Sophos Cloud Migration Tool Help. Product version: 1.0

Sophos Cloud Migration Tool Help Product version: 1.0 Document date: June 2015

Contents 1 About the Sophos Cloud Migration Tool...4 2 How does Sophos Cloud differ from on-premise management?...5 3 How does the migration tool work?...6 3.1 Evaluation...6 3.2 Migration...7 4 Planning migration...9 5 Important considerations...10 5.1 Policy settings...10 5.2 Interruption of protection...10 5.3 Reboot required...10 5.4 Update caching...11 6 Migration prerequisites...12 6.1 Sophos Cloud license...12 6.2 Operating systems...12 6.3 Features...13 6.4 Endpoint software...16 6.5 Server components...16 6.6 Active Directory synchronization...16 6.7 Update locations...16 7 Installing the Sophos Cloud Migration Tool...18 8 Check which computers can be migrated...19 9 Sophos Cloud readiness and migration states...21 9.1 Migration states displayed in the on-premise console...22 10 Change which columns are displayed...23 11 View the computer Cloud readiness report...24 11.1 View the computer Cloud readiness report in Excel...24 12 Migration exclusions...25 13 Migrate computers...26 14 View migrated computers in Sophos Cloud...28 15 Rolling back to on-premise management...29 16 Uninstall the Sophos Cloud Migration Tool...30 17 Migrate the on-premise management server...31 2

18 Where do I find the log?...32 19 Troubleshooting...33 19.1 Migration error...33 19.2 Sophos Cloud installer error...33 19.3 Migration timed out...33 19.4 Missing component...34 19.5 Post-migration installation error...34 20 Technical support...36 21 Legal notices...37 3

Sophos Cloud Migration Tool 1 About the Sophos Cloud Migration Tool The Sophos Cloud Migration Tool helps administrators to move management of protected computers from Sophos Enterprise Console 4.5 and later or Sophos Control Center 4.x to Sophos Cloud. The tool cannot migrate computers managed by Sophos Enterprise Manager. The tool can migrate protected computers that: Are running a supported operating system. Have features or policy settings that are supported by Sophos Cloud. Meet the other migration prerequisites described in Migration prerequisites (page 12). 4

Help 2 How does Sophos Cloud differ from on-premise management? Sophos Cloud differs from on-premise management in three ways. Management in the cloud The Sophos Cloud console is hosted in the cloud by Sophos. You don t require a management server and you don t have to install and update the management console. User-based policies On-premise management manages and applies security policies to computers. Sophos Cloud, on the other hand, manages users. User-based security policies follow the user across different devices, platforms and locations. Dedicated protection for servers On-premise management manages computers running client operating systems and the ones running server operating systems the same way. Sophos Cloud, on the other hand, manages Windows servers separately from users computers. Server security policies are applied to a particular server or servers, no matter who logs on. Server protection automatically recognizes certain common server applications, so you don t need to set complicated scanning exclusions. To read answers to frequently asked questions (FAQ) about Sophos Cloud, see knowledgebase article 119598. For information about the Sophos Cloud console and policies, see the Sophos Cloud Help. 5

Sophos Cloud Migration Tool 3 How does the migration tool work? The migration tool must be installed and run by the Administrator, on the server where Sophos Enterprise Console (management server and database) or Sophos Control Center is installed. Note: Only one instance of the tool can run on the same computer at the same time. For example, if the tool is already running on a computer, another user who connects to the computer using Remote Desktop Connection will not be able to open the tool. The tool can be used for assessing computers to see whether or not they can be migrated to Cloud, and for migrating the computers to Cloud. 3.1 Evaluation When you run the tool, it retrieves the list of managed computers from the Enterprise Console or Control Center database and checks them for Cloud readiness against the latest Cloud readiness assessment data retrieved from Sophos. The Cloud readiness assessment data includes: Cloud readiness rules, which include operating systems and features supported for migration. The Cloud readiness rules are updated automatically, for example when a new operating system or feature becomes available in Cloud. Information about the features licensed to a Cloud account. The tool can run in one of the two evaluation modes: full evaluation mode, which requires a Cloud account, or basic computer assessment mode. During basic computer assessment, the tool checks that a computer: Is running an operating system supported in Cloud. Has only those features enabled or installed that are supported in Cloud. Has no unsupported server software or component installed. Has an Endpoint Security and Control version that can be migrated. Downloads updates from a supported update location. If synchronized with Active Directory, does not have automatic protection enabled in synchronization properties. If you log in to your Cloud account when running the tool, then along with performing a basic computer assessment, the tool will also compare all features active on the computers against your Cloud license. It will then alert you if there are any features enabled that you are not licensed to use in Cloud. 6

