Migrating from Kaspersky Security Center Windows to Kaspersky Security Center Linux

Expand all | Collapse all

You can migrate mobile device data from Kaspersky Security Center Windows to Kaspersky Security Center Linux by transferring the mobile device management infrastructure from Windows to Linux servers. Following migration, mobile devices are automatically connected to Kaspersky Security Center Linux without the need for manual reconnection and are managed by the same policy as on Windows servers.

Prerequisites

Before you start:

• Make sure that the necessary features of Kaspersky Security Center Windows are supported in Kaspersky Security Center Linux. For detailed information on the main features of Kaspersky Security Center as a Windows-based solution or Linux-based solution, refer to the Kaspersky Security Center Help.
• Get acquainted with the DBMSes and Kaspersky Security Center and iOS MDM Server versions between which migration is possible.
  • Mobile device data can be migrated between the following DBMSes:
    • Kaspersky Security Center Windows + Microsoft SQL Server → Kaspersky Security Center Linux + PostgreSQL, Postgres Pro
    • Kaspersky Security Center Windows + MariaDB → Kaspersky Security Center Linux + PostgreSQL, Postgres Pro
    • Kaspersky Security Center Windows + MySQL → Kaspersky Security Center Linux + PostgreSQL, Postgres Pro
    • Kaspersky Security Center Windows + PostgreSQL, Postgres Pro → Kaspersky Security Center Linux + PostgreSQL, Postgres Pro
    • Kaspersky Security Center Windows + MariaDB → Kaspersky Security Center Linux + MariaDB
    • Kaspersky Security Center Windows + MySQL → Kaspersky Security Center Linux + MySQL

    To enable migration to PostgreSQL or Postgres Pro, you must install a patch for the corresponding version of Kaspersky Security Center Windows Administration Server. Contact Kaspersky Technical Support to get the required patch.
    
    For Kaspersky Secure Mobility Management based on Kaspersky Security Center Windows 14.2: 14.2.0.26967-pf5
    
    For Kaspersky Security Center Windows 14.2: 14.2.0.48079-pf5
    
    For Kaspersky Security Center Windows 15.1: 15.1.0.20748-pf2

    If you use MySQL or MariaDB as a DBMS for Kaspersky Security Center Windows and Kaspersky Security Center Linux, before creating a data backup, make sure that the lower_case_table_names parameter matches for the current and new DBMSes.
    
    When installing MySQL or MariaDB for Kaspersky Security Center Linux, you must set this parameter to the same value as specified for Windows. For detailed information about backing up and restoring Administration Server data when using MySQL or MariaDB, refer to the Kaspersky Security Center Help.

  • Migration between the following versions of Kaspersky Security Center is possible:
    • Kaspersky Security Center Windows 14.2 MMC-based Administration Console (on-premises) → Kaspersky Security Center Linux 15.4 Web Console (on-premises)
    • Kaspersky Security Center Windows 14.2.0.48079 MMC-based Administration Console (on-premises) (for Kaspersky Secure Mobility Management) → Kaspersky Security Center Linux 15.4 Web Console (on-premises)
    • Kaspersky Security Center Windows 15.1 MMC-based Administration Console (on-premises) → Kaspersky Security Center Linux 15.4 Web Console (on-premises)
    • Kaspersky Security Center Windows 14.2 Web Console and Cloud Console (on-premises) → Kaspersky Security Center Linux 15.4 Web Console (on-premises)
    • Kaspersky Security Center Windows 15.1 Web Console and Cloud Console (on-premises) → Kaspersky Security Center Linux 15.4 Web Console (on-premises)
  • Migration between the following versions of iOS MDM Servers is possible:
    • iOS MDM Server Windows 14.2 (for Kaspersky Secure Mobility Management) → iOS MDM Server Linux 15.4
    • iOS MDM Server Windows 14.2 → iOS MDM Server Linux 15.4
    • iOS MDM Server Windows 15.1 → iOS MDM Server Linux 15.4
• Learn about the data that is transferred during migration.

  The following data is transferred:

  • Kaspersky Security Center settings
    • FQDN for connecting mobile devices to Kaspersky Security Center
    • Mobile-specific settings: licenses, Firebase Cloud Messaging (FCM) integration settings, certificates for signing device management profiles, settings for issuing mobile certificates, information on accepted End User License Agreements, Kaspersky Security Network (KSN) proxy settings, Kaspersky Private Security Network (KPSN) configuration files

      PKI integration settings for issuing mobile certificates are not migrated.

    • Role-based access control configuration files
    • Kaspersky Endpoint Security for Android database update settings
    • Signing keys for Kaspersky Endpoint Security for Android APK files
  • Mobile devices
    • Information on mobile devices managed by Kaspersky Endpoint Security for Android and Kaspersky Protection for iOS
    • Event logs of mobile devices managed by Kaspersky Endpoint Security for Android and Kaspersky Protection for iOS
    • History of previously executed and pending commands on Android devices and their results
    • Information on links, installation packages, and device management profiles created for mobile devices waiting to be connected
    • Kaspersky Endpoint Security for Android settings and installation packages
    • iOS MDM Server settings and installation packages

      Information on Android devices awaiting connection is not migrated.

