Upgrading to Apple Business Manager from DEP & VPP

After the deprecation of the Device Enrollment Program (DEP), now known as Automated Device Enrollment (ADE), and the Volume Purchasing Program (VPP), their functions were migrated to Apple Business Manager. However, upgrading to Apple Business Manager isn’t a straightforward process, as it requires careful planning, role mapping, and token sequencing.

Upgrading to Apple Business Manager: A practical step-by-step

Despite unifying ADE and VPP, moving to Apple Business Manager demands careful coordination to prevent enrollment or licensing disruptions. This guide will walk you through the necessary migration steps to ensure a successful upgrade without compromising operational continuity.

📌 Prerequisites:

• Draft ABM location plan with admin and content manager roles defined
• Maintenance window for pilot migrations and token rotations
• Test devices representing each platform and ownership model
• Access to existing ADE and VPP accounts and their Apple IDs
• MDM server details and token renewal procedures

Step #1: Inventory and baseline your environment’s current state

Before proceeding with any upgrade procedure, it’s important to get an accurate picture of your existing ADE and VPP configurations. Creating a baseline prevents surprises, such as missing devices, misassigned licenses, and expired tokens, during the migration period.

Export ADE information

Collect ADE server details to see how devices route into your MDM, including active servers, device groups, and enrollment profiles. This data serves as your reference to accurately replicate valid configurations in Apple Business Manager. Additionally, this surfaces outdated or unused servers that don’t require migration.

Gather the VPP purchase and licensing history

Getting a view of your full purchase and licensing history ensures the following:

• No paid apps or licenses are lost during the transition
• Assigned licenses match the correct departments or sites
• Legacy Apple IDs tied to purchases are upgraded or retired

Record token expiration dates for ADE and VPP

Knowing when ADE and VPP tokens expire allows you to schedule token rotation within a controlled window. Additionally, it helps avoid accidental expiration during the migration process while preventing MDMs from suddenly losing enrollment or license sync.

Test enrollment and app installation success

Conduct a quick validation run across a few devices to confirm that the current environment is healthy before making changes. This prevents oversight of key migration workflows, such as failed enrollment or stuck VPP app installations, that can cause the migration to fail.

Step #2: Design your Apple Business Manager structure before migrating

A well-designed ABM structure streamlines your migration process while reducing the risk of post-migration issues, such as misrouted devices, role confusion, and licensing confusion.

Align ABM locations with purchasing and distribution needs

ABM utilizes locations to separate app licenses, purchasing processes, and device sets. Defining these locations ensures app licenses match the right departments, device groups remain accurate, and each location has clear ownership and visibility.

Assign roles per location

Proper role assignment prevents unauthorized changes and enhances accountability after migration.

Assign an owner for the following roles:

ABM Role Delegation Matrix

ABM Role	Primary Responsibility	Best Assigned To
Administrator	Global ABM setup, domain federation, role delegation.	IT Director / Lead SysAdmin
Device Enrollment Manager	Managing MDM server assignments and hardware routing.	MDM Administrator
Content Manager	Purchasing app licenses (Apps and Books) and tracking volume.	IT Procurement / Helpdesk Lead

Assign default MDM servers per location

Mapping each ABM location to a default MDM server ensures that new devices are automatically routed to the correct MDM. This helps you avoid manual corrective reassignments later. Additionally, it helps enrollment workflows stay consistent during the transition process.

Confirm email domains and federated auth settings

Check if you have the correct domain configurations for Managed Apple ID creation, role assignments, and SSO or federated identity workflows. Verifying domains ensures that identity conflicts, invalid Apple IDs, or authentication failures don’t occur during migration.

Important Note on Domain Federation: When you verify and federate your organization’s domain in ABM, any employees who previously created personal Apple IDs using their corporate email address will receive a notification from Apple. They will have 60 days to choose a new personal email address, after which Apple will automatically assign them a temporary username to free up the corporate email for Managed Apple ID creation.

Step #3: Upgrade and link legacy DEP and VPP accounts

Transferring devices, app licenses, and enrollment workflows from legacy accounts requires precision. If done incorrectly, it can cause missing licenses, duplicated Apple IDs, enrollment failures, or inconsistencies between ABM and your MDM.

Upgrading DEP to Apple Business Manager

Migrate your DEP account to ABM using the original Apple ID used to create it. To do this, verify using your organization’s DUNS number to confirm ownership and ensure Apple links the correct corporate record to your ABM instance.

Convert VPP accounts to Apps and Books

Transfer VPP accounts into Apps and Books by linking them to ABM. This ensures that all historical app licenses migrate accurately, purchases remain tied to the correct department, and licensing sync continues with MDM.

To execute this, log in to ABM and navigate to Preferences > VPP Bills/Purchases. From there, you invite your legacy VPP account’s Apple ID to link with ABM. Once accepted, Apple will automatically migrate your purchased licenses into a designated ABM Location, replacing the need to ever access the legacy VPP portal again.

