To consolidate on one Jamf instance, or migrate from on-prem Jamf to cloud Jamf, you either have to re-enroll your Macs manually, or find a way to migrate them.
Macs can be migrated from one Jamf to another by setting up one of these two scripts to handle the migration and using a policy in the source Jamf to run the script.
- jamf-migrate-to-user-enrolled
- jamf-migrate-to-prestage-enrolled
Both scripts will remove the existing MDM profile, then enroll the Mac in the destination Jamf. As the names indicate, the end result is a user-enrolled Mac or a prestage-enrolled Mac.
It doesn't matter if the Mac was originally prestage-enrolled or user-enrolled - both scripts can use the Jamf API to remove the MDM Profile on prestage-enrolled Macs when the profile is marked non-removable.
Both will require the end-user to enter their password in order to install the new MDM Profile. There's no way around that, Apple doesn't allow automating that part.
However the scripts will temporarily elevate the console user to Admin (if they are not already) - then demote them back to Standard when finished.
Since user interaction is required, the scripts will prompt the user with instructions - and, re-prompt in some cases (e.g to click "Install" on the profile). There are "DIALOG_" variables at the top that can be used to customize the messages for your organization.
jamf-migrate-to-user-enrolled
To use this script you will need an Enrollment Invitation in the destination Jamf, configured to not require login.
The script will use this to download the enrollment profile, to install the new MDM Profile.
- Add the script to the source Jamf
- Add a policy to run the script
- Parameter 4: Invitation ID for the no-login Enrollment Invitation (last part of the invite URL, or listed in Enrollment Invitations)
- Parameter 5: Destination Jamf server - e.g newjamf.jamfcloud.com
- Parameter 6: Source Jamf server, for using the API to remove MDM
- Parameter 7: Source Jamf api auth - "user:password" (without quotes) which has been base64-encoded
- The API account must have permissions to permissions to Create/Read/Update Computers, Flush MDM Commands, and send the Computer Unmanage command
- Scope the policy to Macs you wish to migrate. It's probably best to run it from Self Service rather than at check-in.
Edit the following variables in the script to customize the dialog messages.
The values used in the screenshots are:
When the script runs, the user is prompted with:
That dialog will disappear after 5 seconds however. Then the user is prompted with:
MacOS < 13 MacOS >= 13
At this point the MDM Profile has not been removed and the user is not elevated to Admin. However some basic inventory info from the source Jamf has been saved to a plist (including EA values, which you can customize) for use later (not done by the migration script).
And the enrollment profile has been downloaded using the invitation ID.
Once they click OK, the MDM Profile is removed, and once it's gone, the new one is installed from the enrollment profile and the user is elevated to Admin to approve it.
The script will prompt the user to install the profile periodically (time values at the top of the script) until it detects that the new profile is installed & approved.
Once the profile is installed, the user is demoted (if they were not originally Admin) and they get a message that the migration is complete:
jamf-migrate-to-prestage-enrolled
The script to migrate a Mac as prestage-enrolled requires that the Mac be reassigned to the destination Jamf first, ie in ASM/ABM. The Mac must be assigned to a Prestage Enrollment in the destination or the script will exit with an error.
- Add the script to the source Jamf
- Add a policy to run the script
- Parameter 4: Source Jamf server, for using the API to remove MDM
- Parameter 5: Source Jamf api auth - "user:password" (without quotes) which has been base64-encoded
- The API account must have permissions to permissions to Create/Read/Update Computers, Flush MDM Commands, and send the Computer Unmanage command
- Parameter 6 (optional): Destination Jamf server, for using the API to check if the computer is assigned to a prestage
- Parameter 7 (optional): Destination Jamf api auth - "user:password" (without quotes) which has been base64-encoded
- The API account needs read-only access to computers and prestages only
- Scope the policy to Macs you wish to migrate. It's probably best to run it from Self Service rather than at check-in.
Edit the following variables in the script to customize the dialog messages:
When the script runs, the user is prompted with:
That dialog will disappear after 5 seconds however. Then the user is prompted with:
MacOS < 14:
MacOS >= 14
At this point the MDM Profile has not been removed and the user is not elevated to Admin. However some basic inventory info from the source Jamf has been saved to a plist (including EA values, which you can customize) for use later (not done by the migration script).
If destination Jamf api info was provided, checks on whether the Mac exists in the destination Jamf and is assigned to a PreStage have been done.
Once they click Continue, the MDM Profile is removed, and once it's gone, the user is elevated to Admin, and the new MDM Profile is installed using "profiles renew -type enrollment".
On MacOS < 14, the user must click the Device Enrollment notification, then click Allow, and enter their password. This notification often seems to get hidden, so the script will periodically prompt (time values at the top of the script) until it detects that the new profile is installed & approved:
On MacOS >= 14, the Device Enrollment screen will open, and the user must click Enroll:
Once the profile is installed, the user is demoted (if they were not originally Admin) and they get a message that the migration is complete: