Migrating to Jamf Pro

Learn how to plan and execute your MDM migration to Jamf Pro from an MDM that no longer suits your needs.

October 4 2024 by Haddayr Copley-Woods

JNUC Nashville: Migrating to Jamf Pro

There comes a time in many a young Apple admin’s life to migrate from an old MDM to the industry-leading provider with the most advanced tools and integrations: Jamf Pro.

Aiden Topp, Client Platform Engineer II at Abnormal Security, explained how he did it in this helpful JNUC presentation.

Abnormal Security is a company that uses AI to protect against attacks that exploit human behavior such as phishing, social engineering, and account takeovers. Topp realized that their MDM provider was fine when they were a small company, but no longer fit their needs as they grew.

Why migrate at all?

Originally a Kandji shop, the company decided to seek alternatives as they needed more in the following areas:

Scalability

When the number of Mac users grew to 550, Kandji’s blueprints were no longer viable. The team went from using around a dozen blueprints to needing blueprints for hundreds of users in multiple ways, which meant a lot of duplication and hand-editing of blueprints.

Flexibility

Before Jamf Pro, Topp was tasked with blocking users from logging into iCloud. However, there was no way for Topp to do this dynamically. He could only work with the parameters that Kandji gave him, and he was forced to use a static list to compare to online users.

Integrations

His previous MDM provider natively integrated with a handful of apps, and Abnormal Security needed more.

Cost

After the introductory rate, Kandji ramped their prices by around 40%, which made the difference in price from Jamf Pro very slim.

Why choose Jamf?

When the company looked at scalability, flexibility, integrations and cost, they determined that Jamf Pro was more scalable, more flexible, and had an entire library of integrations to choose from. 

They were also impressed with the additional services that Jamf offered, including:

How Abnormal Security accomplished their MDM migration

  1. Consolidated and mapped out existing Library Items and Blueprints
     • Topp took a close look at all of the Blueprints and Library Items he had in Kandji and mapped out how they related to one another. He narrowed these down into a smaller number for simplicity.
  2. Researched and built out matching feature sets in Jamf Pro
     • To recreate what he’d already built in Kandji, Topp then researched how to use Jamf to accomplish everything that Blueprints and Library Items had covered, and built out the beginnings of his Jamf Pro instance accordingly.
  3. Moved all Macs in Apple Business Manager to the new MDM server in bulk before migration.
  4. Migrated in groups via Jamf Migrate
     • First, Topp created small pilot groups comprised of himself and other IT staff, testing them rigorously and iterating based on the results until he was happy with how the group migrated. Then he rolled out the migration to larger groups, starting with small regional groups and then moving to larger ones.

Lessons learned

While Jamf Professional Services and Jamf Migrate smoothed the way for this MDM migration, Aiden Topp has a few suggestions for those who are migrating from Kandji to Jamf Pro.

Jamf Migrate Payload Keys

Make sure you take advantage of the Jamf Migrate payload keys to customize the user experience. Abnormal Security branded the experience with their icon to reassure users that this migration was trustworthy.

Edit the timeout defaults during migration

During migration, the user must enter their password to re-escrow the FileVault recovery key. The default timeout for that process is one minute. As it sometimes takes a few minutes for profiles to come down in the framework, changing the timeout to five minutes worked out better for them. In addition, the default one-minute timeout for the whole process finishing after setup meant that some users didn’t realize the process had finished. Changing that to ten minutes helped.

Wi-Fi profiles: keeping staff connected

Ensure that employees connect to an alternate Wi-Fi such as a guest Wi-Fi so they don’t lose internet access halfway through the process.

FileVault keyboard layout defaults can cause issues for international companies

International companies like Abnormal Security can take advantage of what Topp’s team learned through trial and error: FileVault seems to default to a US keyboard layout, so using a keyboard set to a different country’s defaults can cause password inputs to fail.

App Store VPP apps

One problem to look out for: if many of your company’s apps were bought through Apple’s Volume Purchasing Program, switching to a new MDM removes access to them. Since Volume Purchasing works by assigning licenses to a specific MDM, these licenses are removed when the connection to the MDM goes away. Topp created a script that he deployed in Kandji in advance of the migration to fix this problem. The script looked for the presence of these apps and then logged them in a file stored locally. Then, after the migration, he used a “sister script” to look for the presence of those apps and reinstall them.
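One way the pre-migration inventory and the post-migration “sister script” could look, as an added example that is not Topp’s script. The function names and the log path are hypothetical, and it assumes App Store/VPP apps can be recognized by the `Contents/_MASReceipt/receipt` file in their bundle.

```shell
#!/bin/bash
# Added example, not the script from the talk. Names and paths are hypothetical.
# Assumption: App Store/VPP apps carry Contents/_MASReceipt/receipt in the bundle.

# Pre-migration (old MDM): log bundle names of App Store apps in $1 to file $2.
record_vpp_apps() {
    apps_dir=$1; log_file=$2
    tmp=$(mktemp) || return 1
    for app in "$apps_dir"/*.app; do
        [ -f "$app/Contents/_MASReceipt/receipt" ] || continue
        basename "$app" >> "$tmp"
    done
    sort -u "$tmp" > "$log_file"
    rm -f "$tmp"
    chmod 644 "$log_file"   # readable by all, writable only by the owner (root)
}

# Post-migration (new MDM): print each logged app that is no longer in $1.
# The caller passes each name to its own reinstall mechanism in the new MDM.
missing_vpp_apps() {
    apps_dir=$1; log_file=$2
    # The sister script runs as root and trusts this file, so refuse a
    # missing or symlinked log instead of following it.
    [ -f "$log_file" ] && [ ! -L "$log_file" ] || return 1
    while IFS= read -r name; do
        case $name in
            */*|.*) continue ;;   # reject path components and dotfiles
            *.app)  ;;            # accept plain bundle names only
            *)      continue ;;
        esac
        [ -d "$apps_dir/$name" ] || printf '%s\n' "$name"
    done < "$log_file"
}

# Usage: script record|missing [log_file]; the default log path is hypothetical.
case ${1:-} in
    record)  record_vpp_apps /Applications "${2:-/var/db/vpp_apps.txt}" ;;
    missing) missing_vpp_apps /Applications "${2:-/var/db/vpp_apps.txt}" ;;
esac
```

Keeping the log in a root-owned location matters because the second script acts on its contents with elevated privileges after the old MDM's controls are gone.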

Jamf is here to help!

If you’re considering migrating to Jamf Pro from another MDM provider, Jamf’s Professional Services will walk you through the process. But it might help to keep a link to this blog to ensure your bases are covered.
