“Should I stay or should I go?” is a question that keeps sysadmins (and The Clash) up at night. If you’re facing limitations with your current MDM, understanding what it takes to switch can help inform this decision. Before jumping into the specifics of how to migrate macOS devices from one MDM to another, it is worth familiarizing oneself with the four following options that may impact your deployment.
1. User approved MDM enrollment (UAMDM)
User approved enrollment is a concept separate from supervision. It is Apple’s way of ensuring that the user of the device has been involved in the MDM enrollment process and has approved it. Some MDM features require enabling UAMDM in order to function.
For a device to be considered user enrolled, it must enroll with MDM using an enrollment method that involves some form of user interaction. The following methods of enrollment are adequate:
Automated enrollment via Apple Business Manager (DEP enrollment), where the user manually creates a local user account during the Setup Assistant stage.
The user manually installs the MDM profile (enrollment by link).
Either of these methods will enable UAMDM during enrollment.
What won’t enable UAMDM?
Installing the profile via script.
Enrolling a device with automated enrollment with a setup that does not have the user create an account during Setup Assistant.
Installing the profile on a device via Munki, as part of a remotely deployed package, or similar.
Any other type of enrollment that doesn’t require the user to manually interact during the installation of the profile.
What happens if UAMDM is not enabled?
As it stands, the two most notable features that require UAMDM are the Privacy Preferences profile and the Kernel Extension profile (KEXT whitelisting). Both of these profiles require enabling UAMDM in order to function.
Additionally, UAMDM is required for Bootstrap Token escrow. Devices also must be associated with an Apple Business Manager account for the escrow operations to function, though the devices do not necessarily need to have enrolled using Automated Enrollment.
It is still possible to manually enable UAMDM if not enabled via the automated enrollment process. This requires the user to go to System Preferences > Profiles and click ‘Approve’ on the MDM profile.
2. Supervision (for macOS)
The concept of ‘Supervised Mode’ has existed for years on iOS. On iOS, supervision is a device state that allows MDM more control over devices. Apple introduced the concept of supervision to macOS with Catalina (10.15). As supervision is a newer concept for macOS, the functionality tied to it currently is still small. As of today, activation lock is the only feature that requires supervision on macOS.
It is hard to say what supervision will enable in the future for macOS. If possible, it is worth enabling supervision in order to future proof your fleet.
Supervision state between erases
In iOS, a device’s supervision status doesn’t correlate with its MDM enrollment status. If an iOS device is placed into supervised mode, it will remain in that mode, even after device wipes, unless the mode is purposefully disabled with software like Apple Configurator or a non-supervised backup is restored on the device.
macOS supervision differs from that of iOS. In our testing, we found that only Macs enrolled in MDM via automated enrollment (DEP enrollment) show up as ‘supervised’. Macs enrolled manually in MDM do not have supervision enabled, even if they previously enrolled via automated enrollment (DEP enrollment).
3. Non-removable MDM
When devices enroll in MDM via automated enrollment (DEP enrollment), Apple prevents users from manually removing the MDM profile by default. Macs running macOS 10.15 or later have non-removable MDM enforced via automated enrollment. This is the only way Apple allows admins to prevent manual removal of an MDM profile.
Non-removable MDM profiles are often preferred by admins. It makes sense: admins don’t want users to remove the management profile from a corporate-owned device. However, with a non-removable MDM profile, admins must account for the extra steps required to remove this profile when migrating MDMs. Apple locks down the MDM profile when installed with automated enrollment so it can’t be removed through Terminal or any other backdoor ways. It can only be removed via a command sent from the MDM or when wiping a device.
Apple also restricts multiple MDM profiles on a device. Therefore, you can’t install one MDM profile on top of another. When you migrate macOS devices to a new MDM, you’ll need to send a command from the original MDM to remove the management profile from devices. Then you can proceed to migrate those devices and install the new MDM. That is unless you choose to wipe the devices, in which case the original MDM profile will be removed during the wipe.
4. Migrate existing devices to SimpleMDM
Now that you’re familiar with the concepts above, let’s look more closely at the process to migrate macOS devices from one MDM to another. The following example assumes the plan is to migrate your existing macOS devices to SimpleMDM.
There are various processes to migrate macOS devices that we have outlined below. The best approach ultimately depends on your organization. The biggest question to answer is: do you want to wipe your devices or not? We will address the impact of this decision below.
Regardless of your scenario, the first recommended step is to configure your SimpleMDM account: connect your Apple Business Manager account for both automated enrollment (DEP) and Apps and Books (VPP), add the apps you need, create the device groups, and apply the configurations. Then, test everything thoroughly to ensure it works as expected.
Once you are set up and confident in the results of your testing, the next step is to migrate your devices over in Apple Business Manager. Un-assign the serial numbers from the original MDM server, then re-assign them to the server linked to SimpleMDM. This won’t affect any existing devices. It just means that any devices wiped in the future will enroll in SimpleMDM instead of the previous MDM.
The steps that come after this will depend on whether you want to wipe devices.
Migrate existing devices without wiping
To install a SimpleMDM profile on a device, you’ll first need to remove the current MDM profile (if one exists). Any devices enrolled in MDM via automated enrollment (DEP enrollment) won’t allow a user to manually remove the profile. This means that a device admin will need to unenroll them through the current MDM.
Once unenrolled from the original MDM, retrieve a Group Enrollment code from SimpleMDM and use it to manually install the profile. This requires the user (or admin) to navigate to the URL and download the profile, then confirm its installation. For best results, log in under a local admin account before enrolling the device.
The downside of manually enrolling a device in MDM is that Apple will allow the user to manually remove the MDM profile. This method will also not enable supervision. To prevent the user from removing the MDM profile and to enable supervision, you typically must wipe the device which triggers automated enrollment, detailed in the Automated Enrollment section below.
Migrate existing devices with automated enrollment (DEP) without wiping
macOS does provide an unsupported, undocumented method for enrolling a device using Automated Enrollment without wiping it first. By running a command, macOS contacts Apple’s Automated Enrollment servers, checks for a configuration, and enrolls the device in MDM if it is configured to do so. Since this is an undocumented and unsupported method by Apple, your mileage may vary.
The proper command to use depends upon the version of macOS.
10.13+: /usr/bin/profiles renew -type enrollment
10.12.4-10.12.6: /usr/bin/profiles -N
10.12-10.12.3: /usr/libexec/mdmclient dep nag
10.11 and earlier: /usr/libexec/mdmclient cloudconfig
Migrate existing devices with automated enrollment (DEP)
Automated enrollment is generally the most effective method of enrollment, but requires wiping the device. Currently, it’s the only way to ensure that the SimpleMDM profile is unremovable and that supervision and UAMDM are enabled.
As mentioned above, configure your SimpleMDM account and test its functionality prior to initiating automated enrollment. Once you are happy with your configuration and have re-assigned devices to the SimpleMDM server in Apple Business Manager, simply erase the devices. After the reboot following the wipe, proceed through the OS installation and Setup Assistant screens. Make sure to connect the devices to the internet (WIFI or ethernet) when prompted. The enrollment will then take place automatically during setup.
Enrolling new devices
Automated enrollment (DEP) is the recommended method for enrolling brand new devices.
SimpleMDM is a mobile device management solution that helps IT teams securely update, monitor, and license Apple devices in a matter of minutes — all while staying on top of Apple updates automatically.
Related articles
