Reenroll devices in MDM

Users can enroll devices in an MDM solution in three ways: Automated Device Enrollment, Device Enrollment, and User Enrollment. When you migrate from one MDM solution to another, the steps are slightly different for each enrollment method.

After their new MDM solution has been configured, users can unenroll their devices from the old MDM solution. Before they unenroll, the reenrollment process should be thoroughly tested.

Automated Device Reenrollment

Automated Device Enrollment is designed for devices owned by the organization.

iPhone, iPad, and Apple TV devices: Requires that the device go through Setup Assistant, and so it must be erased before reenrollment. The MDM server assignment in Apple School Manager or Apple Business Manager should be set before the device is erased. This also erases all data on the device, so if any files on the device that are important to the user, they should be copied off the device so they can be restored later.
Apple Watch: Paired and managed Apple Watch devices are unpaired and reset when the MDM profile is removed.
Mac computers: If the Mac appears in Apple School Manager or Apple Business Manager, the following command can be issued on the Mac to reenroll in a new MDM solution:
sudo profiles renew -type enrollment
After reenrollment, the Mac is supervised.

Important: When you restore from a backup onto the same iPhone or iPad, your backup’s supervision state is restored. If you restore from a backup onto a different iPhone or iPad, your supervision state comes from Apple School Manager, Apple Business Manager, or Apple Business Essentials.

Device reenrollment with Mac computers

How you reenroll a Mac varies depending on the following factors:

Removable profile: The user can remove the profile by going to System Settings (macOS 13 or later) or System Preferences (macOS 12.0.1 or earlier), choosing Profiles, and clicking the Remove button (-) when the current MDM profile is selected.
Nonremovable profile: The profile must be removed by MDM, or the Mac must be erased. After the profile is removed or the device is erased, the device can be manually enrolled in the new MDM solution.

Note: If the Mac is using macOS 11 or later, it’s supervised when manually enrolled into MDM.

Device reenrollment with iPhone, iPad, and Apple Vision Pro

For iPhone, iPad, and Apple Vision Pro reenrollment, if the MDM profile is marked as removable by the end user, the user can remove the profile by navigating to Settings > General > VPN & Device Management, selecting the MDM profile, and tapping Remove Management. If the device is supervised, supervision is retained when reenrolling the device into MDM.
Note: Paired and managed Apple Watch devices are unpaired and reset when the MDM profile is removed.
Nonremovable profile: The profile must be removed by MDM, or the device must be erased. After the profile is removed or the device is erased, the device can be manually enrolled in the new MDM solution.

Important: When you unenroll devices from your current MDM solution, all Managed Apps and their data may be removed from the device. (MDM administrators can set the option to remove Managed Apps when the device is unenrolled.) To prevent data loss, make sure data from Managed Apps is backed up so it can be restored later. See the Apple Support article Back up and restore documents and data from Managed Apps.

Device reenrollment with Apple TV

For Apple TV reenrollment, after the MDM profile is removed, the device can be manually enrolled in the new MDM solution. To manually reenroll in tvOS 15 or later, navigate to Settings > General > Privacy, hover over Share Apple TV Analytics, press Play/Pause, then enter the URL of the enrollment profile.

User reenrollment

Devices enrolled by the user don’t have to be erased.

Helpful?

Apple Platform Deployment