Top

Navigation

Migrating Mac from Meraki Systems Manager to UltimateMDM

Par le 6 décembre 2023 dans Articles techniques, Articles techniques Mac

UltimateMDM is the one you’ve chosen, or the one your Apple consultant has recommended. Our legacy or free instances of Meraki Systems Manager will no longer be available after February 7, 2024. If the product meets your needs, you can just order your licenses. If not, you must perform your MDM Switching as soon as possible.

Meraki Systems Manager does not make it easy to remove a locked Remote management profile. You’ll find below the instructions delivered in the Integration Guide of MOM release 5.16 for this specific case. Please note that updating the locked Remote management profile to the unlocked Remote management profile can take time, which is important to bear in mind if you have thousands of Macs in your fleet.

If the Remote management profile is not locked or if the Mac was enrolled using Device Enrollment, the interactions described below are not required and the migration is seamless. MOM will deal with the problem as it arises.

MOM can be distributed by any Apple partner as a new service. Licenses are not tied to a specific MDM. If the targeted MDM is not currently supported, we’ll need to coordinate.

Context of the edge case

  • Migration planned from Meraki Systems Manager to UltimateMDM with AutoLauncher mode
  • Device executing any version of macOS 11 and later
  • Device enrolled in Meraki Systems Manager with a locked Remote Management profile
  • Device assigned to an Automated Device Enrollment Profile :
    • linked to Meraki Systems Manager
    • Removable : No
  • Logged in user is a standard account or an admin account

Known macOS limitations :

  • the unenrollment must be performed from the same user session as the one used for the enrollment if the associated user account still exists on the device
  • calls to AxM are rate limited to once every 23 hours with macOS 12.3.x, and to 10 times every 23 hours with macOS 13 and later ; these limits should be reached when fine-tuning the workflow, but not in production ; when the limitations are reached, wait for 24 hours or use a different test device.

This is the chronology of the required interactions between the IT Support and the End User.

• IT Support

  • In Meraki SM :
    • Settings : Custom configuration profile that plans a migration from Meraki Systems Manager to UltimateMDM – Tag : mom
    • Apps : MOM Content and MOM Core packages – Tag : mom
    • Devices : Device selected > Tag > mom (Command > Sync apps can help to during testings)
  • Webhook message received : « Workflow of type migration started »

• End User

  • MOM started
• End User

  • User chooses to execute the migration now (postpone possible if planned)
• End User

  • Message displayed : « The Remote Management Profile of this device is locked. The workflow will be paused until the unenrollment is done. Please follow the displayed instructions. »
  • Dialog displayed : « Please contact the IT Support. Once confirmed that an Automated Device Enrollment Profile that plans a removable Remote Management Profile is assigned to the device, click on Continue. »
  • User contacts the IT Support

• IT Support

  • Webhook message received : « Device pending unenrollment from Meraki Systems Manager »
  • In Meraki SM :
    • Apple Automated Device Enrollment :
      • Device assigned to an Automated Device Enrollment Profile :
        • still linked to Meraki Systems Manager
        • Removable : Yes
      • Full sync
  • IT Support confirms to the user that he can click on « Continue »

• End User

  • User clicks on « Continue »
 

• End User

  • Dialog displayed : « After clicking the Continue button, a device enrollment notification is going to be displayed in the upper right corner of the screen. Please click inside this notification and proceed to the update of the management configuration. »
  • User clicks on « Continue »
• End User

  • macOS notification displayed : « Device Enrolment – Update company name configuration. »
  • User clicks inside the notification
• End User

  • Profiles System Setting (macOS 13 or later) / Profiles System Preference (macOS 12 or earlier) is automatically opened
  • macOS dialog displayed : « Update Device Enrolment? – Update management configuration for company name. »
  • User clicks on « Update »
  • Depending of how fast the update action is done, reminder dialog may be displayed : « The Remote Management Profile of this device is still locked. After clicking the Continue button, a device enrollment notification is going to be displayed in the upper right corner of the screen. Please click inside this notification and proceed to the update of the management configuration. »
  • User clicks on « Continue »
  • Once the device enrollment update is done, the Remote Management Profile becomes removable
  • MOM deletes locally the unlocked Remote Management Profile

Note : It has been observed that the Remote Management Profile may not become immediately removable ; in this situation, the update process may be triggered several times until the unenrollment can take place.

• IT Support

  • Webhook message received : « Device unenrolled from Meraki Systems Manager »
• End User

  • Message displayed : « The MDM enrollment provisioning of this device must be managed by the IT Support. Please follow the displayed instructions. »
  • Dialog displayed : « Once IT support has confirmed that the device has been provisioned for enrollment with the new MDM, click on Continue. »
• End User

  • Message displayed if the « Continue » button is clicked before the next step is done : « The MDM enrollment provisioning is still associated to Meraki Systems Manager. Once IT support has confirmed that the device has been provisioned for enrollment with the new MDM, click on Continue. »

• IT Support

  • Webhook message received : « Device pending provisioning to enroll in UltimateMDM »
  • In AxM : device assigned to UltimateMDM
  • In UltimateMDM : device assigned to an Automated Device Enrollment Profile
  • IT Support confirms to the user that he can click on « Continue »

• End User

  • User clicks on « Continue »
• End User

  • With macOS 14 or later, a Remote Management pane is displayed in full screen mode. With macOS 13 or earlier, a device enrollment notification is displayed in the upper right corner of the screen. The workflow is paused until the enrollment is done.
• End User

  • The device is enrolled in UltimateMDM and the workflow continues.

 

 

Les commentaires sont fermés.