Workflow for migrating DEP Macs to new MDM

rstasel
Valued Contributor

Hi All,

I'm curious if anyone has a good workflow for moving DEP enrolled Macs to a new MDM. Because you have to wipe the machine, I'm looking for some way to easily back up users, reimage, enroll, then restore users back (basically a Mac equivalent of USMT).

Related... I've seen there's the ability to disable SIP, remove the profiles, re-enable SIP, then reenroll. But I'm not sure if that actually works for migrating to a new MDM. I've only ever done it to fix a broken enrollment.

Basically, we're moving from on-prem to the cloud, but not migrating. We're starting fresh in our cloud instance, and the question is how we migrate machines short of just attrition (as machines are replaced, they're enrolled in the cloud instance).

Thanks!

1 REPLY

mm2270
Legendary Contributor III

I'll start off by saying I've never done what you're being tasked with, so take this with a grain of salt, but the following workflow may work for you.

The first thing is, you obviously will have to move these devices over to be added to your cloud Jamf instance in Apple Business/School Manager, since any kind of automated device enrollment workflow would require that. They'd also have to be scoped to a Prestage Enrollment in the cloud Jamf console once they appear there. You'll need to Unassign and Assign these Macs in ABM/ASM.

Once you confirm these have been moved to point to the correct server, unenroll the device from the Jamf console, clicking on the Remove MDM Profile button which you should see under the Management tab. Note that you can automate this process from the Mac itself using an API call. That can be hashed out in another post, but I did want to mention that since it could possibly streamline the steps a little. But for the sake of "testing" I would probably just try manually clicking that button to tell the device to remove its MDM profile.

Once it's unenrolled, try using the following command in Terminal to see if it will see that it's pointed to the new server and will go through an enrollment as if it were being "DEP" enrolled:

sudo profiles renew -type enrollment

If (big IF) the Mac recognizes it's supposed to point to your Jamf cloud instance for enrollment, this would bring up a Notification Center prompt to go through device enrollment. Click it and it will prompt to allow the MDM profile to be installed in the Profiles preference pane. Once that's done, the rest of any scoped profiles should get pulled down. Remember that there should be no MDM installed profiles up to that point since you removed the MDM profile (and all related ones) in a previous step.

You can confirm that it worked correctly by examining the "MDM Profile" in the Profiles preference pane. It should show the server URL in there under the Mobile Device Management section, which should be your new cloud instance, and also should not be removable (the "–" button should be grayed out).

If the above steps work, it would prevent the need to wipe and reload, which is a drastic step to take considering these are 'in use' Macs you're talking about. Hopefully it will work. Again, I've never tried this as I've never had the need, but I think it should work.
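
The confirmation step described in the reply above (new server URL, enrollment through DEP rather than a manual enrollment) can also be checked from Terminal. This is an added example, not code from the thread: it assumes the text format of `profiles status -type enrollment`, including the `MDM server` line printed by recent macOS versions, and the hostnames and sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example. Usage on the Mac after re-enrolling:
#   sudo profiles status -type enrollment | check_enrollment <new MDM host>
# Return codes: 0 = DEP-enrolled to the expected host, 1 = no MDM enrollment,
# 2 = enrolled but not via DEP, 3 = enrolled to a different (or unknown) server.

check_enrollment() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    status=$(cat)   # output of `profiles status -type enrollment` on stdin

    # Print the value of one "Name: value" line from the captured output.
    field() { printf '%s\n' "$status" | sed -n "s/^$1: *//p" | head -n 1; }
    dep=$(field 'Enrolled via DEP')
    mdm=$(field 'MDM enrollment')
    # Keep only the host part of the URL so the comparison below is an
    # exact match, not a prefix or substring match.
    host=$(field 'MDM server' | sed -n 's|^https://\([^/:]*\).*|\1|p' | tr 'A-Z' 'a-z')

    case $mdm in
        Yes*) ;;
        *) echo "FAIL: no MDM enrollment"; return 1 ;;
    esac
    if [ "$dep" != "Yes" ]; then
        echo "FAIL: enrolled, but not through automated (DEP) enrollment"; return 2
    fi
    if [ "$host" != "$expected" ]; then
        echo "FAIL: MDM server is '${host:-unknown}', expected '$expected'"; return 3
    fi
    echo "OK: DEP-enrolled to $host ($mdm)"
}

# Constructed sample outputs (placeholder hostnames, not from the thread).
SAMPLE_NEW='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm-new.example.com/mdm/ServerURL'
SAMPLE_OLD='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm-old.example.com:8443/mdm/ServerURL'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm-new.example.com/mdm/ServerURL'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'
```

If the `MDM server` line is absent, the check fails with code 3 rather than passing, so on such a system the server URL still has to be confirmed in the Profiles preference pane.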