
Migrate managed devices to another device management service
Apple School Manager and Apple Business Manager support migrating to a new device management service. This includes the following features:
Users with the roles of Administrator, Site Manager (Apple School Manager only), and Device Enrollment Manager can set a deadline for completing enrollment, and view the pending migrations notification on the device page.
If the user doesn’t take action, the organization can enforce migration and reenrollment. This involves a restart on an iPhone or iPad, and a nondismissible full-screen prompt on a Mac.
iPhone and iPad devices have the option to preserve apps and their associated data if the new device management service delivers the apps before sending the DeviceConfigured command.
After reenrollment, the new device management service creates Activation Lock bypass codes.
Important: To provide continued service access and a seamless user experience, administrators need to ensure the new device management service applies configurations that match those of the previous device management service and use the await_device_configured key for Managed Apps, FileVault, and Activation Lock configurations.
Requirements
To migrate from one device management service to another, your devices need to meet the following requirements. If they don’t meet the requirements, they’re unable to show the deadline option, and bulk actions result in failures (which appear in the activity log).
Devices with iOS, iPadOS, or macOS 26.
You need to own the device and enroll it with Automated Device Enrollment. Additionally, macOS 26 supports migration for Mac computers that unenroll and reenroll with profile-based enrollment.
If you enroll the device manually using Apple Configurator, it needs to be after the 30-day provisional period.
Migrating to and from the device management service within Apple Business Essentials isn’t currently supported.
Volume purchased apps
If volume purchased apps are part of the deployment, don’t set a migration deadline greater than 30 days. To properly prepare before a migration that involves volume purchased apps:
1. Remove the content token from the current device management service.
2. Upload a new content token to the destination device management service.
Depending on your current device management service, you may have the option to immediately remove the app after removing the license.
If you can’t access the current device management service, you can’t unassign the apps, so the apps remain assigned and users can use them as follows:
For up to 30 days or when the app developer performs a receipt check.
Until the new device management service unassigns them.
Eventually, the content token expires, and the previous device management service loses access to the Apple Business Manager location. Assignments still remain.
Notifications
After setting the migration deadline, users receive notifications to confirm reenrollment, with more frequent notifications leading up to the deadline. Notifications display daily, and hourly in the 24 hours before the deadline. For the last hour before the deadline, the user receives notifications at sixty-, thirty-, ten-, and one-minute intervals.
If the device has no internet connectivity after unenrollment, it displays the Wi-Fi picker so the user can manually connect and proceed. If an enrollment failure occurs due to a network issue, the enrollment screen displays a Choose Wi-Fi Network link above “Enroll this [iPhone][iPad]”.
Device management service migration and Activation Lock
The migration process handles Activation Lock differently depending on several factors, as the table below shows:
Phase | Description |
---|---|
If there’s no Activation Lock on the device before migration. | The new service can choose whether to lock the device during migration. |
If the current service has an Activation Lock on the device before migration. | The new service can choose whether to lock the device during migration. Note: In each case, the migration process removes the previous service’s Activation Lock, and any bypass codes for devices associated with that service are invalid. |
If the new service wants to apply Activation Lock during migration. | To ensure the device enters the await configuration state during migration, the service needs to assign a After the device enrolls in the new service and enters the await configuration state, the service needs to send an Activation Lock request to Apple School Manager or Apple Business Manager to lock the device before sending the |
If migration fails. | Apple School Manager or Apple Business Manager holds a lock on the device, and the Administrator can unlock it. The migration process removes any locks present before migration, and any related bypass codes are invalid. |
Preserving Managed Apps
A device management service has the ability to preserve Managed Apps on iPhone and iPad devices during migration. If an organization wants users to have the same set of Managed Apps after migration as they had before migration, preserving apps during migration ensures no data loss and a quicker migration because the device doesn’t need to download previously installed Managed Apps.
Managed Apps that install from a package
The operating systems manage apps that install from a device management service differently, depending on whether the Managed flag is set:
If the flag is set: The app is a Managed App and the operating system removes it, but any extra files outside the /Applications folder remain, for example, a launch agent.
If the flag isn’t set: The app isn’t considered managed, and stays on the device along with any extra files outside the /Applications folder.
Managed Apps that install from a package using declarative device management can specify what to remove in the uninstall script associated with the package, so the device management service removes all items associated with the app.
Phase | Description |
---|---|
Before migration starts. | To ensure the device enters the await configuration state during migration, the service needs to assign a |
When migration starts. |
|
When the device enrolls and enters the await configuration state. | The new service does the following before sending the
Note: The operating system preserves only Managed App data during migration. |
When migration completes. |
Note: The new device management service needs to ensure each preserved App Store app has a valid App Store license assigned to it in Apple School Manager or Apple Business Manager. |
Mac migration considerations
On a Mac, managed users authorize the migration. If there’s no managed user, all users receive a prompt and can start the migration. After the migration is complete, and depending on the new device management service:
The user who completes the migration is the managed user
The Mac may still not have any managed user
Mac computers also have the option for another FileVault escrow configuration, which the new device management service installs. This automatically rotates the Personal Recovery Key using a bootstrap token (which the new service needs to support).
If the original service sets a FileVault Full Disk Encryption recovery key by installing a com.apple.security.FDERecoveryKeyEscrow profile payload, that key remains on the device after migration until the new service sends its own com.apple.security.FDERecoveryKeyEscrow profile payload.
If that happens, the device creates another recovery key. To achieve the best security, the new service needs to install the com.apple.security.FDERecoveryKeyEscrow profile payload during the await configuration state.
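The ordering rules above (Managed Apps delivered before DeviceConfigured, the Activation Lock request and the FileVault escrow payload handled during the await configuration state) can be checked against what the new service actually sent to a device. The following is an added example, not Apple's code or any device management vendor's: the log format is an assumption, the sample logs are constructed, and ActivationLockRequest is a hypothetical label for the service's request to Apple School Manager or Apple Business Manager.

```python
ESCROW = "com.apple.security.FDERecoveryKeyEscrow"

# Constructed logs, one event per line as "<event> <detail>" (format is an assumption).
# ActivationLockRequest is a hypothetical label for the service's request to
# Apple School Manager or Apple Business Manager.
IPAD_LOG = """\
InstallApplication com.example.mail
ActivationLockRequest -
DeviceConfigured -
InstallApplication com.example.notes
"""
MAC_LOG = """\
ActivationLockRequest -
DeviceConfigured -
InstallProfile com.apple.security.FDERecoveryKeyEscrow
"""

def audit(log, platform, preserved_apps=(), want_activation_lock=True):
    """Return findings for steps that missed the await configuration state."""
    events = []
    for line in log.splitlines():
        kind, _, detail = line.strip().partition(" ")
        if kind:
            events.append((kind, detail.strip()))
    # DeviceConfigured ends the await configuration state.
    done = next((i for i, e in enumerate(events) if e[0] == "DeviceConfigured"), None)
    if done is None:
        return ["DeviceConfigured not sent: device is still awaiting configuration"]
    before = events[:done]

    def sent(kind, detail=None):
        # True if the event (optionally with this detail) preceded DeviceConfigured.
        return any(k == kind and detail in (None, d) for k, d in before)

    findings = []
    if platform in ("iOS", "iPadOS"):
        for app in preserved_apps:
            if not sent("InstallApplication", app):
                findings.append(f"{app}: not delivered before DeviceConfigured")
    if platform == "macOS" and not sent("InstallProfile", ESCROW):
        findings.append("FileVault escrow payload not installed before DeviceConfigured")
    if want_activation_lock and not sent("ActivationLockRequest"):
        findings.append("Activation Lock not requested before DeviceConfigured")
    return findings

if __name__ == "__main__":
    print(audit(IPAD_LOG, "iPadOS", ["com.example.mail", "com.example.notes"]))
    print(audit(MAC_LOG, "macOS"))
```

An app reported here is one the device has to download again instead of preserving, and a Mac reported here keeps the previous service's recovery key until the new payload arrives.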