Introduction
This guide provides a step-by-step process for moving SentinelOne Agents from an Guardz BYO option to the Guardz Managed SentinelOne under the Ultimate Plan.
Please note:
When migrating from an existing SentinelOne environment to Guardz, only the agents are migrated automatically (and it is possible to migrate selected agents only).
Groups: not migrated, these must be recreated manually
Exclusions: can be imported into Guardz
Network policies: can be exported from the existing deployment and imported through the Network Control page in Guardz
Prerequisites
Before migrating agents, ensure that:
1. User Permissions:
You are on the Guardz Ultimate plan
You have Global or Account permissions for the existing SentinelOne Console
You have Admin permissions in Guardz to retrieve the new Site Token
2. Endpoint Readiness:
Operating System: the endpoints must be running a supported OS
Threat Status: endpoints must not have unresolved threats
Full Disk Scans: endpoints must not be running a Full Disk Scan during migration
In SentinelOne, go to Endpoints → Expand Columns → Select Full Disk Scan
Verify the status is ‘Completed’ and not ‘Running’
Migrating Agents: Step-by-Step
Step 1: Disconnect the BYO
Log into Guardz
Navigate to Security Controls > Endpoint Security > SentinelOne
Click the 'Disconnect' button under the BYO section
Step 2: Retrieve the Site Token from Guardz
Click "Deploy" under SentinelOne Managed
Click "View Site Token"
Copy the Site Token – you will need it for migration
Each Site Token is unique to a customer - do not reuse it across organizations
Step 3: Migrate SentinelOne Agents from the Source Management Console
Log into the existing SentinelOne Management Console
Navigate to Sentinels > Endpoints
Select the endpoints to migrate:
You can select individual devices, groups, or apply a saved filter
Click Actions > Agent Actions > Migrate Agent
Paste the Guardz Site Token in the Site Token field
Click "Move", then "Approve", and finally "OK"
The Agent reconnects to the Management Console and reloads services
If the OS temporarily displays "Turn on virus protection", the Agent is still reconnecting – this message will disappear when fully loaded
Local configuration files are retained, and Guardz applies new management settings after the next keep-alive communication
If the Agent fails to connect to Guardz within 3 minutes, it remains in the original Management Console
Step 4: Monitor Migration Status in SentinelOne
In SentinelOne, go to Sentinels > Endpoints
Expand Columns and select Console Migration Status
Scroll right in the Endpoints page to review migration progress
Migration status meanings:
N/A – no migration command was sent
Pending – the Agent is attempting to migrate. If offline, it remains pending until it comes online
Migrated – the Agent successfully moved to Guardz. It now appears as Offline in the original console
Failed – the Agent failed to migrate and remains in the original Management Console
To check migration history (to be tracked via the pre-migrated account):
In SentinelOne Go to Activity Log > Filter to Administrative > Move to another console.
Step 5: (Alternative) Migrate SentinelOne Agents Using SentinelCTL
The Site Token must be for a Site on a different Console. These commands will fail without an indication if the token is for a Site on the source Console. They succeed if the UUID of the Agent is not already registered with the target Console.
Windows:
sentinelctl bind SiteToken
Then run the following commands:
sentinelctl unload -m -k “passphrase”
sentinelctl load - m
macOS
sudo sentinelctl set registration-token --SiteToken
Linux
sentinelctl management token set SiteToken