Thread Info
Options

Migrating Devices Using Postman from One Sophos Central Account to Another

Priyansh Bhatt

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Migrating devices between Sophos Central accounts can seem daunting, but using Postman, a popular API testing tool, simplifies the process significantly. This guide will walk you through the steps in an easy-to-understand manner, ensuring everyone can follow along.


Why Use Postman for Migration?

Postman offers the following benefits:

  1. Efficiency: Execute migration commands quickly
  2. Transparency: View request and response details to understand the process better.
  3. Reusability: Save and reuse requests for future migrations.

Prerequisites

Before starting the migration process, ensure you have:

  1. Access to both the source and target Sophos Central accounts. You must have the super-admin role to migrate computers.
  2. Client ID and Client Secret for both accounts. These credentials enable secure API communication. You need to have Service Principal Super Admin credentials.
  3. Postman installed on your computer. Download it from Postman’s official website.
  4. Feature “Device Migration” turned on in your source and target Sophos Central accounts.
  5. To complete the migration, offline computers must be online within this period. If a computer stays offline for more than 14 days, the migration fails, and the Sophos Central administrator must manually re-queue it for migration.

Step-by-Step Guide

Step 1: Turn on device migration

  • To turn on migration, do as follows:
    Sign in to the Sophos Central account you want to migrate computers from.
  • Go to My Products > General Settings > Device Migration.

  • Turn On “Allow Device Migration”

  • Set a time limit for migrations. We recommend that you allow migrations for a limited period.
  • Sign into the Sophos Central account to which you want to migrate computers. This is your receiving account. Turn on device migration and set a time limit.

Step 2: Generate Client ID and Client Secret for Source and Target Sophos Central Accounts.

  • Log in to your Sophos Central Admin account.
  • Navigate to Global Settings > API Credential Management.
  • Select “Add Credential”
  • Provide a name for the token, e.g., "Device Migration".
  • Copy the Client ID and Client Secret Store them securely, as the secret won’t be shown again
  • You can refer to the image below for your reference. The client ID will be hidden for security reasons.

Step 3: Authenticate and Obtain an Access Token for Source and Target accounts.

  1. Via Postman.
  • Open Postman and create a new POST request
  • In the request URL field, enter:

https://id.sophos.com/api/v2/oauth2/token

  • Go to the Body tab and select x-www-form-urlencoded.

Add the following key-value pairs:

           grant_type: client_credentials
           client_id: (Your Client ID from Step 2)
           client_secret: (Your Client Secret from Step 2)
           scope: token

  • Click “Send”
  • Copy the access_token from the response for use in subsequent steps. Kindly note that the access_token will expire in 1 hour/3600 seconds. So, please save the access_token for the Source and Target accounts for their use in the next steps.

The output should look like this:



       2.Via cURL command:

  • Copy cURL command:

            curl -XPOST -H "Content-Type:application/x-www-form-urlencoded"

            -d
            "grant_type=client_credentials&client_id=&client_secret=&scope=token”

            https://id.sophos.com/api/v2/oauth2/token

  • Paste your client ID and client secret in the above command. Once your cURL is ready, copy it, open Postman, click on Import and paste the command.
  • The output will look like the above one.

Step 4: Identify the Tenant IDs

1. Via Postman:

  • Create a GET request in Postman.
  • Enter the following URL:

https://api.central.sophos.com/whoami/v1

  • Add the following header:

Authorization: Bearer <access_token> (Replace <access_token> with the token obtained in Step 3.)

  • Click Send.
  • Note the ID in the response—this is your Tenant ID.
  • Note the dataRegion. It might look like this: “https://api-in01.central.sophos.com”

Repeat the process for both source and target accounts to retrieve their Tenant IDs.

