This Knowledge Article is intended to help administrators understand some important aspects of migrating iOS devices from a former Mobile Device Management solution to Matrix42 Silverback, especially when the Device Enrollment Program is already in use. From time to time, we receive questions about best practices, especially when it comes to factory resets and how to handle everything in combination with the Apple Business Manager. Let’s start with some important points to understand when a transition takes place, which will mainly impact your users.
iOS and iPadOS are handled as one in this knowledge article.
Possible Migration Scenarios
- You already have the Apple Business Manager in place and devices are enrolled in your former Mobile Device Management solution
  - After devices are connected to the internet during the Out-of-the-Box Experience (OOBE), they immediately check with the Apple Cloud Service whether they belong to an organization. The list of devices that are currently connected to the Device Enrollment Program can be found either in the devices section of your Apple Business Manager or in the corresponding section of your former Mobile Device Management solution.
  - To prevent devices from trying to connect to your former Mobile Device Management solution during the OOBE after a factory wipe, you need to move the devices to your new Silverback Server in the Apple Business Manager. The Apple Business Manager supports bulk and single device migration through the Edit Device Management option.
  - Once devices are migrated to the new Silverback Server in the Apple Business Manager, they can be factory wiped. In this case, use your former Mobile Device Management solution to execute a bulk factory wipe action. Afterwards, users can start from the OOBE and enroll their devices in Silverback.
- You already have the Apple Business Manager in place and devices are enrolled in your former Mobile Device Management solution, but you won’t factory wipe devices
  - Please note upfront: To get the full capabilities for managed devices that are part of the Device Enrollment Program, it is recommended to perform the factory wipe method.
  - Another option is to simply perform a profile deletion (also known as enterprise wipe, retire, or delete business data) with your current Mobile Device Management solution. Additionally, and depending on your Device Enrollment Program configuration, users might be able to remove the profile manually from their devices by using the iOS Settings application. This option is only possible if your current configuration allows profiles to be removed manually. In Silverback, this setting is called “Profile Removable” and should have a similar name in your current solution.
  - After the profiles are removed via Enterprise Wipe or manually, your users can easily start their enrollment with Silverback by visiting the Silverback Self Service and enrolling their devices themselves. Additionally, you can use the Bulk Enrollment option to send your users an e-mail notification containing the enrollment QR code. In this case, users only need to scan the QR code with the camera and follow the OS-driven enrollment flow. Please note that the Bulk Enrollment option should only be considered if Active Directory Authentication is not enabled in the Device Enrollment Program settings of Silverback.
  - On top of that, please be aware that in this scenario the newly installed Silverback MDM profile will always be removable by your users, because the Device Enrollment Program settings do not take effect in this case. This means it is not possible to ensure that devices remain managed, as users can remove the profile manually. Only when devices are factory wiped and re-provisioned through the OOBE will the “Profile Removable” setting be activated on the devices.
Fast facts about Backup and Restore
After understanding these key points, we can turn to a different topic: backups. Here are some key facts about using backup mechanisms.
- iOS Backup is first and foremost a consumer feature, and your expectation of keeping everything on the device while switching to another Mobile Device Management solution may not be met.
- Every backup that contains an existing Mobile Device Management profile might lead to an undesired restore process. If users perform a backup while the devices are still enrolled in your former solution, the management profile will also be backed up and subsequently re-applied to the device at the point of restore.
- For devices with personal data on them, users can back up their devices to their iCloud account after the device is unenrolled from the previous Mobile Device Management solution. Ensure that your current solution does not restrict the devices from taking iCloud backups. In Silverback, this setting is named “Allow iCloud Backup” in the Restriction Profile.
- With Quick Start, users can set up a new iOS device quickly using information from their current device. However, if the backup is to be restored on a new iPhone that is enrolled in Apple School Manager or Apple Business Manager, users can't use Quick Start to transfer data from their current iPhone, as the process will not be successful.
Success and Failure Stories
After understanding the backup key points, we can now review some use cases with success and failure:
- Use case 1: A user has owned a non-DEP iPhone 6s for 2 years and now receives a new DEP-linked iPhone X. The MDM solution remains the same.
What will not work?
The user performs a backup of the old device with iTunes while it is enrolled in your Mobile Device Management solution. The new device is started, and the Mobile Device Management profile is installed during the OOBE. Afterwards, the user restores the device from the old backup, in which the old profile was installed. This leads to the “Profile must be installed interactively” issue, and the device requires a hard reset, which not all users can perform on their own.
What will work?
The user performs a backup of the old device with iTunes while it is enrolled in your Mobile Device Management solution. The new device is started and, during the OOBE, the iTunes backup is restored from the PC or MacBook. For this scenario, the “Restore Setup” item should not be configured as hidden in the Device Enrollment Program section. Additionally, you need to ensure that the Allow Restore from Backup option is enabled in the Admin section of your Silverback Management Console. If this option is disabled, Silverback will instantly send the Delete Business Data action to the new device, and the device will be in an unmanaged state. In this case, administrators receive a Backup Violation e-mail notification.
The Backup Violation action can also be triggered by performing an iOS update with iTunes, during the backup and restore process.
- Use case 2: A user owns a private non-managed device and wants to migrate data with the Quick Start option to a DEP-linked device.
While the non-managed device is running and the new DEP device starts, the Set Up New Phone wizard appears, and the user scans the pattern in the circle. After the passcode from the non-managed device is entered on the DEP device, the data migration process will fail. After the credentials are entered at the Remote Management screen, the device will not have any data from the backup.
- Use case 3: A user owns a private DEP-linked device and wants to migrate data with the Quick Start option to a non-managed device.
While the DEP-linked device is running and the new non-managed device starts, the Set Up New Phone wizard appears, and the user scans the pattern in the circle. After the passcode from the non-managed device is entered on the DEP device, the data migration process will succeed. No additional Remote Management screen will appear, and the device will have all the data from the backup.
Imagoverum currently has iOS devices enrolled in a different Mobile Device Management solution and allows its users to use their personal Apple IDs and store personal data. Many users are afraid of losing their pictures, call histories and chats, so they regularly back up their content to iCloud. The Imagoverum administrators are under some pressure as the migration date approaches, and the organization doesn't want to pay for two MDM solutions at the same time. They therefore decide to keep the transition as smooth as possible, with minimal interaction for them, and go for the following action plan:
- Administrator: Move all relevant devices from the current Apple Business Manager MDM Server to the Silverback Server.
- Administrator: Unenroll all devices from your current MDM with a bulk action.
- Users: Back up their devices to iCloud.
- Users: Factory reset their devices.
- Users: Enroll the devices in Silverback through the OOBE using the Remote Management screen.
- Users: Add the Apple ID and restore the backup.