<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/en-gb/blog/authors/yosune-baltra/rss" /><link>https://www.ivanti.com/en-gb/blog/authors/yosune-baltra</link><item><guid isPermaLink="false">9b561ccf-8bc0-4ff4-bad1-b4bfde4ee9d1</guid><link>https://www.ivanti.com/en-gb/blog/apple-business-manager-device-migration-what-you-need-to-know</link><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/yosune-baltra</atom:uri></atom:author><category>Endpoint &amp; Workspace Management</category><title>Apple Business Manager Device Migration: What You Need to Know</title><description>&lt;p&gt;With Apple’s OS 26 release, IT admins using Apple Business Manager (ABM) or Apple School Manager (ASM) have a great new tool in their toolbelt: device migration. This makes switching devices between MDM platforms much easier, with minimal disruption for end users.&lt;/p&gt;

&lt;p&gt;Here, we’ll unpack what you need to know, and how &lt;a href="https://www.ivanti.com/en-gb/blog/apple-wwdc25-announcements"&gt;ABM device migration&lt;/a&gt; makes it incredibly easy to switch to &lt;a href="https://www.ivanti.com/en-gb/products/ivanti-neurons-for-mdm"&gt;Ivanti Neurons for MDM&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Key ABM device migration features&lt;/h2&gt;

&lt;p&gt;Apple’s new ABM device migration features make it easier to move devices between different &lt;a href="https://www.ivanti.com/en-gb/use-cases/ensure-mobile-device-management"&gt;MDM solutions&lt;/a&gt;, without manual steps or interrupting users.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;No manual re-enrollment.&lt;/strong&gt; You can transfer devices from one MDM server to another, or from one vendor’s MDM to another (including Ivanti Neurons for MDM), without erasing or manually re-enrolling devices. All existing user data and device configurations will automatically be applied during migration. The end user will be able to complete the re-enrollment with two guided clicks: one for restarting the device and one for re-enrollment into the new MDM.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Enrollment deadlines.&lt;/strong&gt; This is the newest feature introduced by Apple in ABM and ASM. You can set and enforce deadlines for moving devices to the new MDM instance. If a device isn’t enrolled in time, it will be locked and the user will be asked to finish enrollment. With this deadline you will be able to trigger the automated process for re-enrollment in the new MDM. It will prompt the end user with screens to complete the re-enrollment seamlessly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;End user experience.&lt;/strong&gt; The end user won't notice any changes during migration, except if the enrollment deadline has passed. Once the migration is complete, the user will get a prompt to restart the device. After the device restarts, the end user will get a prompt to re-enrol the device in the new management solution, which takes one click.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;API-driven.&lt;/strong&gt; The process can also be managed through the ABM or ASM portal using Apple’s new APIs (which you need to activate). This means that customers that use an API infrastructure can &lt;a href="https://developer.apple.com/documentation/applebusinessmanagerapi/create-an-orgdeviceactivity" rel="noopener" target="_blank"&gt;bulk assign or unassign devices&lt;/a&gt; with the new Apple ABM APIs without having to access the ABM console.&lt;/p&gt;

&lt;h2&gt;ABM device migration use cases&lt;/h2&gt;

&lt;p&gt;When would you use this feature? Here are a few key use cases.&lt;/p&gt;

&lt;h3&gt;Cloud migration&lt;/h3&gt;

&lt;p&gt;ABM device migration allows you to move from on-premises MDM to cloud-based MDM without re-enrolling devices. For Ivanti customers, this feature makes it easy to move to Ivanti Neurons for MDM from Ivanti Endpoint Manager (for macOS) or Ivanti Endpoint Manager Mobile (for all Apple devices).&lt;/p&gt;

&lt;h3&gt;Switching MDM providers&lt;/h3&gt;

&lt;p&gt;ABM device migration simplifies switching from another MDM provider to Ivanti Neurons for MDM, or consolidating all types of devices (Android, Windows, Apple) on a single platform from MDMs that only manage Apple devices, such as Jamf or Kandji.&lt;/p&gt;

&lt;h3&gt;School district device realignment&lt;/h3&gt;

&lt;p&gt;Educational institutions can realign devices between departments or campuses while maintaining all Apple management and assignment settings.&lt;/p&gt;

&lt;h3&gt;Mergers, acquisitions or reorganisations&lt;/h3&gt;

&lt;p&gt;If you’re combining or separating IT infrastructure due to M&amp;amp;A or reorganisation, you can move devices to new MDM environments with minimal user disruption.&lt;/p&gt;

&lt;h2&gt;Setting up ABM device migration: a step-by-step guide&lt;/h2&gt;

&lt;h3&gt;Before you begin&lt;/h3&gt;

