SES clients do not move to a separate group once a new install package is used for a separate group.


Article ID: 192296


Updated On:


Endpoint Protection


Attempts to use a new install package from a separate group than the current group a machine is reporting to fail to move the machine to the group assigned to the install package.


This behavior is by design and is meant to prevent unauthorized changes.


Administrators can move machines via the SES cloud console by issuing a move command. The move command can be used to move multiple machines or single machines.

If a re-install over an already enrolled client happens, the client's existing hardware ID matches an existing device in the SES cloud database. It's by design that the device remains in its current group assignment, ignoring the default value in the installation package. The intended behavior for preexisting devices is that they will only move groups due to admin action in the cloud console.

Additional Information

For more information on comparison to the on-premise SEP client behavior and possible workarounds please see the below article.

A managed Endpoint Protection client will not change group or domain membership after some operations