Help The tool then displays evaluation results, showing whether the computers are Cloud ready and, if they are not, the reason(s) why the computers cannot be migrated. For more information about migration prerequisites, see Migration prerequisites (page 12). For more information about computer Cloud readiness evaluation, see Check which computers can be migrated (page 19). 3.2 Migration When you choose to migrate computers, the Sophos Cloud Migration Tool downloads the Cloud agent software and places it in the update share (bootstrap location). The computers that are on the migration list and meet the migration prerequisites will get the Cloud software during their next scheduled update (specified in the Updating policy, on the Schedule tab). The Remote Management System (RMS), used for communications between the computer and the on-premise console, is then uninstalled and the Cloud agent software is installed. The Cloud agent software includes Sophos Management Communications System (MCS), used for communications between the computer and Sophos Cloud. 7

Sophos Cloud Migration Tool Note: The migration process may take up to a couple of hours, depending on the computers updating interval and network connection. When a computer is migrated to Cloud, it is treated either as a user s workstation, if it is running a Windows client operating system, or as a server, if it is running a Windows server operating system. When a workstation is migrated: A Cloud user account is created based on the last known user of the computer at the time of migration, and is added to the Cloud users list. A user policy is applied to the user (by default, this is the Base Policy). The computer is added to the Devices list in Cloud. When a server is migrated: The server is added to the Servers list in Cloud. A server policy is applied to the server (by default, this is the Base Policy). For more information about the migration process, see Migrate computers (page 26). 8

Help 4 Planning migration You can migrate your computers to Sophos Cloud by following these key steps: 1. Review Important considerations (page 10) and plan the migration accordingly. 2. Check migration prerequisites. See Migration prerequisites (page 12). 3. Install the Sophos Cloud Migration Tool. See Installing the Sophos Cloud Migration Tool (page 18). 4. Assess computers for Cloud readiness. See Check which computers can be migrated (page 19). 5. Migrate computers to Sophos Cloud. See Migrate computers (page 26). 6. If you have migrated all endpoint computers and none are managed by the on-premise management console, you can manually migrate the on-premise management server to Sophos Cloud. See Migrate the on-premise management server (page 31). 9

Sophos Cloud Migration Tool 5 Important considerations 5.1 Policy settings Policy settings are not migrated to Cloud, and the respective Cloud policy will be applied to migrated computers. By default, the base user policy will be applied to a user and the user s workstation, and the base server policy will be applied to a server (as described in Migration (page 7)). This means that some of the settings on the computers may change as a result of the migration. You may want to review the Cloud policies and check how the policy settings will change after the migration, especially if you have modified the default on-premise policies. For more information about Cloud policies, see the Sophos Cloud Help, User Policies or Server Policies. 5.2 Interruption of protection During the migration, the endpoint software is replaced. This means that your computers remain unprotected for the period of time after the on-premise endpoint software has been uninstalled and before the Cloud agent software has been installed. Therefore, we recommend that you consider migrating the computers when they are not being used, and to advise your users to save all their work prior to the migration and leave their computers turned on. We also recommend that, once the computers have been migrated, you run a full system scan of the computers to ensure that they haven t been compromised. 5.3 Reboot required Computers running Windows XP or Windows Server 2003 that are being migrated must be restarted as part of the migration, to migrate successfully and be fully protected again. By default, the logged on users will be prompted to restart their computers during the migration. If a computer is not restarted, you will then see: In the Sophos Cloud Migration Tool, the icon computer. and In Cloud (error) status next to the Note: If the error remains unresolved for longer than a predefined time interval, the status changes to In Cloud (critical error). In Sophos Cloud, the following event for the computer: Failed to install savxp: a reboot is required before the installation can succeed. For more information about the error, see Post-migration installation error (page 34). Important: Until the computers are restarted, they remain unprotected. You must ensure that they are restarted as soon as possible after the reboot is requested. 10

Help You can choose to restart the computers automatically during the migration, as follows: 1. On the File menu, click Options. 2. Select Automatically restart Windows Server 2003 computers and/or Automatically restart Windows XP computers. Important: Once you select the automatic restart option, the computers will restart automatically during the migration, without giving the logged on user any warning. You may want to consider migrating the computers when they are not being used, and to advise your users to save all their work prior to the migration and leave their computers turned on. If you do not enable these options, the logged on users will be prompted to restart their computers. 5.4 Update caching At the time of this release, Sophos Cloud does not yet support caching of endpoint updates, that is, the ability to store endpoint updates on your network in a central location from which computers can download them. After migration, each computer will download updates directly from Sophos, which may increase your bandwidth usage. Update caching will be available in a future release of Sophos Cloud. 11

