
Migrating / Moving SEE Clients from one SEE Management Server to another (Moving SEE Client from old SEEMS Database to a *net-new* SEEMS Database)


Article ID: 163292


Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

If Symantec Endpoint Encryption (SEE) client machines are 'migrated' from one SEE environment to another, typically by running an over-the-top upgrade using client installers from the new SEE environment, this hinders a Help Desk assisted recovery procedure on the endpoint when it is performed in conjunction with the server-side Help Desk console of the new SEE environment.

Definition: A SEE environment is one in which all SEE Management Servers (SEEMS servers) are connected to the same backend SQL database. Two separate SEE environments have two completely different backend SQL databases that are not synchronized in any fashion. Because the SEE databases are separate, the SEE Clients are also unique and tied to their specific Management Servers.

This KB will discuss how to ensure the SEE Clients can be moved from one SEE database to another, and still perform recovery.

Cause

"Incorrect Authentication. Try Again"

Resolution

Symantec Endpoint Encryption Clients are unique and tied to a specific SEE Management Server, because unique encryption keys are configured for each environment. When moving from one SEE database to another, it is necessary to create a new SEE Client that builds in these unique encryption keys. This matters because SEE can perform Connectionless Recovery, and this process reinstates these keys properly.

This guide will have two sections as listed in the Table of Contents to go through this entire process:


Section 1 of 2: Creating a new SEE Client from the new SEE Database Environment and deploying to the endpoints

This process will go over creating a new SEE Client and how to deploy it in the scenario where a completely new SQL Database has been created and the new Symantec Endpoint Encryption Management Server has been installed and configured.

Migration of Symantec Endpoint Encryption Clients may be done while the drive is still encrypted.


Symantec Endpoint Encryption Windows Clients 

1. From the new Symantec Endpoint Encryption Manager, create a new Management Agent Client with updated communication settings.

2. From the client machine, open Command Prompt as Administrator and run the following command to upgrade the Management Agent Client (replace <path to .msi> with the full path to the install file, for example SEEClientinstall.msi).

If you are upgrading from an older version of Symantec Endpoint Encryption to a newer version, such as SEE Client 11.3.1 to SEE Client 11.4, run the following command to deploy:

msiexec /i "<path to .msi>"


If you are installing over the top with the same version, see the following article for a "Repair" option.

151446 - Instructions for repairing Symantec Endpoint Encryption

Tip: Because this is a good opportunity to upgrade your clients at the same time, the "Repair" option is less recommended. Rather than doing a "Repair", perform an upgrade for best results.

3. When prompted, reboot the client machine.

The client machine should now be checking in with the new Symantec Endpoint Encryption Management Server.
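The Windows client upgrade in steps 2 and 3 above, wrapped as a PowerShell deployment script. This is an added example, not code from this article or from Broadcom: it assumes $MsiPath points at the Management Agent Client MSI created from the new server in step 1, and relies only on standard msiexec switches and documented Windows Installer exit codes.

```powershell
# Added example (not from the KB): over-the-top upgrade of the SEE Windows
# client with the MSI exported from the new SEE Management Server.
# Assumption: $MsiPath is the client MSI built in Section 1, step 1.
param(
    [Parameter(Mandatory = $true)][string]$MsiPath,
    [string]$LogDir = "$env:ProgramData\SEEMigration"
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "Client MSI not found: $MsiPath"
}
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("SEEClientUpgrade_{0:yyyyMMdd_HHmmss}.log" -f (Get-Date))

# /i installs (upgrades in place when the MSI is a newer version), /qn runs
# silently, /norestart leaves the reboot to the operator (step 3), and /l*v
# keeps a verbose log to review if the client never checks in afterwards.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# Documented Windows Installer return codes; anything else is a failure.
switch ($proc.ExitCode) {
    0    { Write-Output "Upgrade completed; no reboot was requested." }
    3010 { Write-Output "Upgrade completed; reboot the client now (step 3)." }   # ERROR_SUCCESS_REBOOT_REQUIRED
    1641 { Write-Output "Upgrade completed; the installer initiated a reboot." } # ERROR_SUCCESS_REBOOT_INITIATED
    1638 { throw "Same version already installed; use Repair (article 151446) or a newer client build." } # ERROR_PRODUCT_VERSION
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}
```

After the reboot, confirm the machine appears in the new server's Computer Status Report before moving on to the policy changes in the next section.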



Symantec Endpoint Encryption for FileVault Clients:

1. From the new Symantec Endpoint Encryption Management Server, create a new Mac FileVault Client with the new communication settings.

2. Double-click the newly created Mac FileVault Client and follow the prompts to update the client machine. A reboot is not necessary.

The client machine should now be checking in with the new Symantec Endpoint Encryption Management Server.

The solution is to disable and re-enable the following settings through policy (either through SEE Native Policies or through GPO):

Policy setting 1: Enable Help Desk Recovery

Policy setting 2: Help Desk Recovery Communication Unlock  (if this feature is in use)

Once the new SEE Client from the new SEE database has been installed over the top of the old SEE Client from the old SEE database, the clients start checking in with the new SEE Management Server. In whatever policy the clients are checking in to, disable the two policy settings above. This clears the old recovery key set from the old SEE database.

Once all the new SEE Clients have done this and are successfully checking in, enable the two settings above; the next time the clients check in, the new recovery keys are reinstated.


Steps to accomplish the above

Step 1: Once you have installed the SEE Client from the new database/environment, uncheck the two settings on the new server and save the policy.

Step 2: Once the policy above has been unchecked, have all your SEE Clients check in to the new SEE Management Server.

SEE Clients can check in manually via the SEE Management Agent, or they check in automatically at the check-in interval (the default is every 60 minutes).

Step 3: Check the Computer Status Report to validate that all the clients have checked in *after* this new policy update has gone into effect.

Step 4: Once you have validated that all the SEE Clients have checked in after this policy update, re-enable the two settings on the SEE Management Server by checking the two boxes (make sure to save these settings).

Step 5: Check in with the SEE Client again.

Step 6: Once you validate that all the SEE Clients have checked in, the recovery keys will have been recalculated for the new SEE Clients and all should be working again.

The above steps reset the Help Desk settings properly on the endpoint so that it can successfully complete a Help Desk recovery procedure in conjunction with the server-side Help Desk console of the new SEE environment.


Additional Information

Scenario 1:
163292 - Migrating from one SEE Management Server to another (Completely new SEE Database)

Scenario 2: (PGP to SEE)
227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)

Scenario 3: Moving SEE Clients from the same database to another SEE Management Server with the same Database
154122 - How to Migrate Symantec Endpoint Encryption Management Console and all the clients from one Server to another Server, without moving the existing SQL Server

Scenario 4: Moving same SEE database from one DB instance to another
152340 - How to move the SEE-MS SQL database from one server/instance to another

Scenario 5: Moving from one SEE database to a completely different SEE database.
178631 - How to migrate Symantec Endpoint Encryption version 11 Clients from one Management Server to another
