Raynor

Gracefully migrating from EEC to Cloud Console (stress-free)

Recommended Posts

Right now, we are running EEC on Windows Server.

I want to migrate step-by step (i.e. stress-free) to the Cloud Console without
having to migrate/move all clients at once.

1) Can I create a workspace in my.emsisoft.com and start by only moving
some clients to that workspace, while most other clients still remain connected
to EEC? After creating the workspace, will the "legacy" clients  that are still connected
to EEC complain in any way, or will they just silently continue to work (and
remain connected to EEC)?

2) What happens to the license key if I create a workspace?
If I remember correctly, the key will be moved to the workspace as well.
Will that create licensing issues for the "legacy" clients still connected to EEC,
or will those clients still be able to use the now-workspace-assigned
license key without any problem?

3) Is there a way to move the clients from EEC to Cloud Console without reinstalling
the client software? (I don't have access to any client right now,
so I can't check this myself.)

 

Thanks for your help,
Raynor

Share this post


Link to post
Share on other sites

Hi,

Migrating to ECC is completely stress-free anyway, as it's migration procedure is robust and easy.

1. Yes.
When you create a new workspace (without assigning a license) and download the small 2mb webinstaller and run it on some devices where EAM is installed, it will apply a trial licence, disconnect from EEC and connect the devices to the workspace.
By default, all new devices will be connected to the 'new computers' group, but you could also create a token per protection group and download the webinstaller from there. Devices then will be automatically assigned to that policy group.

image.thumb.png.00676048afb1bab15a27d01de5295d49.png
Download Image

If you later want to assign a license to the workspace, all connected devices will get that license applied.


2. As soon as you assign a license to a workspace, all EEC connected devices will automatically disconnect from EEC and connect to ECC -new computers' group. Users will see a dialog where they need to confirm the switch to ECC, for security reasons.

3. yes. As i explained,  there is no need  to reinstall EAM. 


Another option is to run a2start /applytoken={token} on each client, via cmdline. It has the same effect as running the webinstaller+token on each device: check if EAM is installed, if so, apply the token and connec to to the workspace, of not, download latest MSI installer, install EAM and connect to the workspace.

Hope this helps.

Cheers

 

 

 

 

 

 

 

 

  • Thanks 1

Share this post


Link to post
Share on other sites
21 hours ago, Frank H said:

2. As soon as you assign a license to a workspace, all EEC connected devices will automatically disconnect from EEC and connect to ECC -new computers' group. Users will see a dialog where they need to confirm the switch to ECC, for security reasons.

 

Thanks a lot for your detailed reply.

We have the permissions for normal users set to read-only acces (via EEC).
Will the normal client PC users be able to confirm the dialog that appears before the switchover,
or will we have to set user permissions to basic access/full access before making the switch?

 

Share this post


Link to post
Share on other sites
On 12/28/2019 at 7:24 PM, Raynor said:

We have the permissions for normal users set to read-only acces (via EEC).
Will the normal client PC users be able to confirm the dialog that appears before the switchover,
or will we have to set user permissions to basic access/full access before making the switch?

Could I please get a reply on this one, the planned switchover date is approaching,
and I need to start preparing.

So, do I have to set user permissions to full access to enable our users to confirm the
"Switch to Cloud Console" security confirmation message you mentioned?

Thanks
Raynor

Share this post


Link to post
Share on other sites

@Raynor excuse me for the delayed reply.

i suggest you test this yourself, which is a good thing anyway to gain experience and see it working, before you start migrating  your network.

You could create a temp. workspace and switch one device to it to see how it works.

Share this post


Link to post
Share on other sites

Well, It turns out the migration did not work out completely stress-free after all 😐

What we did:

A few days ago, I moved my own work PC to a new workspace using the webinstaller provided by the cloud console.
As indicated by Frank above, this moved my PC to the cloud console workspace and assigned a trial licence.
So far, so good - the test went well.

Today, we migrated all our company's work PCs from the old local enterprise console (EEC)
to the cloud console (ECC). This is what we did and the hurdles and issues we ran into:

1) First, we assigned our real license key to the workspace that had been created a few days ago.
No confirmation messages appeared on any of the client PCs, and so none of the PCs were automatically
moved from EEC to ECC. 😪

2) Then we manually ran the small webinstaller provided by ECC on each PC. This worked, the PCs were successfully moved to ECC.

3) Important Note: I had all user permission policies (i.e. for all user groups, both admin and non-admin) 
set to "full access" in EEC (the old server console) before the switchover, just to be safe. This was done to ensure
that any confirmation messages that might appear could be successfully confirmed. 
In ECC (the cloud console), all permission policies were set to "read-only", as this is the setting we want to use for all users,
regardless of whether they are admins or normal users.

After the switchover (see step 2), the permissions for client PC users remained set to "full access".
The permission settings from the cloud console were not applied. All other settings (i.e. protection policies) were applied correctly.

4) Being slightly baffled, we took more radical measures. We uninstalled EAM on all client PCs and reinstalled it using the webinstaller
provided by ECC. This again worked fine, the PCs were instantly connected to the console, and all protection policies were applied correctly.
At first, it even seemed like the "read-only" permission policies were applied too, as all of the settings in the UI were grayed out.

But the we realized that this was not the case:

On PCs where the local user had admin permissions (we have a very small number of PCs where this is the case), the user
could change all settings, and in fact his permission level was "full access" (which happens to be the default for admins).
On PCs with normal users (most of our PCs), the user could still start scans manually, so the real permission level was "basic access"
(which happens to be the default for normal non-admin users).

 

Bottom line:

We found a rather annoying bug. While protection policies are applied correctly by the cloud console to the clients,
permission polices are never applied. The connected clients always stick to the default permission policies
(full access for admins  and basic access for normal users), even if "read-only" is explicitly specified in ECC as the
permission level for all user groups
.

