You may want to move an endpoint between Nebula, OneView Sites, or accounts in the following scenarios:
- Move an endpoint from Nebula to another Nebula site
- Move an endpoint from Nebula into a OneView Site
- Move an endpoint from OneView to a Nebula site
- Move an endpoint between OneView Sites
There are different methods for moving endpoints:
- The Reassign Endpoint(s) button on the Endpoints page of OneView moves an endpoint to another site. For more information, see Endpoint actions in OneView.
- Initiate migration on the Sites page of OneView to import a whole Nebula site. For more information, see Migrate a Nebula site to OneView.
- Run the command-line utility to re-register endpoints to a new site without uninstalling and restarting.
- Uninstall, then reinstall the Endpoint Agent, which requires a restart on Windows devices only.
Considerations & Constraints
This applies to methods 3 and 4 above (the command-line utility, and uninstalling then reinstalling the Endpoint Agent).
- The following must be pre-configured in the target site:
- Policies
- Exclusions
- Groups
- Schedules
- Endpoints are automatically registered to the Default group.
- Move servers during a maintenance window to avoid interrupting users. Move each endpoint to an appropriate Group as soon as possible.
- Quarantined items are available in the new site.
- The history of Detections, Scans, Tasks, and Suspicious Activity is not moved, but remains in the old site.
- If you require data retention, use Report (exports) to save the data.
- The accounttoken can only be changed by an Administrator running the EACMD.exe utility.
Process Overview
- Obtain the target site's account token by one of the following methods:
- OneView
- On the left navigation menu, click Manage > Sites.
- Select the new site for endpoints to be reassigned.
- The Account token displays at the top of the slide out.
- Nebula
- On the left navigation menu, go to Download Center.
- Download and check the macOS PKG.
- The Account token appears in the macOS PKG file name e.g. __xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx___.pkg.
- Optionally, in the destination site, set up email notifications to track endpoint registrations.
- As a Windows Administrator, run these commands interactively* on the endpoint:
- C:\Program Files\Malwarebytes Endpoint Agent\UserAgent>EACmd.exe --changeaccounttoken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- *See scripting section, for silent scripting.
- As a Mac Administrator, run the following commands* on the endpoint:
- sudo '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon' AccountToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- sudo launchctl stop com.malwarebytes.agent.daemon
- sudo launchctl start com.malwarebytes.agent.daemon
- *See sample script for older Malwarebytes version.
- Confirm the endpoint is now online and registered in the destination account.
- Delete the offline endpoint from the origin account, using the Nebula console or Excel Plugin.
- Email confirmation can be used as a trigger to perform deletion.
- For safety, ensure endpoints are not checking in before deleting from the source site.
Windows Deployment: Silent Scripting EACMD.exe
The following is an example of a Windows script for silent use.
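@ECHO OFF
REM Stop with an error unless the script is running elevated (NET SESSION fails for non-administrators)
NET SESSION > nul 2>&1 || (@ECHO Error: Must run as Admin & TIMEOUT /T 20 & EXIT /B 1)
REM Re-register the Endpoint Agent to the target site
"%PROGRAMFILES%\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" --changeaccounttoken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx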
Notes
- The above commands may be run manually, or scripted for use with Active Directory GPO, Remote Management and Monitoring (RMM) tools or other methods.
- When testing, temporarily turn on email notifications for Endpoint Registered within each Nebula site to see when an endpoint is changed. Otherwise, have the endpoints list on view and click refresh.
Example log entry
The following is an extract of log entries from a successful change; important items are bolded. To locate the full logs, navigate to: "%programdata%\Malwarebytes Endpoint Agent\logs\EndpointAgent.txt"
INFO ChangeAccountTokenCommand Change account token request received. Begin change token to xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO EAEngine Removing all config settings except AccountToken,NebulaUri,Proxy.Server,Proxy.Port,..
INFO SafeAppConfig No settings were found to be cleaned
INFO ChangeAccountTokenCommand Verify account token changed successfully
INFO EAEngine Account token returned from engine: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
INFO ChangeAccountTokenCommand Change was successful, issue service restart command
INFO RestartSupervisor Requesting a restart of service, 1
INFO EngineController Calling restart for Account token changed
INFO ServiceMonitorManager Service Monitor is already running
INFO EngineController Writing out restart service bat file
INFO EngineController Writing restart service bat file to C:\WINDOWS\TEMP\restartservice_2021_10_12_041244PM.bat
INFO EngineController Starting restart service bat file C:\WINDOWS\TEMP\restartservice_2021_10_12_041244PM.bat
INFO EAService Service Stopped....
INFO MBCloudEA.Program Process start
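A check that a token change completed, as an added example that is not part of the original article: it reads an EndpointAgent.txt extract and confirms the sequence shown in the log above for the token you expected. The function names, the verdict strings and the assumption that a token is a hexadecimal GUID are this example's own; the sample log is constructed from the extract with a placeholder token.

```shell
#!/bin/sh
# Added example: confirm an account-token change from an EndpointAgent.txt extract.

# Constructed sample, modelled on the log extract above (placeholder token).
SAMPLE_LOG='INFO ChangeAccountTokenCommand Change account token request received. Begin change token to aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
INFO ChangeAccountTokenCommand Verify account token changed successfully
INFO EAEngine Account token returned from engine: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
INFO ChangeAccountTokenCommand Change was successful, issue service restart command
INFO EAService Service Stopped....
INFO MBCloudEA.Program Process start'

# Assumption: a token is a hexadecimal GUID in the 8-4-4-4-12 shape of the placeholder.
valid_token() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Usage: check_token_change EXPECTED_TOKEN < log
# Prints one verdict; returns 0 only if the last change request in the log
# targeted EXPECTED_TOKEN, the engine reported it back, and the agent restarted.
check_token_change() {
  valid_token "$1" || { echo "bad-token-format"; return 2; }
  awk -v want="$1" '
    BEGIN { want = tolower(want) }
    { sub(/\r$/, "") }   # logs copied from Windows end in CRLF
    /Change account token request received/ { req = tolower($NF); got = ""; ok = 0; up = 0 }
    /Account token returned from engine:/   { got = tolower($NF) }
    /Change was successful/                 { ok = 1 }
    /MBCloudEA\.Program Process start/      { if (ok) up = 1 }
    END {
      if (req == "")        v = "no-change-request"
      else if (req != want) v = "requested-other-token"
      else if (got != want) v = "engine-token-mismatch"
      else if (!ok)         v = "change-not-confirmed"
      else if (!up)         v = "agent-not-restarted"
      else                  v = "ok"
      print v
      exit (v != "ok")
    }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | check_token_change aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
```

A verdict of requested-other-token or engine-token-mismatch means the endpoint was pointed at a site other than the one intended, so check that before deleting it from the origin account.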
macOS Scripting
The following is an example script which may be run from a software deployment or remote monitoring and management solution.
#!/bin/bash
#
echo '----------------------------------------------------------------------------------------'
echo 'Changing AccountToken and restarting agent, to register to a new OneView or Nebula Site '
echo 'Input: sudo launchctl setenv MWB_accounttoken aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa '
echo ' Using an environment variable is compatible with RMM scripting '
echo 'Version 1.2 2020-12-07'
echo '----------------------------------------------------------------------------------------'
# If the script is not running as root (e.g. manual testing), prefix all commands with sudo
SUDO=''
if (( EUID != 0 )) ; then
    echo 'Info : Not running as UID 0 root, therefore prefixing commands with sudo'
    SUDO='sudo'
    # Retrieve MWB_accounttoken from the root launchd environment into a local variable
    MWB_accounttoken=$(sudo launchctl getenv MWB_accounttoken)
fi
# Stop if no token was supplied
if [ -n "$MWB_accounttoken" ] ; then
    echo "Info : Environment variable \$MWB_accounttoken is $MWB_accounttoken"
else
    echo "Error : Blank value. Must set environment variable prior to running this script."
    echo " Or, edit this script to hardcode it"
    echo " sudo launchctl setenv MWB_accounttoken aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    # return works when the script is sourced; exit covers direct execution
    return 1 2>/dev/null || exit 1
fi
# Check if Endpoint Agent is Version 1.5, by its pathname
if test -f '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon'; then
    # Version 1.5: run the daemon binary found at the path tested above
    $SUDO '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon' AccountToken="$MWB_accounttoken"
    exitcode=$?
    echo "Info : $exitcode exitcode from change accounttoken"
    echo "Info : Restarting Endpoint Management Agent"
    $SUDO launchctl unload '/Library/LaunchDaemons/com.malwarebytes.EndpointAgent.plist'
    echo "Info : $? exitcode from unload com.malwarebytes.EndpointAgent.plist"
    $SUDO launchctl load '/Library/LaunchDaemons/com.malwarebytes.EndpointAgent.plist'
    echo "Info : $? exitcode from load com.malwarebytes.EndpointAgent.plist"
    exit $exitcode
fi
# Check if Endpoint Agent is Version 1.6 or later, by its pathname
# engine/daemon version 1.6.481 or higher
if test -f '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon'; then
    $SUDO '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon' AccountToken="$MWB_accounttoken"
    exitcode=$?
    echo "Info : $exitcode exitcode from change accounttoken"
    sleep 5
    echo "Info : Restarting Endpoint Management Agent"
    $SUDO launchctl stop com.malwarebytes.agent.daemon
    echo "Info : $? exitcode from stop com.malwarebytes.agent.daemon"
    sleep 5
    $SUDO launchctl start 'com.malwarebytes.agent.daemon'
    echo "Info : $? exitcode from start com.malwarebytes.agent.daemon"
    # return works when the script is sourced; exit covers direct execution
    return $exitcode 2>/dev/null || exit $exitcode
fi