Sophos Cloud Migration Tool 6 Migration prerequisites To be migrated to Sophos Cloud, computers must run a supported operating system and not have any features that are not supported in Cloud enabled or installed. See the full list of prerequisites and actions you can take in the following subsections. Note: The list of Cloud readiness conditions against which the migration tool checks computers is updated automatically, for example, when a new operating system or feature becomes available in Cloud. 6.1 Sophos Cloud license You must have a valid Sophos Cloud account to be able to migrate computers to Sophos Cloud. Note: You do not need to have a Sophos Cloud account if you want to run the tool in the basic computer assessment mode, without logging in to your Sophos Cloud account. When you log in to your Sophos Cloud account when running the Sophos Cloud Migration Tool, then along with performing a basic computer assessment, the tool also compares all features active on the computers against your Sophos Cloud license. It then alerts you if there are any features enabled that you are not licensed to use in Sophos Cloud. If the tool has detected an active feature that you are not licensed to use in Sophos Cloud, you can either: Change your Sophos Cloud license to include the feature. For more information about available licenses, see www.sophos.com/en-us/products/enduser-protection-suites/how-to-buy.aspx and www.sophos.com/en-us/products/server-security/how-to-buy.aspx. Disable or uninstall the feature. To review the details of your Sophos Cloud license or licenses, go to Sophos Cloud, Account > Administration. 6.2 Operating systems Computers running the following operating systems can be migrated to Sophos Cloud using the Sophos Cloud Migration Tool, provided that all the other conditions are met. Windows XP Windows 2003 Windows Vista Windows 7 Windows 2008 Server Windows 2008 Server R2 Windows 8 12

Help Windows 8.1 Windows Server 2012 Windows Server 2012 R2 Windows Small Business Server 2011 At the time of this release, Sophos Cloud Migration Tool does not support other operating systems that are supported by Sophos Cloud. Computers running other operating systems supported by Sophos Cloud can be migrated manually, by uninstalling the on-premise endpoint software and installing the Cloud agent software. For a full list of operating systems supported by Sophos Cloud, see knowledgebase article 121027. For information about how to uninstall Sophos products, see knowledgebase article 118849. For information about how to install Sophos Cloud software, see knowledgebase article 119265 and knowledgebase article 120611. 6.3 Features Feature Can be managed by Sophos Cloud? Remediation, if required Anti-virus and HIPS Yes Application control No Disable. Data control No Disable. Device control Yes Firewall No Uninstall. Full disk encryption No Migrate to SafeGuard Enterprise or uninstall. See Full disk encryption (page 14). Network Access Control (NAC) No Uninstall. Patch assessment No Uninstall. Tamper protection Yes Tamper protection is supported by Sophos Cloud, but it must be disabled before the migration to allow uninstallation of the on-premise endpoint software on the computer. See Tamper protection (page 15). Web control Yes 13

Sophos Cloud Migration Tool For information about how to disable and uninstall unsupported features, see knowledgebase article 121751. 6.3.1 Full disk encryption Full disk encryption is not supported in Sophos Cloud. If you use full disk encryption managed by Sophos Enterprise Console (Sophos Disk Encryption 5.61), you will need to do one of the following: Upgrade Sophos Disk Encryption to SafeGuard Enterprise 6.10. Note: A direct upgrade to SafeGuard Enterprise 7 is not supported. Uninstall Sophos Disk Encryption. Upgrade Sophos Disk Encryption to SafeGuard Enterprise Migration from Sophos Disk Encryption 5.61 to SafeGuard Enterprise 6.10 involves the following steps: 1. Export the SEC company certificate: In Enterprise Console on the Tools menu, click Manage Encryption and select Backup Company Certificate. Select a destination directory and file name and enter a password for the.p12 file when prompted. 2. Install SafeGuard Management Center and SafeGuard Enterprise Server. Note: If you have the SEC management server with encryption installed on this server, install SafeGuard Enterprise on a different server. For detailed information on SafeGuard Enterprise installation, see the SafeGuard Enterprise 6.1 installation guide. SafeGuard Enterprise documentation is available at www.sophos.com/en-us/support/documentation/safeguard-enterprise.aspx. 3. In the SafeGuard Management Center configuration wizard, select a new database to be created and import the company certificate exported before. 4. In SafeGuard Management Center, create the endpoint configuration package: On the Tools menu, click Configuration Packages Tool. Select Managed client packages, make your edits and create the configuration package. 5. Deploy the configuration package to the endpoints. After the endpoints have received it, they are able to connect to SafeGuard Enterprise Server. From that time on, the endpoint can be managed by SafeGuard Management Center. 6. To prevent a communication issue that causes endpoint computers to communicate with both the new SafeGuard Enterprise Server and the old Sophos Enterprise Console, see knowledgebase article 121160. 7. In SafeGuard Management Center, create and assign policies as desired. The migrated endpoints remain visible in Enterprise Console as "managed by SafeGuard Enterprise". All non-encryption related tasks can still be performed on them. Uninstall Sophos Disk Encryption 1. In Enterprise Console, check which full disk encryption policy is used by the group(s) of computers you want to migrate. In the Groups pane, right-click the group and click View/Edit Group Policy Details. In the group details dialog box, you can see the policies currently used. 14

