
Migrate managed devices to another device management service
Apple School Manager and Apple Business Manager support migrating to a new device management service. This includes the following features:
Users with the roles of Administrator, Site Manager (Apple School Manager only), and Device Enrollment Manager can set a deadline for completing enrollment, and view the pending migrations notification on the device page.
If the user doesn’t take action, the organization can enforce migration and reenrollment. This involves a restart on an iPhone or iPad, and a nondismissible full-screen prompt on a Mac.
iPhone and iPad devices have the option to preserve apps and their associated data if the new device management service delivers the apps before sending the DeviceConfigured command.
After reenrollment, the new device management service creates new Activation Lock bypass codes.
Important: To provide continued service access and a seamless user experience, administrators need to ensure the new device management service applies configurations that match those of the previous device management service and use the await_device_configured key for Managed Apps, FileVault, and Activation Lock configurations.
Requirements
To migrate from one device management service to another, your devices need to meet the following requirements. If they don’t meet the requirements, they’re unable to show the deadline option, and bulk actions result in failures (which appear in the activity log).
Devices with iOS, iPadOS, or macOS 26
You need to own the device and enroll it with Automated Device Enrollment. Additionally, Mac computers that are unenrolled and reenrolled with profile-based enrollment are supported for migration.
If you enroll the device manually using Apple Configurator, it needs to be after the 30-day provisional period.
Migrating to and from the device management service within Apple Business Essentials isn’t currently supported.
Volume purchased apps
If volume purchased apps are part of the deployment, you shouldn’t set a migration deadline greater than 30 days. To properly prepare before a migration that involves volume purchased apps:
1. Remove the content token from the current device management service.
2. Upload a new content token to the destination device management service.
Depending on your current device management service, you may have the option to immediately remove the app after removing the license.
If for some reason you can’t access the current device management service, you can’t unassign the apps, so the apps remain assigned and users can use them as follows:
For up to 30 days or when the app developer performs a receipt check.
Unless the new device management service unassigns them.
Eventually, the content token expires, and the previous device management service loses access to the Apple Business Manager location. Assignments still remain.
Notifications
After the migration deadline is set, users receive notifications to confirm reenrollment, with more frequent notifications leading up to the deadline. Notifications are displayed daily, and hourly 24 hours before the deadline. For the last hour before the deadline, the user is notified at sixty, thirty, ten and one minute. If the device has no internet connectivity after unenrollment, it displays the Wi-Fi picker for the user to manually connect to proceed. If an enrollment failure occurs due to a network issue, the enrollment screen displays a “Choose Wi-Fi Network” blue link above “Enroll this [iPhone][iPad]”.
Device management service migration and Activation Lock
The migration process handles Activation Lock differently depending on several factors, as the table below shows:
Phase | Description |
---|---|
If there’s no Activation Lock on the device before migration. | The new service can choose whether to lock the device during migration. |
If the current service has an Activation Lock on the device before migration. | The new service can choose whether to lock the device during migration. Note: In each case, the migration process removes the previous service’s Activation Lock, and any bypass codes for devices associated with that service are invalid. |
If the new service wants to apply Activation Lock during migration. | To ensure the device enters the await configuration state during migration, the service needs to assign a After the device enrolls in the new service and enters the await configuration state, the service needs to send an Activation Lock request to Apple School Manager or Apple Business Manager to lock the device before sending the |
If migration fails. | Apple School Manager or Apple Business Manager holds a lock on the device, and the Administrator can unlock it. The migration process removes any locks present before migration, and any related bypass codes are invalid. |
Preserving Managed Apps
A device management service has the ability to preserve Managed Apps on iPhone and iPad devices during migration. If an organization wants users to have the same set of Managed Apps after migration as they had before migration, then preserving apps during migration ensures no data loss and a quicker migration, because the device doesn’t need to download previously installed Managed Apps.
Apps installed from a package
Apps installed from a package using MDM are managed differently depending on whether the Managed flag was set:
If the flag was set: The app is a Managed App and is removed, but any extra files outside of the /Applications folder remain, for example, a launch agent.
If the flag wasn’t set: The app isn’t considered managed and stays on the device, along with any extra files outside of the /Applications folder.
Managed Apps installed from a package using declarative device management can specify what to remove in the uninstall script associated with the package, so all items associated with the app are removed.
Phase | Description |
---|---|
Before migration starts. | To ensure the device enters the await configuration state during migration, the service needs to assign a |
When migration starts. |
|
When the device enrolls and enters the await configuration state. | The new service does the following before sending the
Note: Only Managed App data is preserved during migration. |
When migration completes. |
Note: The new device management service needs to ensure each preserved App Store app has a valid App Store license assigned to it in Apple School Manager or Apple Business Manager. |
Mac migration considerations
On a Mac, managed users authorize the migration. If there’s no managed user, all users, including network users (who are considered managed users for purposes of migration), receive a prompt and can start the migration. After the migration is complete, and depending on the new device management service:
The user who completes the migration is now the managed user
The Mac may still not have any managed user
Mac computers also have the option for a new FileVault escrow configuration, which the new device management service installs. This automatically rotates the Personal Recovery Key using a bootstrap token (which the new service needs to support).
If the original service sets a FileVault Full Disk Encryption recovery key by installing a com.apple.security.FDERecoveryKeyEscrow profile payload, that key remains on the device after migration until the new service sends its own com.apple.security.FDERecoveryKeyEscrow profile payload. If that happens, the device creates a new recovery key. To achieve the best security, the new service needs to install the com.apple.security.FDERecoveryKeyEscrow profile payload during the await configuration state.
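The following preflight audit is an added example, not part of the original page or of any device management product. It checks a migration plan against the rules stated above: the await_device_configured key, the 30-day limit with volume purchased apps, and delivery of Managed Apps, the FileVault escrow payload, and the Activation Lock request before DeviceConfigured. The plan layout, every field name except await_device_configured, and the ActivationLockRequest step label are assumptions; the check treats "during the await configuration state" as "before the DeviceConfigured step".

```python
# Added example: preflight audit of a migration plan (not Apple or vendor code).
# Plan layout, field names, and the "ActivationLockRequest" label are assumptions.
ESCROW_PAYLOAD = "com.apple.security.FDERecoveryKeyEscrow"
MAX_DEADLINE_DAYS_WITH_VPP = 30  # limit stated for volume purchased apps

def audit_plan(plan):
    """Return findings for a plan; an empty list means every check passed."""
    findings = []
    if plan["enrollment_profile"].get("await_device_configured") is not True:
        findings.append("enrollment profile must set await_device_configured")
    if plan["volume_purchased_apps"] and plan["deadline_days"] > MAX_DEADLINE_DAYS_WITH_VPP:
        findings.append("deadline is over 30 days with volume purchased apps")
    # Steps before DeviceConfigured run while the device awaits configuration.
    kinds = [step["type"] for step in plan["steps"]]
    release = kinds.index("DeviceConfigured") if "DeviceConfigured" in kinds else len(kinds)
    held = plan["steps"][:release]
    required = [
        (f"Managed App {app}",
         lambda s, app=app: s["type"] == "InstallApplication" and s.get("identifier") == app)
        for app in plan["preserve_apps"]
    ]
    if plan["rotate_filevault_key"]:
        required.append((ESCROW_PAYLOAD, lambda s: s["type"] == "InstallProfile"
                         and ESCROW_PAYLOAD in s.get("payload_types", [])))
    if plan["apply_activation_lock"]:
        required.append(("Activation Lock request", lambda s: s["type"] == "ActivationLockRequest"))
    for label, matches in required:
        if not any(matches(step) for step in held):
            findings.append(f"{label} is not delivered before DeviceConfigured")
    return findings

# Constructed sample plan for a Mac: the escrow profile is queued too late.
SAMPLE_PLAN = {
    "enrollment_profile": {"await_device_configured": True},
    "volume_purchased_apps": True,
    "deadline_days": 45,
    "preserve_apps": [],
    "rotate_filevault_key": True,
    "apply_activation_lock": True,
    "steps": [
        {"type": "ActivationLockRequest"},
        {"type": "DeviceConfigured"},
        {"type": "InstallProfile", "payload_types": [ESCROW_PAYLOAD]},
    ],
}

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```

Run against the sample, the audit reports the 45-day deadline and the escrow profile that arrives after DeviceConfigured.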