How to migrate iOS devices from another MDM to Hexnode?
Executing a smooth iOS migration requires a clear action plan to ensure user data remains safe and devices stay compliant. This guide organizes the transition into four logical phases: Preparation, Ecosystem Configuration, User Integration, and Execution.
Phase 1: Preparation & Backup
Before initiating the migration, ensure you have a fallback plan.
- Audit & Export: If your current device management platform supports it, export device inventory and user details to assist with the Hexnode setup.
- Data Backup: You will likely need to wipe devices (especially ADE-enrolled ones). Ensure required data is stored in your preferred cloud storage service.
- Asset Removal: Delete the ADE and VPP tokens configured in the current device management platform to free them up for Hexnode.
Phase 2: Ecosystem Configuration
Set up the Apple ecosystem connections required for management.
1. Apple Business
If your organization hasn’t enrolled, go to https://business.apple.com/ and sign up. The Automated Device Enrollment and Volume Purchase Program are seamlessly integrated here.
2. APNs Certificate (Mandatory)
A new APNs certificate is required for Apple devices to communicate with Hexnode.
- Download the self-signed certificate from Hexnode.
- Go to the Apple Push Certificates Portal, upload the request, and download the APNs certificate generated by Apple.
- Upload the APNs certificate back to the Hexnode UEM portal.
3. Migrate Tokens
- ADE Server Token:
  - Create a new MDM server in Apple Business using the public key from Hexnode.
  - Upload the server token to your Hexnode portal to link the services.
  - Create an ADE profile in Hexnode to configure the setup assistant.
  - Assign your ADE devices to the Hexnode UEM server in the Apple Business portal.
- VPP Token:
  - Revoke all app licenses from the previous device management platform.
  - Download a new VPP token from Apple Business.
  - Configure VPP in Hexnode by uploading this token and saving.
  - Check “reclaim licenses” to revoke old licenses and reuse them with Hexnode.
Phase 3: User Integration
Sync users from your directory services to the UEM console. Unbind the old provider and configure Hexnode with:
- Active Directory: Configure Active Directory settings under the admin tab.
- Microsoft Entra ID: Configure Microsoft Entra ID settings under the admin tab.
- Google Workspace: Configure Google Workspace settings to sync users and groups.
Phase 4: Execution (Disenroll & Enroll)
Once the infrastructure is ready, move the devices.
Step 1: Disenroll from current device management platform
- Remote: Push a disenroll action from the previous device management platform.
- Manual: Go to Settings > General > Profile & Device Management on the device and remove the profile.
Step 2: Enroll into Hexnode UEM
Choose the enrollment method that fits your deployment.
A. Automated Device Enrollment (ADE)
Use ADE enrollment for eligible devices.
- Requirement: Devices must be fully erased.
- Process: Assign devices to Hexnode in Apple Business. Devices will automatically enroll upon their initial setup.
B. Apple Configurator
Use Apple Configurator to enroll iOS devices manually.
- Benefit: Devices can be manually added to ADE regardless of purchase source.
- Warning: Make sure that Activation Lock is disabled when you’re letting users wipe their own devices.
C. Bulk Enrollment (CSV)
Use the details exported in Phase 1.
- User Import: Send enrollment instructions to users in bulk via email by uploading user details as a CSV file.
- Pre-Approved: Bulk import a list of devices based on serial numbers. You can proactively assign policies that take effect immediately.
D. User-Initiated Enrollment
- Self-Enrollment: Users can enroll with their AD credentials or usernames/passwords set in the portal.
- Open Enrollment: Users can enroll devices without authentication; only the enrollment URL is needed.
- Invites: Users will receive an enrollment request via email or SMS containing the credentials.
Migration Without Device Wipe
The following section details the standard operating procedure for migrating organization-owned Apple devices to a new device management platform server without initiating a factory reset.
1. Eligibility Requirements
To perform a migration without a factory reset, a device must meet the following strict conditions:
- Supported Operating Systems: iOS 26/iPadOS 26
- Ownership: The device must be organization-owned.
- Enrollment Type: The device must be enrolled in the current device management platform using Automated Device Enrollment (ADE).
2. Administrator Workflow & Enforcement
Administrators manage the migration process via Apple Business.
- Authorized Roles: Administrator, Device Enrollment Manager, and Site Manager.
- Server Reassignment Workflow: To initiate the migration, administrators must reassign the devices to the new device management platform server (Hexnode) using the following steps:
  - Log in to the Apple Business or ASM portal.
  - Go to the Devices section in the top navigation menu, and select the desired device from the Inventory.
  - Click the Assign Device Management button.
  - Select the device management service (Hexnode) from the dropdown list to confirm the assignment.
- Deadline Configuration: Authorized roles can set a migration deadline and monitor pending migrations directly from the device page.
- Notification Protocol: Once a deadline is set, users receive on-device system notifications prompting them to begin migration. The frequency of these reminders increases automatically as the deadline approaches.
- Enforcement Mechanisms: If a user fails to migrate before the deadline, the organization can enforce mandatory re-enrollment:
  - iPhone & iPad: Enforcement triggers an automatic device restart.
3. System Behavior & Post-Migration Status
- Data & App Preservation (iOS/iPadOS): Apps and associated data are preserved during migration if the new device management service delivers identical apps. This minimizes disruption and maintains business continuity.
- Activation Lock Management: Upon successful re-enrollment, the new device management server assumes full control of the Activation Lock. The operating system invalidates existing bypass codes and generates new ones, which are then escrowed by the new device management platform (Hexnode) to maintain uninterrupted administrative control.
4. Additional Conditions
Migration without a factory reset is subject to the following edge cases and restrictions:
- Apple Configurator: For devices manually enrolled via Apple Configurator, migration is only supported after the mandatory 30-day provisional enrollment period expires.
- Return to Service: Migration is strictly not supported for devices enrolled via ADE utilizing the flag is_return_to_service=true.
- Apple Business Essentials: Migrating to or from the Apple Business Essentials device management service is not supported.
- Shared iPad: Device management service migration is not available on Shared iPads.
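The eligibility requirements in section 1 and the restrictions above can be checked against the inventory exported in Phase 1 before any device is reassigned. The script below is an added example, not Hexnode or Apple code; the CSV column names, the sample rows, and the helper names `blockers` and `triage` are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; the column names are assumptions, not a Hexnode or Apple export format.
SAMPLE_CSV = """serial,os_version,ownership,enrollment,configurator_added,shared_ipad,return_to_service,current_mdm
C0NSTRUCT01,26.0,organization,ADE,,false,false,OtherMDM
C0NSTRUCT02,18.5,organization,ADE,,false,false,OtherMDM
C0NSTRUCT03,26.1,personal,User,,false,false,OtherMDM
C0NSTRUCT04,26.0,organization,ADE,2026-01-20,false,false,OtherMDM
C0NSTRUCT05,26.0,organization,ADE,,true,false,OtherMDM
C0NSTRUCT06,26.0,organization,ADE,,false,true,OtherMDM
C0NSTRUCT07,26.0,organization,ADE,,false,false,Apple Business Essentials
"""

def blockers(row, today):
    """Return the reasons a device cannot migrate without a wipe (empty list = eligible)."""
    reasons = []
    # Assumption: major versions later than 26 also qualify.
    if int(row["os_version"].split(".")[0]) < 26:
        reasons.append("OS below iOS/iPadOS 26")
    if row["ownership"].strip().lower() != "organization":
        reasons.append("not organization-owned")
    if row["enrollment"].strip().upper() != "ADE":
        reasons.append("not enrolled through ADE")
    added = row["configurator_added"].strip()
    if added and today - date.fromisoformat(added) < timedelta(days=30):
        reasons.append("Apple Configurator provisional period (30 days) still running")
    if row["shared_ipad"].strip().lower() == "true":
        reasons.append("Shared iPad")
    if row["return_to_service"].strip().lower() == "true":
        reasons.append("enrolled with is_return_to_service=true")
    if row["current_mdm"].strip().lower() == "apple business essentials":
        reasons.append("Apple Business Essentials is the current service")
    return reasons

def triage(csv_text, today):
    """Map each serial number to its list of blockers."""
    return {r["serial"]: blockers(r, today) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for serial, why in triage(SAMPLE_CSV, date(2026, 2, 1)).items():
        print(serial, "eligible" if not why else "not eligible: " + "; ".join(why))
```

Devices that report any blocker stay on the disenroll-and-enroll path in Phase 4, so their data backup from Phase 1 must be in place before they are moved.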
5. End-User Workflows
5.1 iOS and iPadOS Migration Steps
- Prompt: An alert appears prompting the user to migrate the device.
- Initiate: User clicks Start Enrollment.
- Settings Routing: The user is automatically navigated to the Settings App and receives a prompt to restart the device.
- Restart: User clicks Restart.
- Remote Management: Post restart, the user is navigated to the Remote Management screen.
- Confirm Enrollment: User clicks Enroll this iPhone (or Enroll this iPad).
- Execution: The system automatically disenrolls the device from the existing device management service and enrolls it into Hexnode.
6. Outcome
Upon successful completion of the migration process, the device will be enrolled as supervised and successfully added to Hexnode’s device management server.