      History of commands executed on iOS MDM devices is not migrated.
      
      Commands sent to iOS MDM devices in the first 15-30 minutes after completing the migration are also missing from the command history.

  • Policies
    • Policies for mobile device management in MMC-based Administration Console of Kaspersky Security Center (Android and iOS devices)
    • Policies for mobile device management in Kaspersky Security Center Web Console and Cloud Console (Android and iOS devices)
  • Certificates
    • Mobile Administration Server certificates (main and reserve certificates, Web Server certificates)
    • Information on user certificates (mobile, mail, and VPN certificates) and their statuses
  • iOS MDM Servers
    • Installed iOS MDM Servers
    • iOS MDM Server event logs
  • iOS MDM Server settings, certificates (iOS MDM Server certificate, APNs certificate), and configuration profiles

    iOS MDM Server apps are not migrated.

    Host-specific data such as information on profiles created for mobile devices awaiting connection and commands awaiting execution is not migrated.

    When migrating iOS MDM Server settings from Kaspersky Security Center Windows 14.2 to Kaspersky Security Center Linux, the notification and storage settings of the iOS MDM Server events are not transferred and instead take default values. After the migration, you will need to specify the required values manually.

  • Web Server
    • Kaspersky Endpoint Security for Android settings and installation packages
    • iOS MDM Server settings and installation packages

    Apps for mobile devices stored on Kaspersky Security Center Web Server are not migrated using the klbackup utility and must be transferred manually.

  • Connection gateway (Network Agent) settings

  The installed mobile management plug-ins are not migrated. After you restore the Administration Server and iOS MDM Server data from a backup copy, you need to download and install the Kaspersky Mobile Devices Protection and Management plug-in and iOS MDM Server plug-in.

Stages

The migration process entails creating a data backup using the klbackup utility to transfer the Administration Server data and using the kliosbackup utility to transfer the iOS MDM Server data.

For the transferred mobile devices to be displayed correctly in Kaspersky Security Center Web Console, both Administration Server and iOS MDM Server must be migrated. First you need to migrate Administration Server and then iOS MDM Server as described in the scenario below.

Migration proceeds in stages:

1. Prepare for migration
   1. Make sure that you have the administrator's internal user account under which you can log in to Administration Server.

      The administrator's account will be used to log in to Kaspersky Security Center Linux Administration Server. If you do not have this account and you are logged in only under a local Windows account or a domain account, you will not be able to log in to Kaspersky Security Center Linux Administration Server after restoring data from the backup. Kaspersky Security Center Linux Administration Server does not support logging in using the local Windows account. Logging in under the domain account is possible, but may require additional configuration of Administration Server.

      If you do not have the administrator's account, you will have to create this account after restoring data from the backup copy using the kladduser utility.

   2. In Kaspersky Security Center Windows, enable the Inherit settings from Administration Server or parent group option in the Security section of the Managed devices group properties window to ensure the inheritance of rights and access to policy settings.

      The Security section is available if the Display security settings sections check box is selected in the interface settings window.

   3. Create a task for downloading updates to the Kaspersky Security Center repository.

      This task is required to download the latest role-based access control configuration file from Kaspersky servers to the repository of Administration Server. For detailed information on creating this task, refer to the Kaspersky Security Center Help.

   4. If you need to migrate policies created in the Kaspersky Security for Mobile (Policies) plug-in of Kaspersky Security Center Web Console and Cloud Console, delete all its policy profiles. The policies of this plug-in that contain policy profiles will not be migrated.
2. Create an up-to-date backup copy of the Kaspersky Security Center Windows Administration Server data

   Depending on the DBMS type used for Kaspersky Security Center Windows and Kaspersky Security Center Linux, do one of the following:

   • To migrate MySQL or MariaDB to MySQL or MariaDB: create a backup copy using the klbackup utility on the device that has Administration Server installed.
   • To migrate Microsoft SQL Server to MySQL or MariaDB: create a backup copy using the klbackup utility, with the Migrate to MySQL/MariaDB format option enabled.
   • To migrate Microsoft SQL Server to PostgreSQL or Postgres Pro:
     1. Install a patch for the corresponding version of Kaspersky Security Center Windows Administration Server:
        • For Kaspersky Secure Mobility Management based on Kaspersky Security Center Windows 14.2: 14.2.0.26967-pf5
        • For Kaspersky Security Center Windows 14.2: 14.2.0.48079-pf5
        • For Kaspersky Security Center Windows 15.1: 15.1.0.20748-pf2

        Contact Kaspersky Technical Support to get these patches.

