This Best Practice guide describes the recommended way of migrating from SafeGuard Easy (SGE) to SafeGuard Enterprise (SGN). It explains the prerequisites and the limitations of the migration procedure, and provides advice on a number of issues you should consider before you start.
Please note: This article applies to a migration of SafeGuard Easy (SGE) from version 4.x to version 5.x and higher as well as to a migration of SafeGuard Device Encryption (SDE) from version 4.x to version 5.x and higher.
Known to apply to the following Sophos product(s) and version(s)
SafeGuard Device Encryption
Windows XP x86
Before you start the migration, we recommend that you
- read through the considerations and limitations described below
- refer to the SGN Migration Matrix (which you can find in our knowledgebase article 112780) for a description of possible migration scenarios.
- Verify the requirements for SafeGuard Enterprise as follows:
- Check whether the type of hardware you are using has been tested with SafeGuard Enterprise. Refer to the tested hardware list attached to our knowledge base article.
- Check additional hardware requirements in the SafeGuard Enterprise Release Notes.
- Is a third party GINA in use? If you are unsure, refer to the knowledgebase article 110731 for further information.
- Are you using SafeGuard Easy in combination with tokens e.g. Aladdin eToken?
The SafeGuard Easy credentials of the token are not migrated to SafeGuard Enterprise. Therefore, if you are using them, you will need to reissue the tokens with SafeGuard Enterprise credentials. Details of how to do this are given in chapter 10 of the respective SafeGuard Enterprise manual.
- If you are using the modules Configuration Protection (CP) and/or Data Exchange (DX), we strongly recommend installing them as a separate procedure after the migration is finished.
The following SafeGuard Easy installations cannot be migrated to SafeGuard Enterprise:
- Twin Boot / Multi-boot installations
- Installations with active Compaq Switch
- Lenovo Computrace installations (migration possible, but function gets lost)
- Hard disks where only the boot sector is encrypted
- Installations on hard drives with hidden partitions
- The file system is not NTFS 5 or FAT32
- Hard disks and removable media that have been encrypted with one of the following algorithms: XOR, Blowfish, STEALTH, DES, RIJNDAEL
- Initial installations of SafeGuard Easy without the GINA component (GINASYS=0). This is only valid for SGN versions lower than 5.40. Since SGN 5.40 you can migrate SGE installations initially set up with GINASYS=0.
- SafeGuard Advanced Security is installed on the system
- Any versions of SafeGuard Easy lower than 4.30 are no longer supported, have not been tested for the migration, and therefore are not supported for the migration process.
- This list does not reflect the full list of SGN installation requirements. Please refer to the appropriate SGN manual for more information.
4. Before you start
Do the following before you start the migration:
- Create a full data backup of the user PCs that you are going to migrate. This is to minimize the risk of possible data loss.
- Use the Windows "defrag" & "chkdsk" tools to obtain a clean file system:
To complete these steps you will need to reboot the computer.
- Use chkdsk to perform a detailed check of the NTFS file system.
- Use the Windows defrag tool.
- Create a valid SafeGuard Easy kernel back-up for every computer which will be migrated (sgeback.exe / edwizard.exe). Save these back-ups to a location that is not on the local hard disk (e.g. network share, external hard disk).
- Create a test environment for the first migration tests in order to minimize the risk of potential data loss.
- Update older versions of SafeGuard Easy to (at least) version 4.30. It might be necessary to update SafeGuard Easy to a newer version than 4.30. This will depend on the SafeGuard Enterprise version you want to migrate to. Refer to the respective SafeGuard Enterprise manual to check for the supported SafeGuard Easy versions within the migration process.
- Ensure that the computer can access the migration cfg file (SGE2SGN.cfg) with valid SafeGuard Easy credentials during the migration. The system key generated from this file is needed during migration to decrypt the encrypted SafeGuard Easy system kernel. You can validate the SafeGuard Easy credentials using the local administration of SafeGuard Easy (sgeadm.exe).
- Leave the user PCs switched on throughout the migration process. If laptops are to be migrated, make sure that the power cable is inserted into the laptop.
- We recommend deactivating hibernation mode for the duration of the migration. This is to prevent the machine from shutting down during the migration process.
5. Creating the required files and scripts
Be aware: When migrating SafeGuard Easy to SafeGuard Enterprise, only the client installation package SGNClient.msi can be installed on the client PC. The packages SGNClient_withoutDE.msi and SGNClient_x64.msi are not supported for the migration to SafeGuard Enterprise.
- Use the Migration Wizard (wizldr.exe) from any of your SafeGuard Easy clients and create a new migration cfg file.
- Rename this file from SGEMIG.cfg to SGE2SGN.cfg.
- Use the msiexec command switch "MIGFILE" and add the path to your cfg file (e.g. MIGFILE="C:\Install\Software\Sophos\SGE2SGN.cfg"). Ensure that this file is not write protected.
- Build an installation script to start the migration unattended, for example:
msiexec /i "C:\Install\Sophos\SGN\SGNClient.msi" /qn MIGFILE="C:\Install\Sophos\SGE2SGN.cfg" POACFG=C:\Install\Sophos\HardwareCheck.xml
Hint: For troubleshooting purposes, you can add an additional switch for logging the installation (e.g.
The above-mentioned msiexec command installs the default configuration of the SafeGuard Enterprise package (only Device Encryption). We do not recommend adding additional modules (Data Exchange or Configuration Protection) of SafeGuard Enterprise using the ADDLOCAL command at this point. For further information about the property "POACFG", refer to our knowledgebase article "SafeGuard Enterprise Client: Latest POA settings Database file".
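The file checks and the unattended call from this section, combined into one batch wrapper. This is an added example, not a Sophos-supplied script: the folder layout follows the article's example paths, while the log file name, the wrapper's own exit codes 2 to 4 and the fsutil file-system check are assumptions of this example.

```bat
@echo off
rem Added example: pre-flight checks, then the unattended migration install.
rem Run with administrative rights from the local staging folder.
setlocal
set "SRC=C:\Install\Sophos"
set "MSI=%SRC%\SGN\SGNClient.msi"
set "CFG=%SRC%\SGE2SGN.cfg"
set "POA=%SRC%\HardwareCheck.xml"
rem Hypothetical log name; kept out of system and temporary folders.
set "LOG=%SRC%\SGE2SGN-install.log"

rem 1. All three input files must be present locally.
for %%F in ("%MSI%" "%CFG%" "%POA%") do (
  if not exist "%%~F" (
    echo ERROR: missing %%~F
    exit /b 2
  )
)

rem 2. The migration cfg file must not be write protected.
rem    %%~aF expands to the attribute string; position 1 is "r" if read-only.
for %%F in ("%CFG%") do set "ATTR=%%~aF"
if /i "%ATTR:~1,1%"=="r" (
  echo ERROR: %CFG% is read-only, clear the attribute first
  exit /b 3
)

rem 3. Coarse file-system check: only NTFS and FAT32 volumes can be migrated.
rem    Matches on the name only; it cannot tell NTFS versions apart.
fsutil fsinfo volumeinfo %SystemDrive%\ | findstr /i /c:"NTFS" /c:"FAT32" >nul
if errorlevel 1 (
  echo ERROR: %SystemDrive% is neither NTFS nor FAT32
  exit /b 4
)

rem 4. Default installation, no ADDLOCAL. /l*v is msiexec's verbose log option.
start /wait "" msiexec /i "%MSI%" /qn MIGFILE="%CFG%" POACFG="%POA%" /l*v "%LOG%"
set "RC=%errorlevel%"

rem 0 = success, 3010 = success with reboot required (standard MSI codes).
if "%RC%"=="0" goto done
if "%RC%"=="3010" goto done
echo ERROR: msiexec returned %RC%, see %LOG%
exit /b %RC%

:done
echo SGNClient.msi installed (code %RC%). Install the client configuration package, then reboot.
exit /b 0
```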
6. Migration workflow
- Make sure all prerequisites listed in sections 1-4 above have been met.
- Ensure that you have created the following, as described in section 5 above:
- the SGE2SGN.cfg file using the SafeGuard Easy Migration Wizard (wizldr.exe)
- the installation script for the migration, including the parameter "MIGFILE"
- Install the "SafeGuard Pre-Install.msi". For further information about this specific package, see the knowledgebase article 110589, "Microsoft security patch required before installing SafeGuard Enterprise v. 5.50".
- Execute the installation script described in step 2 above. Use the default installation mode of the SGNClient.msi without additional ADDLOCAL parameters.
Hint: We recommend copying the required install files onto the local computer. Therefore, a new folder, as shown in the example, should be used. Do not use system or temporary folders for saving the necessary files. This is to prevent any problems regarding write or read access for the necessary files or network disconnects.
- Install the SGN ClientConfig.msi.
- Reboot the computer.
- After the first logon to Windows, the user credentials will be replicated to the SafeGuard Enterprise Power On Authentication (POA). The migration process is now complete.
If you are using a managed client, please verify that the connection between SafeGuard Enterprise Client and the SafeGuard Enterprise Server is established. This connection is required to deploy SafeGuard Enterprise Policies to your SafeGuard Enterprise clients.
In order to test the communication, right-click the SGN tray icon and select “Synchronize”. If Synchronization does not work, please contact Sophos support for help in analyzing possible communication issues between SGN Client and Server.