&lt;p&gt;There are two important considerations before you begin:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Device migration &lt;em&gt;only&lt;/em&gt; works on devices running iOS 26, iPadOS 26 or macOS 26 (or later). Make sure your devices are updated first.&lt;/li&gt;
	&lt;li&gt;You don’t need to make any changes on the MDM server side to support device migration, but target MDM servers should be prepared to receive new device assignments and enrollment requests.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Device Migration via the ABM console&lt;/h3&gt;

&lt;p&gt;Sign in to Apple Business Manager and navigate to &lt;strong&gt;Devices&lt;/strong&gt;. From here, use the search bar to find the target devices by serial number, order number or other identifiers. Then, select the devices you wish to set a migration deadline for.&lt;/p&gt;

&lt;p&gt;Next, review the device details: Click on the device to open its detailed view and confirm that it is assigned to the correct MDM server. You can now set the migration deadline.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture1.png"&gt;&lt;/p&gt;

&lt;p&gt;From here, click on &lt;strong&gt;Assign Device Management&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture2.png"&gt;&lt;/p&gt;

&lt;p&gt;In the pop-up, you can choose the new MDM organisation that the device needs to be assigned to.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture3.png"&gt;&lt;/p&gt;

&lt;p&gt;Next, choose the deadline.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture4.png"&gt;&lt;/p&gt;

&lt;p&gt;Select the desired date and time for the deadline. This is the final date users have to migrate their device to the assigned MDM server. If users don’t follow the prompts, they’ll be locked out of the device. Then, click &lt;strong&gt;Continue&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture5.png"&gt;&lt;/p&gt;

&lt;p&gt;On the device, the user will receive a notification to restart it.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture6.png"&gt;&lt;/p&gt;

&lt;p&gt;After restarting, the device will request the user to enrol in the new management service.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture7.png"&gt;&lt;/p&gt;

&lt;h3&gt;Device migration via APIs&lt;/h3&gt;

&lt;p&gt;Setting up ABM device migration via APIs is simple, and it’s done completely in ABM (or ASM), no matter which MDM you are switching to or from.&lt;/p&gt;

&lt;p&gt;First, log in to your Apple Business Manager or Apple School Manager account and navigate to &lt;strong&gt;Settings &amp;gt; Device Manager Settings&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Then, review and enable the required APIs to allow device migration. (If you’re not sure how, check the Apple admin guide for step-by-step help.)&lt;/p&gt;

&lt;p&gt;Once the APIs are enabled, you can simply follow Apple’s migration workflow to select devices and designate the new target MDM server. Optionally, you can set an enrollment deadline for migrated devices.&lt;/p&gt;

&lt;h2&gt;Additional ABM device migration resources&lt;/h2&gt;

&lt;p&gt;If you need more detailed information, you can refer to:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://support.apple.com/guide/deployment/welcome/web" rel="noopener" target="_blank"&gt;Apple Platform Deployment Guide&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://support.apple.com/guide/apple-business-manager/welcome/web" rel="noopener" target="_blank"&gt;Apple Business Manager User Guide&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://support.apple.com/guide/apple-school-manager/welcome/web" rel="noopener" target="_blank"&gt;Apple School Manager User Guide&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://success.ivanti.com/" target="_blank"&gt;Ivanti Success Portal&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Fri, 12 Sep 2025 17:27:33 Z</pubDate></item><item><guid isPermaLink="false">8413c8b6-79d5-496d-9e33-50c544b04f49</guid><link>https://www.ivanti.com/en-gb/blog/apple-wwdc25-announcements</link><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/yosune-baltra</atom:uri></atom:author><category>Endpoint &amp; Workspace Management</category><title>Apple WWDC25 Announcement of Enterprise IT Enhancements</title><description>&lt;p&gt;At WWDC25, Apple announced a set of updates to simplify IT management for enterprises. These updates, spread across macOS 26, iOS 26, iPadOS 26, tvOS 26 and visionOS 26, introduce practical tools to improve device, application and user management.&lt;/p&gt;

&lt;p&gt;This article outlines the specific capabilities and how they can be applied effectively in enterprise environments.&lt;/p&gt;

&lt;h2&gt;Enhanced Apple Business Manager for flexible device management&lt;/h2&gt;

&lt;p&gt;Apple Business Manager (ABM) improvements in iOS 26, iPadOS 26 and macOS 26 bring enhanced flexibility to enterprise IT operations. Being able to migrate devices between &lt;a href="https://www.ivanti.com/en-gb/autonomous-endpoint-management/mobile-device-management"&gt;Mobile Device Management (MDM)&lt;/a&gt; solutions means that businesses can react to evolving technological requirements or vendor changes without needing to reconfigure devices manually. For example, an organisation switching from one of Ivanti’s on-premises solutions to Ivanti Neurons for MDM can retain operational continuity by utilising the new ABM Device Migration APIs while aligning configurations with the latest policies.&lt;/p&gt;

