I've been facing some serious performance issues at work and stumbled upon some oddities with the SentinelOne setup in our office. I opened a ticket with our managed service provider (MSP), and their responses left me confused about whether this is how things should be run. Here's what I've found:
- Over five PCs show a status of "Fallback". I suspect this is the case for all PCs here.
- Running SentinelCTL.exe gives me blank Customer IDs.
- There are no firewall control rules visible.
- I've captured process data showing SentinelOne is performing up to 33,000 operations per second.
- My system appears to communicate with the management server, and I'm receiving software updates, but I haven't been assigned any specific policies.
- Anti-Tamper is enabled on the agents.
The MSP claims that being in fallback is normal and insisted they won't open a support ticket with SentinelOne—despite my requests and the owner of my company asking as well. They provided proof of a Customer ID showing as "N/A" and said everything was fine, but I also learned from SentinelOne that there's no record of our company or them in their system.
So, I'm all ears:
- Is this acceptable behavior from an MSP?
- Should they refuse to open a support ticket?
- Is it normal to be in fallback mode for over 15 months?
- Why would there not be a Customer ID?
- How would you all tackle this situation? I'm not hunting for technical fixes—just trying to understand if this is standard practice in the industry.
4 Answers
From my experience in managing an MSSP for a large client base, "fallback" is just a label and doesn’t really indicate a problem with your policy application. However, the lack of a Customer ID and refusal to open support tickets seem concerning. It’s odd for an MSP to be uncooperative about this. You definitely deserve clarity on your situation, especially if it affects your work performance. It sounds like you need to escalate this, especially since they’re not being transparent. Don't settle for vague answers; you have every right to ask for specifics!
As someone who works with SentinelOne, the absence of policies and a Customer ID for over 15 months isn’t normal. It's a governance issue. The MSP should at least provide you with verification of your account relationship and clarity on policies. If they push back further, that would definitely warrant bringing it up the chain.
Exactly! Documentation is key. If they refuse to provide it, definitely escalate further.
It does sound strange that your system is in fallback mode for such an extended period. Normally that should not happen. An MSP should be able to provide concrete evidence of customer details and policies; if not, it raises red flags. I would definitely push for a direct explanation and perhaps get it in writing. If they refuse, it may be time to consider whether they are the right MSP for you.
Good point! If they can’t produce valid information, maybe it’s time to look for another provider.
Honestly, that level of service sounds unacceptable. If a company has to reach out to forums to get clarity, something's seriously wrong. It might be worth documenting everything and escalating this with your management. If your MSP refuses to help you, it might be time to find a new partner who’s willing to be more collaborative.
Exactly! Sometimes it takes getting a new provider for things to improve. Good luck!
I totally agree! It’s really important to have good communication and transparency, especially from an MSP.