Help 2. Open the Full disk encryption policy you want to disable and deselect all the options under Volumes to encrypt. 3. Under Power-on Authentication (POA), clear the Enable Power-on Authentication check box. Click Yes in the confirmation message. Click OK. Make sure the updated policy is applied to the endpoints. (In the computer list, the Policy compliance status changes to Awaiting policy transfer, and then back to Same as policy when the updated policy is applied to the computers.) 4. On the endpoint, if tamper protection is enabled, disable it. See Tamper protection (page 15). 5. Make sure that an update is not currently being performed. a. Check the updating status by right-clicking the Sophos shield in the notification area in the taskbar and ensuring that View updating status is grayed out and cannot be selected. If an update is currently in progress, wait for it to complete before continuing. b. Open Windows services. Depending on your operating system, click Start > Run and type services.msc, or click Start, type services.msc in the Start menu search box, and then press Enter. c. Right-click on the Sophos AutoUpdate Service and select Stop. Note: Stopping the Sophos AutoUpdate Service prevents an update from occurring during the uninstallation. If the service is not stopped and the uninstallation of Sophos SafeGuard is delayed for a period longer than the update interval, then Sophos SafeGuard could be re-installed. 6. In Control Panel, depending on your operating system, double-click Add/Remove Programs or click Programs and Features. 7. Uninstall Sophos SafeGuard 5.61.0 Client. Encrypted drives on the computer are decrypted during the uninstallation. 8. Uninstall Sophos SafeGuard 5.61.0 Preinstall. 9. Restart the computer. You can now use the Sophos Cloud Migration Tool to migrate the computer to Sophos Cloud. 6.3.2 Tamper protection Even though tamper protection is supported by Sophos Cloud, it must be disabled before the migration to allow uninstallation of the on-premise endpoint software on the computer. To disable tamper protection: 1. Check which tamper protection policy is used by the group(s) of computers you want to migrate. In the Groups pane, right-click the group and click View/Edit Group Policy Details. In the group details dialog box, you can see the policies currently used. 2. In the Policies pane, double-click Tamper protection. Then double-click the policy you want to disable. 3. In the Tamper Protection Policy dialog box, clear the Enable tamper protection check box. Click OK. Make sure the updated policy is applied to the computers. In the computer list, the Policy compliance status changes to Awaiting policy transfer, and then back to Same as policy when the updated policy is applied to the computers. 15

Sophos Cloud Migration Tool After the computers have been migrated to Cloud, the Cloud tamper protection policy will be applied to them. 6.4 Endpoint software To be migrated, computers must be running Sophos Endpoint Security and Control 10.0 or later. If an earlier version is installed on a computer, upgrade it before migrating the computer. 6.5 Server components You cannot use Sophos Cloud Migration Tool to migrate a computer that: Has Sophos Enterprise Console management server or Sophos Control Center installed. Has Sophos Update Manager installed. Acts as a message relay between endpoint computers (running Endpoint Security and Control) and the Enterprise Console management server. Has one of the following installed: PureMessage for Microsoft Exchange, Sophos for Microsoft SharePoint, or PureMessage for Lotus Domino. Note: You may be able to migrate your on-premise management server to Sophos Cloud manually, after you have migrated all endpoint computers and none are managed by the on-premise management console. See Migrate the on-premise management server (page 31). 6.6 Active Directory synchronization If a computer is part of a group tree that is automatically synchronized with an Active Directory container, and for which automatic protection is enabled, you should disable automatic protection in the Active Directory synchronization settings before migrating the computer. To disable automatic protection during synchronization with Active Directory, right-click the group that is synchronized with an Active Directory container (synchronization point) and select Synchronization Properties. In the Synchronization Properties dialog box, clear the Install Sophos security software automatically check box. Note: If you migrate a computer that is part of a synchronized group tree for which automatic protection is enabled, or move an already migrated computer in Active Directory so that it ends up in such a group tree, the computer will be automatically re-protected by Enterprise Console during the next scheduled synchronization and revert back to on-premise management. 6.7 Update locations A primary update location that is not the default update location is not supported. The default update location is a UNC share \\<ComputerName>\SophosUpdate, where ComputerName is the name of the computer where Sophos Update Manager and Sophos Management Server are installed. The computer can still be migrated to Sophos Cloud without using the Sophos Cloud Migration Tool, by running the Sophos Cloud agent installer on that computer. For more information about 16

Help deploying Sophos Cloud software, see knowledgebase article 119265 and knowledgebase article 120611. Alternatively, you can change the computer s group updating policy so that it updates from the default update location, and then migrate it using the Sophos Cloud Migration Tool. 17

Sophos Cloud Migration Tool 7 Installing the Sophos Cloud Migration Tool The Sophos Cloud Migration Tool must be installed by the Administrator on the computer where the Sophos Enterprise Console management server or Sophos Control Center is installed. The Sophos Enterprise Console or Sophos Control Center database must be installed on the same computer. (Remote databases are not currently supported.) If User Account Control (UAC) is enabled on the server, turn it off before installing the Sophos Cloud Migration Tool and restart the server, if prompted. Note: You can turn UAC on again after you have completed the installation. If, later, you want to uninstall the tool, again ensure that UAC is turned off before you uninstall the tool. Besides this, the following prerequisites must be met: Microsoft.NET Framework 4.0 The tool requires Microsoft.NET Framework 4.0. If you don t have it installed, you can choose to install it during the tool s installation. You may need to restart the computer afterwards. Windows Installer Framework 4.5 or later The tool requires Windows Installer Framework 4.5 or later. If you don t have it installed, install it before installing the tool. Recommended Windows updates and a root certificate update for Windows Server 2003 If you are installing the Sophos Cloud Migration Tool on Windows Server 2003, make sure that all recommended Windows updates and the required root certificate update are installed. See knowledgebase article 122286. 18

