By: Adrian Moore | Sr. PM – Microsoft Endpoint Manager - Intune
The following article helps IT Pros and mobile device administrators understand some of the finer details regarding iOS device migration from an existing MDM platform to Intune when using Apple’s Automated Device Enrolment program (ADE), formerly known as the Device Enrolment Program (DEP). We receive a lot of questions on how best to approach the issue of factory resets and how to handle the Apple Business Manager (ABM) side of things. We hope this article helps with some of the decisions you will face when deciding the best path forward for your organization.
As you migrate your mobile device management to Microsoft Intune, arguably one of the most important parts of the transition will be the impact on your users. Before considering how you will migrate your devices to Intune, it is important to understand your device landscape and how your employees are using their devices. This information will largely drive your migration path.
Based on our experience working with customers, the following are the most common points that will help you decide how you will migrate, and what the user experience will be during the migration:
In this scenario, the devices will need to be moved to a new (Intune) MDM server in Apple Business Manager to be able to pick up an Intune ADE profile.
Devices must be factory reset to properly enrol in Intune and remain in a fully supported state with Microsoft and Apple.
Devices with personal data on them will need to be backed up by the user to their iCloud account if they wish to retain it; however, this does require backing up corporate data to a consumer cloud service that is not controlled by your organization.
Devices must be unenrolled from the current MDM platform before the final backup is taken.
If users decide to use the restore option in the Apple Setup Assistant, once the restore is complete they will have to visit the App Store to install the Intune Company Portal.
It is not possible to “lock” a management profile to a device enrolled in this manner (however, the device does retain its “supervised” state).
The device will not show as being enrolled against an ADE profile in Intune, which means any configuration applied based on that logic will not be applied to the device.
NOTE: If you ever need to re-enrol your ADE device, you must first add the IMEI number of that device as a corporate identifier. You might need to re-enrol your ADE device if you are troubleshooting an issue, like the device not receiving policy. In this case, you would:
Failing to do this will mean the device will be marked as “Personal” and not “Corporate”.
Now let us look at an example scenario that we commonly see when working with our customers.
Contoso has iOS ADE devices currently enrolled in an MDM platform. They allow their staff to use their personal Apple IDs on their devices and store personal data on them. Most of their users do this, and back up their content to iCloud. Staff understand that devices may, from time to time, need to be factory reset and may be wiped if lost or stolen. Contoso IT wants the migration to Intune to be done as quickly as possible, so they are only managing two MDM platforms for a short time. They want minimal IT interaction when it comes to users enrolling their devices. Contoso has users in regions where ADE is not supported by Apple.
In this example, the migration flow for ADE devices could look like this:
This procedure ensures that the data on the device is backed up without the old management profile and the device has been enrolled correctly with the new Intune-based ADE profile. Many of our customers add the user to a Conditional Access group after step #3, which blocks access to corporate resources until the user enrols and their device is compliant.
In the same example, the migration flow for non-ADE devices would look like this:
IT Pro Action: Unenroll the device from the current MDM.
User Action: Backup the device to iCloud.
User Action: Download Company Portal from the App Store.
User Action: Enrol device through Company Portal app.
User Action: Once enrolled, add Apple ID and restore any required data.
NOTE: The Intune service synchronizes with Apple at the following frequencies*:
As you can see from the examples, the migration path will largely be determined by the way the devices are being used by your employees, so it is important to do some analysis before deciding the best path forward for your organization.
For further resources on this subject, please see the links below.
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community Page, or leave a comment below.
Blog post updates:
11/25/20: Updated the migration flow example for ADE devices.