     2. Create a backup copy using the klbackup utility.
        • If you run klbackup from the command line, use the -migrate postgres flag.
        • If you use the klbackup interface, enable the Migrate to Postgres format option.
     3. Disconnect Kaspersky Security Center Windows Administration Server from the network.
3. Prepare a new device for the installation of Kaspersky Security Center Linux
   1. Choose a new device on which to install Administration Server. This device must meet hardware and software requirements.
   2. Make sure that the ports used on Administration Server are available.
   3. Assign to the new device the same Host Name and FQDN as on the Windows server.
   4. Set the environment variable KLCS_FF_UMDM_POLICIES_MIGRATION to 1:

      export KLCS_FF_UMDM_POLICIES_MIGRATION=1

      As an alternative, immediately after the installation of Kaspersky Security Center Linux, use the klscflag utility to configure the corresponding server flag using the command:

      klscflag -fset -pv .core/.independent -s klcsff -n KLCS_FF_UMDM_POLICIES_MIGRATION -t d -v 1

4. Install and configure the DBMS
   1. Choose the DBMS type that provides optimum performance taking into account the number of networked devices, network topology, and load on the network. You can choose from one of the supported DBMSes.
   2. Install the DBMS that corresponds to the DBMS type selected when creating a backup. For detailed information on installing the selected DBMS, refer to its documentation.

      The new database version must not be lower than the current one.

   3. Configure the DBMS to work with Kaspersky Security Center Linux.
5. Install Kaspersky Security Center Linux and complete the migration of Administration Server
   1. Install Kaspersky Security Center Linux on the new device.

      The administrator's internal user account created during the installation, as well as other objects (groups, policies, tasks, users) created before the restoration of Administration Server data from the backup, will be lost after the restoration. These objects will be replaced by objects that are contained in the backup.

   2. After the installation is complete, restore the Administration Server data on the new device using the klbackup utility.

      Due to limitations of PostgreSQL, you need to temporarily grant PostgreSQL superuser privileges to the account that Administration Server uses to connect to the DBMS.

      We recommend that you start the data restoration process immediately after the Kaspersky Security Center Linux installation without any intermediate reboots.

   3. If you did not have the administrator's internal user account under which you were logged in to Kaspersky Security Center Windows Administration Server and you used a local Windows account or a domain account, create an administrator's account using the kladduser utility:

      /opt/kaspersky/ksc64/sbin/kladduser -n ksc -p <password>

      where the <password> parameter meets the following requirements:

      • The user password cannot have less than 8 or more than 256 characters
      • The password must contain characters from at least three of the groups listed below:
        • Uppercase letters (A-Z)
        • Lowercase letters (a-z)
        • Numbers (0-9)
        • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
   4. Check the restoration status (for example, using the journalctl -u kladminserver_srv.service -b command) to ensure that mobile policies migrate successfully.
   5. Install Kaspersky Security Center Web Console.
   6. Log in to Kaspersky Security Center Web Console under the administrator's internal user account.

      The data initialization process usually takes up to 15 minutes after the Administration Server data is restored. The exact time depends on hardware performance and the volume of Administration Server data. During this time, Kaspersky Security Center Web Console may fail to connect and may display errors.

   7. Deploy the mobile management plug-ins.
   8. Install Network Agent Linux.
   9. Check the functionality of the main Administration Server features when the data initialization in the database is complete. Verify that Administration Server synchronizes with managed devices and the Administration Server data is restored.

      Forced synchronization with mobile devices is performed to check their connection after migration.

   10. Poll domain controllers to restore information on the domain structure, user accounts, groups, and DNS names of devices that are included in the domains.
   11. If necessary, uninstall Administration Server and the database server from the previous device.

       There must not be multiple Administration Servers on the same network with the same connection address and Administration Server certificate.

       The administrator now has access to the Administration Server data and devices previously managed by Kaspersky Security Center Windows, taking into account the functionality supported in Kaspersky Security Center Linux.

       For the Saving location history option of the Location tracking policy settings to work correctly, add the Device location history event type on the Event settings tab and enable its storage in the Administration Server database in the event properties. This action must be performed for all migrated policies.

6. Migrate the iOS MDM Server Windows data

   If you have multiple iOS MDM Servers installed, you need to perform the migration procedure for each of them.

   1. Make sure that the FQDN of iOS MDM Server Linux is the same as the FQDN of iOS MDM Server Windows.
   2. If you have reserve iOS MDM Server certificates, make sure that the kliosmdm.ini file located in the iOS MDM working directory contains the SrvResCertPwd password.

      If there is no password in the kliosmdm.ini file, reissue or delete the reserve iOS MDM Server certificate (kliosmdmserver2_cert.pem), the password for which is missing from the file.

   3. Create a backup copy of iOS MDM Server using the kliosbackup utility.
   4. Deploy iOS MDM Server on the new device with Kaspersky Security Center Linux installed.
   5. Transfer the files with iOS MDM Server backup data to the new device.
   6. Restore iOS MDM Server data using the kliosbackup utility.

      If any setting value fails to migrate, it will be replaced with the default value.

   Once the migration process is complete, all connected devices are automatically synchronized with iOS MDM Server Linux without the need for reconnection.

Page top