Apple @ Work: How to add an existing Mac to Apple Business Manager without wiping it

Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

Apple Business Manager (and Apple School Manager) is foundational to the modern Apple IT management experience. With that said, if a Mac isn’t in it, device management is a different ballgame. You might have a fleet of Macs that were purchased through a consumer channel or inherited from a company merger. If you want them in Apple Business Manager so you can use Automated Device Enrollment, you will generally need to wipe the device. What if you don’t want to? That’s where add2abm comes into play.

About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 1000s of Macs, and 1000s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.

What about Apple Configurator?

If you use Apple Configurator to add a Mac to your organization, you are traditionally forced to erase the entire machine. This is a non-starter for a device that is already in an employee’s hands. It requires a full backup, a complete wipe of the device, and a long morning of restoring data. add2abm is a potential solution for you.

It allows you to re-trigger the Setup Assistant on a Mac that is already configured without wiping any of the data on the hard drive. It works by temporarily removing the Apple setup flag and moving local user records so the system thinks it is brand new.

This is a major unlock for IT administrators who need to enable Automated Device Enrollment on hardware already in use by an employee. The entire process is fully reversible. You run the script to hide the users, add the Mac to your server using your iPhone, and then run the script again to put everything back exactly where it belongs.

How it works

The workflow requires physical access to the device and access to macOS Recovery, but here are the steps:

1. Shut down the Mac
2. Hold Touch ID/power button to boot into macOS Recovery
3. Authenticate as volume owner
4. Connect to the internet
5. Open Utilities
6. Open Terminal
7. Execute the script to back up user records and reboot
8. Unlock the disk upon boot, if encrypted
9. Proceed in the Setup Assistant to the Country & Region step
10. Bring the iPhone running Apple Configurator in close proximity to the Mac
11. Add the computer to the MDM server of choice in ABM/ASM
12. Shut down Mac on success
13. Hold Touch ID/power button to boot into Options (macOS Recovery) once again
14. Authenticate as volume owner
15. Connect to network (if not connected)
16. Open Utilities → Terminal (or use ⌘⇧T)
17. Execute the script again to restore user records from backup and reboot
18. Unlock disk upon boot, if encrypted
19. Agree to macOS Terms and Conditions
20. Log in to the local user account
21. Run sudo profiles renew -type enrollment (local admin account context required) in Terminal to force Automated Device Enrollment workflow from your MDM

After the final reboot, you will log in to the original user account. The data on the drive remains there, but the Mac is now officially recognized in Apple Business Manager and can be assigned to your device management server.

Wrap up

This tool is a significant win for Apple IT admins who have a mix of deployment modes. It eliminates the need to wipe a device just to get it into ABM. One thing to note: ensure the device is not under Find My on an Apple account. I’d love to see an officially supported (by Apple) method, but this will eliminate the need to restore the device. Check it out on GitHub.

Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.