Migrating from Business Suite to WithSecure™ Elements Endpoint Protection

Background

Many companies are moving away from having their own datacenters and dedicated IT teams, and are starting to move their infrastructure towards cloud-based solutions.

WithSecure™ is ready to help our partners and customers achieve this, with the cloud-managed WithSecure™ Elements Endpoint Protection (Elements EPP). This solution does not need any dedicated servers to run a management portal, everything can be managed using a web-browser.

For customers who are already using our on-premise Business Suite with Client Security or Server Security, we can now offer an easy way to migrate the protected computers to cloud-managed Elements. Just a few quick and easy steps are required from the Business Suite administrator, in the simplest of cases it is:

Ensure that the end-company has a valid WithSecure™ Elements account, with appropriate product subscriptions
Import the migration Jar file into Policy Manager
Configure the distribution with a valid Elements EPP subscription key for the product and organization
Distribute the Policies

For some organizations though, some extra steps are needed. Many will want to transfer their configuration settings from the Policy Manager to WithSecure™ Elements EPP, and that is now possible. It is even possible to automatically take different profiles into use, even if you are using Active Directory.

In the following description, we use Client Security and WithSecure™ Elements EPP as the example, but it is also possible to perform the same actions with Server Security, including the Premium versions.

Ensure the end-company has a valid WithSecure™ Elements account and subscriptions

In order to migrate to WithSecure™ Elements EPP, the customer must have:

a valid login to the WithSecure™ Elements Security Center with Security Administration role.
a valid subscription for the replacement WithSecure™ Elements product.

For most customers, their Business Suite has been bought via a distributor or reseller. This distributor or reseller may already be selling the WithSecure™ Elements products, and should be contacted to order the required accounts and subscriptions for using WithSecure™ Elements EPP. Partners are able to order these via the WithSecure™ Partner Portal, and we recommend ordering the new licenses at the time when the Business Suite license is due for renewal.

Export settings from Policy Manager

For customers with customized profiles, it is natural that they would want to transfer these profiles to WithSecure™ Elements EPP, so they do not have to re-make all the changes manually. This can be achieved in two steps, and the first step is to export the existing profiles:

Open Policy Manager Console
Navigate to the relevant point in the domain tree
Right click, and select “Export policy file for 14.x host”
Save the exported file to a local drive, with a descriptive name. This name can help you remember the name of the PM profile you just exported, for example.

In a couple of steps, we will show how to import these into WithSecure™ Elements EPP.

It could be a good time to review the profiles that you have in use in your Policy Manager environment. You might have some older profiles that are no longer used, so migrating them could be an unnecessary step, but it probably makes sense to export them as a backup in case you need to refer back to them in future

Create a new WithSecure™ Elements EPP profile and import the Policy Manager settings

To import the Policy Manager settings that were previously exported, you first need to create a target profile. The easiest way to do this is to clone one of the existing profiles as a starting point.

In the Elements Security Center’s Endpoint Protection section, navigate to the Profiles page and select the correct tab for your profile, for example if it is for Windows Workstations then choose the “for Windows Computers” tab
Find a suitable starting profile, and in the Action menu at the right side select “Clone profile”
In the profile editor that is opened, enter a name for the new profile (eg “Imported PM profile”) and enter a description. The description can be anything you want, but we would recommend giving details of the original PM profile for future reference.
In the same editor, select “Import profile” from the action menu at the top right corner, and choose the file you previously exported from Policy Manager
Save the profile

At this point we strongly suggest that the administrator carefully checks that the settings imported are suitable for deployment. While every care is taken during the import to merge the settings, it is the administrator’s responsibility to check this.

Make the new Elements EPP profile the default for an Active Directory group (Optional)

If installation of new devices should be assigned a profile based on the device’s position in the AD structure, it is possible to set this in the WithSecure™ Elements Security Center.

Navigate to “Endpoint Protection”
Select the Profile page, and then the “Profile Assignment rules” tab
In the lower section of the displayed page, locate the Active Directory group that you wish to set a default profile for
At the right-hand side, click “Change”
In the dialog that opens, select the correct default profile for each kind of device. If you are only using for example WithSecure™ Computer Protection for Windows, it is okay to just change that profile.
Click “Change”, and you will see on the page that the default profile has been changed for this AD group.

Import the migration Jar into Policy Manager and push to selected devices

In order to actually migrate the Client Security on the endpoint to WithSecure™ Elements, it is necessary to download the appropriate “Jar” file. This can be downloaded from here https://www.withsecure.com/userguides/product.html#business/psb-portal/latest/en/task_92573A8D65A94616915AC3266DB89CE7-psb-portal-latest-en

Once you have downloaded the Jar file:

Start Policy Manager Console
Navigate to the correct Domain branch in the hierarchy
Go to the “Installation” page
Under “Policy-based installations” click “Install” and then “Import”
Select the Jar file you previously downloaded, and then click “Ok”
In the “Installation options” dialog that opens, paste in the WithSecure™ Elements EPP Subscription Key. This can be found from your account in the Elements Security Center under the “Subscriptions” page.
Change any other Installation options required. It is not necessary to restart the host device during the migration, but you might want to force the installation language
Once this is done, in the Policy Manager Console click “Distribute Policies”. This will instruct the Client Security installations to download the migration package and execute it.

When the migration package is downloaded on the endpoint, it will

Remove Client Security
Install WithSecure™ Elements Agent with the correct subscription

Check that the device shows up in the WithSecure Elements Security Center

After the host device has installed WithSecure™ Elements Agent via the migration package, the administrator should check that it is correctly showing in the WithSecure™ Elements Security Center

Log into the WithSecure™ Elements Security Center
Navigate to the Endpoint Protection section in the left menu
Select the “Devices” page
Locate the device. This should show up with the hostname of the device, the same as it showed in Policy Manager
Check the assigned profile. This should be the “Default profile” configured in the Profiles page, and if an AD-specific profile was set earlier then it should match this.
Check that the host device is shown as “Protected”.

We strongly recommend that the administrator tests this process fully with a test computer, before applying the changes to their Production environment.

Please see the video on how to conduct the migration in practice.

https://www.youtube.com/watch?v=D8ZYbBTrw9k