&lt;p&gt;Administrators can now enforce enrollment deadlines for Managed Apple Accounts, helping enterprises integrate new devices into their IT systems on schedule. This feature is particularly helpful for compliance with internal policies or regulatory requirements, ensuring devices are accounted for during deployments.&lt;/p&gt;

&lt;p&gt;Enhanced onboarding processes with Account Driven Enrollments, supported by the Service Discovery API, simplify enrollment by enabling preconfigured settings to guide users through setup. This reduces time spent onboarding large numbers of employees or devices.&lt;/p&gt;

&lt;p&gt;Organisations can also bolster account security with stricter access controls. By allowing only Managed Apple Accounts during device setup and login, enterprises can prevent personal accounts from compromising company data or workflows. Additionally, including warranty and AppleCare coverage details lets enterprises plan for the entire lifecycle of their devices, optimising replacement or support strategies to maintain productivity while minimising downtime.&lt;/p&gt;

&lt;h2&gt;Modernised app management with Declarative Device Management&lt;/h2&gt;

&lt;p&gt;Declarative Device Management (DDM) updates provide better tools for managing app lifecycles in enterprise environments. Administrators get granular control over app installations and updates, so you can enforce mandatory upgrades for security-critical applications or postpone non-essential updates to avoid disruptions during critical operations. Similarly, the ability to pin apps to specific versions can stabilise environments where software dependencies are tightly coupled.&lt;/p&gt;

&lt;p&gt;Real-time reporting of app installation and update statuses offers IT teams actionable insights into compliance and troubleshooting. For instance, administrators managing thousands of devices can track which apps are outdated or whether installation errors occurred, resolving issues without delays. Furthermore, organisations managing extensive mobile fleets can restrict app downloads over cellular data to conserve bandwidth and ensure adherence to security policies, useful in industries with strict data regulations or cost-control measures.&lt;/p&gt;

&lt;p&gt;Updates to macOS 26 let enterprises scale their device operations more effectively. Declarative Application Management lets administrators deploy apps — whether they are from the App Store or custom-built solutions — across thousands of devices simultaneously, streamlining rollouts during enterprise deployments or product launches. The ability to deploy .pkg files caters to organisations relying on proprietary software or specific configurations.&lt;/p&gt;

&lt;p&gt;visionOS 26 also supports deploying managed applications via DDM.&lt;/p&gt;

&lt;h2&gt;Improved Safari configuration for efficiency and compliance&lt;/h2&gt;

&lt;p&gt;Safari updates bring practical configuration tools that enterprises can use to align browser settings with organisational needs. Administrators can now preconfigure bookmarks to direct employees to relevant software tools, company websites or knowledge bases upon login, reducing onboarding times and improving workforce efficiency. You can set landing pages to match company branding and guarantee employees start their browsing sessions on compliant and secure portals, which is especially useful for maintaining organisational policies.&lt;/p&gt;

&lt;h2&gt;Better audio accessory management for shared device scenarios&lt;/h2&gt;

&lt;p&gt;For shared device deployments, such as in healthcare, education or retail, Apple’s enhanced audio pairing management introduces useful controls to maintain security while enabling flexibility. Administrators can allow temporary audio accessory pairing without data syncing to iCloud, ensuring that employee or customer data is not inadvertently retained on shared devices. For added security, pairing data can be erased automatically based on predefined schedules, such as each night.&lt;/p&gt;

&lt;p&gt;These controls are critical for shared environments where sensitive data protection and operational continuity are key. For example, hospitals using shared iPads for patient intake can ensure that data is cleared between users while still enabling seamless accessory use for each individual session.&lt;/p&gt;

&lt;h2&gt;Platform Single Sign-On for simplified authentication&lt;/h2&gt;

&lt;p&gt;The new Platform Single Sign-On (SSO) tools in macOS 26 reduce friction during the authentication process for enterprise employees. Platform SSO can now be activated during automated device enrollment, meaning employees can immediately access managed apps, company services and their Managed Apple Accounts without additional sign-ins. This feature simplifies the device setup process for organisations onboarding large numbers of employees or contractors.&lt;/p&gt;

&lt;p&gt;The addition of Authenticated Guest Mode benefits shared environments, such as schools or hospitals, by allowing temporary logins via organisational Identity Provider (IdP) credentials. This ensures that users can access only the resources they are authorised for, while personal data is automatically erased upon logout. This is especially beneficial in environments with transient users where data security and quick turnover are priorities.&lt;/p&gt;

&lt;h2&gt;Return to Service: streamlined device reuse&lt;/h2&gt;

