Over the past few years, the mobile device management (MDM) field has exploded into a multi-billion dollar IT business. Suddenly, organizations of all sizes are keenly aware of the management implications of owning Apple devices, and are now looking to have those devices meet the same standards as Windows devices. With the tech industry constantly evolving, and an organization’s needs always changing, there’s a good chance you won’t stay with one single MDM vendor forever. And when you move, the process can be painful and soul-crushing. It’s called vendor lock-in. What are some things to look out for? How can you work around limitations between providers? Do you really need to wipe all of the devices in your environment?
Here are 10 specific questions to ask yourself when moving to a new MDM vendor. These are critical to consider in order to save time—and your sanity—during what is all too often rightfully perceived as a huge undertaking.
1. Logistically, how am I going to get user devices enrolled into my new solution?
Many environments now leverage the Apple Device Enrollment Program (DEP) and MDM to automatically enroll and configure new devices without requiring hands-on support from IT. When using DEP, you will need to log into the portal and move each device to the new solution. Keep in mind that this process can take a good bit of time. And, while these changes propagate through Apple servers fairly quickly, the process isn’t instant and can require patience.
2. For unsupervised devices, do I plan on using Apple Configurator to migrate devices between MDM vendors?
Apple Configurator can back up devices, restore devices, add manual profiles (such as those that join a wireless network), and add enrollment profiles on devices (files that join a device into an MDM vendor). And, for fans of scripting, the Apple Configurator 2 release introduced the ability to script Apple Configurator. In short, Apple Configurator is a must for practically any migration!
3. Do I need to wipe the devices?
iOS devices can be “supervised.” When supervised, administrators of an MDM solution control more settings and can leverage Apple services, such as the Volume Purchase Program (VPP) for businesses or Apple School Manager for schools. Supervision is enabled through Apple Configurator or using DEP along with an MDM solution. Moving a device between MDM vendors, or from a supervised to an unsupervised state, usually means wiping the device. This is a labor-intensive and expensive process, often taking half an hour to an hour per device. However, these migrations can be performed in parallel.
4. Do I have to unenroll devices from an old MDM server to enroll devices into the new MDM server?
Moving to a new MDM vendor usually requires moving to a server with the same vendor. This process ensures access to certificates that are used to secure communications between an iOS device, Apple and an MDM server. If you can get certificates migrated and get device data into the new service, you would likely then need to redirect the names of the servers, using a 307 DNS redirect. All of these steps seem unlikely unless you use the same vendor (e.g. migrating from Jamf Now to Jamf Pro).
5. Do I put data on devices with my MDM solution?
Pushing profiles to devices using an MDM solution means that you are often pushing email accounts and apps to a device. When a mail profile is removed from a device, all mail downloaded to the account that was installed based on the settings in that profile is also removed from the device. This means that each Apple device will resynchronize mail with Microsoft Exchange and Internet Message Access Protocol (IMAP) servers once the new account is applied to the device(s). Users of IMAP and Exchange should not lose data, as the data is on the server, but this will be a potential annoyance to end users and often generates additional network traffic as all mail is cached to all devices again. The same is true of apps that allow people to access data, such as Dropbox and Box.
6. Do I push apps to devices using VPP?
VPP uses a token to establish communication, and therefore to synchronize apps between an MDM server and Apple. When you install a token on some MDM servers, the server then takes over the apps for the VPP account, potentially removing all apps from other MDM servers. This behavior is a choice made by the MDM vendor, whether or not it is exposed to administrators of the MDM server. If you’re not ready for the possibility that an MDM server removes apps from devices that might still be enrolled in an old MDM vendor, you may be in for a surprise.
7. Do I need my new MDM vendor to support the same features as my old MDM vendor?
Not all MDM vendors have the same features. Look at all of the options you use and make sure that they’re supported by the new solution. This includes each option in a management profile, such as specific passcode enforcement policies, as well as each feature. For example, does the solution support iPad-only apps? Does the solution support business-to-business apps? Obviously, if you don’t use these features you won’t need them; however, make sure to look at every single feature you use, and find a viable alternative if the feature you need isn’t supported on the new solution.
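One way to make the feature-parity check above concrete is to export the configuration profile from the old MDM and the equivalent profile built on the new MDM, then diff the payloads setting by setting. This is an added example, not code from the original post or from any MDM vendor; the two profiles are constructed inline (using real Apple payload keys for the passcode and Wi-Fi payloads) and the script assumes one payload per PayloadType.

```python
import plistlib

# Keys that legitimately differ between vendors and are not settings.
IGNORE_KEYS = {"PayloadUUID", "PayloadIdentifier", "PayloadDisplayName",
               "PayloadOrganization", "PayloadDescription"}


def payloads_by_type(profile_bytes):
    """Index every payload in an exported .mobileconfig by its PayloadType
    (assumes one payload per type, which holds for most management profiles)."""
    profile = plistlib.loads(profile_bytes)
    return {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}


def compare_profiles(old_bytes, new_bytes):
    """Return {payload_type: {key: (old_value, new_value)}} for every setting
    that differs or is missing on the new MDM; an absent payload is reported
    as ("present", "missing"). An empty dict means full parity."""
    old, new = payloads_by_type(old_bytes), payloads_by_type(new_bytes)
    report = {}
    for ptype, old_payload in old.items():
        new_payload = new.get(ptype)
        if new_payload is None:
            report[ptype] = {"<payload>": ("present", "missing")}
            continue
        diffs = {}
        for key in set(old_payload) | set(new_payload):
            if key in IGNORE_KEYS:
                continue
            if old_payload.get(key) != new_payload.get(key):
                diffs[key] = (old_payload.get(key), new_payload.get(key))
        if diffs:
            report[ptype] = diffs
    return report


def _profile(*payloads):
    """Build a minimal .mobileconfig (XML plist bytes) from payload dicts."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadContent": list(payloads)})


# Constructed samples: the old vendor enforced an 8-character passcode with
# 90-day expiry and pushed a Wi-Fi payload; the new vendor's closest profile
# only allows a 6-character minimum, has no expiry and lacks Wi-Fi entirely.
OLD_PROFILE = _profile(
    {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "PayloadUUID": "old-1",
     "forcePIN": True, "minLength": 8, "requireAlphanumeric": True,
     "maxPINAgeInDays": 90, "maxFailedAttempts": 10},
    {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "old-2",
     "SSID_STR": "corp", "EncryptionType": "WPA2"},
)
NEW_PROFILE = _profile(
    {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "PayloadUUID": "new-1",
     "forcePIN": True, "minLength": 6, "requireAlphanumeric": True,
     "maxFailedAttempts": 10},
)
```

Run `compare_profiles(OLD_PROFILE, NEW_PROFILE)` against real exports from both vendors; every entry in the report is a setting that needs a documented alternative before the cutover.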
8. Do I use directory services and APIs?
The devil is often in the really technical details. Are you using a directory service like Microsoft’s Active Directory to host credentials and network information that your server communicates with? If so, you need to configure that, and any other areas of your ecosystem, on the new MDM service. Do you have scripts that communicate with an API on an MDM solution? If so, you’ll need to make sure that those scripts can be rewritten, and then do so. Before you do a bunch of work, make sure that you aren’t complicating the architecture, and review the most time-intensive aspects of redoing your work for the new environment. This will save you time in the long run.
9. Is my MDM solution more than just an MDM solution?
Many MDM solutions also have apps that synchronize files (documents, media, etc.) between a server or cloud account and client computers. If you are using one of these and move to an MDM vendor that doesn’t have the ability to host and synchronize data, then you will want to have a viable alternative for that service, such as Box, Dropbox or Google Drive.
10. Do I think everything is going to go as planned?
Rarely do these migrations go exactly as planned. Prepare for as many scenarios as possible, but be ready for the possibility that there will be problems with the migration. And make sure that when you encounter these problems, you have plenty of time to update your project plan.
While moving from one MDM provider to another may seem like an overwhelming task, you’re not alone on your journey. JAMF Software provides Migration Services to help you accomplish your goals and ensure you’re checking each box—and answering each question—along the way.
Unburden yourself with the responsibility of making this transition on your own.