How to migrate into Jamf with Apple Business Manager Migration

Migrations of yesteryear

As a sales engineer at Jamf, I've had hundreds of conversations with IT admins across every industry and skill level.

No matter how experienced or capable they are, there's nothing more terrifying than the thought of having to factory reset their entire iOS fleet.

I get it. I've had my share of those conversations too, in a past life. There was typically some level of coaxing or handholding involved, but no matter what, it always required the user to spend a ton of time to get their apps, settings and data back to where they once were.

But wait . . . it gets better.

When user data, experience and productivity come into play, it adds a whole new layer of complexity to the decisions admins and organizational leaders face when considering a move to a new mobile device management (MDM) tool.

And when the choices were:

1. Erase device & lock in management
2. No erase & risk the device becoming unmanaged
3. Wait for __________ (next refresh cycle; more time to dedicate; Option D?)

...there was no right or wrong answer — especially when restoring user data wasn't an option.

What's an admin to do?!?! Where's the easy button?!

If you're a seasoned admin, you probably just chuckled to yourself: "There is no easy button in IT."

Well today, thanks to Apple's new migration capabilities and Jamf's support, there is.

Welcome to the new era of device migrations.

Apple's new tooling within Apple Business Manager (ABM) and Apple School Manager (ASM) for migrating devices from one MDM to another feels more like a miracle than a new feature.

After years of wiping devices, re-enrolling users and hand-holding teammates you barely knew, you can finally move your Apple fleet running OS26 without ruining anyone's day.

No factory reset. No Zoom calls. No tears. But before you click that "migrate" button, there are a few things to think about from an IT Admin perspective.

What about apps, you ask?

There's a very good chance your devices have a few apps pushed through the Apple Volume Purchase Program (VPP) and you've likely pushed out one or two configuration profiles.

Skeptical?

If you audibly scoffed at that, you're in good company with thousands of other orgs who have developed workflow after workflow to get their devices to the state they're in today — an easy button might sound too good to be true. But…

If you've ever dreamed of the day when you could:

• Migrate devices into Jamf seamlessly
• Preserve user data and apps
• Enforce meaningful deadlines
• Give users clear, intuitive guidance
• Keep profiles locked and compliant
• Do it all without disruption

That day is here.

But, like everything in IT, we need to plan, test and then ship.

So let's map out what success actually looks like for this new era of MDM migrations.

Requirements and limitations

To use this new feature within Apple Business Manager (ABM) or Apple School Manager (ASM) — collectively referred to as AxM — we need to first make sure we can check all the boxes:

• Devices are updated to iOS 26, iPadOS 26, or macOS 26
• Devices must be corporate-owned and in AxM
• iOS devices must have been enrolled into their current MDM using Automated Device Enrollment (ADE)
• Macs are added with ADE or with profile-based enrollment

Check out Apple's support page for specific requirements like Shared iPad or Apple Configurator.

For any devices that do not meet the requirements, we can help. Check out the FAQ section below for more information.

For Apple admins

• The AxM user needs to be an administrator, device enrollment manager or site manager (with Apple School Manager)
• You must have Jamf Pro 11.22 or later installed

Overview of the process

Now, let's take a peek at what this new flow entails.

1. Inventory devices
2. Verify device eligibility
3. Evaluate current configurations
4. Prepare your new environment
5. Test migration
6. Verify user workflow and experience
7. Post-migration validation

Phase one: plan and prep

There's that word again: Plan.

Let's reframe. You just bought a new house and you are super excited to move in. But first, you need to pack up all the stuff you want to take with you. Check the attic, basement, all the cabinets — and make sure you don't leave anything important behind.

Document current environment

1. Take inventory: Document all devices in inventory to determine eligibility: types, OS versions, current MDM enrollment method and ownership (org-owned or user-owned). It also doesn't hurt to snag serials or another unique identifier in case you need to exclude devices from this migration.
   Note: Some MDMs support exporting such data into a .csv, which makes this part much easier. I suggest checking if yours can do this; otherwise, hopefully you were a stenographer in a past life.
2. Verify eligibility: If all of your devices meet the requirements above, congrats! Skip to step three. If some don't, separate those out. They won't migrate with this flow.
   Note: Check the FAQ section below for what to do with ineligible devices.
3. Evaluate current configurations: Don't try to replicate the infrastructure; replicate the outcome.

All Apple MDMs use the same MDM framework, because that framework is built into the OS itself, not the MDM. However, not all MDM's implement every feature and they don't necessarily implement, name, or scope them in the same way. Think Reese's vs. Butterfinger: same basic ingredients, totally different experience.