&lt;p&gt;Apple’s improvements to the Return to Service workflow allow enterprises to retain managed apps during device preparation for reuse. This feature significantly reduces the time needed to prepare devices for new users in shared-use scenarios. For instance, retail organisations can erase user data while retaining critical operational apps, allowing devices to be redeployed within minutes rather than hours. Automated re-enrollment into MDM ensures that settings, restrictions and compliance policies are applied quickly and consistently.&lt;/p&gt;

&lt;p&gt;If you have a healthcare use case, check out Return to Service features supported by &lt;a href="https://www.ivanti.com/en-gb/products/ivanti-neurons-for-mdm"&gt;Ivanti Neurons for MDM&lt;/a&gt;. By adding a Return to Service option on your Ivanti iOS client, your floor staff can safely repurpose devices with one click.&lt;/p&gt;

&lt;h2&gt;ManagedApp Framework for secure enterprise app configurations&lt;/h2&gt;

&lt;p&gt;The ManagedApp Framework, built on Declarative Device Management, introduces a structured approach to defining and passing configuration details to enterprise apps. This framework allows IT administrators to establish app behaviour — such as server URLs, credential parameters or connection policies — tailored to specific employees or teams.&lt;/p&gt;

&lt;p&gt;For example, an IT department can provide custom app settings for field technicians that include preconfigured server endpoints and unique digital certificates, while offering a more limited set of configurations for interns or temporary staff. The framework integrates seamlessly with features like Single Sign-On and Managed Device Attestation for secure, scalable and compliance-ready app deployments across industries. This feature requires support both from the application and from the MDM side.&lt;/p&gt;

&lt;h2&gt;Software update changes in iOS/iPadOS/macOS 26&lt;/h2&gt;

&lt;p&gt;Apple is deprecating legacy software update management methods in iOS, iPadOS and macOS 26, and removing support in 2027 OS versions, requiring all organisations to transition to the new Declarative Management Software Update Enforcement and Software Update settings. Ivanti fully supports these new workflows, enabling automated and proactive update management. Declarative Management Updates are supported on iOS/iPadOS 17+ and macOS 14+. To prepare, customers should update their device management policies in Ivanti, configure Software Update Enforcement and settings for their devices and ensure compliance with Apple’s updated requirements—securing a smooth transition ahead of the deadline.&lt;/p&gt;

&lt;h2&gt;Key takeaways for enterprise IT&lt;/h2&gt;

&lt;p&gt;Apple’s WWDC announcements introduce meaningful improvements for enterprise IT, from streamlined device reuse to more flexible management and security controls. Using Ivanti’s endpoint management solutions alongside these new Apple features will help organisations automate deployments, ensure compliance and support diverse user needs with greater efficiency.&lt;/p&gt;
</description><pubDate>Fri, 18 Jul 2025 14:15:25 Z</pubDate></item><item><guid isPermaLink="false">ee7f5873-44ba-439b-9a99-97872feaae5a</guid><link>https://www.ivanti.com/en-gb/blog/apple-declarative-device-management-updates</link><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/yosune-baltra</atom:uri></atom:author><category>Endpoint &amp; Workspace Management</category><title>Optimising Apple DDM with Ivanti’s Latest Innovations</title><description>&lt;p&gt;The explosion in devices—particularly Apple devices—deployed across a modern enterprise is increasing the already arduous device management burden on IT and cybersecurity teams.&lt;/p&gt;

&lt;p&gt;According to recent &lt;a href="https://www.computerworld.com/article/1634358/three-quarters-of-large-us-firms-now-using-more-apple-devices-survey.html?utm_source=chatgpt.com" rel="noopener" target="_blank"&gt;research&lt;/a&gt;, 76% of large enterprises are using more Apple devices, and 57% of US firms say Apple adoption is outpacing other options. So, it’s become crucial for more enterprises to leverage Apple Declarative Device Management (DDM) to streamline device management, automate compliance and enhance scalability.&lt;/p&gt;

&lt;p&gt;Apple's approach to DDM was introduced in 2021 and expanded with each OS release. It’s created a fundamental shift in device management, streamlining software updates and patching. Now, IT teams can define desired states so Apple devices can self-enforce configurations and updates &lt;em&gt;locally&lt;/em&gt;, reducing reliance on servers and manual intervention.&lt;/p&gt;

&lt;p&gt;Thus, updates can happen faster, errors can be minimised, and end-user experiences can be improved invisibly and proactively. This appreciably eases IT workloads while sustaining security and operational agility.&lt;/p&gt;

&lt;p&gt;Apple is deprecating legacy software update management in iOS, iPadOS and macOS 26, and they will remove support in 2027 OS versions, which means now is the time to make the switch to DDM. Let's explore how Ivanti's MDM and UEM products will enable admins to get the most out of Apple DDM.&lt;/p&gt;

&lt;h2&gt;What is declarative device management (DDM)?&lt;/h2&gt;

