
Streamline MDM Migration with the Kandji Migration Agent

Kandji Team

Kandji's recent Demo Day focused on the Kandji Migration Agent, a powerful tool designed to streamline the process of moving Mac computers from existing MDM solutions to Kandji. In this article, we'll review topics covered in the Demo Day, including why migration has traditionally been challenging, how the Migration Agent works, and best practices for a successful migration. At the close, we'll highlight questions and answers from our expert team provided during the live Q&A.

Introducing the Kandji Migration Agent

The Kandji Migration Agent is a specialized tool that simplifies migrating Mac computers from a customer’s current MDM solution into Kandji. Custom-engineered for each customer's specific needs, it automates as much of the process as possible while guiding users through the minimal steps required by Apple's security framework.

If you're currently managing your Apple computers with another MDM solution, the Kandji Migration Agent offers a streamlined path to Kandji without the traditional headaches of migration. The tool is deployed from your existing MDM and reduces user interaction to just a few clicks, making the transition smooth for administrators and end users.

Before we dive into specific features, here are a few essential terms and definitions to help you understand how the Kandji Migration Agent works:

  • MDM Migration refers to the process of moving devices from one Mobile Device Management solution to another, which requires removing the old MDM profile before installing the new one.
  • Automated Device Enrollment (ADE) is a type of MDM enrollment reserved for corporate computers registered in Apple Business Manager or Apple School Manager. It can grant a special status to the MDM profile so that it is non-removable, even by administrators.
  • Manual Enrollment is used for devices not in Apple Business Manager and typically involves the user manually downloading and installing an MDM profile.
  • FileVault Recovery Key is a unique key generated during the enablement of Apple’s FileVault full disk encryption. It is usually stored in an MDM solution and needs to be regenerated when moving MDMs.

Overall, the Kandji Migration Agent minimizes disruption to IT teams and users by streamlining and automating much of the device migration process.

Key Features of the Migration Agent

Instead of requiring IT teams to coordinate the migration process and troubleshoot enrollment issues manually, the Migration Agent handles the technical details automatically. It detects when existing management is removed, guides users through enrollment, and ensures a smooth transition with minimal administrator intervention.

Plus, the tool is intelligent enough to determine the best enrollment method for each computer, whether it's registered in Apple Business Manager or needs manual enrollment. This ensures that devices follow the optimal path into Kandji management with a consistent user experience.

Features

  • Personalized migration: The Migration Agent is fully customized to meet your specific MDM migration needs. Our engineers will work with you until every Mac computer is enrolled in Kandji.

  • Seamless workflow: The Migration Agent installs via your existing MDM, waits for management removal, then guides users through Kandji enrollment with minimal interaction required.

  • Intelligent enrollment detection: The tool automatically selects the best enrollment method (Automated Device Enrollment or manual enrollment) based on device eligibility, ensuring optimal management capabilities.

  • Persistent enrollment prompts: If users dismiss enrollment notifications, the Migration Agent checks every five minutes and provides reminders until the process is completed.

  • FileVault key regeneration: Ensures security continuity by automatically prompting users to regenerate FileVault recovery keys after enrollment.

  • Non-admin user support: Modifies the authorization database to allow standard users to complete enrollment without requiring full administrator rights.

  • Unlimited support: When migrating to Kandji, you'll have unlimited access to support engineers via chat and email, with guidance on best practices and troubleshooting assistance.

How Does the Migration Agent Compare to Manual Migration?

Traditional migration approaches rely on highly technical, manual processes that increase the burden on both IT administrators and users. This approach typically results in extended periods without management, inconsistent enrollment experiences, and significant troubleshooting requirements.

At Kandji, we believe you shouldn't have to choose between a smooth migration and maintaining security. Our Migration Agent is designed to support complex migration scenarios while eliminating the chaos and friction that typically come with MDM transitions.

That's what makes the Kandji Migration Agent so valuable. It empowers IT teams to move faster, reduce migration-related tickets, and maintain strong security while providing a consistent user experience.

This becomes especially clear in a comparison between using the Migration Agent and traditional manual migration methods.

Migration Process with Kandji

Using the Kandji Migration Agent, the process can be completed in less than three minutes per user, with devices appearing in Kandji immediately. During our recent Demo Day webinar, Principal Solutions Engineer Jim Quilty walked through the migration process outlined below:

  1. Preparation: Receive your custom Migration Agent package after becoming a Kandji customer
  2. Deployment: Deploy the Migration Agent through your existing MDM or deployment tool
  3. MDM Removal: Remove existing management through your current MDM's unenroll command
  4. Automated Enrollment: Migration Agent detects management removal and guides users through Kandji enrollment
  5. Completion: Devices are enrolled in Kandji and start receiving configured policies
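
To track which stage of the process above each Mac is in, and to spot devices sitting unmanaged between steps 3 and 4, an administrator can classify the output of `profiles status -type enrollment` and `fdesetup status`. This is an added example, not code from Kandji or the Migration Agent; the output line shapes are assumed from recent macOS versions, and the hostnames and sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not Kandji code. Classifies where a Mac is in the migration
# from the text printed by:  profiles status -type enrollment  and  fdesetup status
# Output line shapes are assumed from recent macOS; hostnames are constructed.

# field <text> <label>: print the value that follows "<label>: " in <text>
field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# migration_state <enrollment-text> <fdesetup-text> <new-mdm-host>
migration_state() {
    mdm=$(field "$1" "MDM enrollment")
    dep=$(field "$1" "Enrolled via DEP")
    server=$(field "$1" "MDM server")

    case $2 in
        *"FileVault is On"*)  fv=on ;;
        *"FileVault is Off"*) fv=off ;;
        *)                    fv=unknown ;;
    esac

    case $mdm in
        No*) state=UNMANAGED ;;   # old profile removed, new one not installed yet
        Yes*)
            case $server in
                *"://$3/"*|*"://$3")
                    case $dep in
                        Yes*) state=ENROLLED_ADE ;;
                        *)    state=ENROLLED_MANUAL ;;
                    esac ;;
                *) state=STILL_ON_OLD_MDM ;;
            esac ;;
        *) state=UNKNOWN ;;
    esac
    echo "$state fv=$fv"
}

# Constructed sample outputs for the three stages
SAMPLE_OLD='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://old-mdm.example.com/mdm/ServerURL'
SAMPLE_GAP='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_NEW='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://new-mdm.example.com/mdm/connect'

# On a Mac: migration_state "$(profiles status -type enrollment)" "$(fdesetup status)" new-mdm.example.com
```

A device reporting `fv=on` after enrollment is one whose FileVault recovery key regeneration still needs to be confirmed in the new MDM; the status text alone cannot show whether that has happened.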

Migration Considerations

Before starting your migration, our Solutions Engineers recommend addressing these key considerations:

  • Collect important secrets - Before migration, retrieve and store FileVault recovery keys, activation lock bypass codes, and other sensitive data from your existing MDM.

  • Test thoroughly - Run through the migration process with test devices to understand precisely what will happen and identify potential issues.

  • Prepare documentation - Create clear instructions for your users that outline precisely what they'll see and what actions they need to take.

  • Configure blueprints - Set up your Kandji blueprints before migration so that devices receive the proper configurations immediately upon enrollment.

  • Address approvals - Ensure that necessary approvals for privacy controls, system extensions, and other components are ready in Kandji.

  • Plan for network access - Consider how devices maintain network connectivity during the migration, especially if your current MDM deploys WiFi profiles.

What the Migration Agent Doesn't Do

To set clear expectations, it's essential to understand what the Migration Agent isn’t designed to do and where your IT team will need to step in:

  • Configuration migration - The Migration Agent does not automatically migrate configurations from your previous MDM to Kandji.

  • iOS device migration - The Migration Agent works exclusively with macOS devices. Contact Kandji for guidance on iPhone and iPad device migration.

  • Trial availability - The Migration Agent is custom-built for each customer and becomes available after purchase, not during trial periods.

  • Fully automated process - Due to Apple's security requirements, some user interaction is necessary to complete enrollment. As noted on our website, "Users must click to approve the installation of the MDM profile. This is by design from Apple."

Common Pitfalls and How to Avoid Them

Our Solutions Engineers have supported thousands of migrations and identified these common challenges to be aware of:

  • Insufficient testing - Failing to test the whole migration process before deployment to production can lead to unexpected issues that impact users.

  • Network modification tools - VPNs, proxies, and network filters may interfere with the enrollment process, especially after the old MDM is removed, and those tools might require re-approval.

  • WiFi profile removal - MDM-deployed WiFi profiles will be removed along with the old MDM, potentially affecting network connectivity during enrollment.

  • Broken MDM communication - Devices must communicate with the old MDM to receive the unenroll command; devices with broken communication may require additional remediation.

  • Inadequate user communication - Not explaining the process to users can result in delayed or incomplete enrollments.

Migration Agent Demo Q&A

  • Q: What happens if the user is not an admin during migration?
    A: The Migration Agent modifies the authorization database to grant specific permissions to install the MDM profile without requiring full administrator rights.

  • Q: Can the Migration Agent use the Jamf API to unenroll from MDM?
    A: While the Migration Agent focuses on enrollment into Kandji, we provide supplemental tools for many MDMs, including Jamf, to assist with the unenrollment process.

  • Q: We don't use Okta or a similar IdP - can that step be skipped for automatic enrollment?
    A: Yes, authentication during enrollment is optional. Any SAML provider can be used.

  • Q: Can you migrate Mac computers from Intune to Kandji while leaving Windows machines on Intune?
    A: Yes, the Migration Agent only works with Mac computers, so Windows devices will remain unaffected and can continue to be managed by Intune.

  • Q: What steps need to be completed before starting a migration?
    A: Kandji provides a comprehensive checklist for migration preparation, and your account team will work with you to ensure you're adequately prepared before beginning.

  • Q: How long does the migration process typically take?
    A: According to our Migration Agent page, "The migration process takes users less than three minutes; the device appears in Kandji immediately. The longest part of migration is testing and preparation; that time frame will vary by organization. Once Migration Agent is deployed, we typically find that organizations complete migration to Kandji within a few days."

Learn More About Kandji Migration

The Kandji Migration Agent makes moving devices to Kandji more seamless, automated, secure, and easier to manage. To learn more about the Migration Agent, visit our feature page or contact your Kandji representative for additional resources and documentation.

Don't just take our word for it. Here's what our customers say about migrating to Kandji:

"Kandji made the migration from our old MDM very straightforward, and the ongoing management of our entire fleet of devices something we barely need to think about."

— Dan B., IT Manager, Mid-Market (51-1000 emp.)

What's next? The next Kandji Demo Day will focus on Kandji Passport, our solution for identity-based login that simplifies the authentication experience while strengthening security. You can register for this event and future Demo Day events here.
