Migration with a hierarchy of Administration Servers

This section describes the migration of managed devices and related objects from Kaspersky Security Center Web Console running on-premises to Kaspersky Security Center Cloud Console. The process involves a hierarchy: Kaspersky Security Center Web Console running on-premises acts as the secondary Administration Server and Kaspersky Security Center Cloud Console acts as the primary Administration Server.

Every administration group that you transfer to Kaspersky Security Center Cloud Console must contain the managed devices of a single operating system. If your network includes the devices of different operating systems, allocate them in different administration groups, and then migrate each group separately.

After you finish the migration, all Network Agents in the group within the migration scope are upgraded and managed through Kaspersky Security Center Cloud Console.

Before you start, do the following:

Upgrade Administration Server running on-premises to the following version:
- For Windows devices—version 12 or later
- For Linux devices—version 12 Patch A or later
Install Kaspersky Security Center Web Console version 12.1 or later.
Upgrade Network Agent on the managed devices to version 12 or later.
On Windows devices, use Network Agent without an uninstallation password.
If the password has already been set, do one of the following in Kaspersky Security Center Web Console:
- Disable the Use uninstallation password option in the Network Agent policy settings.
- Uninstall Network Agent remotely by using the Uninstall application remotely task. In the Application to uninstall field of the task, select Kaspersky Security Center Network Agent. Do not forget to enter the uninstallation password.
Upgrade the managed applications to the versions supported by Kaspersky Security Center Cloud Console.
Make sure that you have policies for the latest versions of the managed applications. If you use outdated policies, create new ones for the application versions supported by Kaspersky Security Center Cloud Console.
To use actual policies, upgrade the web plug-ins for the applications that you intend to manage through Kaspersky Security Center Cloud Console.
Uninstall Kaspersky applications from managed devices if these applications are not supported by Kaspersky Security Center Cloud Console, and then replace the uninstalled applications with supported ones.
Decrypt all the data (disk-level or file-level) that was encrypted by Kaspersky Endpoint Security for Windows on managed devices running the Windows operating system, and disable the encryption feature on the managed devices through the application policy or locally. For more information, see Help for Kaspersky Endpoint Security for Windows.
If the Windows device still stores any files or folders encrypted through Kaspersky Endpoint Security for Windows, the Network Agent upgrade will be canceled during the migration process. A notification will prompt you to decrypt all data on the device and disable the encryption feature.

Kaspersky Security Center Cloud Console allows for a maximum of 25,000 managed devices per one Administration Server.

To perform a migration to Kaspersky Security Center Cloud Console:

Estimate the scope of the migration process, that is, review the administration group to export and assess the number of managed devices in it. Make sure that all the activities listed as migration prerequisites have been completed successfully.
In Kaspersky Security Center Cloud Console, proceed to the secondary Administration Server for the managed devices that you want to migrate.
In the main menu, go to Operations → Migration.
The welcome page of the Migration wizard opens.
On the welcome page, click Next.
The Managed devices to export page opens, displaying the entire hierarchy of administration groups of the secondary Administration Server.
On the Managed devices to export page, click the chevron icon () next to the Managed devices group name, and then expand the hierarchy of administration groups. Select the administration group that you want to export.
The Migration wizard checks the total number of managed devices included in the selected administration group. If this number exceeds 10,000, an error message appears. The Next button remains unavailable (dimmed) until the number of managed devices in the selected administration group falls within the limit.
Select the managed applications whose policies and tasks must be transferred to Kaspersky Security Center Cloud Console together with group objects. To select the managed applications whose objects are to be exported, select the check boxes next to their names in the list.
Although Kaspersky Security Center Administration Server is present on the list, selecting the corresponding check box does not result in the export of its policies.

To make sure that your managed applications are supported by Kaspersky Security Center Cloud Console, click the corresponding link. It will redirect you to the Online Help topic containing the list of applications managed by Kaspersky Security Center Cloud Console.

If you select applications that are not supported by Kaspersky Security Center Cloud Console, the policies and tasks of these applications will be migrated anyway, but you will not be able to manage them in Kaspersky Security Center Cloud Console, due to the unavailability of the dedicated plug-ins.
View the list of group objects exported by default. You can also specify non-group objects to be exported together with the selected administration group, if necessary, such as global tasks, custom device selections, reports, custom roles, internal users and security groups, and custom application categories with content added manually. This page includes the following sections:
- Global tasks
  The list of global tasks of managed applications, as well as global tasks of Network Agent.
  
