Apple MDM Migration: Seamlessly Move to Intune


Introduction Apple MDM Migration

If you’ve ever gone through an Apple MDM migration, you know the pain. Factory resets, re-enrollment headaches, and downtime that frustrates users. At WWDC 2025, Apple finally solved this problem.

With the release of macOS and iOS/iPadOS 26, you can now migrate devices natively through Apple Business Manager (ABM) and Apple School Manager (ASM), without wiping or disrupting users.

By eliminating the need for resets, Apple has made it possible to move Macs, iPhones, and iPads directly from a third-party MDM to Intune in a seamless flow. That means less complexity for you, tighter security policies, and faster alignment with modern management practices.

What’s New in Apple MDM Migration

Until now, migrating Apple devices between MDMs was a messy process. An Apple MDM migration meant wiping every device, resetting it, and forcing users through re-enrollment. For admins, that was hours of prep and cleanup. For users, it meant downtime and disruption.

With macOS and iOS/iPadOS 26, that’s no longer the case. Apple has introduced native MDM migration through Apple Business Manager (ABM) and Apple School Manager (ASM). You can now:

  • Move devices directly into Microsoft Intune without a factory reset.
  • Keep devices in use during migration: the user completes a short, guided enrollment instead of a wipe and rebuild.
  • Guide users through a streamlined, built-in enrollment process.

This completely changes how you plan your management strategy, making Intune adoption faster, smoother, and far less disruptive.


How to Plan Your Apple MDM Migration to Intune

Apple has removed the need for factory resets, but that doesn’t mean you can skip planning. A successful Apple MDM migration depends on preparation, testing, and aligning Intune with your existing security and compliance requirements. Here’s a structured approach:

  1. Inventory Eligible Devices

Start by pulling a complete inventory of all Apple devices currently enrolled in your existing MDM. Pay attention to:

  • OS version requirements: macOS 26 and iOS/iPadOS 26 or later are required for native migration. Devices on an older OS that can still be updated to 26 should be updated first and then migrated natively; only hardware that cannot run 26 needs the traditional wipe-and-enroll path.
  • Enrollment type: native migration applies to devices that are in Apple Business Manager (ABM) or Apple School Manager (ASM) and assigned to an MDM server there. Devices that were user-enrolled or enrolled manually outside ABM/ASM (typical BYOD) are out of scope and still have to be re-enrolled the old way.
  • Ownership models: Differentiate corporate-owned from BYOD devices, as the migration paths will differ.
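The inventory step above is the one most worth scripting, because the migration path for each device falls out of three facts (OS version, whether ABM/ASM manages it, ownership). The following classifier is an added example, not code from the original post or from Apple or Microsoft. It assumes a constructed CSV export with the columns serial, os, os_version, max_supported_os, enrollment, in_abm and ownership; real MDM exports name these differently, so adapt the column names. The minimum versions are the ones the post states; the "update first, then migrate" rule relies on a max_supported_os column you would populate from Apple's compatibility lists.

```python
"""Classify a legacy-MDM device export into Apple MDM migration paths.

Added example, not from the original post. The CSV layout is constructed;
adapt the column names to your MDM's export.
"""
import csv
import io

# Minimum OS for native (no-wipe) migration, per the post.
NATIVE_MIN = {"macOS": (26, 0), "iOS": (26, 0), "iPadOS": (26, 0)}


def parse_version(s: str) -> tuple[int, ...]:
    """'15.6.1' -> (15, 6, 1); tolerates trailing text such as '26.0 beta'."""
    parts = []
    for token in s.strip().split("."):
        digits = "".join(ch for ch in token if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or (0,)


def migration_path(dev: dict) -> str:
    """Return one of: native, update-then-native, wipe-and-enroll,
    byod-reenroll, unsupported-os."""
    os_name = dev["os"]
    if os_name not in NATIVE_MIN:
        return "unsupported-os"
    # Native migration only applies to devices ABM/ASM manages (ADE-enrolled,
    # assigned to an MDM server there). Anything else is a re-enrollment.
    if dev["in_abm"].lower() != "yes" or dev["enrollment"].lower() != "ade":
        if dev["ownership"].lower() == "personal":
            return "byod-reenroll"
        return "wipe-and-enroll"
    if parse_version(dev["os_version"]) >= NATIVE_MIN[os_name]:
        return "native"
    # Assumption: a device whose hardware supports 26 is updated, not wiped.
    if parse_version(dev.get("max_supported_os", "0")) >= NATIVE_MIN[os_name]:
        return "update-then-native"
    return "wipe-and-enroll"


def classify(csv_text: str) -> dict[str, list[str]]:
    """Group serial numbers by migration path."""
    buckets: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(migration_path(row), []).append(row["serial"])
    return buckets


# Constructed sample export (serials and models are made up).
SAMPLE_EXPORT = """serial,model,os,os_version,max_supported_os,enrollment,in_abm,ownership
C02AAA,MacBook Pro,macOS,26.0,26.0,ade,yes,corporate
C02BBB,MacBook Air,macOS,15.6.1,26.0,ade,yes,corporate
C02CCC,iMac,macOS,14.7,15.7,ade,yes,corporate
F9FDDD,iPhone,iOS,26.0.1,26.0,ade,yes,corporate
F9FEEE,iPhone,iOS,18.6,26.0,user,no,personal
DLXFFF,iPad,iPadOS,26.0,26.0,manual,no,corporate
"""

if __name__ == "__main__":
    for path, serials in sorted(classify(SAMPLE_EXPORT).items()):
        print(f"{path:20s} {len(serials):3d}  {', '.join(serials)}")
```

The "update-then-native" bucket is the one that saves the most work: a Mac on macOS 15 that can run 26 does not need a wipe, only an OS update before you reassign it in ABM/ASM.
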

  2. Map and Document Current Configurations

Before you migrate, fully document the profiles, policies, and apps in your current MDM. This should include:

  • Configuration profiles: Wi-Fi, VPN, certificates, restrictions, and any payloads currently in use.
  • Compliance baselines: Password policies, encryption enforcement, OS version requirements.
  • Application management: Which apps are deployed as managed, how updates are controlled, and whether app data is restricted.
  • Custom scripts (on macOS): Any automation you’re currently relying on, such as onboarding scripts or remediation actions.

This documentation isn’t just for migration, it’s your reference point to ensure policy parity when rebuilding in Intune.

  3. Prepare Intune and ABM/ASM Integration

Native migration requires that your Apple devices are already associated with Apple Business Manager or Apple School Manager. In Intune, you’ll need to:

  • Configure the Apple MDM push certificate (APNs): create the certificate signing request in Intune, obtain the certificate from the Apple Push Certificates Portal with a corporate Apple Account, and upload it to Intune. It expires every year, and letting it lapse breaks management of every Apple device.
  • Link Intune to ABM/ASM: download the Intune public key, add Intune as an MDM server in ABM/ASM using that key, then upload the resulting server token to Intune. The token also expires yearly, so record the renewal date.
  • Create and assign automated device enrollment profiles in Intune for iOS/iPadOS and for macOS (or set one as the token’s default), so a migrating device has a profile to land on.
  • Assign devices in ABM/ASM to the Intune MDM server. For devices already deployed, reassigning them in ABM/ASM is the step that starts the native migration, so do it last, after the Intune side is ready.

This step effectively tells Apple where devices should “land” once they leave the old MDM.

  4. Rebuild Profiles and Policies in Intune

Resist the urge to replicate your old setup one-for-one. Migration is the perfect time to modernize:

  • Use Intune device compliance policies for what they do well: evaluating device state (encryption, OS version, passcode) so Conditional Access can act on it. Keep configuration profiles for settings the device must enforce; a compliance policy reports, it does not configure.
  • Take advantage of Conditional Access in Entra ID to enforce security at the identity layer.
  • Move toward app protection policies (APP) for scenarios where corporate and personal data need separation, especially on iOS/iPadOS.
  • For macOS, consider replacing older custom scripts with Intune shell script deployments or leveraging the Settings Catalog for built-in controls.

  5. Communicate and Train End Users

While the migration flow is non-disruptive, users should still know what’s happening. Provide guidance on:

  • What they’ll see during enrollment (system prompts, notifications).
  • How corporate apps will be reinstalled or updated.
  • Expected timelines and what to do if they encounter errors.

Proactive communication reduces helpdesk tickets and keeps the migration on track.

  6. Pilot Before Rollout

Choose a small, representative pilot group that includes different device types (Mac, iPhone, iPad), OS versions, and user roles. Test for:

  • Profile conflicts – ensure legacy restrictions don’t overlap or cause issues with Intune.
  • App behavior – confirm that managed apps reinstall and retain data where expected.
  • Conditional Access alignment – validate that devices remain compliant and users retain access to Microsoft 365 services.

Once the pilot succeeds, scale up in phases, monitoring Intune’s device compliance reports closely as you go.

A structured migration plan not only ensures devices move smoothly into Intune but also gives you the chance to modernize your Apple management strategy around Microsoft’s security stack.

Configuration Considerations for Apple MDM Migration

The technical lift of moving devices into Intune is only part of the job. The real value of an Apple MDM migration comes from aligning Intune’s configuration with your security, compliance, and user experience requirements. Skipping this step can leave you with gaps, or worse, with an environment that looks modern but isn’t hardened properly.

Device Compliance Policies

Start by translating your legacy passcode, encryption, and OS version requirements into Intune compliance policies. These policies work in tandem with Conditional Access to block access to Microsoft 365 resources if a device falls out of compliance. For example:

  • Enforce FileVault on macOS. On iOS/iPadOS there is no separate encryption switch: data protection is active whenever a passcode is set, so the passcode requirement is the control.
  • Require minimum OS versions to ensure devices support the latest security controls.
  • Apply lock screen/passcode requirements to reduce risk of unauthorized access.

Conditional Access Integration

Once compliance baselines are in place, tie them to Entra Conditional Access policies. This ensures only healthy, compliant Apple devices can access Exchange Online, SharePoint, Teams, and other sensitive resources. Key configurations to consider:

  • Require compliant device for access to Microsoft 365 apps.
  • Rely on the compliant-device grant control to block devices Intune reports as non-compliant. Entra ID Protection sign-in-risk and user-risk policies are a separate layer for risky sign-ins, not a substitute for the compliance check.
  • Exclude break-glass accounts and any service accounts that genuinely cannot satisfy the grant control, but scope those exclusions tightly (named locations, certificate-based authentication) and review them regularly: every exclusion is a bypass of the device-trust requirement.
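The compliance baselines and the Conditional Access policy above only work as a pair, and both have a gotcha that is easy to miss when you build them by hand: a compliance policy created through Microsoft Graph is rejected unless it carries a scheduledActionsForRule entry, and a Conditional Access policy switched straight to enabled during a migration locks out whoever is not yet compliant. The following block is an added example, not code from the original post or from Microsoft: it builds the macOS and iOS/iPadOS compliance policies and the Conditional Access policy as Graph v1.0 request bodies, runs the pre-submission checks a reviewer would, and starts the CA policy in report-only mode. The @odata.type and property names are Microsoft Graph’s; the minimum OS, passcode lengths, display names and the break-glass object id are placeholders to adapt, and post_policy is an assumed helper (it needs the requests library and a bearer token, and is never called at import time).

```python
"""Intune compliance policies + Conditional Access policy as Graph request
bodies, with the sanity checks a reviewer would run before submitting.

Added example, not from the original post. Values are placeholders.
"""
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph refuses to create a compliance policy without scheduledActionsForRule.
# "block" with a 0 hour grace period marks the device non-compliant at once,
# which is the state Conditional Access evaluates.
BLOCK_IMMEDIATELY = [{
    "ruleName": "PasswordRequired",
    "scheduledActionConfigurations": [{
        "actionType": "block", "gracePeriodHours": 0,
        "notificationTemplateId": "", "notificationMessageCCList": [],
    }],
}]


def macos_compliance(min_os: str = "26.0") -> dict:
    return {
        "@odata.type": "#microsoft.graph.macOSCompliancePolicy",
        "displayName": "macOS baseline (post-migration)",
        "description": "FileVault, firewall, SIP, password, minimum OS",
        "osMinimumVersion": min_os,
        "storageRequireEncryption": True,          # FileVault
        "firewallEnabled": True,
        "systemIntegrityProtectionEnabled": True,
        "passwordRequired": True,
        "passwordMinimumLength": 12,
        "passwordMinutesOfInactivityBeforeLock": 5,
        "scheduledActionsForRule": BLOCK_IMMEDIATELY,
    }


def ios_compliance(min_os: str = "26.0") -> dict:
    # No encryption toggle on iOS/iPadOS: data protection is on whenever a
    # passcode is set, so the passcode rule is the encryption control.
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "iOS/iPadOS baseline (post-migration)",
        "osMinimumVersion": min_os,
        "passcodeRequired": True,
        "passcodeMinimumLength": 6,
        "passcodeMinutesOfInactivityBeforeLock": 5,
        "securityBlockJailbrokenDevices": True,
        "scheduledActionsForRule": BLOCK_IMMEDIATELY,
    }


def conditional_access(break_glass_ids: list[str], report_only: bool = True) -> dict:
    """Require a compliant device for Microsoft 365 on iOS and macOS.

    Starts in report-only so the pilot shows who *would* be blocked without
    blocking anyone; pass report_only=False once the pilot is clean.
    """
    state = "enabledForReportingButNotEnforced" if report_only else "enabled"
    return {
        "displayName": "Apple devices: require compliant device for M365",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": break_glass_ids},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["iOS", "macOS"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def validate(ca: dict, *compliance: dict) -> list[str]:
    """Return the problems a reviewer should block on (empty list = OK)."""
    problems = []
    if not ca["conditions"]["users"]["excludeUsers"]:
        problems.append("no break-glass exclusion: a compliance outage locks admins out")
    if "compliantDevice" not in ca["grantControls"]["builtInControls"]:
        problems.append("CA policy does not require a compliant device")
    for pol in compliance:
        if not pol.get("scheduledActionsForRule"):
            problems.append(f"{pol['displayName']}: missing scheduledActionsForRule")
    return problems


def post_policy(token: str, path: str, body: dict) -> dict:
    """Assumed helper: submit a body to Graph with a bearer token."""
    import requests  # imported here so the module runs offline without it
    r = requests.post(f"{GRAPH}/{path}", json=body,
                      headers={"Authorization": f"Bearer {token}"}, timeout=30)
    r.raise_for_status()
    return r.json()


if __name__ == "__main__":
    ca = conditional_access(["00000000-0000-0000-0000-000000000001"])  # placeholder id
    print(validate(ca, macos_compliance(), ios_compliance()) or "checks passed")
    print(json.dumps(ca, indent=2))
    # post_policy(token, "deviceManagement/deviceCompliancePolicies", macos_compliance())
    # post_policy(token, "identity/conditionalAccess/policies", ca)
```

Submit the compliance policies first, assign them, let the pilot devices report in, and only then flip the Conditional Access policy out of report-only; the report-only sign-in logs tell you exactly which users would have been blocked by the device-trust requirement.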

Endpoint Security Profiles

With devices now in Intune, you should replace old MDM restrictions with Endpoint Security profiles. These include:

  • Firewall settings for macOS.
  • Antivirus and Defender for Endpoint integration.
  • Disk encryption enforcement.
  • Device control (e.g., blocking external drives).

For macOS, use the Intune Settings Catalog, which exposes Apple’s own configuration profile keys directly, for controls that Intune’s templated profiles (or your previous MDM) did not cover.

Application Deployment and Management

Unlike traditional MDMs, Intune gives you a direct path to manage applications through the Microsoft ecosystem:

  • Use Apps and Books (formerly Volume Purchase Program, VPP) location tokens from ABM/ASM to push App Store apps as managed apps.
  • Deploy line-of-business (LOB) apps directly from Intune.
  • Use App Protection Policies (APP) for BYOD scenarios, keeping corporate data safe without taking over the entire device.

Pro Tips for a Smooth Apple MDM Migration

Even with Apple’s new native migration flow, there are still best practices that can make or break your rollout. Treat your Apple MDM migration as more than a technical step, it’s a chance to set the tone for long-term device management success.

  1. Pilot with Purpose

Don’t just grab a handful of test devices at random. Build a representative pilot group:

  • Mix of macOS and iOS/iPadOS devices.
  • Users across different roles (frontline, knowledge workers, execs).
  • Devices with varied app deployments and security requirements.

A broad pilot group will surface real-world issues—like conflicting profiles, legacy apps, or missing certificates—before you scale migration.

  2. Time the Migration Strategically

Avoid peak business cycles or high-travel periods. Even though devices won’t require a reset, users may still experience app reinstallations or new compliance prompts. Running migration during quieter windows reduces support overhead.

  3. Clean Up Old Policies First

Before assigning Intune profiles, strip down redundant or legacy configs in your old MDM. This prevents profile conflicts and ensures devices don’t carry over baggage. If a policy doesn’t align with your Zero Trust security baseline, leave it behind.

  4. Validate Security Dependencies

Check integrations that rely on device trust:

  • VPN or Wi-Fi certificates – confirm they’re reissued correctly under Intune.
  • Defender for Endpoint onboarding – validate that telemetry from migrated devices flows to the Microsoft Defender portal.
  • Conditional Access dependencies – ensure apps that enforce device compliance (Outlook, Teams, OneDrive) behave correctly once the device transitions.

  5. Automate Enrollment Where Possible

Use the Intune automated device enrollment profile attached to your ABM/ASM token to pre-configure enrollment settings and suppress the Setup Assistant screens that do not need user input, so users see as few prompts as possible and the migration feels invisible.

  6. Track Migration Progress in Intune

Use Intune’s Device compliance and Enrollment reports to monitor success. Pay attention to devices that remain enrolled in the old MDM or fail to check in with Intune after reassignment. Resolve these quickly before scaling.
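The devices that matter most in that report are the ones that have already left the old MDM but never appeared in Intune: they are unmanaged right now, with no compliance evaluation and no Conditional Access signal. The reconciliation below is an added example, not code from the original post, Apple or Microsoft. It joins a legacy-MDM export to Intune’s managed-device list by serial number and buckets every device. Both inputs are constructed: the legacy export is a CSV with the device’s status in the old MDM, and the Intune records mimic the fields a Graph GET /deviceManagement/managedDevices response carries (serialNumber, complianceState, lastSyncDateTime). The three-day stale threshold is an assumption; pick one that matches your check-in interval.

```python
"""Reconcile a legacy-MDM export against Intune's managed devices to find
migration stragglers.

Added example, not from the original post. Inputs are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone


def parse_iso(ts: str) -> datetime:
    """Graph returns UTC timestamps ending in 'Z'; fromisoformat wants an offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def reconcile(legacy_csv: str, intune_devices: list[dict], now: datetime,
              stale_after: timedelta = timedelta(days=3)) -> dict[str, list[str]]:
    """Bucket serial numbers by migration state.

    migrated      in Intune, compliant, checked in recently
    noncompliant  in Intune and syncing, but failing a compliance policy
    stale         in Intune but not checked in within stale_after
    pending       still only in the legacy MDM (migration not started)
    lost          left the legacy MDM but never appeared in Intune: unmanaged
    unexpected    in Intune but absent from the legacy export (scope check)
    """
    legacy = {r["serial"].upper(): r for r in csv.DictReader(io.StringIO(legacy_csv))}
    intune = {d["serialNumber"].upper(): d for d in intune_devices}
    out: dict[str, list[str]] = {k: [] for k in (
        "migrated", "noncompliant", "stale", "pending", "lost", "unexpected")}
    for serial, d in intune.items():
        if serial not in legacy:
            out["unexpected"].append(serial)
        elif now - parse_iso(d["lastSyncDateTime"]) > stale_after:
            out["stale"].append(serial)
        elif d["complianceState"] != "compliant":
            out["noncompliant"].append(serial)
        else:
            out["migrated"].append(serial)
    for serial, r in legacy.items():
        if serial in intune:
            continue
        # A device the old MDM no longer manages and Intune has never seen
        # has fallen through the gap: it is unmanaged right now.
        bucket = "lost" if r["legacy_status"].lower() == "unenrolled" else "pending"
        out[bucket].append(serial)
    return out


# Constructed sample data (serials are made up).
LEGACY_EXPORT = """serial,legacy_status
C02AAA,enrolled
C02BBB,enrolled
C02CCC,unenrolled
F9FDDD,unenrolled
F9FEEE,unenrolled
"""
INTUNE_DEVICES = [
    {"serialNumber": "C02AAA", "complianceState": "compliant",
     "lastSyncDateTime": "2025-10-01T09:00:00Z"},
    {"serialNumber": "F9FDDD", "complianceState": "compliant",
     "lastSyncDateTime": "2025-09-20T09:00:00Z"},
    {"serialNumber": "F9FEEE", "complianceState": "noncompliant",
     "lastSyncDateTime": "2025-10-01T10:00:00Z"},
    {"serialNumber": "ZZZ999", "complianceState": "compliant",
     "lastSyncDateTime": "2025-10-01T11:00:00Z"},
]
NOW = datetime(2025, 10, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for bucket, serials in reconcile(LEGACY_EXPORT, INTUNE_DEVICES, NOW).items():
        print(f"{bucket:13s} {serials}")
```

Run it after each migration wave: the "lost" and "stale" buckets are the devices to chase before the next wave, because those are the ones Conditional Access can no longer see.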

Following these practices ensures your Apple MDM migration doesn’t just succeed, it sets you up for cleaner policies, tighter compliance, and fewer helpdesk calls long after the move is complete.


Why Apple MDM Migration Matters Now

Apple’s update doesn’t just make migrations easier, it changes the strategy for managing Apple devices long term. In the past, the overhead of wiping devices often forced teams to delay or avoid an Apple MDM migration altogether, leaving them stuck with legacy tools that couldn’t keep up with modern security requirements.

Now, you have an opportunity to:

  • Consolidate tools – Move Macs, iPhones, and iPads into Microsoft Intune alongside your Windows devices, reducing cost and management complexity.
  • Strengthen Zero Trust – Apply consistent Conditional Access and compliance policies across every endpoint, without gaps between ecosystems.
  • Improve user experience – Users keep working while migration happens in the background, making security invisible instead of disruptive.
  • Future-proof management – With Apple and Microsoft aligned on native migration, you’re positioned to adopt new features faster instead of relying on workarounds.

Put simply, Apple has removed the friction. If you’re licensed for Intune, there’s little reason to keep Apple endpoints siloed in a separate MDM. The sooner you plan your migration, the sooner you benefit from unified management, tighter compliance, and simplified operations.

Start Your Apple MDM Migration Strategy

Apple has finally taken the pain out of moving devices between management platforms. With native migration in macOS and iOS/iPadOS 26, you can complete an Apple MDM migration into Microsoft Intune without factory resets, downtime, or frustrated users. That means faster adoption of modern security, less management overhead, and a smoother path to Zero Trust.

But a migration is more than just flipping a switch. To get the full value, you need to plan carefully, rebuild policies in Intune, and align configurations with your compliance and security goals. Done right, this is an opportunity to consolidate tools, simplify operations, and harden your Apple device fleet.

At Levacloud, we specialize in helping teams execute migrations like this with confidence. From planning and configuration to rollout and optimization, we make sure your Apple devices land in Intune securely, efficiently, and without disruption to your users.

Now is the time to start your Apple MDM migration strategy, before the next cycle of renewals, re-enrollments, or audits forces your hand.


FAQ: Apple MDM Migration to Intune

What is Apple MDM migration?

Apple MDM migration refers to the process of moving Apple devices (macOS, iOS, iPadOS) from one Mobile Device Management (MDM) solution into another, such as Microsoft Intune. With macOS and iOS/iPadOS 26, Apple now supports native migrations without factory resets or re-enrollment.

Do I need to wipe devices to migrate to Intune?

No. With Apple’s new native migration support, you no longer need to wipe or reset devices. Migration can happen seamlessly while users continue working.

What versions of macOS and iOS support Apple MDM migration?

Native MDM migration requires macOS 26 or later and iOS/iPadOS 26 or later. Devices that can be updated to 26 should be updated first and then migrated natively; only devices that cannot run 26 still require the traditional wipe-and-re-enroll method.

Can I migrate BYOD devices into Intune?

Native migration only covers devices that are in Apple Business Manager (ABM) or Apple School Manager (ASM) and assigned to an MDM server there. BYOD devices that were user-enrolled outside ABM/ASM are not eligible and have to be re-enrolled in Intune the conventional way, for example through the Company Portal with app protection policies.

What happens to apps and data during Apple MDM migration?

Managed apps are reinstalled by Intune once it takes over management, and corporate data stays under management. Personal apps and data are untouched. Validate in the pilot which managed apps keep their data across the hand-over, since that depends on the app.

How does Apple MDM migration improve security?

Devices remain enrolled and compliant throughout the migration. Combined with Intune’s compliance policies and Entra Conditional Access, this ensures devices never slip through gaps where they’re unmanaged or unprotected.

Should I migrate all at once or in phases?

A phased approach is best. Start with a pilot group, validate configurations, then scale in stages. This minimizes risk and surfaces issues before a full rollout.

Post Reviewed by Gareth Young, CISSP

This blog post was reviewed and validated by Gareth Young, a Microsoft Security and Compliance Expert with 15 years of experience in Microsoft solutions. As the founder of Levacloud, Gareth specializes in Security, Modern Work and Security Architecture. He holds multiple Microsoft certifications, including AZ-500, MS-500, SC-400, MS-101, MS-100 and MS-900, as well as the CISSP certification.
