Skip to content
Supported migration paths

Prepare for migration

You must complete a few tasks before you can start migration.


You can’t migrate several customer accounts to the same Sophos Central account.

Do as follows:

  1. Check that you’re not using a feature that blocks migration:

    • Windows Mobile or Windows Phone devices
    • Corporate keyring synchronization with SafeGuard Enterprise
    • Sophos UTM integration
    • Integration with third-party Network Access Control (NAC) software
    • Duo Security integration for Android devices
    • LDAP user management, except for Active Directory
    • App Groups API integration with a third-party app reputation vendor
    • Other Sophos Mobile REST APIs
  2. Check that all devices have a supported operating system.

    See the Requirements section in the Sophos Mobile release notes.

  3. Check that your firewall allows inbound connections from Sophos Central.

    See IP addresses for AD and SCEP connections.

  4. Check that the following is up to date:

    1. If you’re using an on-premise Sophos Mobile server, upgrade it to the latest version and patch level.
    2. If you’re managing iPhones or iPads, check that your certificate for the Apple Push Notification service (APNs) hasn’t expired.

      When your APNs certificate has expired, the Sophos Mobile Admin dashboard shows a notification.

    3. If you’re using the standalone EAS proxy, upgrade it to the latest version.

      When the EAS proxy is out of date, the Sophos Mobile Admin dashboard shows a notification.

  5. Set up your Sophos Central account.

    1. Create an administrator account that has the Super admin role.
    2. Activate your Sophos Mobile license.
    3. Configure global settings as required.

    For details on these and the following tasks, see Sophos Central Admin help.

  6. Optional: In Sophos Central, set up synchronization with your Active Directory server.

    See Set up synchronization with Active Directory.

  7. Check that the user groups you use in your Self Service Portal configurations are available in Sophos Central.

  8. Optional: If you’ve already added users to Sophos Central, invite them to Sophos Central Self Service Portal.

    See Set up Sophos Central Self Service Portal access.

  9. If you’re using federated authentication with Azure Active Directory, do as follows:

    1. In Sophos Mobile, turn off federated authentication and turn on a different user management mode, for example internal user management.
    2. In Sophos Central, configure federated authentication.
  10. Download a migration token from Sophos Central.

    1. Sign in to Sophos Mobile Admin.

      Go to Mobile

    2. On the menu sidebar, under SETTINGS, select Setup > Sophos setup, and then select the Import tab.

    3. Click Download.

    Download a migration token from Sophos Central

    A file containing the migration token is downloaded to your computer.

  11. If applicable, turn off Sophos Mobile auto-enrollment:

    • Revoke the Android Enterprise QR code.
    • Revoke the Android zero-touch configuration.
    • Revoke the Samsung Knox Mobile Enrollment (KME) configuration.
    • Revoke the Google Workspace connection code for Sophos Chrome Security.
    • Revoke the third-party connection code for Sophos Intercept X for Mobile.
    • Turn off iOS auto-enrollment with Apple Configurator in the device group settings.


    We recommend that you record your settings before you turn off a configuration. This helps you to reproduce the settings in Sophos Central after migration.

  12. If applicable, turn off TeamViewer integration.

  13. In Sophos Mobile, unenroll and delete inactive devices that don’t synchronize anymore.
  14. Update the Sophos Mobile apps.

    The Sophos Mobile apps on Android devices, iPhones, and iPads are:

    • Sophos Mobile Control
    • Sophos Intercept X for Mobile
    • Sophos Secure Workspace
    • Sophos Secure Email

    The Sophos Mobile app (or extension) on Chrome devices is Sophos Chrome Security.

    We recommend that you follow the procedure in Update Sophos Mobile apps.

If you’re using the Sophos Mobile EAS proxy, you must prepare it before starting the migration.

If you’re not using the Sophos Mobile EAS proxy, skip to Run the migration assistant.