back through self-recovery enrollment, but that wasn't a big deal for us.  I would imagine if you used the "Transfer Agent" functionality, the user's password and self-recovery information would also be transferred, but I am not sure as we did not test it.

       

                      I've completed this with about five laptops so far and have had great success.  This included Windows 7 Professional, Windows 7 Enterprise, and Windows XP operating systems.  Obviously, depending on how your policies are configured and what versions of EEPC/EPO you are using, your experience might vary.  However, because EEPC support on EPO 5.0.1 was just recently announced and added to the Product Compatibility List on August 30th, 2013, there wasn't a great deal of information available regarding migration of EEPC agents to EPO 5.x.

       

      Thanks,

      William

        • 1. Re: EEPC 6.2 Migration to EPO 5.0.1 Server
          jmcleish

          Thanks for posting that information as it may help other users.

           

          Can i ask if you have tested exporting the recovery information and checked that you can sucessfully decrypt the machines?

          Also, how are you assigning users to the system?

           

          Thanks

          • 2. Re: EEPC 6.2 Migration to EPO 5.0.1 Server

            Hi jmcleish,

             

                 Yes, I have tested the export of recovery information on two machines that were migrated.  One was a virtual machine for testing, and the other was a physical laptop; both Windows 7 Professional x64.  I exported the XML file from the new EPO server and then booted the machines into EETech.  I used the XML file to authenticate, authorized with the EETech Code, and began the decryption process.  I let it run through the entire decryption process and then confirmed that I was able to boot into Windows.  I'd suggest testing the process on a virtual machine first.

             

               As for user management, there are a couple AD groups that have access to all laptops.  Those AD groups contain only IT personnel.  Then, individual users are added as required.  In the migration, we just made sure the the proper users were added to Encryption Users on the new EPO server before migrating the agents.

             

            Thanks,

            William

            • 3. Re: EEPC 6.2 Migration to EPO 5.0.1 Server
              jmcleish

              Thanks William

               

              wmcglass wrote:

               

               

                  As for user management, there are a couple AD groups that have access to all laptops.  Those AD groups contain only IT personnel.  Then, individual users are added as required.  In the migration, we just made sure the the proper users were added to Encryption Users on the new EPO server before migrating the agents.

               

               

              So did you assign only the ad groups or also individual users?

               

              I'm asking because i'm about to have to transfer ~120 systems (v6.1.3 (well, they will be once i upgrade them))  that have 3 group admins and also indiviual users assigned to each system. when i transfer them over, i have to re-assign the individual users manually, which isn't going to be fun.

              Any chance you could please explain the "...the proper users were added to Encryption Users on the new EPO server" in more detail- how do you pre-stage the users?

               

              I noticed that when transferring systems from 4.5.4 to 4.6.6, if i had imported all my policies from 4.5.4 then when transferred, the systems would assign the correct policies. Just wondering if this is the same for individually assigned encrypted users.

               

              EDIT: wondering if this is a new feature of ePOv5

               

              Thanks

               

              Jane

               

              Message was edited by: jmcleish on 16/09/13 09:44:24 CDT