Help 8 Check which computers can be migrated To check whether your computers can be migrated to Cloud: 1. Open the Sophos Cloud Migration Tool. Note: Only one instance of the tool can run on the same computer at the same time. For example, if the tool is already running on a computer, another user who connects to the computer using Remote Desktop Connection will not be able to open the tool. 2. In the Connect to Sophos Cloud dialog box, choose whether you want to log in to Sophos Cloud or perform a basic computer assessment, without taking into account any of your Sophos Cloud license details. During basic computer assessment, the tool checks the computers operating systems, enabled features, etc. If you log in to your Cloud account, along with performing a basic computer assessment, the tool will also compare all features active on the computers against your Cloud license. It will then alert you if there are any features enabled that you are not licensed to use in Cloud. Click OK. The Sophos Cloud Migration Tool retrieves the list of computers from the on-premise management database, checks them for Cloud readiness, and displays the list of results. 3. Review the list and see which computers are ready to be migrated to Cloud and which computers can t be migrated, and for what reason. There are three main Cloud readiness states: Ready. The computer can be migrated to Cloud. Not ready - can be remediated. The computer cannot be migrated to Cloud in its present state, but certain remediation actions can be taken that will enable migration. For example, you can disable features that are not supported in Cloud. Not ready - cannot be migrated. The computer cannot be migrated to Cloud and no remediation actions are available. For example, the computer is running an operating system that is not supported in Cloud. For more information about computer Cloud readiness and migration states, see Sophos Cloud readiness and migration states (page 21). Note: Even though Tamper Protection is supported in Cloud, you must disable it to allow the migration tool to uninstall the on-premise endpoint software and install the Cloud agent software. 19

Sophos Cloud Migration Tool The results of computer assessment for Cloud readiness may look like this: 4. Optionally, you can generate a more detailed report for selected computers. See View the computer Cloud readiness report (page 24). If you are ready to migrate your computers to Cloud, see Migrate computers (page 26). 20

Help 9 Sophos Cloud readiness and migration states After being assessed by the migration tool, computers may end up in or go through the following states. Note: For more information about the status and remediation actions, if any (for example, for computers that are not ready for migration or have encountered an error), highlight the computer entry by clicking on it and view the details displayed in the right pane. Icon Status Description Ready The computer can be migrated to Sophos Cloud. Not ready (fixable) The computer cannot be migrated to Sophos Cloud in its present state, but certain remediation actions can be taken that will enable migration. For example, you can disable features that are not supported in Sophos Cloud. Not ready The computer cannot be migrated to Sophos Cloud. Not ready (excluded) The computer has been excluded from migration by the administrator. See Migration exclusions (page 25). Pending The administrator has chosen to migrate the computer, but the migration process has not started yet. Migrating The computer is being migrated. In Cloud The computer has been migrated successfully and has been found in the list of computers managed by Sophos Cloud. Error An error has occurred during migration. The computer is not yet managed by Sophos Cloud. See Troubleshooting (page 33). In Cloud (error) The computer has been migrated and is managed by Sophos Cloud, but an installation error has occurred that has most likely left the computer unprotected. See Post-migration installation error (page 34). In Cloud (critical error) The computer has been migrated and is managed by Sophos Cloud, but an installation error hasn t been resolved, and the computer has remained unprotected for more than a predefined time interval (by default, 24 hours). See Post-migration installation error (page 34). 21

Sophos Cloud Migration Tool 9.1 Migration states displayed in the on-premise console Once a computer has started the migration process, its migration state is displayed in the on-premise management console, in the Computer description column, for example: The following table shows the correspondence between the migration state shown in the migration tool and the computer description in the on-premise console. Migration state Computer description / Status in on-premise console Description Pending {SC:Pending:<jobid>} The computer has been added to the migration list and is awaiting migration. <jobid> is a unique integer associated with the migration request, here and below. Migrating {SC:Migrating:<jobid>} The computer is being migrated. In Cloud {SC:InCloud:<jobid>} The computer has been found in the list of computers managed by Sophos Cloud and has successfully updated at least once since then. Error {SC:Error:<jobid>;<error code>} An error has occurred during migration. Timed out {SC:Timeout:<jobid>} The computer has been in the Pending or Migrating state for longer than a predefined timeout interval. For more information, see Migration timed out (page 33). In Cloud (error) {SC:FailedInstallation:<jobid>} The computer has been found in the list of computers managed by Sophos Cloud, but the installation of the Cloud agent software has failed. In Cloud (critical error) {SC:NotProtected:<jobid>} The Cloud agent software installation error hasn t been resolved for longer than a predefined time interval (by default, 24 hours). For more information about these states and what actions to take, if necessary, see the details in the Sophos Cloud Migration Tool, log (page 32), or Sophos Cloud. For information about resolving errors, see Troubleshooting (page 33). 22

