UEM Migration Strategy: Moving 500k+ Devices Without a Wipe
Transitioning a fleet of 500,000 or more devices from a legacy UEM (such as Intune, Workspace ONE, or Jamf) is a critical infrastructure operation. Historically, switching management platforms required a device wipe, leading to data loss and costly downtime. This blueprint defines a transition strategy that uses Hexnode Gateway for desktops and Automated Cloud Handover for mobile fleets, so that business operations continue without interruption.
Logical Architecture: The Hexnode Gateway
For macOS and Windows environments, Hexnode bypasses the need for factory resets and complex manual unenrollment by utilizing a device-level transition tool.
- The Hexnode Gateway Tool: Deployed digitally via your legacy UEM to remote devices. It acts as an autonomous local agent to handle the transition safely.
- The Handover (Profile Removal): The Gateway tool runs in the background and systematically removes the existing legacy MDM profile.
- The Claim (Hexnode Enrollment): Immediately after unbinding the legacy profile, the Gateway installs the Hexnode UEM profile. This secures the device under Hexnode’s policies without user interaction.
Mobile Platforms: Cloud Handover
Because mobile operating systems (iOS and Android) have strict kernel-level sandboxing, corporate-owned mobile devices rely on Vendor Redirection rather than a local gateway tool.
- Apple ADE (Automated Device Enrollment): Move your ADE server tokens to Apple Business Manager (ABM). Devices are reassigned to the Hexnode server and enroll automatically upon their initial setup.
- Android ZTE & Samsung KME: Update the Zero-Touch Enrollment portal or Knox Mobile Enrollment portal with your new Hexnode configuration.
Execution Logic: The 4-Phase Migration
Phase 1: Ecosystem Preparation
Before moving any devices, your infrastructure must be prepped to receive the fleet.
- Directory Sync: Integrate Microsoft Entra ID, Google Workspace, or Active Directory to map user hierarchies for automated assignment.
- Token Migration: Migrate Apple APNs certificates, ABM tokens, and Android Enterprise configurations to the Hexnode portal.
- Policy Staging: Pre-configure compliance rules, Wi-Fi payloads, and required apps in Hexnode to ensure immediate productivity upon enrollment.
Phase 2: Gateway Deployment
Use your legacy UEM to distribute the Hexnode Gateway application to all target macOS and Windows endpoints.
Phase 3: The Seamless Takeover
- The Hexnode Gateway executes locally, stripping the old management profile and silently applying the new Hexnode configuration.
- User data, installed applications, and local OS configurations remain 100% intact.
Phase 4: Verification & Decommissioning
- Audit Compliance: Cross-reference Hexnode enrollment reports with device exports from your legacy UEM to catch any stragglers.
- Legacy Scrubbing: Once the fleet is confirmed active and compliant in Hexnode, safely unsubscribe and decommission the legacy UEM tenant.
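
One way to run the Audit Compliance cross-reference, as an added example that is not Hexnode's own tooling: it reconciles the two exports by serial number and gates decommissioning on the result. The CSV column names (`serial`, `enrollment_status`, `compliant`) and the sample rows are constructed assumptions; map them to the headers of your real exports.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not vendor schemas.
LEGACY_EXPORT = """serial,device_name,platform
C02XK1ABCD01,fin-mac-01,macOS
 c02xk1abcd02 ,fin-mac-02,macOS
PF3A9Q11,ops-win-07,Windows
PF3A9Q12,ops-win-08,Windows
"""
HEXNODE_REPORT = """serial,enrollment_status,compliant
C02XK1ABCD01,Enrolled,yes
C02XK1ABCD02,Enrolled,no
PF3A9Q11,Pending,no
ZZ9UNKNOWN1,Enrolled,yes
"""

def load(text):
    """Index rows by normalized serial; exports differ in case and padding."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        serial = (row.get("serial") or "").strip().upper()
        if serial:  # rows without a serial cannot be matched
            rows[serial] = row
    return rows

def flag(row, column, expected):
    """Case- and whitespace-insensitive comparison of one column value."""
    return (row.get(column) or "").strip().lower() == expected

def reconcile(legacy_text, hexnode_text):
    legacy, new = load(legacy_text), load(hexnode_text)
    enrolled = {s for s, r in new.items() if flag(r, "enrollment_status", "enrolled")}
    return {
        # Still in the legacy inventory but not enrolled in the new tenant.
        "stragglers": sorted(set(legacy) - enrolled),
        # Migrated, but not yet meeting the staged compliance rules.
        "noncompliant": sorted(s for s in enrolled & set(legacy)
                               if not flag(new[s], "compliant", "yes")),
        # Present in the new tenant with no legacy record: review before trusting.
        "unexpected": sorted(set(new) - set(legacy)),
    }

def safe_to_decommission(result):
    """Gate for Legacy Scrubbing: every legacy device enrolled and compliant."""
    return not result["stragglers"] and not result["noncompliant"]

if __name__ == "__main__":
    result = reconcile(LEGACY_EXPORT, HEXNODE_REPORT)
    print(result, "safe to decommission:", safe_to_decommission(result))
```

Devices in the `unexpected` bucket do not block decommissioning, but each one is an enrollment with no record in the source inventory and should be traced to an owner.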
Scale Impact & ROI
| Metric | Traditional Migration | Hexnode Gateway Migration |
|---|---|---|
| User Data | Wiped clean | 100% Preserved |
| Deployment Method | Manual, one-by-one setup | Automated, bulk execution |
| Location Flexibility | Requires physical IT access | Fully remote and cloud-based |
| Security Status | Prolonged management gap | Immediate transition to new policies |
Implementation Checklist
- Audit existing device inventory and export legacy records.
- Sync Directory Services (Entra ID, Google Workspace, AD) in Hexnode.
- Generate a new APNs certificate and migrate Apple ADE/VPP tokens.
- Configure Android Enterprise, Samsung KME, and Android ZTE portals.
- Deploy Hexnode Gateway via the legacy UEM for desktop fleets.
- Verify endpoint compliance before decommissioning the old system.