You can migrate computers from one Sophos Central account to another for your customers. You might want to move devices between existing accounts for the same customer or to a new account for the same customer.
To migrate computers you need to do as follows:
- Turn on device migration for the Sophos Central accounts. See Turn on device migration.
- Use the Endpoint API to migrate the computers. See Migrate computers using Endpoint API.
- Review the migration results in Sophos Central. See Review the migration results.
To migrate computers you must be an administrator for both accounts. You need to have the Partner Admin role. See Administrators.
You also need API credentials for both accounts. You need to have Service Principal Super Admin credentials. API Credentials Management.
To migrate computers you use our Endpoint API. Check the following:
- You know how our APIs work. See How our APIs work.
- You have set up our APIs and have the tools to work with them. See Getting started as a tenant.
For more information on the Endpoint API see Endpoint API.
Turn on device migration
If you turn on migration it applies to all customers that the template is assigned to. We recommend that you review the customers the template applies to if you want to use an existing template.
If you clone a template check that the other global settings and base policies are correct for your customers.
You need to make sure that the customer accounts you're moving devices between are assigned to your template.
The customer account you're moving devices from is your sending account. The customer account you're moving devices to is your receiving account.
To turn on migration, do as follows:
- Go to Settings & Policies > Global Templates.
Select a template. You can then edit or clone it.
Click Customers and either add your customers or check that the template is assigned to them.
Click Global Settings and then click Device Migration.
Turn on Allow device migration.
Set a time limit for migrations.
We recommend that you allow migrations for a limited time period.
Click Push to customers and then click Push to confirm.
You need to push the template to your customers. Changes take effect after you have pushed the template.
All assigned customers have their base policies and global settings locked in Sophos Central Admin.
Migrate computers using Endpoint API
To migrate computers between Sophos Central accounts you use our Endpoint API. These instructions summarize the steps you need to do using the API commands. For detailed information on how to use the commands see Endpoint API.
To migrate computers, do as follows:
For the Sophos Central account you want to move computers to, do as follows:
In your Receiver enviroment, create a receiving job for the endpoints.
You will get an access token when you do this. You need this to create the sending job for the other Sophos Central account. You also need the ID for the receiving job.
For the Sophos Central account you want to move computers from, do as follows:
- Get a list of endpoints you want to migrate.
In your Sender environment, create a sending job with the list of endpoints, the access token and the ID from the receiving job you set up for the other Sophos Central account.
This starts the migration.
You can check the progress of the migration in the API. You can get more detailed information in Sophos Central.
Review the migration results
You can use the event and audit logs in your Sophos Central accounts to check the migration has been successful. You can also check the receiving Sophos Central account for the migrated devices.
In your sending account check your audit log. You should see a "Send endpoints to another tenant" event.
You also need to check your computers. Go to the Events tab for each computer. For each computer that did migrate you should see "Device registered with new account
<AccountID>. It's now managed by that account".
For each computer that didn't migrate you should see "Device failed to register with new account
<AccountID>. It continues to be managed by this account".
In your receiving account check your audit log. You should see an "Allow endpoints to migrate to this tenant" event.
You also need to check your computers. Go to Overview > Devices and then click Computers. You should see your migrated computers. Click on a computer to check it. For each migrated computer, you should see that it has been registered, a user assigned to it and that it has been updated.