&lt;p&gt;DDM is an advanced approach to managing devices, primarily in enterprise or organisational IT environments. It empowers administrators to define a device or system's desired state and allows the system to automatically enforce and maintain that state.&lt;/p&gt;

&lt;p&gt;The DDM model shifts away from traditional imperative management, where configurations and actions are centrally scripted and managed by IT administrators. That approach requires direct instructions to achieve the desired outcome on each device.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features and benefits of DDM&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;What are DDM’s advantages over a traditional device management model?&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Administrators can specify the desired state or behaviour of a device, focusing on "what" it should look like instead of "how" to achieve that state. For example, rather than scripting individual commands for configuring security settings, an admin can simply declare the required settings and the system will enforce them.&lt;/li&gt;
	&lt;li&gt;Devices autonomously monitor their configurations to ensure compliance with a predefined state. If a device deviates, it automatically corrects itself to restore compliance without manual intervention.&lt;/li&gt;
	&lt;li&gt;DDM proves highly effective in large-scale settings since it minimises the need for repetitive and manual configuration tasks.&lt;/li&gt;
	&lt;li&gt;DDM minimises the complexity of management workflows and ensures consistency across devices.&lt;/li&gt;
	&lt;li&gt;DDM employs modern management protocols for faster and more reliable updates to device configurations and policies.&lt;/li&gt;
	&lt;li&gt;DDM is commonly implemented in cloud-based mobile device management (MDM) solutions, leveraging the cloud for synchronisation, monitoring and enforcement, although it can also be implemented in on-prem solutions.&lt;/li&gt;
	&lt;li&gt;DDM reduces manual effort by automating configuration and enforcement processes.&lt;/li&gt;
	&lt;li&gt;DDM ensures consistency and compliance across devices, reducing the risk of human error.&lt;/li&gt;
	&lt;li&gt;Dynamic updates mean quicker application of policies and settings versus traditional methods.&lt;/li&gt;
	&lt;li&gt;Changes are implemented seamlessly without disrupting the user experience.&lt;/li&gt;
&lt;/ul&gt;

&lt;hr&gt;
&lt;blockquote&gt;
&lt;h2&gt;An example DDM use case&lt;/h2&gt;

&lt;p&gt;In a hypothetical example, an IT administrator declares that all employee devices within the enterprise environment must:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Have a specific version of the operating system.&lt;/li&gt;
	&lt;li&gt;Enable encryption.&lt;/li&gt;
	&lt;li&gt;Restrict access to certain applications.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Using DDM, these requirements are automatically applied, continuously enforced and remediated if there’s any deviation.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;hr&gt;
&lt;h2&gt;Software updates and OS patching via Apple DDM&lt;/h2&gt;

&lt;p&gt;Utilising Apple Declarative Device Management for software updates and operating system (OS) patching seriously improves these processes, making them more proactive, efficient and seamless. It simplifies administration, cuts down on delays and guarantees a fleet of devices is always secure and up-to-date.&lt;/p&gt;

&lt;h4&gt;Software update benefits&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;Centralised control with distributed execution&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Administrators set configurations centrally but rely on the device's local capabilities for execution.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Proactive local enforcement&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Updates are enforced at the device level, eliminating the need for constant server intervention. Admins set a desired OS version and deadline, and the device autonomously ensures compliance.&lt;/li&gt;
	&lt;li&gt;The device monitors itself, applying updates without the need for constant server communication.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Automation&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Admins can configure specific versions and deadlines and update schedules (e.g., after work hours), automating the process while minimising end-user disruption.&lt;/li&gt;
	&lt;li&gt;For example, a critical security patch can be scheduled for a particular time, ensuring all devices are updated without user intervention.&lt;/li&gt;
	&lt;li&gt;If a device is powered off and misses the update deadline, declarative management reschedules the update automatically for a later time.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;User notification and experience&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Notifications begin 14 days before the deadline, reminding users to update at their convenience. On the deadline, the device automatically reboots and instals updates if necessary.&lt;/li&gt;
	&lt;li&gt;Admins can customise these notifications or suppress early reminders (e.g., for retail or healthcare environments).&lt;/li&gt;
	&lt;li&gt;Admins can configure the level of user interaction allowed by Apple DDM, such as permitting manual updates before the enforced deadline or limiting user deferrals.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Faster updates with reduced network dependency&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Unlike traditional MDM, where the server continuously checks device status, DDM reduces latency by shifting the compliance mechanism to the endpoint.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Enhanced status reporting&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Devices proactively report the status of updates to the server including whether an update is in progress, completed successfully or failed. In case of failure, detailed error logs are available.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;OS patching benefits&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;Predicates for context-aware updates&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;DDM allows conditional rules (predicates) for updates, such as only applying a patch when a device is charging or has a battery above 80%.&lt;/li&gt;
	&lt;li&gt;These conditions are evaluated locally on the device, making updates context-sensitive and efficient.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Seamless transition to new OS versions&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;DDM automatically manages the transition to new OS releases or security patches without requiring manual admin oversight at each step.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Local action without internet&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Devices can enforce configurations and patches even when offline, applying updates based on preloaded criteria and activating changes when conditions permit (e.g., when connected to power or during off-hours).&lt;/li&gt;
&lt;/ul&gt;

