In a prior blog post, we talked about a client of ours that was moving from Workspace ONE to InTune, and we mentioned the use of EBF’s On-Boarder tool as a way to prevent users from having to factory reset their devices. The EBF tool has been such a success that we wanted to highlight specifically how it works and what it does. Since we typically use the tool for migrations to InTune, that’ll be our focus today.
The tool is extremely easy to get started, and offers a simple trial that allows testing of up to 20 devices. Once the account is set up, you just need to create a migration.
The EBF On-Boarder requires connectivity into the source and destination MDMs. For WorkspaceONE, that entails setting up a console admin with specific rights and assigning a REST API key for that user to use. For InTune, the account must have certain admin roles, and a global admin must accept the app integration.
All that information is then input into migration wizard. In the last step, you can choose which devices to migrate, either by selecting the target organization or assignment group in Workspace ONE. You can further filter this list with a CSV upload either explicitly whitelisting or blacklisting devices.
Once the migration is created, all you have to do is send the invitations to the devices. These can be emails, push notifications, or both. The invitation includes a link the user will tap to begin the migration process.
From the user’s perspective, while there are a number of steps, they’re pretty straightforward and easy to follow. The On-Boarder will go through a process of removing the device from the existing MDM without triggering a factory reset, then it will have the user enroll into InTune. The key thing about this process is that it retains the Supervised status of DEP/ADE devices. EBF has a great video that shows the whole process from start to finish:
TIPS & TRICKS
For many of our clients’ users, iOS devices don’t have iCloud accounts and are not set up to download apps directly from the App Store, so to avoid issues when the On-Boarder redirects the user to the InTune Company Portal record in the App Store we typically push the app via the old MDM and disable the “remove on unenroll” setting. With this setup, instead of users having to download and install the Company Portal, they simply see an “open” button in the App Store. This also helps to smooth the user experience considerably as they don’t have to locate the Company Portal on their device’s home screen.
One other thing to be aware of is your organization’s MFA configuration. If Authenticator is pushed as a managed app and is removed when the device is retired from the old MDM, users will need to re-setup the app by visiting https://aka.ms/mfasetup. They’ll also need to make sure they have a backup authentication like text or phone call in case they need to authenticate before the Authenticator app is re-setup. It may be helpful, at least during the migration, to modify your Azure AD policies to exempt InTune enrollment from MFA requirements.
IS IT WORTH IT?
While the On-Boarder isn’t cheap at $7.50 per device, many of our clients find the time savings and risk reduction for users who might have personal data on their device is well worth it. Because of how the MDM profiles work on a supervised device, you can’t back it up, factory reset, then restore while moving to a new MDM. The backup is in case something blows up and you have to revert to the old MDM config. To get things like photos and contacts to carry over, the user has to have an iCloud account and enable settings to sync that data to the cloud. For some users, this may mean they have to upgrade the storage to a paid level. Especially for non-technical users, the EBF On-Boarder removes the need for this process and can save a lot of trouble.
If you’re a Microsoft365 shop with over 300 users, you’re probably using E3/E5 licenses, which include InTune. While InTune isn’t the right fit for every environment, there could be opportunities to cut license costs by moving your fleet over. Acuity can help with migrations like this – just get in touch with us.