• Document your current configurations, restrictions, policies and scripts — focusing on the outcomes you need to carry over.
• Pay close attention to Wi-Fi, VPN, email and certificates — these are business critical and missing any of them could be detrimental to your users' productivity and your mental health.
• Note how configurations are applied: static assignment, user-based, group-based, device-type, etc. Jamf's Smart Groups can make dynamic targeting way easier.
• Document all applications currently deployed and where they came from (VPP, App Store, packages, scripts)
• Jamf supports the option to preserve managed apps during migration. This ensures no data loss and a quicker migration because the device doesn't need to download previously installed managed apps.

Prepare your new environment

We have a lot of unpacking to do, and we don't want to forget to set up all our utilities. The last thing you want is to have everyone show up and you don't have heat or water.

If you want or need any help, talk to your account rep about our Professional Services. I promise, this isn't a pitch; we just want to make sure your foundation is solid.

There are a few basic setup steps that must be taken to make a seamless migration possible. However, there are hundreds, if not thousands, of ways to customize your server for your org-specific needs. For the sake of brevity, I will address the must-haves.

1. Configure your Apple MDM push certificate
2. Integrate with AxM for automated device enrollment
3. Integrate with AxM for Volume Purchasing (VPP) app deployment
4. Create your Smart Groups
5. Rebuild your configurations and don't forget to scope them to the corresponding Smart Group. Remember to focus on the outcomes, not the infrastructure
   For Mac-specific configurations, Configuration Profiles for Mac will handle most of it. Policies can help fill the gaps.
6. For iOS:
   Configuration Profiles for Mobile will define settings and restrictions; add managed apps allows your users to keep their apps and the data after migration
7. Create your PreStage enrollment

Important notes:

• PreStage enrollments must closely match the ones already on the device.
• Don't forget to scope the PreStage settings to devices, or they will not migrate. To do this, I recommend checking the box to "Automatically assign new devices." For other options, check the FAQ section below.
• iOS PreStage Enrollment: Be sure to check this box to keep those apps installed.
• Follow MacOS PreStage enrollment instructions.

You, my friend, are done with the hard stuff. Great work.

Phase two: test and validate

Ready to teleport your devices to Jamf? I am.

For this, make sure to test each type of device you plan to migrate once you're ready for the real thing.

Test the process

Migration: admin step-by-step flow

1. Choose devices to migrate.
2. Log in to AxM and select 'Devices' in the sidebar.
3. From here, you can select one device or multiple devices to migrate.
4. Then, choose 'Assign Device Management.'
   To migrate one device, click on the ellipses at the top right of the screen to reveal the 'Assign Device Management' button.

Note: devices ineligible for migration will be greyed out. More info in the FAQ section below.

To migrate multiple devices, you can:

1. Select multiple devices by holding the command key (⌘) while clicking on additional devices
2. Use the filter located above 'All Devices' in your device list to narrow your results based on type, eligibility, etc. This is useful for creating batches.
3. Select 'All Devices' at the top of your device list to migrate all devices (not recommended for large-scale deployments).

Select your Jamf instance and choose a deadline, then select 'Continue.'

Notes:

• Choose a deadline of more than one day but less than 90 days.
• If volume-purchased apps are part of the deployment, don't set a migration deadline greater than 30 days.

Read the dialog box and select 'confirm.'

Next up: Let's take a peek at the user experience.

End-user experience

As of October 2025, the following is the expected user experience. Do yourself a favor and read the dialog boxes before clicking any buttons.

Shortly after migration initiates in AxM, the user will receive an 'enrollment required' notification, letting them know that an enrollment change is required and when it must be completed. They can either start the enrollment right away or defer it until the deadline.

When the user chooses 'Start Enrollment,' they are guided through a very simple process (four clicks, including the "exit" button) that completes the migration.

If the user taps 'Not Now,' they'll get reminder prompts that become more frequent as the deadline approaches:

• More than one day out: one reminder per day
• Less than 24 hours but more than 1 hour: one reminder per hour
• Within the final hour: reminders at 60, 30, 10 and 1 minute before the deadline

If the user doesn't initiate enrollment before the deadline, the device is rendered useless until they complete the migration.

• For macOS: the user gets a full-screen, non-dismissible prompt that doesn't allow them to do anything other than hit the enroll button.

• For iOS: the device begins the enrollment change autonomously and reboots and waits for the user to click 'Enroll.'

Note: if the device was on a Wi-Fi network that was configured by the previous MDM and not deployed in the new PreStage, the end user will be asked to connect to a new wifi network during Setup Assistant.

Post-migration validation

As a final check, it's a good idea to verify that everything is where it should be.

• Choose 'devices or computers' from the sidebar >> 'search inventory' >> 'search' (top right). Verify all devices you migrated are displayed.
• Check app installation: if you took the time to add the apps, we want to make sure they're on the devices.

To do this you can:

• Check the device itself
• In Jamf Pro, go to 'Devices,' >> 'Mobile Device Apps.' Look for the "In Use" column

2. Check that configurations were deployed. To do this, log in to Jamf Pro >> 'Devices' >> 'Configuration Profiles' and check the 'Completed' column.

