Migrating the Symantec Endpoint Protection (SEP) clients from hybrid-managed to cloud-managed
How do I migrate clients to the cloud console?
The easiest way to migrate from the on-premises Symantec Endpoint Protection Manager (SEPM) to cloud-based management is to run the Switch to Cloud Managed command from the cloud console. The command is only supported on devices that run Windows.
You use this method:
- For 14.2 RU1 b3332 and later clients.
- When you want to permanently move to cloud management rather than use hybrid management.
You do not migrate the management server or database, only the clients.
To migrate the policies, you import them manually. For more information, see:
For other ways to migrate on-premises managed clients to cloud managed agents, see: Converting a Symantec Endpoint Protection managed client to a cloud-managed Symantec Agent using Host Integrity
Clients and client groups in Symantec Endpoint Protection are called devices and device groups in the cloud console. The Symantec Endpoint Protection client is called the Symantec Agent in the cloud console, although the user interface and functionality are nearly identical.
Important information before you migrate
Before you migrate the SEPM device groups, read the following information:
Supported and unsupported clients
Things to know before you get started
Migrating client groups to Symantec Endpoint Security
To switch the devices to cloud-only management, perform the following steps.
Step 1: Enroll the Symantec Endpoint Protection Manager domain into the cloud console
If you have not already set up hybrid management, you must enroll the Symantec Endpoint Protection Manager domain first. You migrate the devices from a hybrid-managed configuration and not from an on-premises management configuration. For information on how to enroll SEPM, see:
Step 2: Switch SEPM-managed client groups to cloud-managed device groups
- In the cloud console, go to Devices > Device Groups.
- On the Device Groups tab, under Group Hierarchy, select one device group at a time, and then select More Actions > Switch to Cloud Management.
- In the Switch devices from the Symantec Endpoint Protection Manager to cloud-managed only panel, select Next.
- Select Next. The migration wizard checks that the client software is version 14.2.3332 or later. The list of clients that are not supported appears on the Devices Not Eligible to Switch page.
- Select Continue > Continue to start the migration. While the cloud console migrates the devices:
  - A progress notification appears in the upper right-hand corner:
  - Groups that are migrating or have migrated appear with a blue cloud icon to the left of the group:
  - After the migration completes successfully, the following notification appears:
- To check which devices successfully migrated, do one of the following tasks:
  - In the notification, select View Report.
  - Go to the Reports and Templates > Generated Reports tab, and download the Device Switching Report.
  - Open the report that Symantec Endpoint Security sends after the migration is complete.
Migrated device groups use the same hierarchy as they do in SEPM. The top-level group My Company appears in the cloud as My Company. If an existing cloud group has a similar name to the SEPM group, the SEPM devices move under the Default cloud group. For example, if the SEPM group is called Europe and the SES group is called Europe, the migrated devices migrate to
The following table lists the possible issues and their solutions that might occur when you try to migrate the devices.
The Device migration wizard displays the following message:
Agent version not supported. Upgrade to 14.2.3332.1000 and try again.
The minimum Symantec Agent version that supports migration is 14.2 RU1 (14.2.3332).
To work around this issue, you must upgrade the Symantec Endpoint Protection clients to version 14.2.3332 or later.
If you start the migration, you can stop it by closing the migration dialog box even if not all the devices are migrated. [CDM-72428]
However, if you decide to then migrate the remaining devices, just re-trigger the migration on the same device group. The remaining devices or any new devices migrate.
The cloud also generates a report for each migration that specifies which devices are migrated and which ones were not.
If you stop the migration, the following message appears:
The switch is in progress. This action cancels the switch, however some devices might get switched later as a result of active commands running on Symantec Endpoint Protection Manager. [CDM-72436]
You can stop a running migration by closing the migration dialog box. However, the command to start the SEP client migration remains active for 30 days. Therefore, the offline clients that come online are migrated anyway.
You cannot reverse the migration. Instead, if you do not want to manage these clients by using the cloud console, you must reinstall them by reinstalling a client installation package on SEPM.
The devices from Symantec Endpoint Protection Manager that you mark for deletion but that are not yet deleted migrate [CDM-72029]
After you enroll the Symantec Endpoint Protection Manager in the cloud and the devices are synced, you can delete them. Before you delete a device or a device group, you mark it for deletion.
Before the deletion process occurs, the devices display a Marked for deletion.
However, if you start the migration before the cloud deletes the devices, the devices unintentionally migrate.
To work around this issue, wait several hours until the devices are deleted, and then start the migration process.
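
A pre-flight check along these lines, as an added example that is not part of the Symantec documentation: it applies the three conditions this page gives (Windows only, agent 14.2.3332 or later, no device still marked for deletion) to a device inventory before you start the switch. The CSV columns, host names, and every version string other than 14.2.3332.1000 are constructed for illustration and do not reflect any console export format.

```python
import csv
import io

MIN_VERSION = (14, 2, 3332)  # 14.2 RU1, the minimum version this page states

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """\
name,os,agent_version,marked_for_deletion
LAB-WS-01,Windows 10,14.2.3332.1000,no
LAB-WS-02,Windows 10,14.2.900.0,no
LAB-MAC-01,macOS 12,14.3.100.0,no
LAB-SRV-01,Windows Server 2019,14.3.100.0,yes
LAB-WS-03,Windows 11,14.10.1.0,no
LAB-WS-04,Windows 10,unknown,no
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted numeric."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def preflight(inventory_csv):
    """Split an inventory into devices ready to switch and devices to hold back."""
    ready, held = [], {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        version = parse_version(row["agent_version"])
        if not row["os"].lower().startswith("windows"):
            reasons.append("not Windows")
        if version is None:
            reasons.append("version unreadable")
        elif version[:3] < MIN_VERSION:  # numeric compare, so 14.10 > 14.2
            reasons.append("agent older than 14.2.3332")
        if row["marked_for_deletion"].strip().lower() == "yes":
            reasons.append("marked for deletion; wait until deleted")
        if reasons:
            held[row["name"]] = reasons
        else:
            ready.append(row["name"])
    return ready, held

if __name__ == "__main__":
    ready, held = preflight(SAMPLE_INVENTORY)
    print("ready:", ready)
    for name, reasons in held.items():
        print(f"hold {name}: {'; '.join(reasons)}")
```

Because the switch is started per device group and cannot be reversed, a held device is a reason to fix or wait on its group before selecting it in the wizard.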