Many of our Microsoft-based clients are increasingly exploring options to migrate their fleet to Intune. Most organizations (of 300+ users) on an E3/E5 license plan are already paying for Intune, and in many cases they’ve already adopted it for their Win10 devices. While migrating to a new MDM is a very heavy lift, for some companies the prospect of reduced ongoing license fees is worth it.
One of our clients was just in this boat. They had an established Workspace ONE environment containing iOS and Android consumer devices as well as Android and Windows Mobile rugged devices. They were looking to reduce costs and wanted to look into Intune.
We had gone down this road with them before. We conducted a pilot a year or two prior and had concluded that Intune simply didn’t have the capabilities needed for their environment. The biggest issue at that time was that Intune could not perform in-place updates to mobile apps without losing app data. This was an issue for this client since one of their main line-of-business apps functioned offline until the user explicitly synced with the server.
Intune has progressed, though. Many of the initial issues we identified have been resolved, leaving one deal-breaker for their Android fleet. This client utilizes line-of-business apps that are distributed as direct APK installs on their Android Enterprise Work Managed fleet via Workspace ONE. Intune does not support this kind of install. All internal or line-of-business apps must be distributed via the Enterprise Play Store.
Unfortunately, for this client, many of the internal apps they use are provided by third-party developers to multiple organizations. The APKs are all the same, with the same app ID, and the Enterprise Play Store is just a walled-off section of the public Play Store, so as soon as one organization puts the app in there, that app ID is claimed, so to speak, and can’t be put into any other Enterprise Play Store. Big problem.
What we decided to do was segment their environment by platform. They would transition their iOS devices to Intune and leave their Android devices in Workspace ONE until the app vendors could set up private distribution via their Play Store instance. They needed to keep Workspace ONE for the rugged devices anyway, so this wasn’t that big of a deal.
Next was the part that is a big deal – how do you move several thousand supervised iOS devices from one MDM to another? The brute-force route, appropriate for devices that don’t have any personal use, is to modify the MDM profile in DEP/ADE and either have the user factory reset or initiate the factory reset from Workspace ONE.
Many executives are iOS users, and losing text messages and other phone data simply wasn’t an option. You also can’t restore from backup during this process since the backup includes the MDM profile. For these users, we decided to utilize the EBF On-Boarder, a tool that can move a Supervised iOS device from one MDM to another without requiring a factory reset and without losing the device’s data. It can be a cumbersome process. There are some tricks to making it work seamlessly, and it does result in managed apps and profiles being removed during the transition, but it’s often preferable to a factory reset.
As we started to plan the project, we also decided to use the opportunity to conduct a health check on their Workspace ONE environment. This not only let us clean up old configs and improve the grouping strategies, it also ensured that we weren’t just replicating outdated or inefficient configurations into Intune. In the end, the client came away with a well-refined Workspace ONE environment and a smooth transition to Intune. As their Android line-of-business app situation improves later this year, we’ll be completing the migration by moving the Android devices over, ultimately saving them somewhere around $115K a year on Workspace ONE licensing. Mobility is complex. Our job is to simplify it.