Help 10 Change which columns are displayed You can add columns to the tool s computer list view to display more information about the computers, such as computer description, its operating system, active features, and so on. The Name, Domain/workgroup, Status, and Group columns are always displayed by default. You cannot hide them. To change which columns are displayed: 1. On the View menu, click Columns (or right-click anywhere in the table header) and then click on the name of the column you want to display or hide. The columns that are displayed in the view have check marks next to their names. 2. After you have added the columns to the view, you can: Drag and drop the column headings to rearrange the order in which the columns are displayed. Change the width of a column by dragging the boundary on the right side of the column heading until the column is the width that you want. Sort the list of computers by any column by clicking on its heading. Consider also generating a report to see more information (see View the computer Cloud readiness report (page 24)). In the report, all information about computers and their status is displayed, irrespective of the columns displayed in the tool s computer list view when the report is generated. 23

Sophos Cloud Migration Tool 11 View the computer Cloud readiness report To generate a Cloud readiness report: 1. In the migration tool, select the computers for which you want to generate a report. For example, to generate a report listing all computers that are not ready for migration, click Not Ready at the top of the screen, right-click anywhere in the computer list, and then click Select all. 2. Click the Report button. An HTML report is displayed, containing details of the selected computers, their Cloud readiness state, and required remediation actions, if any. If you want to view the Cloud readiness report in Excel, see View the computer Cloud readiness report in Excel (page 24). 11.1 View the computer Cloud readiness report in Excel Every time you click the Report button in the migration tool, besides an HTML report that is displayed to you, the migration tool also generates an XML copy of the report, report.xml, in the following location. For Windows Vista or later/windows Server 2008 or later: C:\ProgramData\Sophos\Cloud Migration Tool\ For Windows XP or Windows Server 2003: C:\Documents and Settings\All Users\Application Data\Sophos\Cloud Migration Tool\ The file report.xml is updated every time you click Report. If you want to view the computer Cloud readiness report as an Excel spreadsheet, follow these steps: 1. Open Excel. 2. In Excel, on the File menu, click Open. Browse to C:\ProgramData\Sophos\Cloud Migration Tool\ or C:\Documents and Settings\All Users\Application Data\Sophos\Cloud Migration Tool\ and open the file report.xml. Note: ProgramData or Application Data is a hidden folder. Therefore, you have to either type in the full path when browsing for the file or disable hidden folders in Windows Explorer. 3. When prompted, choose to open the file without applying the stylesheet. Click OK. 4. When prompted, choose to open the file as an XML table. Click OK. 5. In the message saying that no schema is present, click OK or Cancel. This will produce an Excel table with the computers you selected before you clicked Report and their Cloud readiness status. You can sort and group the entries in the table. 24

Help 12 Migration exclusions If you don t want to migrate a computer to Cloud, you can add it to the migration exclusion list. That way, it won t be accidentally selected for migration and migrated to Cloud. Note: Computers that are already managed by Cloud cannot be excluded from migration. Any Cloud-managed computers that have been selected will not be added to the exclusion list. To exclude computers from migration: 1. Select the computer or computers in the computer list, right-click and click Add to Exclusion List. 2. In the Exclude computers from migration dialog box, type in the reason for the exclusion, if you wish, to serve as a reminder. Click OK. Excluded computers status will change to Not Ready with a padlock icon. If you later change your mind and decide to migrate the computers to Cloud, you can similarly remove them from the exclusion list. After you have re-included computers in the migration process, they may appear as either Ready or Not Ready, depending on their Cloud readiness evaluation results. 25

Sophos Cloud Migration Tool 13 Migrate computers Important: During the migration, the endpoint software is replaced. This means that your computers will remain unprotected for the period of time after the on-premise endpoint software has been uninstalled and before the Cloud agent software has been installed. To migrate your computers to Cloud: 1. Open the Sophos Cloud Migration Tool and check which computers can be migrated, as described in Check which computers can be migrated (page 19). 2. If you haven t entered your Sophos Cloud credentials when you opened the migration tool, click the Login button and enter the credentials. 3. Perform remediation actions required for computers that cannot be migrated to Cloud in their present state, but for which migration is possible. For example, disable features that are not supported in Cloud. If you have tamper protection enabled, disable it. See Tamper protection (page 15). 4. Select the computers that are ready to be migrated.to view only the computers that are ready, click Ready at the top of the screen. Click Migrate, and then click Yes in the confirmation message. The computers go into the Pending state and await their next scheduled update to begin the migration. When the migration starts, the computers change their state to Migrating. (For more information about migration states, see Sophos Cloud readiness and migration states (page 21).) The migration process may take up to a couple of hours, depending on the computers updating interval and network connection. You can see the computers that are being migrated in the Migrating view. Note: Some computers may display a Windows Action Center alert in the notification area, saying that the computers are unprotected. The alert will disappear once the computers have been migrated successfully. Once a computer has been migrated to Cloud, it s moved to the In Cloud view of the tool. You can also see it in Sophos Cloud, on the Devices page or Servers page, depending on the operating system the computer is running. In the on-premise console, a migrated computer is displayed as follows: For more information about migration states displayed in the on-premise console, see Migration states displayed in the on-premise console (page 22). 26

