UPDATE: Before exporting the Business Suite profile, please ensure that Offload Scanning is turned off. Offload Scanning is currently not supported on F-Secure Elements Endpoint Protection (formerly PSB).
Many companies are moving away from having their own datacenters and dedicated IT teams, and are starting to move their infrastructure towards cloud-based solutions.
F-Secure is ready to help our partners achieve this with the cloud-managed Protection Service for Business (PSB). This solution does not need any dedicated servers to run a management portal; everything can be managed using a web browser.
For customers who are already using our on-premise Business Suite with Client Security, we can now offer an easy way to migrate the protected workstations to cloud-managed Computer Protection. Only a few quick and easy steps are required from the Business Suite administrator. In the simplest case, these are:
- Ensure that the end-company has a valid PSB account, with appropriate product subscriptions
- Import the migration Jar file into Policy Manager
- Configure the distribution with a valid PSB subscription key for the product and organization
- Distribute the Policies
For some organizations, though, some extra steps are needed. Many will want to transfer their configuration settings from Policy Manager to PSB, and that is now possible. It is even possible to automatically take different profiles into use, depending on the host device’s place in the organization’s Active Directory structure.
In the following description, we use Client Security and PSB Computer Protection as the example, but it is also possible to perform the same actions with Server Security and PSB Server Protection.
Ensure the end-company has a valid PSB account and subscriptions
For most customers, their Business Suite has been bought via a distributor or reseller. This distributor or reseller may already be selling PSB products, and should be contacted to order the required accounts and subscriptions for using PSB.
Export settings from Policy Manager
- Open Policy Manager Console
- Navigate to the relevant point in the domain tree
- Right click, and select “Export policy file for 14.x host”
- Save the exported file to a local drive.
Import Active Directory structure into PSB Portal (Optional)
If you need to have AD-specific profiles in PSB, it is necessary to manually import the AD structure. For this, you need access to the AD server and PowerShell. In some cases, you may not have login access to the Active Directory server, and you will need to ask your AD administrator to perform this action for you.
- Log in to the AD server
- Start PowerShell
- Execute:
    import-module activedirectory ; Get-ADOrganizationalUnit -filter "*" | %{ $_.DistinguishedName } | Out-File -Encoding utf8 -FilePath ad_hierarchy.txt
- Copy “ad_hierarchy.txt” to a local drive
- Log into the PSB Portal and select the correct organization (if needed)
- Navigate to the Profiles page and select the “Default profiles” tab
- At the side of “Active Directory”, click the “…” action menu
- Select “Upload Active Directory Structure”
- Select the previously created “ad_hierarchy.txt” file and click “Upload”
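A pre-upload check for the file produced by the export command above, added here as an example (it is not F-Secure's code): it flags lines that are not OU distinguished names or that are duplicated, so the administrator can review exactly which OU names leave the directory before uploading them. The function name Test-AdHierarchyFile and the example.local sample data are constructed for illustration.

```powershell
# Added example: sanity-check the OU export before uploading it to the portal.
# Test-AdHierarchyFile is a hypothetical helper name, not an F-Secure or AD cmdlet.
function Test-AdHierarchyFile {
    param([Parameter(Mandatory)][string]$Path)

    $seen = @{}
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path -Encoding UTF8) {
        $lineNo++
        $dn = $line.Trim()
        $problem = $null
        # Split on commas that are not escaped (AD writes a literal comma as "\,").
        $rdns = @($dn -split '(?<!\\),')
        if ($dn -eq '') {
            $problem = 'empty line'
        } elseif ($rdns[0] -notmatch '^OU=.+') {
            $problem = 'does not start with OU='
        } elseif ($rdns[-1] -notmatch '^DC=.+') {
            $problem = 'does not end in a DC= component'
        } elseif ($seen.ContainsKey($dn.ToLowerInvariant())) {
            $problem = 'duplicate entry'
        }
        if (-not $problem) { $seen[$dn.ToLowerInvariant()] = $true }
        [pscustomobject]@{
            Line    = $lineNo
            Depth   = @($rdns | Where-Object { $_ -match '^OU=' }).Count
            DN      = $dn
            Problem = $problem
        }
    }
}

# Constructed sample input (example.local is a placeholder domain).
$sample = Join-Path ([IO.Path]::GetTempPath()) 'ad_hierarchy_sample.txt'
@(
    'OU=Workstations,DC=example,DC=local'
    'OU=Finance,OU=Workstations,DC=example,DC=local'
    'OU=Sales\, EMEA,OU=Workstations,DC=example,DC=local'
    'CN=Computers,DC=example,DC=local'
    'OU=Finance,OU=Workstations,DC=example,DC=local'
) | Out-File -Encoding utf8 -FilePath $sample

$report = Test-AdHierarchyFile -Path $sample
$report | Sort-Object Depth, DN | Format-Table Line, Depth, Problem, DN -AutoSize
$bad = @($report | Where-Object Problem)
"{0} entries, {1} flagged for review" -f $report.Count, $bad.Count
```

To check a real export, call `Test-AdHierarchyFile -Path .\ad_hierarchy.txt` in place of the sample section.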
Create a new PSB profile and import the PM settings
To import PM settings, you first need to create a target profile. The easiest way to do this is to clone one of the existing profiles as a starting point.
- In PSB, navigate to the Profiles page and select the “All profiles” tab
- Find a suitable starting profile, and in the Action menu at the right side select “Clone profile”
- In the profile editor that is opened, enter a new name and description
- In the same editor, select “Import profile” from the action menu at the top right corner, and choose the file you previously exported from Policy Manager
- Save the profile
At this point we strongly suggest that the administrator carefully checks that the settings imported are suitable for deployment. While every care is taken during the import to merge the settings, it is the administrator’s responsibility to check this.
Make the new PSB profile the default for an Active Directory group (Optional)
If newly installed devices should be assigned a profile based on the device’s position in the AD structure, it is possible to set this in the PSB portal.
- Select the Profile page, and the “Default profiles” tab
- In the lower section of the displayed page, locate the AD group that you wish to set a default profile for
- At the right-hand side, click “Change”
- In the dialog that opens, select the correct default profile for each kind of device. If you are only using, for example, Computer Protection for Windows, it is okay to change just that profile.
- Click “Change”, and you will see on the page that the default profile has been changed for this AD group.
Import the migration Jar into Policy Manager and push to selected devices
In order to actually migrate Client Security, it is necessary to download the appropriate “Jar” file. These can be downloaded from the Help Center, and care should be taken to download the correct one for the PSB server that your PSB organization is located in.
Once you have the correct Jar:
- Start Policy Manager Console
- Navigate to the correct Domain branch in the hierarchy
- Go to the “Installation” page
- Under “Policy-based installations” click “Install” and then “Import”
- Select the Jar file you previously downloaded, and then click “Ok”
- In the “Installation options” dialog that opens, paste in the PSB Subscription Key. This can be found in your PSB account on the “Subscriptions” page.
- Change any other installation options as required. It is not necessary to restart the host device during the migration, but you might want to force the installation language.
- Once this is done, click “Distribute Policies” in the Policy Manager Console. This will instruct the Client Security installations to download the migration package and execute it.
Check that the device shows up in PSB Portal
After the host device has installed PSB Computer Protection via the migration package, the administrator should check that it is showing correctly in the PSB Portal.
- Log into the PSB Portal
- Select the “Devices” page
- Locate the device. It should show up with the hostname of the device, the same as it showed in Policy Manager.
- Check the assigned profile. This should be the “Default profile” configured on the Profiles page, and if an AD-specific profile was set earlier, it should match that profile.
- Check that the host device is shown as “Protected”.
We strongly recommend that the administrator tests this process fully with a test computer before applying the changes to the production environment.
We have prepared a demonstration video to show this process in action: Migrating Business Suite installations to Protection Service for Business
Please note, for security reasons, in this video we do not display the actual keycode used.