Skip to main content

Migrating from Existing SentinelOne to Guardz

Updated this week


Introduction

This guide provides a step-by-step process for moving SentinelOne Agents from an existing SentinelOne deployment to Guardz Managed SentinelOne under the Ultimate Plan.

Why migrate to Guardz Managed SentinelOne?

  • Unified Security Management – manage SentinelOne agents, policies, and detections within Guardz

  • Streamlined Threat Response – SentinelOne detections automatically surface in Guardz Detection & Response

  • Simplified Policy Enforcement – configure SentinelOne security settings from Guardz without relying on multiple platforms

Alternative Option:

If you prefer not to migrate agents, you can integrate your existing SentinelOne deployment using the Bring Your Own (BYO-S1) option. Learn more about BYO-S1.

If you need to move agents between Guardz-managed SentinelOne sites, contact Guardz Support for assistance.


Prerequisites

Before migrating agents, ensure that:

1. User Permissions:

  • You have Global or Account permissions for the existing SentinelOne Console

  • You have Admin permissions in Guardz to retrieve the new Site Token

2. Endpoint Readiness:

  • Operating System: the endpoints must be running a supported OS

  • Threat Status: endpoints must not have unresolved threats

  • Full Disk Scans: endpoints must not be running a Full Disk Scan during migration

    • In SentinelOne, go to Endpoints → Expand Columns → Select Full Disk Scan

    • Verify the status is ‘Completed’ and not ‘Running’


Migrating Agents: Step-by-Step

Step 1: Retrieve the Site Token from Guardz

  • Log into Guardz

  • Navigate to Security Controls > Endpoint Security > SentinelOne

  • Click "Deploy" under SentinelOne Managed

  • Click "View Site Token"

  • Copy the Site Token – you will need it for migration

Each Site Token is unique to a customer - do not reuse it across organizations

Step 2: Migrate SentinelOne Agents from the Source Management Console

  • Log into the existing SentinelOne Management Console

  • Navigate to Sentinels > Endpoints

  • Select the endpoints to migrate:

    • You can select individual devices, groups, or apply a saved filter

    • Click Actions > Agent Actions > Migrate Agent

    • Paste the Guardz Site Token in the Site Token field

    • Click "Move", then "Approve", and finally "OK"

  • The Agent reconnects to the Management Console and reloads services

  • If the OS temporarily displays "Turn on virus protection", the Agent is still reconnecting – this message will disappear when fully loaded

  • Local configuration files are retained, and Guardz applies new management settings after the next keep-alive communication

  • If the Agent fails to connect to Guardz within 3 minutes, it remains in the original Management Console

Step 3: Monitor Migration Status in SentinelOne

  • In SentinelOne, go to Sentinels > Endpoints

  • Expand Columns and select Console Migration Status

  • Scroll right in the Endpoints page to review migration progress

Migration status meanings:

  • N/A – no migration command was sent

  • Pending – the Agent is attempting to migrate. If offline, it remains pending until it comes online

  • Migrated – the Agent successfully moved to Guardz. It now appears as Offline in the original console

  • Failed – the Agent failed to migrate and remains in the original Management Console

To check migration history (to be tracked via the pre-migrated account):

In SentinelOne Go to Activity Log > Filter to Administrative > Move to another console.

Step 4: (Alternative) Migrate SentinelOne Agents Using SentinelCTL

The Site Token must be for a Site on a different Console. These commands will fail without an indication if the token is for a Site on the source Console. They succeed if the UUID of the Agent is not already registered with the target Console.

Windows:

sentinelctl bind SiteToken

Then run the following commands:

sentinelctl unload -m -k “passphrase”

sentinelctl load - m

macOS

sudo sentinelctl set registration-token --SiteToken

Linux

sentinelctl management token set SiteToken


Troubleshooting Agent Migration Issues

Issue: "Migration Failed" for All Agents

Fix:

  • Ensure Global or Account permissions are correctly assigned

  • Verify the Guardz Site Token is correct and the new account has available licenses

  • Download a CSV Activity Log report for error details

Issue: "Agent is in a Full Disk Scan and Cannot Migrate"

Fix:

  • In SentinelOne, go to Sentinels > Endpoints

  • Enable the Full Disk Scan column

  • If the value is not "Completed," wait for the scan to finish and retry migration

Issue: "Agent Has Unresolved Threats and Cannot Move"

Fix:

  • In Sentinels > Endpoints, select the Agent that failed to migrate

  • Click Actions > Shortcuts > View Threats

  • Apply the Incident Status > Unresolved filter

  • Resolve any active threats before retrying migration

Issue: "Agent Cannot Communicate with the New Management Console"

Fix:

  • Run a DNS resolution check from the local endpoint:
    nslookup myconsole.sentinelone.net

    • If no IP addresses are returned, check firewall/proxy settings.

  • Verify VPN settings if a proxy is required

Issue: "Agent Migration Fails Due to Missing Cipher Suites"

Fix:

  • Run the SentinelOne Cipher Utility to ensure the endpoint and Management Console share compatible cipher suites

  • Add the missing cipher suites to the endpoint and restart it

Issue: "Agent OS Not Supported"

Fix:

  • Upgrade SentinelOne Agent to the latest version before migration

  • If the OS is outdated, update it or check SentinelOne compatibility

Did this answer your question?