
Fabian Tech Tips

Migrating Users to New iPhones with Intune: A Comprehensive Guide
Feb 2
With the increasing reliance on iPhones in the modern workplace, migrating users to new devices can be a daunting task for IT departments. The sheer volume of devices, coupled with the need to maintain data security and user productivity, presents a significant challenge. Fortunately, Microsoft Intune offers a comprehensive solution to streamline and secure this process. This guide provides a detailed plan and best practices for migrating users to new iPhones using Intune, ensuring a smooth, efficient, and secure transition.
Prerequisites for Migration
Before embarking on the migration journey, it's crucial to lay the groundwork by ensuring the following prerequisites are in place:
| Prerequisite | Description |
| --- | --- |
| Microsoft Endpoint Manager (Intune) environment | An active Intune environment with the MDM authority set to Intune is essential for managing iOS devices [1]. |
| Apple Business Manager (ABM) account | ABM is crucial for procuring and managing Apple devices in bulk. Link your ABM account to your Intune environment to facilitate automated device enrollment and streamline the migration process [1]. |
| Apple MDM push certificate | Obtain and configure an Apple MDM push certificate to establish a secure connection between Intune and Apple devices for management and communication purposes [2]. |
| Enrollment profile | Create and configure an enrollment profile in Intune to define the enrollment experience for users, including authentication methods, device restrictions, and user affinity settings [2]. |
| Device licenses | Assign the necessary Intune licenses to users to enable device management and access to corporate resources [3]. |
| Application inventory | Compile a list of authorized applications required by users on their new iPhones. This inventory will guide app deployment and configuration during and after migration [4]. |
| Device configuration profile | Define and configure device settings, such as passcode requirements, Wi-Fi configurations, and VPN settings, through a device configuration profile in Intune [5]. |
Configuration Review
In addition to the technical prerequisites, it's essential to review existing configurations for compatibility with Intune. This includes evaluating email clients, collaboration tools, and any other applications or settings that might be affected by the migration to Intune management [6].
Migration Methods for iOS Devices in Intune
Intune provides a range of methods for enrolling and migrating iOS devices, each tailored to different scenarios and organizational needs:
Automated Device Enrollment (ADE): ADE, formerly known as Apple Device Enrollment Program (DEP), is the gold standard for seamless iPhone deployments. It allows for zero-touch deployment, where devices purchased through ABM are automatically enrolled in your Intune environment during the initial setup. This simplifies the process significantly for both users and IT administrators [7].
ADE offers different modes, including User Affinity and Userless, each with its own implications for how devices are associated with users and managed. User Affinity mode links the device to a specific user, while Userless mode allows devices to be shared or used by multiple users without requiring individual user assignment [7].
Apple Configurator: For devices not purchased through ABM, Apple Configurator provides a way to prepare and enroll devices in bulk. This method involves using a Mac computer with the Apple Configurator app to supervise and configure devices before they are handed to users. Apple Configurator can also be used to add existing devices to ABM, but this requires resetting the devices to factory settings [8].
User-initiated enrollment: In bring-your-own-device (BYOD) scenarios, where users enroll their personal iPhones for access to corporate resources, user-initiated enrollment is the preferred method. Users can enroll their devices themselves through the Company Portal app or a web browser [8].
Steps Involved in Migrating Users to New iPhones
With the prerequisites in place and the migration method chosen, the next step is to execute the migration process. Here's a breakdown of the key steps involved:
Prepare the new iPhones: If using ADE, ensure the devices are assigned to your ABM account and linked to your Intune environment. For other enrollment methods, prepare the devices according to the chosen method (e.g., using Apple Configurator) [7].
Back up data on old iPhones: Instruct users to back up their data from their old iPhones using iCloud or iTunes. This ensures data preservation during the transition. It's important to note that the content of backups may vary depending on the enrollment method used for the old iPhones (User Enrollment, Device Enrollment, or Automated Device Enrollment) [9]. Also, consider the time elapsed since the last backup and the potential implications of restoring to an older state [11].
Retire old iPhones from Intune: Remove the old iPhones from Intune management to prevent conflicts and ensure a clean migration. This can be done through the Intune portal [12].
Enroll new iPhones in Intune: Guide users through the enrollment process on their new iPhones. This may involve using the Company Portal app, Apple Configurator, or Setup Assistant, depending on the chosen enrollment method [2]. To enhance the enrollment experience, consider using Guided Access mode, which keeps the device in single app mode until the Company Portal app is installed. This ensures users complete the enrollment process without distractions [7].
Restore data to new iPhones: Once enrolled, users can restore their data from their backups to their new iPhones [10]. In addition to restoring from iCloud or iTunes backups, users can also use iCloud to transfer data directly from their old iPhone to their new one [11].
Deploy and configure apps: Deploy the necessary applications to the new iPhones using Intune. This can be done through app assignments, app configuration policies, and app protection policies [2].
Enforce compliance policies: Ensure the new iPhones comply with organizational security and configuration standards by enforcing compliance policies [5].
Enable Conditional Access: Protect corporate resources by enabling Conditional Access policies that require device compliance and user authentication [8]. Intune offers various Conditional Access grant controls, such as:
Require device to be marked as compliant: This ensures that only devices meeting your compliance policies can access corporate resources.
Require approved client app: This restricts access to corporate data to only approved applications, enhancing data security.
Require app protection policy: This enforces app protection policies on managed apps, even on unmanaged devices, providing an extra layer of data protection.
When configuring Conditional Access policies, it's crucial to exclude a break-glass account to prevent accidental lockout and ensure that administrators can always access resources [4].
Verify migration success: Confirm that users can access corporate resources and apps on their new iPhones. Monitor device compliance and address any issues that arise [12].
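The Conditional Access step above can be checked after the policies are in place. The following is an added example, not part of the original guide: it audits policies exported as JSON for the three grant controls listed and for the break-glass exclusion. Property and enum names follow the Microsoft Graph conditionalAccessPolicy resource; the sample policies, the placeholder account ID and the function names are assumptions.

```python
# Added example: audit exported Conditional Access policies for iOS coverage.
# Policies and the object ID are constructed sample data, not real tenant values.
BREAK_GLASS_ID = "11111111-1111-1111-1111-111111111111"  # placeholder object ID

# Graph names for: compliant device, approved client app, app protection policy.
DEVICE_OR_APP_CONTROLS = {"compliantDevice", "approvedApplication", "compliantApplication"}

def _policy(name, state, exclude_users, controls, platforms=None):
    """Build a constructed policy shaped like a Graph conditionalAccessPolicy."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": exclude_users},
            "platforms": {"includePlatforms": platforms} if platforms else None,
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }

SAMPLE_POLICIES = [
    _policy("iOS - compliant device", "enabled", [BREAK_GLASS_ID], ["compliantDevice"], ["iOS"]),
    _policy("iOS - app protection", "enabled", [], ["compliantApplication"], ["iOS"]),
    _policy("All - MFA only", "enabledForReportingButNotEnforced", [BREAK_GLASS_ID], ["mfa"]),
    _policy("Windows - compliant", "enabled", [], ["compliantDevice"], ["windows"]),
]

def applies_to_ios(policy):
    """A policy with no platform condition applies to every platform."""
    platforms = policy["conditions"].get("platforms") or {}
    included = platforms.get("includePlatforms") or []
    if "iOS" in (platforms.get("excludePlatforms") or []):
        return False
    return not included or "iOS" in included or "all" in included

def audit(policies, break_glass_id):
    """Return (policy name, finding) pairs for policies that reach iOS devices."""
    findings = []
    for p in policies:
        if not applies_to_ios(p):
            continue
        name = p["displayName"]
        # Assumption: the break-glass account is excluded directly, not via a group.
        excluded = p["conditions"].get("users", {}).get("excludeUsers") or []
        if break_glass_id not in excluded:
            findings.append((name, "break-glass account not excluded"))
        if p["state"] != "enabled":
            findings.append((name, "not enforced: " + p["state"]))
        controls = set((p.get("grantControls") or {}).get("builtInControls") or [])
        if not controls & DEVICE_OR_APP_CONTROLS:
            findings.append((name, "no device or app grant control"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES, BREAK_GLASS_ID):
        print(f"{name}: {finding}")
```

A tenant that excludes its break-glass account through a group would need the same check against `excludeGroups`.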
Best Practices for Migration
To ensure a smooth and successful migration, consider the following best practices:
Plan and communicate effectively: Develop a detailed migration plan with clear timelines and communicate it effectively to users. This minimizes disruption and ensures a smooth transition. Establish clear cut-off dates for each migration phase or for the overall migration, and communicate these dates clearly to users. This helps manage expectations and ensures a timely completion of the migration [6].
Use automated enrollment: Leverage ADE to simplify the enrollment process and reduce manual effort [7].
Prioritize security: Enforce strong passcode policies, device encryption, and compliance policies to protect corporate data on iPhones [4].
Configure device restrictions: Use device restriction policies to control features and functionalities on iPhones, such as camera access, app installation, and data sharing [5].
Deploy essential apps: Prioritize the deployment of essential apps to ensure users can access critical tools and resources immediately after migration [2].
Provide user support: Offer comprehensive user support throughout the migration process. This includes providing clear instructions, troubleshooting guides, and help desk assistance [4].
Conduct pre-migration testing: Before migrating all users, conduct thorough pre-migration testing with a pilot group of users. This helps validate enrollment success rates, user productivity, data security, and app accessibility, allowing you to identify and address potential issues early on [12].
Monitor and optimize: Continuously monitor device performance, compliance, and app usage after migration. Optimize configurations and policies as needed to enhance security and user experience [13].
Troubleshooting Common Issues
While Intune simplifies the migration process, some common issues may arise:
Enrollment failures: These can occur due to various reasons, such as:
Incorrect enrollment profiles
Network connectivity problems
Issues with the Apple MDM push certificate
Troubleshooting steps may involve verifying configurations, checking network connectivity, and reviewing Intune logs [14].
Data restoration problems: Issues with data restoration can arise from:
Corrupted backups
Insufficient iCloud storage
Conflicts with the old MDM profile, especially if the previous EMM vendor locked the management profile on the device.
Solutions may include ensuring backups are valid, increasing iCloud storage, or removing the old MDM profile before restoring [11].
App deployment errors: App deployment errors can occur due to:
Licensing issues
App compatibility problems
Incorrect app configurations
Troubleshooting steps may involve verifying app licenses, checking app compatibility with iOS versions, and reviewing app configuration policies [10].
Compliance policy violations: If devices violate compliance policies, investigate the cause and remediate the issue. This may involve updating device settings, installing security updates, or addressing configuration problems [8].
Troubleshooting Intune iPhone migrations can be tricky, but here's a breakdown of common issues and how to fix them:
1. Enrollment Failures
Cause: Incorrect enrollment profiles, network connectivity problems, issues with the Apple MDM push certificate 1.
Solution: Verify the enrollment profile settings in Intune, ensure the device has a stable network connection, and check the validity and configuration of the Apple MDM push certificate.
2. Data Restoration Problems
Cause: Corrupted backups, insufficient iCloud storage, conflicts with the old MDM profile 2.
Solution: Ensure backups are not corrupted and that there's enough iCloud storage. If the old device was managed by another MDM, ensure its profile is removed before restoring to avoid conflicts. Consider using iCloud sync instead of full device backups to avoid restoring old management states 2.
3. App Deployment Errors
Cause: Licensing issues, app compatibility problems, incorrect app configurations 1.
Solution: Verify app licenses in Intune, ensure app compatibility with the iOS version on the new iPhone, and double-check app configuration policies for any errors.
4. Compliance Policy Violations
Cause: Devices not meeting the defined security and configuration standards 1.
Solution: Investigate the cause of the violation. This may involve updating device settings, installing security updates, or addressing configuration problems.
5. "Device Not Registered" Error
Cause: This can occur even if the device seems to enroll correctly 3.
Solution: Try un-enrolling the device from the Company Portal, uninstalling the Company Portal app, deleting the device in Azure AD, updating to the latest iOS version, and re-enrolling. If the issue persists, a factory reset might be necessary.
6. Issues with Office settings
Cause: Some Office settings in the settings catalog might not automatically enable the parent setting 1.
Solution: Ensure that the parent setting is enabled for the relevant Office settings in the settings catalog.
7. Users signed out of managed iOS Office apps
Cause: An issue with app protection policies (APP/MAM) can cause users to be signed out of all Office mobile apps when they sign out of a single Office app 1.
Solution: Be aware of this potential issue and inform users that they may need to re-authenticate to Office apps. Monitor for any authentication loops and report the issue to Microsoft.
8. Inaccurate app install status
Cause: The app install lifecycle or app install history status might be inaccurate 1.
Solution: Be aware of this potential issue and verify app installation status directly on the device if needed.
9. Password reset issues with iOS 13+ devices
Cause: A known issue where some iOS 13+ devices do not return the token needed for password resets 1.
Solution: Ensure devices are updated to iOS 13.3.1 or higher. Note that updating alone might not fix already-enrolled devices.
10. Profile error enrolling iOS devices with Apple Configurator
Cause: An invalid enrollment URL can cause a profile error when enrolling iOS devices with Apple Configurator 1.
Solution: Verify the enrollment URL in the Apple Configurator settings and ensure it is correct.
11. Certificate-based authentication issues with certain VPN clients
Cause: Pulse Secure VPN client for iOS version 7.0 and Check Point Capsule Connect version 1.600 for iOS have issues with certificate-based authentication 1.
Solution: Be aware of this issue if using these VPN clients. Consider using alternative VPN clients or authentication methods.
Remember to consult Microsoft's official documentation and support resources for the latest information and troubleshooting guidance.
Source URLs for the troubleshooting content:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/known-issues
https://www.algiz-technology.com/top-10-intune-mistakes-and-how-to-fix-them
Post-Migration Tasks
After successfully migrating users to their new iPhones, the journey doesn't end there. Here are some essential post-migration tasks to consider:
App deployment and configuration: Continue deploying and configuring applications based on user needs and organizational requirements. Intune allows you to manage the entire application lifecycle, including the patch cycle, streamlining app management from deployment to updates [4]. If you are using on-premises build agents, remember to clear their cache to avoid build issues related to older TFVC or Git pointers [16].
Policy optimization: Review and optimize device configuration profiles, compliance policies, and Conditional Access policies to ensure they align with security best practices and user experience goals [13].
User feedback and support: Collect user feedback on the migration process and provide ongoing support for any issues or questions [17].
Monitoring and reporting: Monitor device compliance, app usage, and security posture through Intune reports and dashboards [18].
Continuous improvement: Continuously improve the migration process based on user feedback, monitoring data, and evolving organizational needs [19].
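One way to run the compliance monitoring described above, and to confirm that old iPhones were actually retired, is to classify each user from a device export. This is an added example, not part of the original guide: property names follow the Microsoft Graph managedDevice resource, while the cut-off date, users, devices and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical cut-off: devices enrolled on or after this date count as "new".
CUTOVER = datetime(2025, 3, 1, tzinfo=timezone.utc)

def _row(upn, name, state, enrolled, os_name="iOS"):
    """Build a constructed record using Graph managedDevice property names."""
    return {"userPrincipalName": upn, "deviceName": name, "operatingSystem": os_name,
            "complianceState": state, "enrolledDateTime": enrolled}

# Constructed sample export; none of these users or devices are real.
DEVICES = [
    _row("ana@example.com", "Ana iPhone 12", "compliant", "2023-05-10T09:00:00Z"),
    _row("ana@example.com", "Ana iPhone 16", "compliant", "2025-03-04T08:30:00Z"),
    _row("ben@example.com", "Ben iPhone 16", "noncompliant", "2025-03-05T10:15:00Z"),
    _row("cho@example.com", "Cho iPhone 11", "compliant", "2022-11-20T14:00:00Z"),
    _row("dev@example.com", "Dev iPhone 16", "compliant", "2025-03-02T12:00:00Z"),
    _row("dev@example.com", "Dev tablet", "compliant", "2024-01-01T00:00:00Z", "Android"),
]

def _enrolled(device):
    """Parse the ISO 8601 enrollment timestamp as a timezone-aware datetime."""
    return datetime.fromisoformat(device["enrolledDateTime"].replace("Z", "+00:00"))

def migration_status(devices, cutover):
    """Map each user with an enrolled iOS device to a migration status."""
    by_user = defaultdict(list)
    for d in devices:
        if d["operatingSystem"] == "iOS":  # other platforms are out of scope here
            by_user[d["userPrincipalName"]].append(d)

    report = {}
    for user, devs in by_user.items():
        new = [d for d in devs if _enrolled(d) >= cutover]
        old = [d for d in devs if _enrolled(d) < cutover]
        if not new:
            report[user] = "not migrated"
        elif any(d["complianceState"] != "compliant" for d in new):
            report[user] = "new device not compliant"
        elif old:
            # The retire step was skipped: the old iPhone is still managed.
            report[user] = "old device still enrolled"
        else:
            report[user] = "migrated"
    return report

if __name__ == "__main__":
    for user, status in sorted(migration_status(DEVICES, CUTOVER).items()):
        print(f"{user}: {status}")
```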
Conclusion
Migrating users to new iPhones with Intune can be a seamless and efficient process with proper planning, configuration, and execution. By following the detailed plan and best practices outlined in this guide, organizations can ensure a smooth transition for users while maintaining a secure and productive mobile environment. Intune simplifies device enrollment, enhances security through robust policies and Conditional Access, and streamlines app management throughout the entire lifecycle. This not only improves the user experience but also leads to potential cost savings and efficiency gains for the organization.
Works cited
1. Migrate Corporate Apple's ADE/DEP devices between MDM Servers - Hubert Maslowski, accessed on February 2, 2025, https://hmaslowski.com/all-my-posts/f/migrate-corporate-apple-adedep-devices-between-mdm-server?blogcategory=Citrix
2. The Ultimate Guide to Managing Apple Devices in Microsoft Intune - YouTube, accessed on February 2, 2025, https://www.youtube.com/watch?v=nDL-B9LPk8k
3. Transferring Intune iOS devices from one user to another - Microsoft Q&A, accessed on February 2, 2025, https://learn.microsoft.com/en-us/answers/questions/676637/transferring-intune-ios-devices-from-one-user-to-a
4. How to secure devices in Intune | Top Tips - T-Minus 365, accessed on February 2, 2025, https://tminus365.com/how-to-secure-devices-in-intune-top-tips/
5. Deployment guide to manage iOS/iPadOS devices in Microsoft Intune, accessed on February 2, 2025, https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-platform-ios-ipados
6. Navigating the Migration to Microsoft Intune with Netwoven, accessed on February 2, 2025, https://netwoven.com/cloud-infrastructure-and-security/navigating-migration-to-microsoft-intune/
7. iOS Device Management via Microsoft Intune using Apple Business Manager (ABM)/Apple School manager(ASM)- Full Guide - EverythingAboutIntune, accessed on February 2, 2025, https://everythingaboutintune.com/2024/03/ios-device-management-via-microsoft-intune-using-apple-business-manager-abm-apple-school-managerasm-full-guide/
8. Intune iOS/iPadOS Management In a Nutshell - Argon Systems, accessed on February 2, 2025, https://argonsys.com/microsoft-cloud/library/intune-ios-ipados-management-in-a-nutshell/
9. Back up and restore managed devices - Apple Support, accessed on February 2, 2025, https://support.apple.com/guide/deployment/back-up-and-restore-managed-devices-depd44f045b4/web
10. iPhone migration : r/Intune - Reddit, accessed on February 2, 2025, https://www.reddit.com/r/Intune/comments/yf17j8/iphone_migration/
11. Back up and restore iOS/iPadOS - Microsoft Intune, accessed on February 2, 2025, https://learn.microsoft.com/en-us/mem/intune/enrollment/backup-restore-ios
12. Migration guide: Set up or move to Microsoft Intune, accessed on February 2, 2025, https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-intune-setup
13. The Comprehensive Application Migration Checklist | 2025 - LitExtension, accessed on February 2, 2025, https://litextension.com/blog/application-migration-checklist/
14. Intune Migration Troubleshooting: Part 2 - YouTube, accessed on February 2, 2025, https://www.youtube.com/watch?v=3gXVI0fzuV8
15. MDM migration to Microsoft Intune - Apple Communities, accessed on February 2, 2025, https://discussions.apple.com/thread/254963593
16. Complete post migration tasks - Azure DevOps | Microsoft Learn, accessed on February 2, 2025, https://learn.microsoft.com/en-us/azure/devops/migrate/migration-post-migration?view=azure-devops
17. Application migration: a step-by-step guide - Deviniti, accessed on February 2, 2025, https://deviniti.com/blog/software-engineering/application-migration-step-by-step-guide/
18. Cloud Performance Optimization Post-Migration: 10 Best Practices - Coherence, accessed on February 2, 2025, https://www.withcoherence.com/articles/cloud-performance-optimization-post-migration-10-best-practices
19. Ultimate 19-Step Application Migration Checklist - Faddom, accessed on February 2, 2025, https://faddom.com/ultimate-19-step-application-migration-checklist/