The output will look like this:

  1. Via cURL command:
  • Copy the cURL command below:

         curl -XGET -H "Authorization: Bearer "
         https://api.central.sophos.com/whoami/v1

  • Paste the access_token with the token obtained in Step 3 on the right side of “Bearer”
  • Once your cURL is ready, copy it and open Postman, click on Import, and paste the command.
  • The output will look like the above one.

NOTE: Please follow the same procedure as Step 3 to obtain the access token for the target client and the same procedure as Step 4 to identify the tenant ID. Otherwise, you might be unable to migrate the devices from your Source account to your Target account.

Step 5: List Endpoints in the Source Account

  1. Via Postman:
  • Create another GET request in Postman.
  • Enter the following URL:

https://api-[dataRegion of Source Account].central.sophos.com/endpoint/v1/endpoints. [Please copy and paste the dataRegion for the Source Account you obtained from step 4]

  • Add these headers:

-  Authorization: Bearer <access_token> (Replace <access_token> for the Source Account with the token obtained in Step 3)

- X-Tenant-ID: <source_tenant_id>

  • Click “Send
  • The response will display a list of devices (endpoints) in the source account. Note their ID values for the devices you want to migrate.

The output will look like this:

  1. Via cURL command:
  • Copy cURL Command Below


        "curl -XGET -H "Authorization: Bearer "

        -H "X-Tenant-ID: "

         ">api-[dataRegionofSourceAccount].central.sophos.com/.../endpoints"

  • Paste the access_token with the token obtained in Step 3, on Bearer's right side.
  • Paste the source tenant ID you obtained in Step 4.
  • Please copy and paste the dataRegion you obtained from Step 4.
  • Once your cURL is ready, copy it, open Postman, click on Import, and paste the command.
  • The output will look like the above one.
  • You can also add the below query to collect the ID and the hostname of all the devices. And the output of this query will look like this.
    https://api-xxxx.central.sophos.com/endpoint/v1/endpoints?fields=id,hostname”

{"items":[{"id":"077be780-62f5-487a-b24d-210a1db6c89e","hostname":"XXXXX"},{"id":"390d02c5-ab55-4347-8a75-04f7cf69efd9","hostname":"XXXXX"},{"id":"39b5197c-2b50-4c17-b869-daf141e893b9","hostname":"XXXXX"},{"id":"4dadbe50-9ebe-4f3c-aa71-f5c94ba82bbd","hostname":"XXXXX"},{"id":"5d0154e4-9ddf-4fb8-80ac-c9e6d2af1f4b","hostname":"XXXXX"},{"id":"bfaf8902-568a-4fbd-a8a0-87dc94b4f26c","hostname":"XXXXX"},{"id":"d62fd6de-4fba-417f-a420-d8bdbb267a65","hostname":"XXXXX"},{"id":"deca4969-cddd-4a7b-a117-e4452ff50c08","hostname":"XXXXX"},{"id":"fbd5ee16-d0b5-4a27-b8bc-5619e43e1a69","hostname":"XXXXX"}],"pages":{"size":50,"maxSize":500}}

Step 6: Create the Migration Job

  1. Via Postman:
  • Create a POST request in Postman.
  • Enter the following URL:

https://api-[dataRegion of Target Client].central.sophos.com/endpoint/v1/migrations

  • Add these headers:
  • - Authorization: Bearer <access_token> [access_token you obtained for the Target client by following the Step 3]
    -X-Tenant-ID: <target_tenant_id> [target_tenant_id obtained from the Step 4
  • Go to the Body tab and select raw with JSON
  • Add the following JSON:

       {

       "fromTenant": "<source_tenant_id>", (source_tenant_id obtained from the Step 3)

       "endpoints": ["<endpoint_id1>", "<endpoint_id2>"]

       }

  • Replace <source_tenant_id> and <endpoint_idX> with the appropriate values.
  • Click Send. Note the id and token values in the response for use in the next step.

