Migrating Supervised iPhones Between MDMs (ABM/ADE) — Zero‑Drama Runbook

Updated by Satish Shetty

Applies to: iPhone/iPad that are corporate‑owned, supervised, and listed in Apple Business Manager (ABM) with Automated Device Enrollment (ADE). Scenarios covered: AirWatch → Intune, Jamf ↔ Intune, Any MDM → Codeproof, and vice‑versa.

TL;DR: You cannot switch MDMs without an erase on supervised ABM devices. Server reassignment in ABM only takes effect on next activation. Plan a staged, factory‑reset migration with a data‑preservation path.

Key facts you must know

  • Reassignment timing: Changing the MDM server in ABM takes effect after the device is erased and re‑activated (Setup Assistant). Until then, the current MDM stays in control.
  • Unenroll behavior: If your current MDM profile is set as non‑removable (common for supervised devices), removing it may be blocked or may trigger a wipe—by design.
  • No dual MDM: iOS/iPadOS cannot be enrolled in two MDMs simultaneously.
  • Data strategy matters: Choose encrypted Finder/iTunes backup or Quick Start to preserve user data and speed the cutover.
  • Note for Codeproof customers: for Any MDM → Codeproof, replace “destination MDM” with Codeproof in the steps below and ensure your Codeproof ABM Server Token and VPP (Apps & Books) token are active in the Codeproof portal.

Prerequisites checklist

  • Devices are in ABM (Apple Business Manager) and show as Supervised.
  • You have Admin access to:
      o ABM → MDM Servers (to reassign devices)
      o Destination MDM (Intune/Codeproof/Jamf) to configure ADE profiles
      o Source MDM (to coordinate wipes/retire actions if required)

  • Apple Push Certificate in destination MDM is valid ≥ 12 months.
  • Apps & Books (VPP) token is added to the destination MDM; required apps are synced and assignable.
  • Plan for Activation Lock (clear or have MDM bypass codes) and eSIM re‑provisioning with your carrier if applicable.

Phase 1 — Prepare destination MDM

1.      Create an ADE profile in the destination MDM (Supervised; MDM profile non‑removable).

2.      Sync Apps & Books (VPP) apps: Company Portal/Authenticator/Outlook, VPN, security tools, etc.

3.      Test with a pilot group (3–5 devices) end‑to‑end: backup → erase → ADE enroll → app reinstall → restore data.

Phase 2 — Reassign devices in ABM

1.      In ABM → Devices, select target serials.

2.      Edit Device Management → choose the destination MDM server.

3.      Confirm the inventory now shows the new MDM server for those serials.

Nothing changes on devices until they’re erased.

Phase 3 — Data preservation (pick one)

  • Option A: Encrypted Finder/iTunes backup (recommended)
      o On a Mac/PC, open Finder/iTunes → select Encrypt local backup → Back Up Now.
      o Encryption preserves keychain, Wi‑Fi, and more; you’ll need the device passcode.
      o After migration, restore from this backup.
  • Option B: Quick Start (device‑to‑device)
      o Use Apple’s Quick Start to transfer data before activation completes on the target. ADE enrollment still applies at first activation.
  • Option C: Temporary iCloud backup
      o Enable iCloud backup for the migration window only; restore post‑enrollment; disable it afterwards if you don’t want ongoing iCloud costs.

Phase 4 — Erase & re‑enroll

1.      Disable Find My (if required by your policy) and sign out of personal Apple ID as needed.

2.      Erase All Content and Settings (Settings → General → Transfer or Reset iPhone → Erase All…).

3.      Walk through Setup Assistant. The device will auto‑enroll to the destination MDM via ADE.

4.      Restore data (encrypted local backup / Quick Start / iCloud).

5.      Verify required managed apps and profiles install from the destination MDM.

Phase 5 — Post‑cutover validation

  • Confirm: device shows in destination MDM, compliance policies apply, certificates/VPN/Wi‑Fi profiles deployed.
  • Verify app access (email, SSO, VPN) and any per‑app VPN/Intune app protection policies (if applicable).

User communication template (email/Slack)

Subject: Your iPhone is moving to our new device management

Hi team,

We’re upgrading our iPhone management system. Your device will be moved to our new MDM in a short appointment (~20–30 minutes). What you’ll do:

1)      Encrypted backup to a company Mac/PC (we’ll help).

2)      We’ll erase the device and walk you through setup.

3)      Your phone will auto‑enroll to the new MDM and we’ll restore your backup.

4)      Company apps will reinstall automatically.

Please bring your iPhone, passcode, and charger. If you use eSIM, bring your carrier QR or credentials. Questions? Reply here.

Thanks!

Common gotchas & how to handle them

  • Activation Lock: Remove via Apple ID, ABM, or use the MDM Activation Lock bypass (if previously escrowed). Handle before erase to avoid delays.
  • eSIM: Some carriers auto‑reprovision after restore; others require a new QR/activation. Confirm carrier process in advance.
  • Non‑removable profile: Expected on supervised devices. Don’t try to remove; proceed with erase + ADE.
  • Managed app data: Data tied to source‑MDM‑only apps usually won’t migrate. Re‑deploy equivalents from the destination MDM.
  • Certificates/VPN: Assume they won’t survive restore; let the destination MDM re‑issue them.

Variations & special cases

  • Personal/BYOD → Corporate: If devices are not supervised/ABM‑owned, consider User Enrollment as an interim step. For corporate ownership, prefer erase + ADE to establish supervision and non‑removable management.
  • Shared devices / kiosk: Build destination MDM blueprints/profiles first; test app auto‑launch, single‑app mode, and network profiles before mass cutover.

Rollout sizing suggestions

  • Waves of 20–50 devices with 1–2 “migration stations” (Mac/PC + powered USB hub).
  • Target ~30 minutes per device (backup + erase + setup + restore), overlapping tasks across stations.
  • Keep a tracking sheet with: user, serial, backup done, erased, enrolled, restored, validated.
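As an added example (not part of the original runbook), a small Python check over the tracking sheet described above: it enforces the runbook's ordering rules, in particular that a device is never erased before its ABM server is reassigned (it would re‑activate into the source MDM), before its backup is taken, or with Activation Lock still set. Column names, the CSV layout and the serials are constructed placeholders.

```python
"""Sanity-check a migration tracking sheet against the runbook's ordering rules.
Added example, not the runbook's own tooling; column names and serials are placeholders.
"""
import csv
import io

# Tracking-sheet columns, in runbook order.
STEPS = ["abm_reassigned", "backup_done", "erased", "enrolled", "restored", "validated"]

# Hard gates: a step may only be ticked once every listed prerequisite is ticked.
# Erasing before ABM reassignment re-activates the device into the SOURCE MDM;
# erasing before backup loses user data; erasing with Activation Lock set stalls Setup Assistant.
REQUIRES = {
    "erased": ["abm_reassigned", "backup_done", "activation_lock_cleared"],
    "enrolled": ["erased"],
    "restored": ["enrolled"],
    "validated": ["restored"],
}

# Constructed sample sheet for the demo (placeholder users and serials, not real inventory).
SAMPLE_SHEET = """\
user,serial,abm_reassigned,backup_done,activation_lock_cleared,erased,enrolled,restored,validated
alice,SERIAL-PLACEHOLDER-1,yes,yes,yes,yes,yes,yes,yes
bob,SERIAL-PLACEHOLDER-2,no,yes,yes,yes,no,no,no
carol,SERIAL-PLACEHOLDER-3,yes,no,yes,yes,yes,no,no
dave,SERIAL-PLACEHOLDER-4,yes,yes,no,no,no,no,no
"""


def rows(sheet_text):
    """Parse the CSV sheet into one dict per device."""
    return list(csv.DictReader(io.StringIO(sheet_text)))


def ticked(row, column):
    """Treat yes/y/true/1/x (any case) as a completed checkbox; anything else as not done."""
    return row.get(column, "").strip().lower() in {"yes", "y", "true", "1", "x"}


def check_row(row):
    """Return the gate violations for one device (empty list = consistent)."""
    problems = []
    for step, prereqs in REQUIRES.items():
        if ticked(row, step):
            missing = [p for p in prereqs if not ticked(row, p)]
            if missing:
                problems.append(f"{step} ticked before {', '.join(missing)}")
    return problems


def audit(sheet_text):
    """Map serial -> violations for every device whose row breaks a gate."""
    return {r["serial"]: check_row(r) for r in rows(sheet_text) if check_row(r)}


def next_step(row):
    """First unticked step in runbook order, or None once the device is validated."""
    return next((s for s in STEPS if not ticked(row, s)), None)
```

Run `audit(SAMPLE_SHEET)` at each wave boundary; any serial it reports should be pulled from the station queue until the sheet is corrected.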

Success checklist (per device)

☐      ABM server reassigned to destination MDM

☐      Encrypted local backup or Quick Start completed

☐      Erase performed

☐      ADE auto‑enroll to destination MDM

☐      Restore complete

☐      Apps, Wi‑Fi, VPN, mail verified

☐      Activation Lock cleared / bypass used (if needed)

☐      eSIM confirmed working

FAQ

Q: Can we avoid the erase? A: Not for supervised ABM devices when changing MDMs. Reassignment only applies on next activation.

Q: Will users lose data? A: Use encrypted local backup or Quick Start to preserve user data/settings. Managed app data may be re‑pushed by the new MDM.

Q: Can we run two MDMs side‑by‑side? A: No. iOS supports a single MDM at a time.

Q: What about iPad or Apple TV? A: Same principles: ABM reassignment + erase + ADE enrollment.

Appendix — Codeproof specifics

  • In ABM → MDM Servers, create/locate Codeproof server and upload the latest Server Token from the Codeproof Portal.
  • Add your Apps & Books (VPP) token to Codeproof and sync required apps.
  • Create a Codeproof ADE profile (Supervised, non‑removable, Show/Skip Setup panes as desired).
  • After erase, devices will auto‑enroll to Codeproof during Setup Assistant; apps/configs will deploy automatically.

Need help? Contact Codeproof Support with your planned dates, number of devices, iOS versions, and carrier/eSIM details. We’ll review your profile settings and provide a tailored runbook.