&lt;hr&gt;
&lt;blockquote&gt;
&lt;h2&gt;Another practical use case&lt;/h2&gt;

&lt;p&gt;In an organisation with 1,000+ iPhones and MacBooks, a zero-day vulnerability requires immediate patching. The solution?&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;The admin declares a patch deadline and target version using Apple DDM.&lt;/li&gt;
	&lt;li&gt;Devices enforce the update based on local predicates, ensuring the patch is applied under optimal conditions (e.g., during low battery drain times).&lt;/li&gt;
	&lt;li&gt;Users receive notifications prior to the update so they’re informed without interrupting workflows.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;h2&gt;Ivanti’s declarative management support&lt;/h2&gt;

&lt;p&gt;Ivanti’s declarative management support builds on Apple’s Declarative Device Management (DDM) framework to offer a seamless, proactive and efficient approach to managing Apple devices. What are some of its key components?&lt;/p&gt;

&lt;h4&gt;Integration with Apple’s DDM framework&lt;/h4&gt;

&lt;p&gt;Ivanti utilises Apple’s DDM as an enhancement to the existing Mobile Device Management (MDM) protocol – &lt;em&gt;not&lt;/em&gt; a complete replacement but an additional layer designed to:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Automate device responses: Allow devices to enforce configurations and policies locally, reducing reliance on the server for continuous checks.&lt;/li&gt;
	&lt;li&gt;Enable real-time proactivity: Devices can autonomously apply updates or configurations when predefined conditions (predicates) are met.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;Software update enforcement&lt;/h4&gt;

&lt;p&gt;Ivanti's platform supports Apple’s declarative software update management, which introduces:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Enforcement settings: Administrators can specify OS versions, deadlines and update schedules.&lt;/li&gt;
	&lt;li&gt;Proactive local actions: Devices monitor themselves and apply updates without requiring manual input or waiting for server-side triggers.&lt;/li&gt;
	&lt;li&gt;Improved communication: Devices report their update progress, success or failure directly to the Ivanti management server, providing admins with real-time visibility.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;Predicate management&lt;/h4&gt;

&lt;p&gt;A standout feature of Ivanti’s support is its handling of predicates – logical conditions that devices evaluate before applying configurations or updates. For example:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;A policy applies only if the device’s battery is above 80%.&lt;/li&gt;
	&lt;li&gt;A configuration activates when the device is charging.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Simplified predicate management in Ivanti’s console&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Ivanti provides a dedicated interface for creating, managing and reusing predicates across configurations.&lt;/li&gt;
	&lt;li&gt;These predicates can be easily applied to declarative configurations, streamlining complex workflows.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;User experience and notifications&lt;/h4&gt;

&lt;p&gt;Ivanti enhances the user experience by leveraging Apple’s notification capabilities:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Notifications can start 14 days before the update deadline, with options to tailor their frequency and content.&lt;/li&gt;
	&lt;li&gt;Critical updates can override user deferrals by enforcing reboots and updates at the scheduled deadline.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Past-due handling&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;If a device misses the deadline (e.g., because it was turned off), Ivanti reschedules updates automatically, ensuring compliance.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Supported configurations&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Ivanti ensures backward compatibility and a smooth transition to declarative management by supporting both legacy MDM and newer DDM configurations.&lt;/li&gt;
	&lt;li&gt;Existing policies and workflows continue without disruption.&lt;/li&gt;
	&lt;li&gt;Declarative configurations (e.g., predicates and local enforcement) are gradually integrated and highlighted within the platform.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Related: Watch the webinar &lt;a href="https://www.ivanti.com/en-gb/webinars/2024/mastering-apple-device-management-with-ivanti"&gt;Mastering Apple Device Management with Ivanti&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;Ivanti’s guidance for updating and patching Apple devices with declarative device management&lt;/h2&gt;

