HCX is configured, and security scans are flagging the Mobility Agent as a security concern. The types of migrations in use do not use the mobility agent (Bulk Migrations Disaster Recovery, and OSAM migrations do not use the mobility agent.) It is desirous to have the mobility agents removed.

HCX 4.11

When configuring the Service Mesh, if you take the defaults, the mobility agent is deployed, as it used by the most common methods of  migrations: vMotion, Cold, and Replication Assisted vMotions (RAV) migrations.

Remove all vMotion Services:
Edit the service mesh and remove all vMotion services that use the Mobility Agent (MA) virtual host as shown below,

• Cross-cloud vMotion Migration
• Replication Assisted vMotion Migration
• HCX Assisted vMotion Migration

Update Service Mesh:

• Allow the service mesh to update the task successfully 
• Verify that the Mobility Agent host is removed from the vCenter inventory.

Note:

• Bulk Migration, Disaster Recovery, and OS Assisted Migration do not use vMotion or the MA virtual host, so they can remain enabled if in use.
• Hybrid Interconnect and Network Extension services can also stay enabled.

Mobility Agent vSphere Host for HCX Migrations

Note: Once a mobility agent has been deployed on an IX, the ESX OS id is attached to the IX as well, and cannot be removed without removing the service mesh and re-deploying without the Mobility Agent components selected. Also, the esxi os selected is based on the oldest version deployed in vCenter at the time of the mobility agents initial deployment.