Data Loss Prevention

  • 1.  DLP 12.5, Multiple Enforce Servers and Endpoint Agents

    Posted Sep 02, 2014 02:01 PM

    Before upgrading to 12.5 we used to be able to move our endpoint agents between our Production Endpoint servers and UAT Endpoint servers.  Now with 12.5 and the certificates that are created for the enforce and endpoint server this does not seem to work anymore.  I followed the steps in the below link to make sure the CA certs are the same on both enforce servers.

    http://www.symantec.com/business/support/index?page=content&id=TECH223377

    I also renamed the endpoint certs in keystore on both enforce servers and had them regenerated and copied the certs between the 2 enforce servers. 

    I created a new agent package and installed it in Production and was able to successfully move the agent from Prod to UAT, but when I tried to move it back to Prod it failed.  Same for when I installed in UAT first: after a clean install I can move it to Prod but then not back to UAT.  Not sure if I'm missing something or you're just not supposed to be able to move endpoint agents between environments anymore?

    Thanks.



  • 2.  RE: DLP 12.5, Multiple Enforce Servers and Endpoint Agents

    Posted Sep 08, 2014 08:42 AM

    The enforce server is a root CA and all certificates are signed by the CA. You may need to copy the root CA certificate from production to the UAT enforce server and regenerate the enforce-monitor certificate pair in the UAT setup. You will also need to regenerate all the monitor trust sources, and then finally create an endpoint package.



  • 3.  RE: DLP 12.5, Multiple Enforce Servers and Endpoint Agents

    Posted Sep 08, 2014 09:54 AM

    I did that and got some strange behavior.  I noticed that the trust sources for the endpoints were different in prod vs UAT, so after I regenerated them I made sure they both had the same ones listed.

     

    When I install the new agent I'm able to move the agent once between the environments but then not back again.  I talked to support and they said this is not a supported feature to move between environments but are looking into it.