Help If an error has occurred during migration and a computer hasn t been migrated, it s moved to the Error view of the tool, where you can find out about the error. Note: If you close the tool during the migration, you must enter your Sophos Cloud credentials every time you reopen the tool. Otherwise, the migration data from Sophos Cloud will not be retrieved and you may not see the actual, latest migration status. Sometimes computers that have been migrated may need to be restarted. The tool doesn t display this information for migrated computers, so check in Sophos Cloud to see if any of the migrated computers need to be restarted. Important: We recommend that you run a full system scan of the computers to ensure that they were not compromised during the period when they remain unprotected during the migration. 27

Sophos Cloud Migration Tool 14 View migrated computers in Sophos Cloud Once a computer has been migrated to Sophos Cloud, its details in the migration tool are not updated anymore. For the latest, up-to-date information about the computer, including any protection alerts, go to Sophos Cloud. 1. In Sophos Cloud: To view the details for a migrated workstation, go to Users & Devices > Devices. To view the details for a migrated server, go to the Servers page. 2. In the list of devices or servers, click on the name of the computer to view its full details. For more information, see the Sophos Cloud Help. 28

Help 15 Rolling back to on-premise management This version of the Sophos Cloud Migration Tool doesn t support automatic rollback. That is, after you have migrated to Cloud, you cannot roll back to the on-premise endpoint software (Endpoint Security and Control 10.x for Windows) automatically, using the tool. To roll back, use a script as described in knowledgebase article 122211. 29

Sophos Cloud Migration Tool 16 Uninstall the Sophos Cloud Migration Tool 1. If User Account Control (UAC) is enabled on the server where the Sophos Cloud Migration Tool is installed, turn it off before uninstalling the tool and restart the server, if prompted. 2. In Control Panel, depending on your operating system, double-click Add/Remove Programs or click Programs and Features. 3. Uninstall Sophos Cloud Migration Tool. After you have uninstalled the tool, you can turn UAC on again. 30

Help 17 Migrate the on-premise management server If you have migrated all endpoint computers and none are managed by the on-premise management console, you can migrate the on-premise management server to Sophos Cloud. 1. If User Account Control (UAC) is enabled on the server, turn it off. Restart the server, if prompted. 2. Uninstall the Sophos Cloud Migration Tool. 3. Uninstall the on-premise management software. Uninstall Sophos Enterprise Console in this order: Sophos Management Console Sophos Management Database Sophos Management Server Sophos Update Manager Note: Uninstalling the Sophos Management Database component will not remove the databases attached to the SQL Server instance. For a list of databases associated with each console, see knowledgebase article 17323. If you are planning to leave the SQL Server instance, the databases will remain attached. See also knowledgebase article 116912. Uninstall Sophos Control Center. For information about uninstalling Sophos Control Center, see knowledgebase article 11019. Note: After you have uninstalled the software, you can turn UAC on again. 4. Run the Sophos Cloud agent installer to migrate the server. 31

Sophos Cloud Migration Tool 18 Where do I find the log? You can find the Sophos Cloud Migration Tool log file in the following location. For Windows Vista or later/windows Server 2008 or later: C:\ProgramData\Sophos\Cloud Migration Tool\Logs\CloudMigration.log For Windows XP or Windows Server 2003: C:\Documents and Settings\All Users\Application Data\Sophos\Cloud Migration Tool\Logs\CloudMigration.log Note: ProgramData or Application Data is a hidden folder. Therefore, you have to either type in the full path when browsing for the file or disable hidden folders in Windows Explorer. The logs created during installation or uninstallation of the tool can be found under C:\Windows\Temp. The logs are: mtc-dbinstall.log mtc-dbuninstall.log mtc-install.log mtc-setup.log 32