  If a global task that you selected applies to a specific object selection, this selection will also be exported.
  
  Although the global tasks of Administration Server are present on the list, you cannot export them; selecting those tasks does not affect the export scope. Remote installation tasks also remain outside the export scope, because their respective installation packages cannot be exported.
- Device selections
  The list of custom device selections.
- Reports
  The editable list of report instances to be exported.
  
  If a report that you selected applies to a specific object selection, this selection will also be exported.
  
  Kaspersky Security Center Cloud Console contains the same set of report templates as Kaspersky Security Center Web Console, so you can select for export only the reports that you created manually or reconfigured.
- Group objects
  The list of group objects to be exported by default. The following objects related to the selected administration group will be exported in their entirety by default:
  - Administration group structure, that is, all subgroups of the selected administration group
  - Devices that have been included in the administration groups to be exported
  - Tags that have been assigned to the devices to be exported
    If a tag was created in Kaspersky Security Center Web Console but never assigned to any device, it will not be exported. The auto-tagging rules will not be exported, either.
  - Group policies of the managed applications that have been selected
    Administration Server policies and Network Agent policies are not exported.
  - Group tasks of the managed applications that have been selected and Network Agent group tasks
    Administration Server tasks are not exported.
  You can also prevent certain types of non-group objects from being exported:
  - To cancel export for custom roles (that is, those created by the user only), select the Exclude custom roles from export check box.
  - To cancel export for internal users and security groups, select the Exclude internal users and security groups from export check box.
  - To cancel export for custom application categories with content added manually, select the Exclude custom application categories from export check box.
If you transfer devices of various operating systems to Kaspersky Security Center Cloud Console, non-group objects only need to be migrated once.
After you defined the migration scope, click Next to start the export process. The Creating the export file page opens, where you can view the export progress for each type of object that you included in the migration scope. Wait until each refresh icon (), located next to each item in the list of objects, is replaced with a green check mark (). The export finishes and the export file is automatically saved to a temporary folder. The next page opens, displaying the entire hierarchy of administration groups in Kaspersky Security Center Cloud Console, which acts as the primary Administration Server.
Select the check box next to the administration group to which the group objects must be imported, and then click Next. The file is unpacked, and the non-group objects and the group objects are restored to the target administration group.
If the name of the object that you restore is identical to the name of an existing object, the restored object has an incremental suffix added.

When the import completes, the exported structure of administration groups, including the details of devices, appears under the target administration group that you selected. The non-group objects are also imported.

You cannot minimize the Migration wizard and perform any concurrent operations during the import. Wait until each refresh icon (), located next to each item in the list of objects, is replaced with a green check mark () and the import finishes. After this, the devices start switching to Kaspersky Security Center Cloud Console.
After the import completes, the Migration wizard displays a list of Network Agent installation packages available in Kaspersky Security Center Cloud Console for an appropriate operating system. Select the installation package containing the relevant version and localization of Network Agent.
Select the Kaspersky Network Agent for Windows installation package only if you have previously completed the quick start wizard in your Kaspersky Security Center Cloud Console workspace and if you perform the migration of Windows devices.
Click Next.
The Migration wizard creates a new stand-alone installation package (or uses an existing one) and a custom installation package based on it, as well as the corresponding remote installation task. The task scope includes the administration group that you selected on the Managed devices to export page. The task startup schedule is set to Manually by default. The Migration wizard displays the creation progress.
Wait until each refresh icon () is replaced with a green check mark (), and then click Next.
If necessary, select the Run newly created remote installation task check box (cleared by default) for the devices in the selected administration group in Kaspersky Security Center Web Console running on-premises and all of its subgroups. After the Network Agent installation completes, you can manage the selected devices through Kaspersky Security Center Cloud Console. The full path is displayed to the administration group in which the task is to be run.
The remote installation task must only be started after the import to Kaspersky Security Center Cloud Console finishes. Otherwise, the devices may be duplicated.
Click Finish to close the Migration wizard and start the remote installation task for the following purposes:
- Upgrading the Network Agent instances
- Managing the Network Agent instances through Kaspersky Security Center Cloud Console
If you have left the Run remote installation task check box cleared, you can start the task later manually, if necessary.

You can check that you can now manage the migrated Network Agent instances through Kaspersky Security Center Cloud Console. To do this, go to Assets (Devices) → Managed devices. Make sure that migrated managed devices have the confirmation icon () in the Visible, Network Agent is installed, and Network Agent is running columns. Also, make sure that these devices do not have the Not connected for a long time status description.