Apple MDM Migration

Apple devices can be automatically enrolled in a device management service during setup, but reenrollment typically requires a factory reset. Apple devices now support seamless migration from one Mobile Device Management (MDM) service to a new device management service through Apple Business Manager. Administrators can set enrollment deadlines, enforce migration, and preserve apps and data during the process.

Before you begin

  • The migration process is supported for iOS 26+ and macOS 26+ devices.
  • A valid token file for Automated Device Enrollment must be available.

    For more information about tokens, see Adding a token to the Apple Device Enrollment Program (DEP).

  • You must have administrator access to the Apple Business Manager account with device enrollment permissions.

About this task

Administrators can assign and update device management for Apple devices by using Apple Business Manager, and integrate the devices with IBM® MaaS360® for automated device enrollment. The steps include selecting a device management token, setting an enrollment deadline, confirming the assignment, and completing the enrollment on the device. By following this procedure, administrators ensure that devices are properly migrated to MaaS360 MDM, enabling secure management and compliance with organizational policies.

Procedure

  1. Log in to Apple Business Manager.
  2. Go to Devices.
  3. In the Inventory, search for the iOS or macOS device and select the device.
    Note: To search for iOS or macOS devices to migrate, click the filter icon to the right of the search field. Under Device Management, select the MDM server where the devices are currently managed, and then click Search. Select multiple devices, or click Select All to migrate all devices.
    You can also find devices in Apple Business Manager as follows:
    1. Select Devices and click Management Services.
    2. Select the MDM server that is tied to your ADE or DEP connection.
    3. Click the menu icon and choose Show Devices.
  4. Click Assign Device Management.
  5. From the Device Management Service drop-down list, select the token file for Automated Device Enrollment.
    Locate the token file that you downloaded from the MaaS360 portal.
  6. Click Add Deadline to set the enrollment deadline. The user receives a notification to enroll. If the device is not enrolled by the deadline, enrollment is enforced.
  7. Click Continue.
  8. A confirmation pop-up appears. Click Confirm to change the device management service.
  9. The service assignment for device management is updated. Click Done.
  10. On the Device Overview page, review the updated device management details.
  11. From the IBM MaaS360 Portal home page, go to Devices > Enrollments > Other Enrollment Options > Apple > Apple Device Enrollment.
  12. On the Apple Device Enrollment page, click Add Token.
  13. On the Add Token page, enter a Token Name and select the Token File that was created in ABM.
  14. Click Add.
  15. On the Tokens page, review the token details.
  16. On your iOS or macOS device, a notification appears to indicate that enrollment is required.
  17. Tap Start Enrollment > Restart.
  18. After the device restarts, the Device Management screen displays the organization name that is registered with your Apple Business Manager (ABM) account.
  19. On iOS devices, tap Enroll this iPhone. On macOS devices, click Enroll. The device unenrolls from the current management service and begins reenrollment.
    Note: If authentication is enabled in the DEP profile, an authentication prompt appears on the device for the user to enter authentication details.
  20. After enrollment completes, an Enrollment Complete notification appears.
  21. On your iOS device, go to Settings > General > VPN & Device Management and tap MaaS360 MDM Profile.
    The MaaS360 MDM configuration is successfully installed on the device.
  22. On your macOS device, go to Finder > Applications > Utilities > MaaS360.
    The MaaS360 MDM configuration is successfully installed on the device.

Results

After completing the procedure, the system automatically assigns the default iOS policy to the device. However, if a pre-configured policy was previously assigned to either the All Devices group or the iOS Devices group, that policy takes precedence and is applied instead. Following migration, all iTunes, B2B, Enterprise, and VPP-licensed apps that were pre-assigned to these groups are installed on the device. Similarly, any rules that were pre-assigned to the relevant groups are enforced once migration is complete.