Jamf to Hexnode Migration Guide for Apple and Cross-Platform Management
A comprehensive enterprise migration framework for transitioning from Jamf Pro to Hexnode UEM. This guide helps organizations migrate Apple-centric device management environments into a unified endpoint management strategy supporting macOS, iOS, Windows, Android, and BYOD devices.
Why Organizations Are Migrating
Many enterprises initially adopt Jamf for Apple-focused management but later require broader, cross-platform capabilities. Organizations commonly migrate to Hexnode to:
- Consolidate Apple and non-Apple device management
- Reduce operational complexity
- Eliminate multiple management consoles
- Improve visibility across all endpoints
- Simplify compliance management
- Standardize automation workflows
- Support mixed-device environments
Before You Begin: Prerequisites
Before initiating the migration, ensure you have gathered the following:
- Administrative access to both Jamf and Hexnode
- Device inventory exports
- Apple Business Manager (ABM) access
- Existing policy documentation
- Script repositories
- Extension attribute inventory
- Compliance and restriction documentation
- Application deployment inventory
Understanding the Migration Strategy
Apple-First to Unified Endpoint Management Transition
Organizations migrating from Jamf typically shift their operational models:
| Existing State (Jamf) | Target State (Hexnode) |
|---|---|
| Apple-only management | Unified endpoint management |
| Separate UEM tools | Single management console |
| macOS-centric workflows | Cross-platform workflows |
| Apple-specific compliance | Unified compliance posture |
| Fragmented reporting | Centralized visibility |
Recommended Migration Model
For most enterprises, a phased coexistence approach minimizes disruption:
- Assessment & Cleanup (Jamf Environment)
- Hexnode Parallel Deployment
- Pilot Migration
- Department-wise Rollout
- Unified Policy Validation
- Jamf Decommissioning
Phase 1 – Environment Assessment
Identify all Apple management dependencies currently handled through Jamf.
1.1 Export Device Inventory
Export all managed Apple device information. Ensure you capture the following critical fields:
| Category | Details |
|---|---|
| Device identity | Serial number, UDID |
| Ownership | Corporate or BYOD |
| Platform | macOS, iPhone, iPad |
| Enrollment method | ADE, user enrollment |
| Assigned user | Email and department |
| Compliance status | Current device posture |
1.2 Review Apple Business Manager Integration
Validate your ABM integration, which is central to migration planning:
- ADE (Automated Device Enrollment) assignments
- VPP (Volume Purchase Program) token status
- Managed Apple IDs
- Device supervision status
- Enrollment synchronization
1.3 Analyze Existing Policies
Review all current Jamf policies and restrictions. Common categories include:
- Password enforcement
- FileVault management
- Gatekeeper settings
- Firewall enforcement
- Software update policies
- Restrictions
- Login window customization
- Privacy preferences policy control (PPPC)
1.4 Compliance Policy Mapping
Map your existing Jamf workflows to their Hexnode equivalents. Ensure all security baselines remain consistent post-migration.
| Jamf Configuration | Hexnode Equivalent |
|---|---|
| FileVault enforcement | Disk encryption policies |
| Password policies | Passcode policies |
| macOS restrictions | Device restrictions |
| Patch management workflows | Patch management policies |
| Compliance reporting | Compliance monitoring |
1.5 Extension Attributes Mapping
Jamf Extension Attributes often contain critical custom logic. Export all attributes, remove deprecated logic, and rebuild required workflows in Hexnode.
| Jamf Extension Attributes | Hexnode Equivalent |
|---|---|
| Custom inventory attributes | Custom device attributes |
| Script-generated reporting | Script-based inventory collection |
| Compliance extensions | Automated compliance checks |
| Custom reporting fields | Device metadata and reporting |
Important: Some extension attributes rely on Jamf-specific APIs or script paths and will require redesigning for Hexnode.
1.6 macOS Scripting Assessment
Review all existing shell scripts, post-enrollment automations, login scripts, software deployment scripts, and compliance/inventory scripts.
| Jamf Capability | Hexnode Equivalent |
|---|---|
| Shell script deployment | Script execution policies |
| Automated remediation | Automated actions |
| Post-enrollment workflows | Enrollment automation |
| Device customization | Policy-based configuration |
Action items for scripts: Categorize by business function, remove obsolete automation, validate dependencies, and test execution thoroughly in Hexnode.
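One way to find the Jamf-specific dependencies mentioned in 1.5 and 1.6 before any script is redeployed. This is an added example, not code from Jamf or Hexnode; the category names, the pattern table and the sample scripts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Jamf or Hexnode code). Patterns are assumptions based on
# common Jamf scripting conventions; extend the table for your own repository.
# Note: jamf-param also matches awk field references such as $4; review by hand.

# scan_jamf_deps DIR -> one line per hit: category<TAB>file:line:text
scan_jamf_deps() {
    while read -r category pattern; do
        [ -n "$category" ] || continue
        grep -rnE -e "$pattern" "$1" 2>/dev/null |
            awk -v c="$category" '{ print c "\t" $0 }'
    done <<'EOF'
jamf-binary (^|[^[:alnum:]_])jamf[[:space:]]+(recon|policy|displayMessage|manage|removeFramework|setComputerName)
jamf-path Support/JAMF|/usr/local/jamf/|jamfHelper
jamf-param \$([4-9]|\{([4-9]|1[01])\})
ea-result <result>
jamf-api JSSResource|jamfcloud\.com
EOF
}

# count_findings DIR CATEGORY -> number of hits in that category
count_findings() {
    scan_jamf_deps "$1" | awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# make_sample DIR: write three constructed scripts (not from any real repository)
make_sample() {
    cat > "$1/ea_uptime.sh" <<'EOF'
#!/bin/sh
echo "<result>$(uptime | cut -d, -f1)</result>"
EOF
    cat > "$1/rename.sh" <<'EOF'
#!/bin/sh
prefix="$4"
/usr/local/bin/jamf setComputerName -name "${prefix}-$(hostname -s)"
/usr/local/bin/jamf recon
EOF
    cat > "$1/portable.sh" <<'EOF'
#!/bin/sh
softwareupdate --list
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample "$tmp" && scan_jamf_deps "$tmp"; rm -rf "$tmp"
elif [ -n "${1:-}" ]; then
    scan_jamf_deps "$1"
fi
```

Scripts with no hits are candidates for direct reuse; scripts with jamf-binary or ea-result hits need their inventory-update and output logic redesigned for the new platform.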
Phase 2 – Unified Management Planning
Establish Hexnode alongside Jamf before executing a large-scale migration.
2.1 Parallel Deployment Strategy
A coexistence period is strongly recommended.
- Pilot coexistence: Best for initial validation.
- Department-based rollout: Best for structured enterprise migration.
- Platform-based transition: Best for gradual UEM consolidation.
2.2 Identity Integration
Configure and validate your identity providers (Entra ID, Okta, Google Workspace, Active Directory) in Hexnode. Verify SSO workflows, user provisioning, group synchronization, and RBAC mappings.
2.3 Certificate and Token Planning
Review APNs certificates, VPP tokens, SCEP configurations, PKI infrastructure, Wi-Fi certificates, and VPN certificates.
Important: Expired Apple-related certificates are one of the most common migration blockers. Ensure all are up to date before proceeding.
Phase 3 – Migration Execution
Actively migrate devices from Jamf to Hexnode.
3.1 ADE (Automated Device Enrollment) Migration
- Assign devices to the Hexnode MDM server in Apple Business Manager.
- Remove old MDM profiles.
- Re-enroll devices.
- Reapply configuration profiles.
- Validate supervision status, ADE synchronization, and Activation Lock handling.
3.2 macOS Device Migration
- Remove the Jamf management profile.
- Enroll the device into Hexnode.
- Reapply restrictions, policies, and redeploy applications.
- Validate FileVault status, Wi-Fi/VPN connectivity, PPPC configurations, and compliance reporting.
3.3 iPhone and iPad Migration
- Reassign ADE ownership.
- Remove the old MDM profile.
- Re-enroll through Hexnode.
- Reassign VPP applications.
- Validate supervised restrictions.
3.4 Application Migration
Export your current catalog (VPP apps, PKGs, internal apps, SaaS launchers) and remove unused software. Validate installation methods, recreate deployment groups in Hexnode, and reapply managed app configurations.
Phase 4 – Validation and Optimization
- Compliance Validation: Check FileVault enforcement, password compliance, firewall status, and patch compliance.
- Reporting Validation: Verify inventory reporting, compliance dashboards, and device health monitoring.
- User Experience Testing: Validate enrollment experience, login workflows, VPN connectivity, and self-service functionality.
- Unified Management Validation: Ensure macOS, iOS/iPadOS, Windows, Android, and BYOD endpoints are effectively managed centrally.
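A device-side check for the macOS validation items in 3.2 and Phase 4, written as an added example rather than vendor tooling. It assumes the status strings printed by recent macOS releases for fdesetup, spctl, socketfilterfw and profiles; the control names and snapshot file format are invented for this illustration.

```shell
#!/bin/sh
# Added example (not vendor code): snapshot a Mac's security posture before the
# Jamf profile is removed and again after Hexnode enrollment, then list every
# control that was on before and is not on afterwards.

# state_of TEXT -> on | off | unknown. The matched strings are the status lines
# printed by recent macOS releases (assumption: adjust if your OS differs).
state_of() {
    case $1 in
        *"FileVault is On"*|*"assessments enabled"*|*"Firewall is enabled"*|*"MDM enrollment: Yes"*) echo on ;;
        *"FileVault is Off"*|*"assessments disabled"*|*"Firewall is disabled"*|*"MDM enrollment: No"*) echo off ;;
        *) echo unknown ;;
    esac
}

# posture_snapshot -> control=state lines (macOS only; some checks may need root)
posture_snapshot() {
    echo "filevault=$(state_of "$(fdesetup status 2>&1)")"
    echo "gatekeeper=$(state_of "$(spctl --status 2>&1)")"
    echo "firewall=$(state_of "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)")"
    echo "mdm_enrolled=$(state_of "$(profiles status -type enrollment 2>&1)")"
}

# posture_regressions BEFORE_FILE AFTER_FILE -> "control: on -> state" lines
posture_regressions() {
    while IFS='=' read -r control before; do
        after=$(sed -n "s/^$control=//p" "$2")
        if [ "$before" = on ] && [ "${after:-missing}" != on ]; then
            echo "$control: on -> ${after:-missing}"
        fi
    done < "$1"
}

# Usage on a Mac: sh posture.sh snapshot > before.txt   (pre-migration)
#                 sh posture.sh snapshot > after.txt    (post-enrollment)
#                 sh posture.sh diff before.txt after.txt
case ${1:-} in
    snapshot) posture_snapshot ;;
    diff)     posture_regressions "$2" "$3" ;;
esac
```

An empty diff means every control that was enforced under Jamf is still enforced; any line printed is a baseline regression to resolve before the device leaves the pilot group.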
Phase 5 – Jamf Decommissioning
Begin the controlled retirement of Jamf dependencies only after validation is fully complete.
- Disable Legacy Policies: Gradually retire Jamf policies, restrictions, patch workflows, and scripts.
- Remove Legacy Certificates: Retire old APNs certificates, VPP tokens, and SCEP/Wi-Fi configurations.
- Archive Historical Reporting: Export audit logs, archive compliance history, preserve inventory records, and retain licensing documentation before shutting down the Jamf instance.
Rollback Planning & Risk Management
Recommended Rollback Options
Always prepare a rollback strategy before production rollout.
| Migration Phase | Rollback Strategy |
|---|---|
| Pilot migration | Re-enrollment in Jamf |
| Department rollout | Scoped coexistence rollback |
| Production rollout | Parallel management recovery |
Downtime Expectations & User Impact
Users may experience application reauthentication, VPN reprovisioning, or device restart requirements.
| Platform | Typical User Impact |
|---|---|
| macOS | Low to medium |
| iPhone/iPad | Low |
| BYOD Apple devices | Medium |
Common Migration Failure Scenarios
- ADE Synchronization Delays: Caused by ABM sync latency. Prevention: Allow adequate sync time before testing enrollment.
- FileVault Reporting Mismatch: Caused by unvalidated encryption workflows. Prevention: Test reporting heavily during the pilot phase.
- Script Execution Failure: Caused by Jamf-specific dependencies. Prevention: Validate and rewrite scripts for Hexnode in advance.
- VPP Application Assignment Issues: Caused by licensing reassignment inconsistencies. Prevention: Validate VPP sync during pilot testing.
Risk Matrix
| Risk | Severity | Likelihood | Mitigation |
|---|---|---|---|
| ADE enrollment disruption | High | Medium | Pilot testing |
| FileVault reporting failure | Medium | Medium | Compliance validation |
| Script compatibility issues | Medium | High | Script testing |
| Inventory reporting gaps | Medium | Medium | Extension attribute audit |
| User disruption | Medium | Medium | Staggered rollout |
Recommended Enterprise Migration Strategy
For a successful transition in mixed-device enterprises:
- Start with Apple pilot groups.
- Simplify legacy Jamf workflows before moving them.
- Validate unified policy management.
- Introduce non-Apple device management gradually.
- Maintain coexistence temporarily.
- Delay Jamf decommissioning until a final audit is complete.