Migrating the Symantec Endpoint Protection (SEP) clients from hybrid-managed to cloud-managed

How do I migrate clients to the cloud console?

The easiest way to migrate from the on-premises Symantec Endpoint Protection Manager (SEPM) to cloud-based management is to run the Switch to Cloud Managed command from the cloud console. The command is only supported on devices that run Windows.
You use this method:
  • For 14.2 RU1 b3332 and later clients.
  • When you want to permanently move to cloud management rather than use hybrid management.
You do not migrate the management server or database, only the clients.
To migrate the policies, you import them manually. For more information, see:
For other ways to migrate on-premises managed clients to cloud managed agents, see: Converting a Symantec Endpoint Protection managed client to a cloud-managed Symantec Agent using Host Integrity
Clients and client groups in Symantec Endpoint Protection are called devices and device groups in the cloud console. The Symantec Endpoint Protection client is called the Symantec Agent in the cloud console, although the user interface and functionality are nearly identical.

Important information before you migrate

Before you migrate the SEPM device groups, read the following information:
Supported and unsupported clients
Things to know before you get started
  • After you start the migration, you cannot cancel it.
  • The migration process occurs immediately. However, some clients may take up to 30 days to migrate because they are offline.
    You can change the number of days by changing the Delete clients that have not connected for specified time option in the SEPM domain properties. For more information, see:
  • After you migrate these devices to the cloud, you cannot migrate them back to the SEPM. If you want to revert to on-premises managed devices, you must uninstall and reinstall the client software.
  • You migrate one group at a time.
  • Devices and device groups that successfully migrate to the cloud are automatically removed from SEPM.
  • Child groups migrate automatically.
  • The selected SEPM group hierarchy is replicated in the cloud console alongside the cloud console group hierarchy.
  • The migration ignores the Manage Devices from the Cloud option. This setting applies to hybrid management only. See:
  • Devices that you add to the SEPM after the migration starts do not migrate. Symantec recommends that you avoid making changes to the selected device group while the migration is in progress.
  • After replication, in SEPM the migrated device is displayed as Online on Remote Site instead of

Migrating client groups to Symantec Endpoint Security

To switch the devices to cloud-only management, perform the following steps.
Step 1: Enroll the Symantec Endpoint Protection Manager domain into the cloud console
If you have not already set up hybrid management, you must enroll the Symantec Endpoint Protection Manager domain first. You migrate the devices from a hybrid-managed configuration and not from an on-premises management configuration. For information on how to enroll SEPM, see:
Step 2: Switch SEPM-managed client groups to cloud-managed device groups
  1. In the cloud console, go to Device Groups
  2. On the Device Groups tab, under Group Hierarchy, select one device group at a time, and then select More Actions > Switch to Cloud Management
  3. In the Switch devices from the Symantec Endpoint Protection Manager to cloud-managed only panel, select
  4. Select
    The migration wizard checks that the client software is version 14.2.3332 or later. The list of clients that are not supported appears on the Devices Not Eligible to Switch
  5. Select
    to start the migration. While the cloud console migrates the devices:
    • A progress notification appears in the upper right-hand corner:
    • Groups that are migrating or have migrated appear with a blue cloud icon to the left of the group:
  6. After the migration completes successfully, the following notification appears:
  7. To check which devices successfully migrated, do one of the following tasks:
    • In the notification, select View Report
    • Go to the Reports and Templates > Generated Reports tab, and download the Device Switching Report
    • Open the report that Symantec Endpoint Security sends after the migration is complete.
Migrated device groups use the same hierarchy as they do in SEPM. The top-level group My Company appears in the cloud as My Company. If an existing cloud group has a similar name to the SEPM group, the SEPM devices move under the Default cloud group. For example, if the SEPM group is called My Company and the SES group is called , the migrated devices migrate to


The following issues might occur when you try to migrate the devices, along with their solutions.
  • The Device migration wizard displays the following message:
    Agent version not supported. Upgrade to 14.2.3332.1000 and try again.
    The minimum Symantec Agent version that supports migration is 14.2 RU1 (14.2.3332).
    To work around this issue, you must upgrade the Symantec Endpoint Protection clients to version 14.2.3332 or later.
  • If you start the migration, you can stop it by closing the migration dialog box even if not all the devices are migrated. [CDM-72428]
    However, if you decide to then migrate the remaining devices, just re-trigger the migration on the same device group. The remaining devices or any new devices migrate.
    The cloud also generates a report for each migration that specifies which devices were migrated and which ones were not.
  • If you stop the migration, the following message appears:
    The switch is in progress. This action cancels the switch, however some devices might get switched later as a result of active commands running on Symantec Endpoint Protection Manager.
    You can stop a running migration by closing the migration dialog box. However, the command to start the SEP client migration remains active for 30 days. Therefore, the offline clients that come online are migrated anyway.
    You cannot reverse the migration. Instead, if you do not want to manage these clients by using the cloud console, you must reinstall them by reinstalling a client installation package on SEPM.
  • The devices from Symantec Endpoint Protection Manager that you mark for deletion but that are not yet deleted migrate [CDM-72029]
    After you enroll the Symantec Endpoint Protection Manager in the cloud and the devices are synched, you can delete them. Before you delete a device or a device group, you mark it for deletion.
    Before the deletion process occurs, the devices display a Device Status of Marked for deletion.
    However, if you start the migration before the cloud deletes the devices, the devices unintentionally migrate.
    To work around this issue, wait several hours until the devices are deleted, and then start the migration process.
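
A pre-migration readiness check over a device inventory, applying the constraints this page states (Windows only, client 14.2.3332 or later, devices marked for deletion, offline clients). This is an added example, not Symantec tooling; the CSV column names and the sample rows are constructed for illustration and do not match any SEPM or cloud console report format.

```python
import csv
import io

MIN_VERSION = (14, 2, 3332)  # minimum client build stated on this page (14.2 RU1)

# Constructed sample export; the column names are hypothetical.
SAMPLE_CSV = """name,os,agent_version,status
WS-001,Windows 10,14.3.558.0000,Online
WS-002,Windows 10,14.2.1031.0100,Online
MAC-01,macOS 13,14.3.558.0000,Online
WS-003,Windows 11,14.2.3332.1000,Marked for deletion
WS-004,Windows Server 2019,14.3.558.0000,Offline
WS-005,Windows 10,unknown,Online
"""

def parse_version(text):
    """Return (major, minor, build) as integers, or None if the string is malformed."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        return None
    return tuple(int(p) for p in parts[:3])

def classify(row):
    """Return (verdict, reason) for one device row."""
    if not row["os"].lower().startswith("windows"):
        return "not_eligible", "switch command is supported on Windows only"
    version = parse_version(row["agent_version"])
    if version is None:
        return "not_eligible", "agent version unreadable, verify on the device"
    if version < MIN_VERSION:
        return "not_eligible", "upgrade the client to 14.2.3332 or later"
    status = row["status"].strip().lower()
    if status == "marked for deletion":
        # CDM-72029: the device migrates anyway if the switch starts before deletion.
        return "hold", "wait for deletion to complete before switching the group"
    if status == "offline":
        # The switch command stays active, so the device switches when it reconnects.
        return "deferred", "switches when it reconnects while the command is active"
    return "eligible", "meets platform and version requirements"

def readiness_report(csv_text):
    """Map device name -> (verdict, reason) for every row in the export."""
    return {r["name"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for name, (verdict, reason) in readiness_report(SAMPLE_CSV).items():
        print(f"{name:8} {verdict:13} {reason}")
```

Any device reported as hold or deferred is worth resolving before you select the group, because the switch cannot be cancelled or reversed once it starts.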