Client system transfer operation

Drive Encryption 7.x.x provides the McAfee ePO administrator with a new capability to allow systems to be transferred from one McAfee ePO server to another whilst preserving user assignments and user data.

Overview

If the feature is enabled, a system installed with Drive Encryption 7.x.x will detect a server change and request that the new Drive Encryption 7.x.x managing server automatically assign users to the system within the context of the new managing server. Once the assignment is successful, the system will send its user token data up to the new managing server.

Terminology

The original managing McAfee ePO server is called the source server. The new managing ePO server is called the destination server.

Fundamentals

The transfer process is a system-initiated process. During the first policy enforcement under the control of the destination server, the system receives a manifest of users that are already assigned to it in the context of the destination server.

User directory

The McAfee ePO User Directory is a directory of users maintained by McAfee ePO. The McAfee ePO User Directory cannot be transferred from one McAfee ePO server to another, and for this reason system transfer of User Directory users is not supported.

Pre-requisites - Software

For the system transfer and user assignment to be successful:

Pre-requisites - Configuration

For the system transfer and user assignment to be successful:

Reporting

In order to monitor the transfer of systems and detect any issues with the process, a canned query has been provided that can be monitored from within the destination server McAfee ePO console. This canned query reports any systems that have failed the McAfee ePO system transfer process, along with an initial root cause analysis of the failure.

Error handling

In the event that there is an error during the transfer process, the affected system's Drive Encryption service will go into an error state and not perform any further policy enforcement until the service is restarted or the system is restarted. This prevents the destination server from becoming overloaded with many systems repeatedly requesting information in the event of a structural configuration issue.

Scalability

There is a direct correlation between the performance of the client transfer solution and the number of Drive Encryption users assigned to each system.

Initiating system transfer

In order to safely transfer systems that have McAfee Drive Encryption installed and activated on them, it is important to keep the system in the source McAfee ePO server until the transfer process has been successfully completed. If the transfer process fails, the system may need to be moved back to the source server until the problem is resolved. This cannot be done if the system is deleted from the source server, as all user assignments and user data may have been deleted.

Enable the system transfer feature

Enabling system transfer must be performed using the web-API. An example Python script to illustrate how this could be accomplished is included later in this document and is available via Software Manager. This section lists the two new web-APIs included to enable this feature.