That's it. All done.

Phase three: go time

You made it! Now go bring the rest of your devices along the journey.

Summary

Apple's new migration flow makes moving your devices over to a new management and security platform, like Jamf, simple. With this newfound ease and ability to migrate, you might find yourself asking…

Why Jamf?

Jamf was built for Apple. Not adapted. Not "Apple compatible." We've been here since MDM was barely a thing, and our platform still leads the pack because we make managing Apple devices actually feel quite Apple-like.

Some quick highlights:

• True Zero-Touch Deployment: Purchase, ship and take a vacation: everything from account creation to role-specific apps and configurations deploy without an admin ever laying eyes on the device.
• Powerful automation: Spend more time AFK and let our Smart Groups remediate security events and apply policies, scripts and configurations automatically in your time of need to keep your users safe.
• Reliability: When you click the buttons, things actually happen and they happen fast - not tomorrow, not in eight hours; we are talking minutes here.
• Integration friendly: This isn't a one man show; we have hundreds of cross-industry partners to help ensure that our platform works the way you need it to.
• Compliance is easy: No spinning in circles trying to map your configurations to compliance benchmarks. We baked them into Jamf for easy deployment, monitoring and even more with Compliance Editor.
• Community and support: If you ever get stuck, Jamf Nation and our support engineers have your back (and usually an answer).
• Incredible user experience: We don't hand you a sledgehammer when all you need is a toothpick. With Jamf, you can fine-tune settings and enforce security without crushing your users' experience. Imagine being the hero instead of the villain!

Thanks for going on this journey with me. Be excited! Life is about to get a whole lot easier, but if you do ever find yourself in the midst of a struggle, don't hesitate to reach out. We love to help and are excited to explore the next mountain you want to climb.

And remember: Plan it. Test it. Execute it. Then take the credit.

Be the hero! You earned it.

FAQs

Q: What other options are available if this migration path does not work for our organization?

A: If this new migration path isn't suitable for your organization, whether due to devices not meeting requirements or the desire to provide a more customized experience, contact your Jamf representative and ask about Jamf Migrate.

Q. What is Jamf Migrate and how can it help me?

A: Jamf Migrate is part of a workflow delivered by our crew over in Professional Services that enables organizations to migrate devices in a way that works best for them. While it was initially created to ease the pain of the pre-OS 26 migration woes, Jamf Migrate will continue to help organizations in a number of ways, such as:

• Customize branding and user notifications including messaging and frequency
• Build pre- and post-install scripts so you can verify devices are in a ready state
• Implement migrations for devices on macOS 12 or later and iOS 14 or later
• Empower end users to migrate on demand or enforce a migration automatically

If you want to take a deeper dive into Jamf Migrate, check out this blog by my Professional Services teammates.

Q: What if my devices can't update to OS 26?

A: Don't lose hope — you still have options. If a device refresh is on the horizon, it may be worth waiting for that to happen and avoiding any unnecessary headaches. However, if you don't want to wait, consider using Jamf Migrate for a better experience for both admins and users.

Q: What if my devices are not in AxM? Can I get them in there?

A: Ad hoc AxM enrollment requires the device to be wiped. In this scenario, I would suggest using Apple Configurator to move the device into AxM and assign it directly to Jamf so it's ready for enrollment. Migration is not necessary.

Q: What if I have devices in AxM but weren't enrolled via ADE?

A: For iOS/iPadOS: devices would need to be erased and enrolled with ADE to get them into the required state for migration. At this point, you could skip this migration flow and just reassign devices in AxM to Jamf and be sure to assign it to a PreStage before erasing.

Q: Why is my device greyed out in AxM?

A: Devices that are not eligible for migration will be greyed out. This typically happens if you're not meeting the OS requirements (e.g., the '26' versions for Mac and iOS), but can also occur if the device went through Return to Service with app preservation. In this case, the device will need to be erased before re-enrolling.

Q: My Mac was encrypted and the key is stored in the old server. What happens?

A: Starting with macOS 26, things work a little differently. When a new FileVault Personal Recovery Key (PRK) escrow profile is installed, macOS now automatically creates a new PRK using the bootstrap token — no user action needed. In older versions, someone had to manually trigger that. If your FileVault profile is set to install during PreStage, the new PRK will be generated and escrowed as soon as the computer completes its first inventory update with Jamf Pro.

Q: Can migration occur without user interaction?

A: No. User interaction is a requirement to complete the migration.

Q: Will the MDM be removable after the migration?

A: If you have set the relevant flag in your PreStage enrollment, then users cannot remove the MDM profile.

Resources

• Migrate managed devices to another device management service
• Migrate devices to a new management service in Apple Business Manager
• Migrating iOS and iPadOS devices from another MDM server to Jamf Pro