Migrating from Existing SentinelOne to Guardz
Updated over 2 weeks ago

🚀 Migrating SentinelOne Agents to Guardz Managed SentinelOne

📌 Introduction

This guide provides a step-by-step process for moving SentinelOne Agents from an existing SentinelOne deployment to Guardz Managed SentinelOne under the Ultimate Plan.

✅ Why migrate to Guardz Managed SentinelOne?

  • 🎯 Unified Security Management – Manage SentinelOne agents, policies, and detections within Guardz.

  • Streamlined Threat Response – SentinelOne detections automatically surface in Guardz Detection & Response.

  • 🛡️ Simplified Policy Enforcement – Configure SentinelOne security settings from Guardz without relying on multiple platforms.

💡 Alternative Option:

  • If you prefer not to migrate agents, you can integrate your existing SentinelOne deployment using the Bring Your Own (BYO-S1) option. Learn more about BYO-S1.


📌 Prerequisites

Before migrating agents, ensure that:

🔹 User Permissions:

  • You have Global or Account permissions for the existing SentinelOne Console.

  • You have Admin permissions in Guardz to retrieve the new Site Token.

🔹 Endpoint Readiness:

  • Operating System: The endpoints must be running a supported OS.

  • Threat Status: Endpoints must not have unresolved threats.

  • Full Disk Scans: Endpoints must not be running a Full Disk Scan during migration.

    • ✅ To check: In SentinelOne, go to Endpoints → Expand Columns → Select Full Disk Scan.

  • Active Directory Connectors: Endpoints must not be configured as an AD Connector.

    • ✅ To check: In SentinelOne, go to Policy & Settings > Exposure Management > Active Directory.

💡 Note: If you need to move agents between Guardz-managed SentinelOne sites, contact Guardz Support for assistance.


📌 Step 1: Retrieve the Site Token from Guardz

1️⃣ Log into Guardz.
2️⃣ Navigate to Security Controls > Endpoint Security > SentinelOne.
3️⃣ Click "Deploy" under SentinelOne Managed.
4️⃣ Click "View Site Token".
5️⃣ Copy the Site Token – you will need it for migration.

🚨 Each Site Token is unique to a customer. Do NOT reuse it across organizations.


📌 Step 2: Migrate SentinelOne Agents from the Source Management Console

1️⃣ Log into the existing SentinelOne Management Console.
2️⃣ Navigate to Sentinels > Endpoints.
3️⃣ Select the endpoints to migrate:

  • ✅ You can select individual devices, groups, or apply a saved filter.

4️⃣ Click Actions > Agent Actions > Migrate Agent.
5️⃣ Paste the Guardz Site Token in the Site Token field.
6️⃣ Click "Move", then "Approve", and finally "OK".

✅ What Happens Next?

  • The Agent reconnects to the Management Console and reloads services.

  • If the OS temporarily displays "Turn on virus protection", the Agent is still reconnecting – this message will disappear when fully loaded.

  • Local configuration files are retained, and Guardz applies new management settings after the next keep-alive communication.

🚨 If the Agent fails to connect to Guardz within 3 minutes, it remains in the original Management Console.


📌 Step 3: Monitor Migration Status in SentinelOne

1️⃣ In SentinelOne, go to Sentinels > Endpoints.
2️⃣ Expand Columns and select Console Migration Status.
3️⃣ Scroll right in the Endpoints page to review migration progress.

🔎 Migration Status Meanings:

  • N/A – No migration command was sent.

  • Pending – The Agent is attempting to migrate. If offline, it remains pending until it comes online.

  • Migrated – The Agent successfully moved to Guardz. It now appears as Offline in the original console.

  • Failed – The Agent failed to migrate and remains in the original Management Console.

✅ To check migration history:

  • In SentinelOne, go to Activity Log.

  • Filter to Administrative > Move to another console.

📌 Step 4: (Alternative) Migrate SentinelOne Agents Using SentinelCTL

If you prefer command-line migration, use SentinelCTL:

🔹 Windows

1️⃣ Open Command Prompt (Admin).
2️⃣ Bind the agent to the new Guardz-managed site:

sentinelctl bind SiteToken

3️⃣ Reload the agent:

sentinelctl unload -m -k "passphrase"
sentinelctl load -m

🔹 macOS

1️⃣ Open Terminal.
2️⃣ Run:

sudo sentinelctl set registration-token -- SiteToken

🔹 Linux

1️⃣ Open Terminal.
2️⃣ Run:

sentinelctl management token set SiteToken

🚀 This method is useful for bulk migrations using scripts.
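
A wrapper for the scripted route on Linux and macOS, added here as an example (not Guardz or SentinelOne code): it runs the DNS check from the troubleshooting section, then issues the Step 4 command for the local OS. The script name, its two arguments (console hostname and the path to a root-only file holding the Site Token) and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example, not Guardz or SentinelOne code.
# Assumed usage (as root): migrate.sh <console-host> <token-file>

# The Site Token enrolls agents into one customer's site, so refuse a token
# file that is empty, multi-line, or accessible to group/other.
token_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    [ "$(ls -ln "$1" | cut -c5-10)" = "------" ] || return 1
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ]
}

# DNS pre-flight: succeed only if nslookup returns an address for the host.
console_resolves() {
    nslookup "$1" 2>/dev/null |
        awk '/^Name:/ {seen=1} seen && /^Address/ {ok=1} END {exit !ok}'
}

# Rebind the agent using the command this guide lists for the given OS.
# DRY_RUN=1 prints the command with the token redacted instead of running it.
# sentinelctl takes the token as an argument, so keep it out of script logs.
migrate_agent() {
    os=$1; token_file=$2
    token_file_ok "$token_file" || { echo "unsafe or malformed token file" >&2; return 2; }
    case "$os" in
        Linux)  set -- sentinelctl management token set ;;
        Darwin) set -- sentinelctl set registration-token -- ;;
        *)      echo "unsupported OS: $os" >&2; return 3 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$* <redacted>"
    else
        "$@" "$(tr -d '[:space:]' < "$token_file")"
    fi
}

main() {
    console_resolves "$1" || { echo "cannot resolve $1; check firewall/proxy" >&2; return 1; }
    migrate_agent "$(uname -s)" "$2"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it with DRY_RUN=1 on one endpoint first, then confirm the result in the Console Migration Status column before rolling it out further.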


📌 Troubleshooting Agent Migration Issues

🔹 Issue: "Migration Failed" for All Agents
✅ Fix:

  • Ensure Global or Account permissions are correctly assigned.

  • Verify the Guardz Site Token is correct and the new account has available licenses.

  • Download a CSV Activity Log report for error details.

🔹 Issue: "Agent is in a Full Disk Scan and Cannot Migrate"
✅ Fix:

  1. In SentinelOne, go to Sentinels > Endpoints.

  2. Enable the Full Disk Scan column.

  3. If the value is not "Completed," wait for the scan to finish and retry migration.

🔹 Issue: "Agent Has Unresolved Threats and Cannot Move"
✅ Fix:

  1. In Sentinels > Endpoints, select the Agent that failed to migrate.

  2. Click Actions > Shortcuts > View Threats.

  3. Apply the Incident Status > Unresolved filter.

  4. Resolve any active threats before retrying migration.

🔹 Issue: "Agent Cannot Communicate with the New Management Console"
✅ Fix:

  • Run a DNS resolution check from the local endpoint:

    nslookup myconsole.sentinelone.net
    • If no IP addresses are returned, check firewall/proxy settings.

  • Verify VPN settings if a proxy is required.

🔹 Issue: "Agent Migration Fails Due to Missing Cipher Suites"
✅ Fix:

  • Run the SentinelOne Cipher Utility to ensure the endpoint and Management Console share compatible cipher suites.

  • Add the missing cipher suites to the endpoint and restart it.

🔹 Issue: "Agent OS Not Supported"
✅ Fix:

  • Upgrade SentinelOne Agent to the latest version before migration.

  • If the OS is outdated, update it or check SentinelOne compatibility.


📌 Best Practices for SentinelOne Agent Migration

✔ Verify that endpoints meet all prerequisites before migration.
✔ Use the Management Console for bulk agent migrations.
✔ Test network connectivity to Guardz before starting large-scale migrations.
✔ Schedule migrations outside business hours to minimize disruptions.

