Enrolling SEPM to SES - Hybrid Deployment
search cancel

Enrolling SEPM to SES - Hybrid Deployment


Article ID: 260983


Updated On:


Endpoint Protection Endpoint Protection Cloud


One of your sites is now migrating their devices to SES and you will be enrolling your SEPM in SES.

You want to know if the devices registered in SEPM will have a different group inside SES once you have enrolled the SEPM.


Two sites and each site with two SEPM servers.

Version 14.3 RU3 +




Once you enroll your SEPM to SES, the SEPM Tree groups will be synchronized in your SES cloud account, along with devices under these groups.

Further details about the enrollment process can be found in this user guide Migrating to the cloud console

In case you have multiple regions, and each region has its own independent SEPM deployment/ SEPM sites, then you will need to create separate domains, one domain per independent SEPM deployment.

The enrollment process happens under specific domain under your account, and every and each administrator or user with permission to administer Device and Device Group Management will be able to see these groups and devices.

There will not be any merge, each domain is an isolated container, meaning each SEPM deployment synchronize its own groups tree with the ICDm domain.


A domain is a structural container in the cloud console that you use to organize and manage your resources, including groups, devices, policies, and reports. All data between each domain is completely separate. This separation prevents administrators in one domain from viewing or managing data in other domains.

For further reading check this page What are domains?

In case you have a SEPM deployment that has two sites and each site has two SEPM servers, all sites are expected to have the same groups tree and amount of clients, therefore, it does not matter how many SEPM servers or sites you have in your SEPM deployment.


Not supported enrollment scenarios:

  • Enrolling multiple SEPM deployment domains with multiple ICDm domains

In case, you have multiple domains in one SEPM server, you will be able to  synchronize the first SEPM domain with your ICDm domain, and if you will try to synchronize other SEPM domains under the same SEPM server with ICDm domain, it will not work by design, meaning one SEPM deployment can synchronize with ICDm.

You will get below error as a result of attempting this:

  • Enrolling multiple SEPM Deployments to the same ICDm Domain


In case if the SEPM Domain GUID is matching the already registered SEPM to ICDM, the groups tree will be merged with the existing synchronized tree in ICDm side, however, if a user tries to register a totally different SEPM deployment to an ICDm account with already synchronized SEPM, this will fail and below error will appear in SEPM UI.


Additional Information

Checklist for enrolling Symantec Endpoint Protection Manager domains and Symantec Endpoint Protection clients