&lt;p&gt;Ivanti’s approach to supporting Apple DDM leverages the proactive capabilities of Apple's declarative management framework, combining it with a user-friendly interface, automation and support for complex enterprise workflows. This comprehensive guidance enhances enterprise device management efficiency and security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Enforcing updates and patches&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Automated scheduling lets admins enforce updates by specifying the target OS version along with a specific date and time for the update to occur. This eliminates the need for manual updates and ensures compliance with organisational policies.&lt;/li&gt;
	&lt;li&gt;Devices enforce updates locally, applying them based on preconfigured conditions without relying on continuous server communication.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Managing user notifications&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Notifications are sent to end users starting 14 days before the update deadline, providing transparency and encouraging users to update at their convenience.&lt;/li&gt;
	&lt;li&gt;For specific use cases such as retail or healthcare, flexible notification configurations let admins suppress early notifications and opt for last-minute alerts to minimise disruption.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Improving compliance and visibility&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Devices proactively report their update status to the Ivanti server, indicating whether updates are in progress, completed successfully or failed. Administrators also gain access to detailed error logs to troubleshoot issues.&lt;/li&gt;
	&lt;li&gt;If a device misses the deadline (e.g., if it is powered off), the device automatically reschedules the update for the next available hour.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Using predicates for conditional updates&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Administrators can define predicate logic for when updates should be applied.&lt;/li&gt;
	&lt;li&gt;Since conditions are evaluated locally, updates can happen even when the device is offline.&lt;/li&gt;
	&lt;li&gt;Ivanti provides tools for creating, managing and reusing predicates across configurations, making conditional updates simpler and easier to implement.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Enhancing user experience&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;End users get clear communication about the update schedule, including the enforced deadline. They have the option to install updates manually before the deadline to avoid automatic enforcement.&lt;/li&gt;
	&lt;li&gt;Updates can be scheduled during off-hours to minimise disruption of the user's daily activities.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Streamlining patch management&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Ivanti supports declarative patch management for Apple system updates.&lt;/li&gt;
	&lt;li&gt;Administrators can enforce updates, including critical security patches, ensuring devices remain secure and compliant.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Related: Read our Knowledge Base article on &lt;a href="https://forums.ivanti.com/s/article/How-to-enforce-Apple-Software-Updates-with-Neurons-for-MDM-and-EPMM?language=en_US" target="_blank"&gt;How to enforce Apple Software Updates with Neurons for MDM and EPMM&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;A standout approach to supporting Apple DDM&lt;/h2&gt;

&lt;p&gt;Ivanti's approach to Apple Declarative Device Management stands out because it extends an organisation’s automation, local enforcement and proactive capabilities.&lt;/p&gt;

&lt;p&gt;Administrators benefit from user-friendly tools, customisable notifications and detailed status reporting, while end-user disruption is minimised through scheduled updates and seamless workflows. With Ivanti, Apple DDM becomes even more efficient, secure and scalable for the organisations that rely on it.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Related: &lt;a href="https://www.ivanti.com/blog/a-guide-to-apple-declarative-device-management-for-enterprises" target="_blank" rel="noopener"&gt;A Guide to Apple Declarative Device Management for Enterprises&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

</description><pubDate>Tue, 21 Jan 2025 20:10:27 Z</pubDate></item><item><guid isPermaLink="false">b690c33d-e1b2-421d-bba6-c48cbe62e86b</guid><link>https://www.ivanti.com/en-gb/blog/making-sense-of-wwdc23-what-it-admins-need-to-know-to-manage-apple-devices</link><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/yosune-baltra</atom:uri></atom:author><title>WWDC23: What IT Admins Need to Know to Manage Apple Devices</title><description>&lt;p&gt;Apple’s annual developer conference, &lt;a href="https://developer.apple.com/wwdc23/" rel="noopener" target="_blank"&gt;WWDC&lt;/a&gt;, is a firehose of information for anyone who manages Apple devices.&lt;/p&gt;

&lt;p&gt;New operating systems (notably iOS 17, iPadOS 17,&amp;nbsp;macOS 14 and watchOS 10) and new products (15-inch MacBook Air and Apple&amp;nbsp;Vision Pro) might have dominated the headlines, but WWDC23 also brought a host of&amp;nbsp;no less consequential new capabilities for enterprise device management.&lt;/p&gt;

&lt;p&gt;So what should IT admins pay attention to in the lead up to this fall’s OS updates?&lt;/p&gt;

&lt;h2&gt;A big step forward in declarative device management&lt;/h2&gt;

&lt;p&gt;Apple introduced &lt;strong&gt;declarative management&lt;/strong&gt; in 2021 as an extension to the MDM protocol, and this year it continued the trend of releasing configurations that work under both MDM and declarative management at the same time, as part of a gradual transition. Apple has announced a &lt;a href="https://developer.apple.com/videos/play/wwdc2023/10041/" rel="noopener" target="_blank"&gt;transition path&lt;/a&gt; from today’s MDM protocol to declarative management, which will make the changeover seamless for end users.&lt;/p&gt;

&lt;p&gt;What’s new this year is that Apple is also releasing features that can &lt;em&gt;only&lt;/em&gt; be supported via declarative management – &lt;strong&gt;passkeys&lt;/strong&gt;&amp;nbsp;and &lt;strong&gt;Apple Watch management&lt;/strong&gt;. Ivanti’s UEM products will support declarative device management, and therefore these new features, in the next few quarters.&lt;/p&gt;

