π Migrating SentinelOne Agents to Guardz Managed SentinelOne
π Introduction
This guide provides a step-by-step process for moving SentinelOne Agents from an existing SentinelOne deployment to Guardz Managed SentinelOne under the Ultimate Plan.
β Why migrate to Guardz Managed SentinelOne?
π― Unified Security Management β Manage SentinelOne agents, policies, and detections within Guardz.
π Streamlined Threat Response β SentinelOne detections automatically surface in Guardz Detection & Response.
π‘οΈ Simplified Policy Enforcement β Configure SentinelOne security settings from Guardz without relying on multiple platforms.
π‘ Alternative Option:
If you prefer not to migrate agents, you can integrate your existing SentinelOne deployment using the Bring Your Own (BYO-S1) option. Learn more about BYO-S1.
π Prerequisites
Before migrating agents, ensure that:
πΉ User Permissions:
You have Global or Account permissions for the existing SentinelOne Console.
You have Admin permissions in Guardz to retrieve the new Site Token.
πΉ Endpoint Readiness:
Operating System: The endpoints must be running a supported OS.
Threat Status: Endpoints must not have unresolved threats.
Full Disk Scans: Endpoints must not be running a Full Disk Scan during migration.
β To check: In SentinelOne, go to Endpoints β Expand Columns β Select Full Disk Scan.
Active Directory Connectors: Endpoints must not be configured as an AD Connector.
β To check: In SentinelOne, go to Policy & Settings > Exposure Management > Active Directory.
π‘ Note: If you need to move agents between Guardz-managed SentinelOne sites, contact Guardz Support for assistance.
π Step 1: Retrieve the Site Token from Guardz
1οΈβ£ Log into Guardz.
2οΈβ£ Navigate to Security Controls > Endpoint Security > SentinelOne.
3οΈβ£ Click "Deploy" under SentinelOne Managed.
4οΈβ£ Click "View Site Token".
5οΈβ£ Copy the Site Token β you will need it for migration.
π¨ Each Site Token is unique to a customer. Do NOT reuse it across organizations.
π Step 2: Migrate SentinelOne Agents from the Source Management Console
1οΈβ£ Log into the existing SentinelOne Management Console.
2οΈβ£ Navigate to Sentinels > Endpoints.
3οΈβ£ Select the endpoints to migrate:
β You can select individual devices, groups, or apply a saved filter.
4οΈβ£ Click Actions > Agent Actions > Migrate Agent.
5οΈβ£ Paste the Guardz Site Token in the Site Token field.
6οΈβ£ Click "Move", then "Approve", and finally "OK".
β What Happens Next?
The Agent reconnects to the Management Console and reloads services.
If the OS temporarily displays "Turn on virus protection", the Agent is still reconnecting β this message will disappear when fully loaded.
Local configuration files are retained, and Guardz applies new management settings after the next keep-alive communication.
π¨ If the Agent fails to connect to Guardz within 3 minutes, it remains in the original Management Console.
π Step 3: Monitor Migration Status in SentinelOne
1οΈβ£ In SentinelOne, go to Sentinels > Endpoints.
2οΈβ£ Expand Columns and select Console Migration Status.
3οΈβ£ Scroll right in the Endpoints page to review migration progress.
π Migration Status Meanings:
N/A β No migration command was sent.
Pending β The Agent is attempting to migrate. If offline, it remains pending until it comes online.
Migrated β The Agent successfully moved to Guardz. It now appears as Offline in the original console.
Failed β The Agent failed to migrate and remains in the original Management Console.
β To check migration history:
In SentinelOne, go to Activity Log.
Filter to Administrative > Move to another console.
π Step 4: (Alternative) Migrate SentinelOne Agents Using SentinelCTL
If you prefer command-line migration, use SentinelCTL:
πΉ Windows
1οΈβ£ Open Command Prompt (Admin).
2οΈβ£ Bind the agent to the new Guardz-managed site:
sentinelctl bind SiteToken
3οΈβ£ Reload the agent:
sentinelctl unload -m -k "passphrase" sentinelctl load -m
πΉ macOS
1οΈβ£ Open Terminal.
2οΈβ£ Run:
sudo sentinelctl set registration-token -- SiteToken
πΉ Linux
1οΈβ£ Open Terminal.
2οΈβ£ Run:
sentinelctl management token set SiteToken
π This method is useful for bulk migrations using scripts.
π Troubleshooting Agent Migration Issues
πΉ Issue: "Migration Failed" for All Agents
β
Fix:
Ensure Global or Account permissions are correctly assigned.
Verify the Guardz Site Token is correct and the new account has available licenses.
Download a CSV Activity Log report for error details.
πΉ Issue: "Agent is in a Full Disk Scan and Cannot Migrate"
β
Fix:
In SentinelOne, go to Sentinels > Endpoints.
Enable the Full Disk Scan column.
If the value is not "Completed," wait for the scan to finish and retry migration.
πΉ Issue: "Agent Has Unresolved Threats and Cannot Move"
β
Fix:
In Sentinels > Endpoints, select the Agent that failed to migrate.
Click Actions > Shortcuts > View Threats.
Apply the Incident Status > Unresolved filter.
Resolve any active threats before retrying migration.
πΉ Issue: "Agent Cannot Communicate with the New Management Console"
β
Fix:
Run a DNS resolution check from the local endpoint:
nslookup myconsole.sentinelone.net
If no IP addresses are returned, check firewall/proxy settings.
Verify VPN settings if a proxy is required.
πΉ Issue: "Agent Migration Fails Due to Missing Cipher Suites"
β
Fix:
Run the SentinelOne Cipher Utility to ensure the endpoint and Management Console share compatible cipher suites.
Add the missing cipher suites to the endpoint and restart it.
πΉ Issue: "Agent OS Not Supported"
β
Fix:
Upgrade SentinelOne Agent to the latest version before migration.
If the OS is outdated, update it or check SentinelOne compatibility.
π Best Practices for SentinelOne Agent Migration
β Verify that endpoints meet all prerequisites before migration.
β Use the Management Console for bulk agent migrations.
β Test network connectivity to Guardz before starting large-scale migrations.
β Schedule migrations outside business hours to minimize disruptions.