Please note that the "read only" permission policy worked absolutely flawlessly with the old EEC server console.

Please fix this 😋
All the best
Raynor

 

Share this post


Link to post
Share on other sites

Another interesting observation that might help to track down the bug mentioned above:

I tried changing the permission policies with my private home MyEmsisoft account,
and with my home workspace, changing the permission levels works as expected.

So something must be different with our company's workspace or with our company's
client PCs. As we uninstalled and re-installed EAM on all company PCs, i find it hard to imagine
that something is wrong on the PCs themselves (but who knows for sure).

What's funny and strange at the same time: After re-installing EAM on the company PCs via the
webinstaller (see step 4 in the post above), the whole permissions section vanished from the Settings UI of the clients.
I saw this behavior on every PC that I checked. In other words: when you click on "Settings" you normally have a "Permissions"
tab/section in the settings section. That tab/section completely vanished as soon as the clients were connected to the
cloud console... 🙄

On my home PCs, this section stays visible at all times, so everything works as expected there.

Could there be any interference from the old EEC server console that is still running on our Windows Server 2016?
Note: The client entries are still there in EEC, and they all show "offline" as the status for the clients (as expected
because the clients are no longer connected to EEC). I haven't deleted the entries from EEC yet, nor have I uninstalled EEC so far.

Could there be any remnants in the registry that cause an interference and that are not removed by uninstalling EAM?

Share this post


Link to post
Share on other sites

Hi Raynor , thanks for your extensive feedback, appreciated.

6 hours ago, Raynor said:

What's funny and strange at the same time: After re-installing EAM on the company PCs via the
webinstaller (see step 4 in the post above), the whole permissions section vanished from the Settings UI of the clients.
I saw this behavior on every PC that I checked. In other words: when you click on "Settings" you normally have a "Permissions"
tab/section in the settings section. That tab/section completely vanished as soon as the clients were connected to the
cloud consol

by default, and it always has been like this: the permissions tab is hidden for regular windows users. it is visible for local admin users.

Regarding

On 3/31/2020 at 3:44 PM, Raynor said:

1) First, we assigned our real license key to the workspace that had been created a few days ago.
No confirmation messages appeared on any of the client PCs, and so none of the PCs were automatically
moved from EEC to ECC. 😪

did you wait till EAM started an update ? Only an update triggers the switch.

 

On 3/31/2020 at 3:44 PM, Raynor said:

After the switchover (see step 2), the permissions for client PC users remained set to "full access".
The permission settings from the cloud console were not applied. All other settings (i.e. protection policies) were applied correctly.

Where did you see this ? did you check it on the clients ?fyi and maybe obsolete:
* Protection policies are computer/device based
* Permission policies are  user based.

How did you run the webinstallers on devices with windows user accounts ?  did you run it under the user context in elevated mode ?
 

 

Share this post


Link to post
Share on other sites
Quote

by default, and it always has been like this: the permissions tab is hidden for regular windows users. it is visible for local admin users

OK, so that clears that up. Nearly all of our domain PC users are regular users with "normal" (i.e. limited) user permissions, so it comes
as no surprise that the permissions section vanished from those PCs. On my own work PC, I'm an admin (my domain user has been manually
added to the LOCAL admins group), and I can correctly see the permissions panel on my PC.

 

Quote

did you wait till EAM started an update ? Only an update triggers the switch

Well, I believe we clicked on "update now" on several clients, in fact, I'm about 90% sure, but I can't really say that with 100% confidence...

 

Quote

Where did you see this ? did you check it on the clients ?fyi and maybe obsolete:
* Protection policies are computer/device based
* Permission policies are  user based.

How did you run the webinstallers on devices with windows user accounts ?  did you run it under the user context in elevated mode ?

The read-only permission policies were not applied to any of the clients we checked. We checked about 15 of our client PCs,
none of them had read-only permissions applied.
We verified this by directly checking the EAM UI on each of the the client PCs.
What I did was I started a manual scan. The scan was started without me being asked for the EAM admin password set in the cloud console.
Normally, read-only users are always prompted for the admin password before being able to initiate a scan.

On top of that, I checked the permissions panel in the settings UI on my own work PC (where I am a local admin, see above).
The permissions panel showed my user as having "full access", which was also not the expected permission level , as I have set the permissions
to "read-only" in the cloud console for all users
(i.e. for non-admins as well as for admins).

The webinstallers (downloaded from the cloud console) were run on each client PC using the normal limited domain user account.
We were then prompted for admin credentials (as expected), and entered the credentials for the local admin user in order to get
elevated permissions for the installer. The installation then went smootly (again, as expected).

Summing up, I am very confident that we did not do anything wrong during the installation of the clients.

After all, they all show up correctly in the cloud console, the local EAM UI correctly shows "managed by workspace XXX",
and, very importantly, all protection policies are applied correctly. Just the permission policies are not applied,
all clients use the defaults: "basic access" for normal limited domain users (verified by being able to start a scan without being asked
for a password) and "full access" for users with local admin permissions (verified by looking at the permissions panel in the EAM UI).

Could the support maybe try to connect a test PC to our console and see if the behaviour could be reproduced?

When I'm back at work next week, I will try connecting a freshly installed PC that never had EAM installed before and thus also had never
been connected to our old EEC server console.

I have a slight hunch that there must be some leftovers from the old EEC server console connection that cause some interference
with the permission policies. But then again, that hunch could be way off the mark.

As I also mentioned above, I can't reproduce this behaviour with my three private home PCs that are connected to another (private) workspace.
At home, the read-only policy is applied correctly to all three PCs.

 

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.