Which tasks belong in Guardz vs. the SentinelOne Console?
Guardz manages SentinelOne on your behalf, which means many administrative tasks are performed from the Guardz dashboard rather than the SentinelOne console directly. Use this guide to know where to go for each task:
Task | Where to do it | Notes |
Install SentinelOne agent on a device | Guardz portal | Security Controls → Endpoint Security → Deploy |
Uninstall / remove agent from a device | Guardz portal | Security Controls → Endpoint Security → Deploy → Uninstall, or Devices → Remove Agent |
View device list and agent status | Guardz portal | Devices section |
Run threat mitigation actions (quarantine, kill, rollback) | Guardz portal | Detection & Response → take action on the alert |
Create or manage exclusions (paths, extensions, hashes) | SentinelOne Console | Exclusions must be configured in the S1 console under the site/group |
Create or manage policies | SentinelOne Console | Policies are managed at the site or group level in S1 |
Create groups and assign devices to groups | SentinelOne Console | Groups are managed in the S1 console; see the Groups article |
Transition agents between sites | SentinelOne Console | Use the S1 console to move agents between sites/groups |
Decommission an offline device | SentinelOne Console | Prevents the device from re-registering after removal |
View console-level service users (SSO accounts) | SentinelOne Console | See the Console & Service Users article |
View threat detections and malware alerts | Both | Alerts surface in Guardz; full threat details are in S1 |
Migrate from BYO to Managed (or vice versa) | Both | Follow the dedicated migration guide for your scenario |
Full Comparison:
Action / Capability | Guardz | SentinelOne Console |
Deploy agents (Windows / macOS / Linux) | Yes | Yes |
Deploy via MDM (Intune / Jamf / GPO) | Yes | Yes |
View endpoint health & status | Yes | Yes |
Kill — stop threat processes | Yes | Yes |
Quarantine — isolate threat files | Yes | Yes |
Remediate — delete threat files & system changes | Yes | Yes |
Rollback — restore via VSS snapshot (Windows only) | Yes | Yes |
Network-isolate (disconnect) a device | Yes | Yes |
Add threat hash to Blocklist | Yes | Yes |
Mark threat as False Positive / True Positive | Yes | Yes |
Assign and manage agent policies | Yes | Yes |
Global path exclusions | Yes | Yes |
Create / manage device groups & sites | Limited | Yes |
Associate S1 endpoints to Guardz users (auto + manual) | Yes | — |
Automatic remediation flows | Yes | — |
Security score per user and device | Yes | — |
Per-device or per-group exclusions | — | Yes |
Advanced exclusion modes (hash, cert, browser, path) | — | Yes |
Transition agents between sites | — | Yes |
Console service user & role management | — | Yes |
VDI / golden image configuration | — | Yes |
SentinelOne API token management | — | Yes |
Deep Visibility threat hunting queries | — | Complete tier |
Remote Shell access to endpoints | — | Complete tier |
Forensic storyline analysis | — | Complete tier |
Custom automated detection rules (STAR) | — | Complete tier |
Rogue device & network attack surface (Ranger) | — | Complete tier |
What You Can Do in Guardz
All of these SentinelOne management actions are available directly within the Guardz platform — no need to switch tools.
Deployment & Installation
✓ Install SentinelOne agents (Windows, macOS, Linux) via Guardz
✓ Deploy agents via Intune, GPO, or Jamf through Guardz
✓ Download agent installers for manual deployment
✓ Uninstall agents via Guardz interface
✓ Configure agent installation policies
✓ Manage Bring Your Own (BYO) S1 integration
✓ Migrate between Managed and BYO licensing
Endpoint Visibility & User Management
✓ View all endpoints and their security status
✓ Auto-associate SentinelOne endpoints to Guardz users
✓ See device health, agent version, and OS details
✓ View endpoint security score per device and per user
✓ Correlate endpoint threats with user identity
Threat Detection & Response
✓ View and triage active threats and detections
✓ Kill — stop all processes related to a threat
✓ Quarantine — move threat files to a confined, encrypted path
✓ Remediate — delete all files & system changes made by a threat
✓ Rollback — restore endpoint via VSS snapshot (Windows, ransomware recovery)
✓ Network isolate / disconnect a device from the network
✓ Add a threat hash to the Blocklist (auto-block on future detections)
✓ Add a threat to Exclusions directly from an alert
✓ Mark threat as False Positive or True Positive
✓ Trigger automatic remediation flows
Policies & Exclusions
✓ Assign and manage agent policies to devices
✓ Add path exclusions via Guardz (global scope)
✓ View active exclusions per customer
What Requires the SentinelOne Console
These capabilities are only available by accessing the SentinelOne console directly.
Advanced Group Management
Required for multi-site or segmented deployments
→ Create and manage custom device groups and sites
→ Assign devices to specific groups or sites
→ Transition agents between sites
→ Define group-level policies with granular overrides
Advanced Exclusions
Global exclusions can be managed in Guardz; per-device/group exclusions require the console
→ Create exclusions scoped to a single device or group
→ Configure advanced path exclusion modes
→ Define certificate-based and hash-based exclusions
→ Manage exclusions for browser content and file types
SentinelOne Complete Features (Advanced EDR)
Available on SentinelOne Complete tier only
→ Deep Visibility threat hunting queries
→ Remote Shell access to endpoints
→ Full forensic timeline and storyline analysis
→ Custom STAR (Automated Detection Rules) creation
→ Rogue device discovery
→ Ranger network attack surface mapping
Console Administration
→ Manage SentinelOne console service users and roles
→ Configure notification and reporting preferences
→ Access SentinelOne API tokens for integrations
→ Review console-level audit logs
→ Configure 2FA enforcement for console users
VDI / VM Advanced Configuration
→ Configure golden image / persistent VDI settings
→ Manage non-persistent VDI device lifecycle
→ Apply VM-specific policy overrides
