McAfee EMM Best Practices Document
Upgrading your High Availability EMM installation
For use with EMM 9.x and 10.x versions
McAfee Support
Enterprise Mobility Management (EMM)
Document Rev. 2.2

Introduction

This document provides the general steps for upgrading your McAfee EMM software while keeping service interruption to a minimum and ensuring you have all the tools needed to restore your original installation in case of a failure. Below are some important steps and best practices to keep in mind when upgrading your EMM installation.

Back-up and other pre-upgrade measures

The measures below will be necessary to restore your installation to a working state if the EMM upgrade fails for any reason:

- Back up the EMM database (full backup).
- Create snapshots of the hub and proxy servers in case a rollback is required (only applicable if EMM runs on a virtual platform).
- Verify that the Push, MDM and Portal Certificates are current in the console and that no Trusted Certificates exist under the System Settings > Certificates section (if upgrading from 9.5.5). Also verify that you have copies of all the certificate files (pfx or p12 format) and their corresponding passwords.
- Log in to the EMM Console on the Hub server and export the Encryption key. You will have to click on the server name in the upper left-hand corner of the Web UI. Choose a password that you'll remember easily. You'll then need to save the file to a folder on the server.

  Note: You will not be prompted for the encryption key unless the upgrade fails or the software is moved to a different physical server. If the upgrade fails, it will be necessary to uninstall all EMM components, install the version of EMM you were upgrading from as a custom installation, and point the installer to the existing database. You will be able to specify the database encryption key when prompted. Refer to the EMM disaster recovery document (KB73237) for more information.
- Make backups of the web.config documents for each installed component:

Refer to the table below for the exact location of the web.config files for the different EMM components:

| EMM Component | Default Location |
|---|---|
| EMM Hub | C:\Program Files (x86)\mcafee\emmplatform\emmhub\web.config |
| EMM Console | C:\Program Files (x86)\mcafee\emmplatform\emmconsole\web.config |
| EMM PKI Agent | C:\Program Files (x86)\mcafee\emmplatform\emmcertenroll\web.config |
| EMM BES Agent | C:\Program Files (x86)\mcafee\emmplatform\emmbes\web.config |
| EMM Portal | C:\Program Files (x86)\mcafee\emmplatform\emmportal\web.config |
| EMM EAS Proxy | C:\Program Files (x86)\mcafee\emmplatform\eas Filter\TrustDigital-Server-ActiveSync\web.config |
| EMM EAS Proxy | C:\Program Files (x86)\mcafee\emmplatform\eas Filter\Proxy-Server-ActiveSync\web.config |
| EMM EAS Proxy | C:\Program Files (x86)\mcafee\emmplatform\eas Filter\filter.config |
| EMM Push Notifier | C:\Program Files (x86)\mcafee\emmplatform\emmpushnotifier\emmpushnotifier.exe.config |

Once the disaster recovery steps above have been followed and all backup files are safely stored, you can proceed with upgrading your EMM software.

Upgrading your EMM installation

1. Ensure that you are logged on to Windows on your EMM Hub (internal) server with the service account that was used during the original install. The specific service account used for the original install can be found in the file InstallerData.xml in the EMM installation directory:

    C:\Program Files (x86)\mcafee\emmplatform

   Note: If SQL Authentication was used during the original EMM installation, you should be able to log in to the server with any administrator account to run the upgrade. Verify that the SQL user still has db_owner rights to the EMM database in SQL.
2. Stop IIS on the proxy servers (DMZ) and on the EMM Hub (internal) servers you are not upgrading first. This eliminates device requests to the EMM Hub servers, and write attempts from other EMM Hub servers to the database, while the upgrade is running. Open a command prompt with Admin privileges (Windows 2008) and run the following command:

    iisreset /stop

3. Run setup.exe on the first EMM Hub (internal) server. Uncheck the "Use configuration from a previous installation" box and click Next.
4. Choose the Upgrade option.
5. All the settings should be pre-populated from the original installation settings. Specify any passwords that may be required and click Next.
6. Once all the components to be upgraded have been verified, click Upgrade.
7. Each component being upgraded will complete with a green checkmark if successful or a red X if unsuccessful.
8. Upgrade on the first Hub server is now complete.

   NOTE: Verify that you can log into the console and all the settings and policies look correct.
9. Stop IIS on the server that was just upgraded:

    iisreset /stop

10. Start IIS on the next EMM Hub server being upgraded:

    iisreset /start

11. Repeat steps 3-8 on the second EMM Hub server and on any additional Hub servers if you have more than two.
12. Once the upgrade is complete on all EMM Hub servers, verify that IIS is started on all servers:

    iisreset /start

13. Start the installation on the first EMM Proxy (DMZ) server and click Next.
14. Choose the Upgrade option.
15. Once all the components to be upgraded have been verified, click Upgrade.
16. Each component being upgraded will complete with a green checkmark if successful or a red X if unsuccessful.
17. Upgrade of the first Proxy server is complete.
18. Repeat steps 13-17 on the remaining Proxy servers.
19. Your EMM upgrade is now complete.

Supported Upgrade paths

McAfee strongly recommends that customers running older versions of EMM upgrade their installations to EMM 10.2. Refer to the chart below for the supported upgrade paths:

| Current EMM Version | Upgrade to this version | Then upgrade to this version |
|---|---|---|
| 9.5.5 | 10.0.1 | 10.2 |
| 9.6.x | 10.2 (directly) | N/A |
| 9.7.x | 10.2 (directly) | N/A |
| 10.0.x | 10.2 (directly) | N/A |
| 10.1.x | 10.2 (directly) | N/A |

Upgrade Failure

If the upgrade of one or more EMM components fails, it is recommended that you contact McAfee Technical Support for assistance. You can also review KB73237 for additional instructions to roll back your installation.

For contact details:

- Go to http://www.mcafee.com/us/about/contact/index.html
- Non-US customers: select your country from the list of Worldwide Offices.

Alternatively:

- Log in to the ServicePortal at https://mysupport.mcafee.com
- If you are a registered user, type your User Id and Password and click OK.
- If you are not a registered user, click New User and complete the required fields. Your password and login instructions will be emailed to you.

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided AS IS without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.mcafee.com

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others.
The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2011 McAfee, Inc.
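
One way to script the configuration-file backup from "Back-up and other pre-upgrade measures", as an added example rather than McAfee tooling: it copies the files from the default-location table and records a SHA-256 manifest so a restored file can be verified later. It assumes PowerShell 4.0 or later (for Get-FileHash), the default install root, and a hypothetical destination `D:\EMM-PreUpgrade`.

```powershell
# Added example, not part of the original document or of EMM itself.
# Assumptions: default install root; $BackupRoot is a hypothetical destination.
param(
    [string]$InstallRoot = 'C:\Program Files (x86)\mcafee\emmplatform',
    [string]$BackupRoot  = 'D:\EMM-PreUpgrade'   # hypothetical path
)

# Paths relative to the install root, taken from the default-location table.
$RelativePaths = @(
    'emmhub\web.config',
    'emmconsole\web.config',
    'emmcertenroll\web.config',
    'emmbes\web.config',
    'emmportal\web.config',
    'eas Filter\TrustDigital-Server-ActiveSync\web.config',
    'eas Filter\Proxy-Server-ActiveSync\web.config',
    'eas Filter\filter.config',
    'emmpushnotifier\emmpushnotifier.exe.config'
)

# One folder per server and run, so backups from several servers never collide.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null

$manifest = foreach ($rel in $RelativePaths) {
    $src = Join-Path $InstallRoot $rel
    if (-not (Test-Path -LiteralPath $src -PathType Leaf)) {
        # Not every component is installed on every server: report, do not fail.
        [pscustomobject]@{ File = $rel; Status = 'NotInstalled'; SHA256 = $null }
        continue
    }
    $dst = Join-Path $target $rel
    New-Item -ItemType Directory -Path (Split-Path $dst -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $dst

    # Hash source and copy; a mismatch means the backup cannot be trusted.
    $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    $status  = if ($srcHash -eq $dstHash) { 'Copied' } else { 'HashMismatch' }
    [pscustomobject]@{ File = $rel; Status = $status; SHA256 = $dstHash }
}

$manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
if ($manifest.Status -contains 'HashMismatch') {
    throw 'Backup verification failed; do not start the upgrade.'
}
```

Run it from an elevated prompt on each hub and proxy server before launching setup.exe, and keep manifest.csv with the database backup and exported encryption key.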