Introduction
This guide provides a step-by-step process for moving SentinelOne Agents from an existing SentinelOne deployment to Guardz Managed SentinelOne under the Ultimate Plan.
Why migrate to Guardz Managed SentinelOne?
Unified Security Management – manage SentinelOne agents, policies, and detections within Guardz
Streamlined Threat Response – SentinelOne detections automatically surface in Guardz Detection & Response
Simplified Policy Enforcement – configure SentinelOne security settings from Guardz without relying on multiple platforms
Alternative Option:
If you prefer not to migrate agents, you can integrate your existing SentinelOne deployment using the Bring Your Own (BYO-S1) option. Learn more about BYO-S1.
If you need to move agents between Guardz-managed SentinelOne sites, contact Guardz Support for assistance.
Prerequisites
Before migrating agents, ensure that:
1. User Permissions:
You have Global or Account permissions for the existing SentinelOne Console
You have Admin permissions in Guardz to retrieve the new Site Token
2. Endpoint Readiness:
Operating System: the endpoints must be running a supported OS
Threat Status: endpoints must not have unresolved threats
Full Disk Scans: endpoints must not be running a Full Disk Scan during migration
In SentinelOne, go to Endpoints → Expand Columns → Select Full Disk Scan
Verify the status is ‘Completed’ and not ‘Running’
Migrating Agents: Step-by-Step
Step 1: Retrieve the Site Token from Guardz
Log into Guardz
Navigate to Security Controls > Endpoint Security > SentinelOne
Click "Deploy" under SentinelOne Managed
Click "View Site Token"
Copy the Site Token – you will need it for migration
Each Site Token is unique to a customer - do not reuse it across organizations
Step 2: Migrate SentinelOne Agents from the Source Management Console
Log into the existing SentinelOne Management Console
Navigate to Sentinels > Endpoints
Select the endpoints to migrate:
You can select individual devices, groups, or apply a saved filter
Click Actions > Agent Actions > Migrate Agent
Paste the Guardz Site Token in the Site Token field
Click "Move", then "Approve", and finally "OK"
The Agent reconnects to the Management Console and reloads services
If the OS temporarily displays "Turn on virus protection", the Agent is still reconnecting – this message will disappear when fully loaded
Local configuration files are retained, and Guardz applies new management settings after the next keep-alive communication
If the Agent fails to connect to Guardz within 3 minutes, it remains in the original Management Console
Step 3: Monitor Migration Status in SentinelOne
In SentinelOne, go to Sentinels > Endpoints
Expand Columns and select Console Migration Status
Scroll right in the Endpoints page to review migration progress
Migration status meanings:
N/A – no migration command was sent
Pending – the Agent is attempting to migrate. If offline, it remains pending until it comes online
Migrated – the Agent successfully moved to Guardz. It now appears as Offline in the original console
Failed – the Agent failed to migrate and remains in the original Management Console
To check migration history (to be tracked via the pre-migrated account):
In SentinelOne Go to Activity Log > Filter to Administrative > Move to another console.
Step 4: (Alternative) Migrate SentinelOne Agents Using SentinelCTL
The Site Token must be for a Site on a different Console. These commands will fail without an indication if the token is for a Site on the source Console. They succeed if the UUID of the Agent is not already registered with the target Console.
Windows:
sentinelctl bind SiteToken
Then run the following commands:
sentinelctl unload -m -k “passphrase”
sentinelctl load - m
macOS
sudo sentinelctl set registration-token --SiteToken
Linux
sentinelctl management token set SiteToken
Troubleshooting Agent Migration Issues
Issue: "Migration Failed" for All Agents
Fix:
Ensure Global or Account permissions are correctly assigned
Verify the Guardz Site Token is correct and the new account has available licenses
Download a CSV Activity Log report for error details
Issue: "Agent is in a Full Disk Scan and Cannot Migrate"
Fix:
In SentinelOne, go to Sentinels > Endpoints
Enable the Full Disk Scan column
If the value is not "Completed," wait for the scan to finish and retry migration
Issue: "Agent Has Unresolved Threats and Cannot Move"
Fix:
In Sentinels > Endpoints, select the Agent that failed to migrate
Click Actions > Shortcuts > View Threats
Apply the Incident Status > Unresolved filter
Resolve any active threats before retrying migration
Issue: "Agent Cannot Communicate with the New Management Console"
Fix:
Run a DNS resolution check from the local endpoint:
nslookup myconsole.sentinelone.netIf no IP addresses are returned, check firewall/proxy settings.
Verify VPN settings if a proxy is required
Issue: "Agent Migration Fails Due to Missing Cipher Suites"
Fix:
Run the SentinelOne Cipher Utility to ensure the endpoint and Management Console share compatible cipher suites
Add the missing cipher suites to the endpoint and restart it
Issue: "Agent OS Not Supported"
Fix:
Upgrade SentinelOne Agent to the latest version before migration
If the OS is outdated, update it or check SentinelOne compatibility