Help 19 Troubleshooting 19.1 Migration error If an error has occurred before a computer has been migrated to Sophos Cloud, you will see a yellow warning triangle ( ) and the word "Error" in the Status column next to the computer. See computer details for more information about the error. For more information about the timed out error, see also Migration timed out (page 33). 19.2 Sophos Cloud installer error In rare circumstances, the Sophos Cloud agent installer may report an error during the migration. In this case, in the Sophos Cloud Migration Tool, you will see an Error in the Status column next to the computer. In Sophos Enterprise Console, you will see the following status in the Computer description column: {SC:Error:<jobid>;<error code>}, where <jobid> is a unique integer associated with the migration request and <error code> is an error code returned by the Sophos Cloud agent installer. You can look up the error by its error code and read about remediation steps in knowledgebase article 122157. 19.3 Migration timed out If a migration action has timed out on a computer before the computer could be migrated to Sophos Cloud, you will see a yellow warning triangle ( column next to the computer. This error appears when: ) and the words "Error (Timed out)" in the Status The computer has been in the Pending state for more than a predefined timeout interval. The timeout occurs in two hours (by default) if the computer is connected to the network and communicating with the on-premise management console. If the computer is offline, the timeout will occur in 15 days. The computer has been in the Migrating state and has not been found in the list of computers managed by Sophos Cloud for more than a predefined timeout interval (by default, one hour). There may be several possible reasons for the timeout error. For example, there may be a connection problem between Sophos Cloud and the server on which the Sophos Cloud Migration Tool is running. Check in Sophos Cloud to see if the computer has been migrated and appears in Sophos Cloud. 33

Sophos Cloud Migration Tool Note: A computer appears in Sophos Cloud as soon as it has registered with Sophos Cloud, but it doesn t appear in the Sophos Cloud Migration Tool until it has successfully updated at least once after that and is protected. If the computer appears in Sophos Cloud, wait several minutes and check the computer entry in the Sophos Cloud Migration Tool again. If it still shows the error, try restarting the tool and logging in to your Sophos Cloud account again. If the computer hasn t appeared in Sophos Cloud, go to that computer and check the Sophos Endpoint Security and Control installation status. Try running the Sophos Cloud agent installer manually on the computer. 19.4 Missing component The Sophos Cloud Migration Tool requires that Sophos Anti-Virus and Sophos AutoUpdate be installed and running on the migrated computer. If a working installation of either cannot be detected, you will see the error The migration requires that Sophos AutoUpdate be installed or The migration requires that Sophos Anti-Virus be installed. To resolve the error, re-protect the endpoint computer. 1. In Sophos Enterprise Console, select the computers you want to re-protect, right-click, and then click Protect Computers. 2. Follow the steps in the Protect Computers Wizard. Remember not to select any of the features that are not supported in Sophos Cloud, such as Encryption software, Firewall or Patch. For more information about protecting computers, see the Sophos Enterprise Console Help, Protect computers automatically. 19.5 Post-migration installation error If an installation error has occurred after a computer has been migrated to Sophos Cloud, and the computer hasn t been protected successfully, you will see one of the following icons next to the computer, depending on how long the error has remained unresolved: Icon Status Description In Cloud (error) The computer has been migrated and is managed by Cloud, but an installation error has occurred that has most likely left the computer unprotected. This error will appear for computers that must be restarted to become protected. To resolve the error, restart the computers as soon as possible. In Cloud (critical error) The computer has been migrated and is managed by Cloud, but an installation error hasn t been resolved, and the computer has remained unprotected for more than a predefined time interval (by default, 24 hours). To resolve the error, restart the computer as soon as possible. 34

Help Important: In Sophos Cloud, this error event may not be escalated to a warning and displayed in the Action Center right away. To check the Cloud events for a computer, do one of the following: For a workstation, go to Users & Devices > Devices, click on the computer name and go to the Events tab. For a server, go to Servers, click on the server name and go to the Events tab. To view events for all computers, go to Reports > Events, and filter the events by the type Protection > Failed to protect computer or server. If you see an event Failed to install savxp: a reboot is required before the installation can succeed, you must restart the computer to ensure it is protected successfully following the migration. For more information about events and alerts in Sophos Cloud, see the Sophos Cloud Help. 35

Sophos Cloud Migration Tool 20 Technical support You can find technical support for Sophos products in any of these ways: Visit the SophosTalk community at community.sophos.com/ and search for other users who are experiencing the same problem. Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx. Download the product documentation at www.sophos.com/en-us/support/documentation.aspx. Open a ticket with our support team at https://secure2.sophos.com/support/contact-support/support-query.aspx. 36

Help 21 Legal notices Copyright 2015 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. 37

Sophos Cloud Migration Tool Index A Active Directory synchronization, unsupported settings 16 assessing computers 19 automatic restart 10 E endpoint software, supported versions 16 error 33 34 migration 33 migration timed out 33 missing component 34 post-migration installation 34 Sophos Cloud installer 33 troubleshooting 33 excluding computers from migration 25 F features, support for in Sophos Cloud 13 I installation 18 installation prerequisites 18 L logs 32 M migrating computers 26 migration considerations 10 migration error 33 migration exclusions 25 migration prerequisites 12 migration status 21 migration timed out 33 missing component, error 34 O operating systems 12 overview, Sophos Cloud Migration Tool 6 P policy settings, changes 10 post-migration installation error 34 prerequisites 12, 18, 30 installation 18 migration 12 uninstallation 30 R reboot, required 10 report 24 rollback 29 S server components, unsupported 16 Sophos Cloud installer error 33 Sophos Cloud license 12 Sophos Cloud Migration Tool overview 6 T troubleshooting 33 U uninstallation 30 uninstallation prerequisites 30 update locations, unsupported 16 38