The output will look like this:


         2. Via cURL Command:

  • Copy the cURL command below:

       curl --request POST

      'https://api-[dataRegion of Target Client Obtained from Step 3].central.sophos.com/endpoint/v1/migrations'

     --header 'Authorization: Bearer [ACCESS_TOKEN obtained for Target Client obtained from Step 3]'

     --header 'X-Tenant-ID: [TARGET TENANT ID obtained from Step 4]'

     --header 'Accept: application/json'

     --header 'Content-Type: application/json'

     --data '{"fromTenant":"[SOURCE TENANT ID obtained Step 4]","endpoints":[" any endpoint_id that you want to migrate, from Step 5"]}'

  • Once your cURL is ready, copy it, open Postman, click on Import, and paste the command

The output will look like the above one.

Step 7: Execute the Migration

  1. Via Postman:
  • Create a PUT request in Postman.
  • Enter the following URL:

            https://api-[dataRegion of Source Account].central.sophos.com/endpoint/v1/migrations/<migration_id>

  • Replace <migration_id> with the ID from Step 6
  • Add these headers:
  • - Authorization: Bearer <access_token> [access_token obtained from Step 3 for Source Account]
  • - X-Tenant-ID: <source_tenant_id> 
  • o to the Body tab and select raw with JSON
  • Add the following JSON:

         {

         "token": "<migration_token>", [token obtained from Step 6]

          "endpoints": ["<endpoint_id1>", "<endpoint_id2>"]

          }

  • Click Send to execute the migration.


The output will look like this:

           2. Via cURL Command:

  • Copy the cURL command below:

            curl --request PUT

            'https://api-[dataRegion obtained for Source Account from Step 3.central.sophos.com/endpoint/v1/migrations/[id OBTAINED FROM THE STEP 6]'

             --header 'Authorization: Bearer [SOURCE ACCESS_TOKEN OBTAINED FROM STEP 3]'

             --header 'X-Tenant-ID: [SOURCE TENANT ID OBTAINED FROM STEP 4]'

             --header 'Accept: application/json'

            --header 'Content-Type: application/json'

            --data '{"token":"TOKEN OBTAINED FROM STEP 6","endpoints":["endpoint_id that you want to migrate, from Step 5"]}'

  • Once your cURL command is ready, copy it, open Postman, click on Import, and paste the command.

Step 8: Verify the Migration Status

  1. Via Postman:
  • Create a GET request in Postman.
  • Enter the following URL:

           https://api-[dataRegion of Target Account].central.sophos.com/endpoint/v1/migrations/<migration_id>/endpoints

  • Replace <migration_id> with the ID from Step 6.
  • Add these headers:

            Authorization: Bearer <access_token> [access_token obtained from Step 3 for Target Account]

           X-Tenant-ID: <target_tenant_id>

  • Click Send. Review the migration status in response.
  • You can use the event and audit logs in your Sophos Central accounts to check the migration has been successful. You can also check the receiving Sophos Central account for the migrated devices.
  • In your sending account check your audit log. You should see a "Send endpoints to another tenant" event.

 

  • In your receiving account check your audit log. You should see an "Allow endpoints to migrate to this tenant" event.

  • You will see the below output for the successful migration on the Postman and on your receiving and target Sophos Central account:

 

  • In case of machine is offline, you might see an event such as follows:



  1. Via cURL Command:
  • Copy the cURL command below:

            curl 'https://api-[dataRegion for Target Client obtained from Step 4].central.sophos.com/endpoint/v1/migrations/migration_id obtained from Step 6/endpoints'

           --header 'Authorization: Bearer [ACCESS_TOKEN obtained for Target Client obtained from Step 3]'

          --header 'X-Tenant-ID: [TARGET TENANT ID obtained from Step 4]'

          --header 'Accept: application/json'

  • Once your cURL command is ready, copy it, open Postman, click on Import, and paste the command.


COrrect some spacing
[edited by: GlennSen at 8:06 AM (GMT -7) on 4 Apr 2025]
    Unfiltered HTML