&lt;h2&gt;Simpler device enrollment – for IT &lt;em&gt;and&lt;/em&gt; for end users&lt;/h2&gt;

&lt;p&gt;Getting rid of manual processes is a clear theme for the device enrollment enhancements released this year.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Return to service&lt;/strong&gt;, a new capability for bringing devices back into management, lets IT admins send a command to erase and then re-enroll a device automatically – a process that until now was manual. This feature is particularly useful for devices without dedicated users that need to be remotely reconfigured without manual intervention, for example an iPad that needs to be reset after a patient is discharged from a hospital.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Account-driven device enrollment&lt;/strong&gt; (an enhancement to account-driven user enrollment, which is already available) enrolls devices automatically when users sign in with their work or school account, rather than requiring the user to install a profile manually. Eliminating this extra step can streamline device onboarding.&lt;/p&gt;

&lt;p&gt;On the topic of device enrollment, &lt;strong&gt;Setup Assistant&lt;/strong&gt; also saw enhancements worth paying attention to: the ability to restrict enrollment to devices that meet &lt;strong&gt;minimum OS requirements&lt;/strong&gt;, and the ability to &lt;strong&gt;configure FileVault&lt;/strong&gt; during setup. These features let companies ship devices directly from the supplier to the end user without needing a manual setup to ensure basic security features are in compliance.&lt;/p&gt;

&lt;h2&gt;Easy end user authentication for a better end user experience&lt;/h2&gt;

&lt;p&gt;Updates to &lt;strong&gt;Managed Apple IDs&lt;/strong&gt; give organizations access to a range of improved authentication features that make it easier for end users to access their devices and services. Managed Apple IDs now include support for iCloud Keychain, Apple Wallet, and access management controls that enable organizations to restrict access to specific services and dictate the management state of a device when a user signs in. Additionally, passkeys can now be synced across managed devices for an even more secure authentication experience.&lt;/p&gt;

&lt;p&gt;Platform single sign-on (SSO) now lets you &lt;strong&gt;create local user accounts on a shared Mac&lt;/strong&gt; using credentials from the Identity Provider (IdP).&lt;/p&gt;

&lt;p&gt;Finally, &lt;strong&gt;Managed Device Attestation&lt;/strong&gt; is now available on macOS and offers strong assurances about the security posture and properties of a device.&lt;/p&gt;

&lt;h2&gt;Useful updates to device and application connectivity&lt;/h2&gt;

&lt;p&gt;For an alternative to VPN, you can now use a new &lt;strong&gt;built-in relay&lt;/strong&gt; to secure traffic using an HTTP/3 or HTTP/2 tunnel. The configuration is domain-based and can be applied to managed apps, domains, or the entire device.&lt;/p&gt;

&lt;p&gt;Apple has also expanded &lt;strong&gt;802.1X support for Ethernet&lt;/strong&gt;, which previously was only supported for macOS, allowing you to connect an iPhone, iPad&amp;nbsp;or Apple TV&amp;nbsp;to a restricted network&amp;nbsp;that requires authentication without needing to rely on Wi-Fi.&lt;/p&gt;

&lt;h2&gt;Finally – private network and network slicing support&lt;/h2&gt;

&lt;p&gt;Long-awaited support for &lt;strong&gt;private 5G and LTE networks&lt;/strong&gt; is finally here for iOS 17 and iPadOS 17.&lt;/p&gt;

&lt;p&gt;Administrators can activate private SIMs automatically when a device enters a geofence in order to &lt;strong&gt;prioritize cellular over Wi-Fi&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;And with &lt;strong&gt;5G network slicing&lt;/strong&gt;, mobile network operators can customize traffic through a 5G standalone network with specific quality-of-service requirements for network latency, throughput and packet loss.&lt;/p&gt;

&lt;h2&gt;Discovering new use cases for wearables in the workplace?&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Apple Watch&lt;/strong&gt;&amp;nbsp;is newly supported as a managed device. An Apple Watch that is paired to a Supervised iPhone can now be enrolled and managed with watchOS 10 – with the very important requirement&amp;nbsp;that declarative management configuration must be enabled.&lt;/p&gt;

&lt;h2&gt;Planning ahead for this fall’s OS updates&lt;/h2&gt;

&lt;p&gt;Ivanti is actively testing the betas of iOS 17 and macOS 14 to make sure you can take advantage of these new features for a better end-user experience and streamlined IT processes.&lt;/p&gt;

&lt;p&gt;Look out for communication on compatibility as we plan for &lt;strong&gt;day zero support&lt;/strong&gt; for Ivanti products.&lt;/p&gt;
</description><pubDate>Tue, 25 Jul 2023 19:51:36 Z</pubDate></item></channel></rss>