Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
403
Views
0
Helpful
4
Replies

Migrate clients to a new tenant

jleonard
Level 1
Level 1

‎02-13-2023 09:31 AM

We have a customer using MSSP for Endpoint Security. They want to manage their endpoints themselves. How can I migrate the endpoint to their own, self-managed, tenant?

0 Helpful
4 Replies 4

Ken Stieers
VIP
VIP

‎02-13-2023 10:19 AM

Someone from Cisco may pop up with a definitive answer, but I'm betting it will have to be an uninstall/reinstall.

0 Helpful

Roman Valenta
Cisco Employee
Cisco Employee

‎02-13-2023 11:23 AM

Hi,

I guess the real question here is what do you mean by "They want to manage their endpoints themselves..."

A: If they just want to be able to log in to the AMP portal and manage deployments, policies, look events, etc.. you can just create Admin Accounts for those individuals for that specific child ORG. Those users will still need to create SXSO accounts https://sign-on.security.cisco.com/ with their real email address that will be used to create account in AMP console. To prevent any integrity issue please make sure those emails ale created using all lower case letters, both in AMP and SXSO.  You as MSSP will be still responsible for licensing and billing for the tenant.

B: If they wanted to be on their own and buy their own license in which case I believe new ORG will have to be provisioned, and if that's the case then NEW ORG = NEW GUID = New Deployment. In other words all connector in that customer ORG will have to be removed and re-deployed with new connector that will be downloaded and associated with the new ORG UUID.

 

Unfortunately I do not know all the licensing details and if there is a way to de-couple a tenant from MSSP with out need to create new ORG, that will be good question for provisioning team to confirm this scenario. So I would recommend to contact them as they will give you the ultimate answers if scenario B: is desired.

 

Hope that helps.

 

-Roman

 

 

0 Helpful

jleonard
Level 1
Level 1
In response to Roman Valenta

‎02-13-2023 11:28 AM

Scenario B is active here. I'll see about contacting the provisioning team. I was hoping for a way to change the GUID of an installed connector. Either from the AMP portal or a  command on the endpoint.

0 Helpful

Troja007
Cisco Employee
Cisco Employee

‎02-14-2023 05:39 AM

Hello @jleonard ,
please get in contact with your Cisco representative. There have been ways to move a customer out from a MSSP console without the need to reinstall the connector, as the ORG GUID does not change.
There have been a lot of changes and improvements to our product, therefore not 100% sure if this is still possible. So therefore, please check with your Cisco representative.

Greetings,
Thorsten

0 Helpful
Customers Also Viewed These Support Documents