An Apple mobile device management (MDM) solution can be your ticket to saving time, improving efficiency, and maintaining a secure fleet. But what happens when your MDM just isn’t cutting it? That’s when it’s time to look for a better tool. On the surface, migrating between MDM solutions can seem daunting, so many sysadmins put it off. But with a little planning, you can seamlessly transition and start taking advantage of the powerful, flexible features your business needs.
We’ll walk you through the concepts you should understand before embarking on your MDM migration journey. Then, we’ll break down the simple, two-step process to make the switch.
Underlying concepts
To understand the MDM migration process, you should first be familiar with user-approved MDM enrollment and device supervision since they will shape which enrollment method you choose.
User-approved MDM enrollment (UAMDM)
User-approved enrollment is Apple’s way of ensuring that the end user was involved in and approved the MDM enrollment process. Some MDM features require enabling UAMDM to function.
For a device's enrollment to count as user-approved, the MDM profile must be installed by a method that involves user interaction. The following enrollment methods qualify:
Automated Device Enrollment (ADE) via Apple Business Manager (ABM): Formerly known as DEP, ADE can enable UAMDM if the Setup Assistant stage asks the user to manually create a local user account.
Enrollment by link: The user manually installs the MDM profile.
In contrast, the following methods do not enable UAMDM since they do not involve user interaction:
Installing the profile via script
Enrolling a device via ADE with a setup that does not require that the user create an account during the Setup Assistant
Installing the profile on a device via Munki, as part of a remotely deployed package, or something similar
What happens if UAMDM is not enabled?
As it stands, the two most notable features that require UAMDM are the Privacy Preferences profile and the Kernel Extension profile (KEXT allowlisting); neither profile takes effect unless UAMDM is enabled.
Additionally, Bootstrap Token escrow requires UAMDM. Devices must also be associated with an ABM account for the escrow operations to function, though the devices do not necessarily need to have enrolled using ADE.
It’s still possible to manually enable UAMDM if not enabled via the automated enrollment process. This requires the user to go to System Preferences > Profiles and click Approve on the MDM profile.
Device supervision
The concept of supervised mode has existed for years on iOS. On iOS, supervision is a device state that allows MDM more control over the device. Apple introduced the concept of supervision to macOS with Catalina (10.15). Since supervision is a newer concept for macOS, its functionality is still pretty limited. As of today, Activation Lock is the only feature that requires supervision on macOS.
It’s hard to say what supervision will enable in the future for macOS. If possible, it’s worth enabling supervision to future-proof your fleet.
Supervision state between erases
In iOS, a device’s supervision status doesn’t correlate with its MDM enrollment status. If an iOS device is placed into supervised mode, it remains in that mode — even after device wipes — unless the mode is purposefully disabled with software, like Apple Configurator, or a nonsupervised backup is restored on the device.
macOS supervision differs from iOS supervision. In our testing, we found that only Macs enrolled in MDM via Automated Device Enrollment show up as supervised. Macs enrolled manually in MDM do not have supervision enabled even if they previously enrolled via ADE.
Step 1: Remove the original MDM profile
Once enrolled in MDM via ADE, Apple devices prevent users from manually removing the MDM profile by default. Macs running macOS 10.15 or later have nonremovable MDM enforced via ADE. This is the only way Apple allows admins to prevent manual removal of an MDM profile.
Admins often prefer nonremovable MDM profiles. It makes sense: Admins don’t want users to remove management profiles from corporate devices. However, with a nonremovable MDM profile, admins must account for the extra steps required to remove the profile when migrating MDMs. Apple locks down the MDM profile when installed with ADE so it can’t be removed through Terminal or any other backdoor methods. The only way to remove it is via a command sent from the MDM or when wiping a device.
Apple also restricts multiple MDM profiles on a device. Therefore, you can’t install one MDM profile on top of another. When you migrate macOS devices to a new MDM, you’ll need to send a command from the original MDM to remove the management profile from the devices. Then, you can proceed to migrate those devices and install the new MDM. That is unless you choose to wipe the devices, in which case the original MDM profile is removed during the wipe.
Step 2: Migrate existing devices to SimpleMDM
Now that you’re familiar with the concepts above, let’s look more closely at the process of migrating macOS devices from one MDM to another. The following example assumes the plan is to migrate your existing macOS devices to SimpleMDM.
The first step is to configure your SimpleMDM account:
Connect your Apple Business Manager account for both Automated Device Enrollment and Apps and Books.
Add the apps you need.
Create the device groups.
Apply the configurations.
Test everything thoroughly to ensure it works as expected.
Once you are set up and confident in the results of your testing, the next step is to migrate your devices over in Apple Business Manager:
Unassign the serial numbers from the original MDM server.
Reassign them to the server linked to SimpleMDM.
This won’t affect any existing devices. It just means that any devices wiped in the future will enroll in SimpleMDM instead of the previous MDM.
The steps that follow depend on whether you want to wipe devices.
Migrate existing devices without wiping
To install a SimpleMDM profile on a device, you first need to remove the current MDM profile (if one exists). Any device enrolled in MDM via ADE won’t allow the user to manually remove the profile. This means that a device admin needs to unenroll it through the current MDM.
Once unenrolled from the original MDM, retrieve a Group Enrollment code from SimpleMDM, and use it to manually install the profile. This requires the user (or admin) to navigate to the URL, download the profile, and then confirm its installation. For best results, log in under a local admin account before enrolling the device.
The downside of manually enrolling a device in MDM is that Apple will allow the user to manually remove the MDM profile. This method also doesn’t enable supervision. To prevent the user from removing the MDM profile and to enable supervision, you typically must wipe the device, which triggers ADE.
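To see where a Mac actually stands before and after the manual steps above, here is an added example (not part of the original post) that classifies the two lines printed by `sudo profiles status -type enrollment` on macOS 10.13.4 and later and maps the result to the Step 1 action described above. The sample outputs are constructed; the `profiles` command itself only runs on a real Mac.

```shell
# Classify a Mac's enrollment from `sudo profiles status -type enrollment`,
# which prints two lines such as:
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
# classify_enrollment reads that text on stdin and prints one of:
#   ade-uamdm, ade-unapproved, manual-uamdm, manual-unapproved, not-enrolled
# On a real Mac: sudo profiles status -type enrollment | classify_enrollment
classify_enrollment() {
    status="$(cat)"
    dep=$(printf '%s\n' "$status" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$status" | sed -n 's/^MDM enrollment: *//p')
    case "$dep" in Yes*) via_ade=1 ;; *) via_ade=0 ;; esac
    case "$mdm" in
        Yes*"User Approved"*)
            [ "$via_ade" -eq 1 ] && echo ade-uamdm || echo manual-uamdm ;;
        Yes*)
            [ "$via_ade" -eq 1 ] && echo ade-unapproved || echo manual-unapproved ;;
        *)  echo not-enrolled ;;
    esac
}

# Map the classification to the step required before a new MDM profile can be
# installed without wiping: an ADE-installed profile is nonremovable and must be
# removed by the current MDM, a manually installed one can be removed locally.
premigration_action() {
    case "$1" in
        ade-*)    echo "nonremovable profile: send a remove command from the current MDM" ;;
        manual-*) echo "removable profile: remove locally or via the current MDM" ;;
        *)        echo "no MDM profile: install the SimpleMDM enrollment profile" ;;
    esac
}

# Constructed sample outputs standing in for real `profiles status` runs.
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

for s in "$SAMPLE_ADE" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
    kind=$(printf '%s\n' "$s" | classify_enrollment)
    printf '%-18s %s\n' "$kind" "$(premigration_action "$kind")"
done
```

A Mac that reports manual-unapproved after enrollment by link still needs the user to click Approve under System Preferences > Profiles before UAMDM-dependent payloads apply.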
Migrate existing devices with Automated Device Enrollment (ADE) without wiping
macOS provides an unsupported, undocumented method for enrolling a device using ADE without wiping it first. When you run the command, macOS contacts Apple's ADE servers, checks for a configuration, and enrolls the device in MDM if one is assigned. Since Apple neither documents nor supports this method, your mileage may vary.
The proper command to use depends upon the version of macOS.
OS version | Command
---|---
10.13+ | 
10.12.4–10.12.6 | 
10.12–10.12.3 | 
10.11 and earlier | 
Migrate existing devices with Automated Device Enrollment (ADE)
ADE is generally the most effective enrollment method, but it requires wiping the device. Currently, it’s the only way to ensure that supervision and UAMDM are enabled and the SimpleMDM profile is unremovable.
As mentioned above, configure your SimpleMDM account and test its functionality prior to initiating ADE. Once you are happy with your configuration and have reassigned devices to the SimpleMDM server in Apple Business Manager, simply erase the devices. After the wipe and subsequent reboot, proceed through the OS installation and Setup Assistant screens. Make sure to connect the devices to the internet (Wi-Fi or ethernet) when prompted. The enrollment then automatically takes place during setup.
Enroll new devices
Automated Device Enrollment (ADE) is generally the best method for enrolling brand-new devices.
Just because you’ve already enrolled devices into your old MDM solution doesn’t mean you’re stuck with it. As long as you understand a few basic tenets of Apple MDM, the migration process can be remarkably easy.
Want to see if the grass is really greener? Take advantage of a free 30-day trial of SimpleMDM.