How to Migrate Devices: The voyage from Jamf Now to Jamf Pro

Has your organization started to outgrow the functionality available through Jamf Now? Looking to upgrade your MDM solution to Jamf Pro? This JNUC 2022 session offers a helpful explainer for how the migration process works.

October 4 2022 by

Tim Herr

JNUC 2022 session: The Voyage from Jamf Now to Jamf Pro

Jamf Now is our mobile device management (MDM) solution tailored to the needs of small and medium-sized businesses, offering easy-to-use management capabilities that don’t require the services of a dedicated IT team. Some organizations may find that, as they scale up and expand their workforce and device fleet, they would be better served by the more granular and flexible functionality of Jamf Pro. To take the pain out of the migration process, our Professional Services team assists with workflows and best practices for companies that want to upgrade.

Andrew Needham is an engineer on this team, and in this JNUC 2022 presentation, he walks viewers through the ins and outs of migrating computers and mobile devices from Jamf Now to Jamf Pro. There are plenty of differences between how the MDM solutions manage Apple devices, but the process doesn’t have to be too much of a challenge if you know what you’re doing. Needham stresses that you ought to become familiar with Jamf Pro before you start using it in production, and that you shouldn’t assume that this means you should migrate to Jamf Pro; every organization will have one solution that serves them best, sometimes indefinitely.

What are the differences between Jamf Now and Jamf Pro?

The most significant difference that you’ll encounter when migrating from Jamf Now to Jamf Pro is that of Blueprints vs. scoping. Device management in Jamf Now is organized around Blueprints; a Blueprint consists of a collection of apps, settings and restrictions. Once you have configured the Blueprint to your desired specifications, you can assign devices to it either at enrollment or through the Jamf Now web interface. All devices assigned to a Blueprint will inherit the bundle of settings that it carries, and a Blueprint can hold both macOS and iOS/iPadOS devices.

Jamf Pro, on the other hand, handles computers and mobile devices almost entirely separately. It also doesn’t use any kind of monolithic construct like a Blueprint to assign apps, settings and restrictions to devices. Instead, admins apply settings through the categories of targets, limitations and exclusions. Devices can be manually combined into groups, or admins can create dynamic Smart Groups defined by various scoping criteria; devices will be added or removed from Smart Groups when they start or stop meeting the criteria. This approach is more complicated to apply initially but offers a finer degree of control over how devices are configured.

Jamf Now utilizes Apple’s native MDM framework, which Jamf Pro uses in addition to the proprietary Jamf Binary. Jamf Now doesn’t natively support running shell scripts, although there are some workarounds, such as adding a script to a package; Jamf Pro offers a rich environment for automating workflows. Jamf Now also lacks an API, while Jamf Pro has an entire ecosystem through Jamf Marketplace, with plenty of integrations with popular enterprise and education software offerings.

In general, Jamf Pro is highly extensible and just scales better. Jamf Now’s Blueprints are great for simple management needs, but they can become hard to manage when you want to apply different configuration profiles or use dynamic scoping.

Getting ready for the migration to Jamf Pro

Needham says that when they encounter difficulties with customers migrating between MDM solutions, it’s almost always because they are trying to do too much at once or don’t have hardware dedicated to testing. It’s crucial to test, and you should select a pilot group of tech-savvy users before you push any change out to your entire user population. Frequent communication with end users is key to success. Documents such as planning timelines can be useful for acquiring buy-in from executives or colleagues, and they also help admins to visualize progress and make sure they’re not missing any required steps.

So why doesn’t Jamf provide the option of handling the migration for organizations in exchange for an additional fee? While Needham explains that it’s not impossible that this service will be offered in the future, there are some difficulties that cause it to be impractical at this time. Jamf Now and Jamf Pro format their databases quite differently, and programmatically mapping them to each other would be a challenge. Since the release of macOS Big Sur, we can also no longer programmatically install MDM profiles on Macs, which means that end users need to be involved in order to install Jamf Pro enrollment profiles.

When you’re almost ready to start the migration, you can begin by configuring your Jamf Pro environment. This involves taking the users from your Jamf Now instance and setting different permission levels if you need to. You can configure single sign-on (SSO) settings in Jamf Pro, allowing you to integrate with a solution like Azure or Okta for authentication. At this juncture you can also:

  • Configure settings for user-initiated enrollment and the Self Service app
  • Configure a certificate for the Apple Push Notification service (APNs)
  • Set up an Automatic Device Enrollment (ADE) token and a Volume Purchase Program (VPP) token
  • Configure your ADE token to link Apple Business Manager or Apple School Manager
  • Configure a PreStage enrollment in Jamf Pro for computers or mobile devices to make sure you have somewhere to receive information
  • Create a separate MDM server and a new VPP location in Apple Business Manager or Apple School Manager

To keep track of which users are assigned to which devices, you can use a feature in Jamf Pro called Inventory Preload. This allows you to export a table from Jamf Now and use a template to map the fields to their closest equivalents in Jamf Pro. Prior to uploading, you can create an extension attribute called Blueprint that notes which devices are assigned to which Blueprints. If you’re not ready to move away from the concept of Blueprints just yet, you can create a Smart Group in Jamf Pro that uses the contents of the Blueprint extension attribute.

Apps and configuration profiles

Needham goes on to cover the process of selecting the apps to be installed on enrolled devices, starting with those available in the App Store:

  • Document what apps you need
  • Create an additional location in Apple Business Manager or Apple School Manager
  • Transfer licenses or acquire new ones
  • Scope in Jamf Pro

For apps that are not found in the App Store, you can either use Jamf Pro’s App Installers feature or use a policy to deploy a package or script. When you’re able to use App Installers, it’s generally your easiest and best option.

When it comes to building configuration profiles, a lot of security tools will require the deployment of system extensions or PPPC payloads – in fact, this might be one of the reasons why you needed to migrate to Jamf Pro in the first place. If you have these in Jamf Now, they’ll be in the form of Custom Profiles. You should try and limit each configuration profile you’re building to one payload unless you have a good reason to do otherwise.

After you’ve finished setting up the configuration profiles, you should have a Jamf Pro environment that is ready to receive devices, and every device enrolled in Jamf Pro will get the settings and apps that it’s supposed to. Depending on what enrollment method you use, profiles will either be removable or non-removable. Needham walks viewers through how the removability of profiles is determined and provides different methods for removing them as necessary.

Device migration and what comes after

As you perform the migration, remember to keep in communication with your end users, providing them frequent updates so they understand how things are progressing. Needham mentions one client who even gamified the process to secure added buy-in from users. You should expect the 80/20 rule to apply here: 20% of your teams effort go to helping 80% of users, and the remainder will cause the bulk of your headaches. Take note of what goes right and wrong so you can learn and adapt, streamlining the process and serving your users more effectively.

After the migration is complete, you have some post-migration tasks to accomplish, most of which will be ongoing:

  • Use a script to re-issue FileVault keys
  • Monitor your inventory
  • Check in with end users
  • Work with Jamf Customer Success

The Customer Success team will be on hand to help you iron out any remaining problems and optimize your MDM capabilities as you move forward into the next stage of your IT voyage.

Register for JNUC to access this session as well as other sessions on demand.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.