How to migrate iOS devices from another MDM to Hexnode?

Migrating your devices from one MDM solution to the other can be a painful task if you don’t have proper planning. When making the switch, you need to prepare and outline an action plan for the migration process. This guide will provide necessary information to achieve a smooth transition of your iOS devices to Hexnode.

Migration steps

Here are the steps you should follow to migrate iOS devices from another solution to Hexnode UEM without disrupting the end users:

1. Remove assets from current MDM and back up required data.
2. Create DEP and VPP accounts (if your organization doesn’t have one).
3. Migrate certificates and tokens to Hexnode UEM.
4. Sync users from directory services to Hexnode UEM.
5. Disenroll devices from current MDM.
6. Enroll devices into Hexnode UEM.

Step-1: Remove assets from current MDM and back up required data

Delete the DEP and VPP accounts configured in the current MDM. Before removing assets from the current MDM, decide what all data need to be exported. If the current MDM supports data exporting, download details like device inventory and user details which may come to use during the process of enrollment with Hexnode UEM.

You’ll have to wipe all the content from the devices before enrollment. Prior to doing so, store required data to your preferred cloud storage service.

Step-2: Create DEP and VPP accounts

If your organization haven’t enrolled to Apple Business Manager this is the right time to sign up. Go to https://business.apple.com/ and enroll your organization. Device Enrollment Program and Volume Purchase Program are seamlessly integrated into Apple Business Manager.

Step-3: Migrate certificates and tokens to Hexnode UEM

APNs certificate

Create a new Apple Push Notification service certificate and add it to your Hexnode UEM portal. APNs certificate is required for Apple devices to communicate with MDM. So, this is a mandatory step.

• Download the self-signed certificate from the Hexnode UEM portal.
• Go to Apple Push Certificates Portal, upload the self-signed certificate and download the APNs certificate generated by Apple.
• Upload the APNs certificate back to the Hexnode UEM portal.

If your organization is already using DEP and VPP with the current MDM, you can continue using the services with Hexnode UEM. Move DEP and VPP tokens to Hexnode UEM. Your DEP token is a record of your organization’s devices and your VPP token keeps track of all app purchases.

DEP server token

In your DEP portal, create a new MDM server for Hexnode and move all the devices from the previous MDM server to the newly created Hexnode UEM server.

• Create a new MDM server in Apple Business Manager using the public key downloaded from your Hexnode UEM portal.
• Get the server token and upload it to your Hexnode portal to link Hexnode and DEP.
• Create a DEP profile in Hexnode which need to be applied during the DEP configuration.
• Assign your DEP devices to the Hexnode UEM server.

VPP token

Revoke all app licenses and remove any of the previous VPP tokens from the current MDM. Link your VPP account with Hexnode UEM.

• Download a new VPP token.
• Configure VPP in Hexnode by uploading this token and Save.
• Check reclaim licenses to revoke all the app licenses used with the previous MDM and use them with Hexnode UEM.

Step-4: Sync users from directory services to Hexnode UEM

You can sync the users from various directory services such as Active Directory (AD), Microsoft Entra ID and Google Workspace (G Suite) to the MDM console.

Unbind your current MDM vendor from the directory services and configure Hexnode UEM with them.

1. Active Directory
   • Configure Active Directory settings under the Admin tab to get the users synced from the AD account to the Hexnode portal.
2. Microsoft Entra ID
   • Configure Microsoft Entra ID under Admin tab to get the users synced from the Microsoft Entra ID account to the Hexnode portal.
3. Google Workspace (G Suite)
   • Configure G Suite under Admin tab to get the users and user groups synced from the Google Workspace (G Suite) account to the Hexnode portal.

Step-5: Disenroll devices from current MDM

Disenroll all devices from the current MDM. This can be done in two ways:

• Push a disenroll action from the previous MDM console.
• To manually remove management without erasing the devices, take devices one-by-one, go to Settings > General > Profile and device management and remove the MDM enrollment profile. This doesn’t work if the MDM profile was set up as non-removable.

Step-6: Enroll devices into Hexnode UEM

There are different modes of enrollment. Choose the one that’s best suited for you.

Automatic enrollment via Apple DEP

Use DEP enrollment for eligible devices. If you haven’t assigned devices to the Hexnode UEM server you have created, assign them by providing serial number, order number or uploading a CSV file containing the serial numbers of all devices. Devices will automatically enroll upon their initial set up.

Apple Configurator enrollment

Use Apple Configurator to enroll iOS devices to Hexnode UEM. The devices can also be manually added to DEP regardless of how or from where it is purchased. When you boot up the device, the MDM enrollment configuration will get automatically deployed to the device.

Bulk enrollment with CSV import

Use the device and user details downloaded in Step-1 to enroll devices in bulk.

• Bulk user import – Send enrollment instructions to users in bulk via email by uploading the user details as a CSV file.
• Pre-approved enrollment – Bulk import a list of devices based on their serial numbers via a CSV file. You can proactively assign device management policies to these devices and the policies automatically take effect upon enrollment.

Self-enrollment

Users can enroll with their AD credentials or usernames and passwords set in the portal.

Open enrollment

Users can enroll devices without authentication. Only the enrollment URL is needed.

Email/SMS enrollment

Users will receive an enrollment request via email or SMS which contains the enrollment URL, username and password.