Plan upgrades and token renewal to minimize disruption

Conduct upgrades during off-peak hours to minimize interruptions to user activity and deployments. Additionally, create a pilot group for token renewal tests to verify that MDM synchronization continues smoothly.

💡 Note: After migrating your VPP, all workflows, such as purchasing, assignment, and license transfers, now happen solely in ABM.

Step #4: Refresh MDM and Apps and Books tokens after upgrading to Apple Business Manager

MDM servers rely on a unique server token from ABM, and locations require their own Apps and Books token. Outdated tokens or mismatches can halt device enrollments, desynchronize app licenses, or cause miscommunication between your MDM and ABM.

Recommended action plan:

1. Download new MDM server tokens from ABM for each server and upload them to your MDM.
   • Pro-Tip: Upgrading the backend infrastructure from DEP to ABM will not disrupt or unenroll devices that are currently active in the field. Active devices will continue to communicate with your MDM normally. The updated ABM assignment profiles will only apply to these existing devices if they are factory reset or re-enrolled in the future.
2. Refresh Apps and Books tokens for each ABM location to ensure all app licenses sync correctly to your MDM.
3. Stagger rotation so one integration is changed at a time to ensure service continuity.
4. Verify MDM connectivity and device sync after each token refresh.

Step #5: Re-assign devices and licenses to the correct ABM location

Migrations won’t fix old mappings, so devices and licenses may end up misplaced. After updating tokens, confirm they’re correctly assigned to the right ABM locations and MDM servers to avoid missing devices, app install failures, or licensing mismatches.

Recommended action plan:

1. Assign devices to the correct ABM locations and MDM servers to ensure all routings match your intended structure.
2. Resync device lists in your MDM and confirm that Automated Device Enrollment (ADE) applies correctly.
3. Validate if your Apps and Books licenses appear under each location and if they sync properly to your MDM.
4. Install a test app silently to validate ABM licensing sync, MDM integration behavior, and verify location-based license mapping.

Step #6: Conduct pilot rollouts when fully migrating to Apple Business Manager

Once your ABM structure, tokens, devices, and licenses are in place, the safest way to transition your environment is through phased pilot rollouts.

Migrate sites and business units gradually

Start with small pilots to confirm the functionality of ABM-to-MDM integrations, validate ADE workflows, and test silent app installs and supervision settings. Controlled rollouts quickly surface issues, helping you identify and resolve issues before scaling up the migration.

Address mismatches identified in pilot tests

Pilot tests reveal issues, such as outdated tokens, incorrect device locations, unsynchronized app licenses, and ownership mismatches. Addressing them during the pilot phase prevents repeat errors during your actual transition procedure.

Transition remaining devices in waves

Once you’ve validated and resolved issues with your pilot group, expand your transition in waves. Consider migrating using the following groups:

• ABM location
• Physical site or business unit
• MDM server or tenant

Group migrations create a predictable workload, allowing you to monitor system stability at each stage.

Step #7: Validate and close out your Apple Business Manager enrollment process

The final step of your migration process is validation, ensuring that every device, license, and MDM workflow functions correctly post-transition. Verifying the result of your migration strategy eliminates lingering issues, removes outdated accounts, and ensures that your internal processes align with your ABM-based management model.

Conduct post-migration health checks

Verify the success of your migration by checking supervision, enrollment behavior, app installs, and sync counts. This serves as your final quality check before declaring the transition complete.

Remove unused legacy ADE or VPP accounts

Leaving legacy accounts active after transitioning to ABM can cause confusion among administrators and lead to incorrect purchases or token usage, among other issues. Removing or retiring these accounts keeps your environment clean and reduces operational risks.

Update internal documentation and runbooks

Document your new processes to keep your team and clients updated regarding the new workflows. This ensures timely token rotations, correct license purchasing, and clear enrollment workflows while maintaining consistent onboarding and troubleshooting across your team.

Streamline Apple Business Manager enrollment through NinjaOne

The following NinjaOne features help you transition with confidence, maintain enrollment continuity, and prevent licensing issues before they impact users.

• VPP to ABM license migration: NinjaOne streamlines the VPP-to-ABM migration process by importing your VPP token into ABM and synchronizing licenses through its MDM platform.
• Automated Device Enrollment support: Seamlessly manage and enroll large fleets of Apple devices to NinjaOne MDM.
• Unified license management: NinjaOne’s Apps and Books integration syncs VPP and ABM licenses with real-time counts, color-coded status indicators, and support for content token transfers.
• Custom alerts: Automate status alerts for expired tokens, missing supervision, or app install failures during the migration window.

Unify ADE and VPP workflows by upgrading to Apple Business Manager

Apple Business Manager consolidates device and app management workflows under one roof. Successful ABM migrations rely on careful preparation, effective token and license handling, structured device assignments, and pilot rollouts.

By following all the steps outlined in this guide, you ensure all necessary devices, licenses, and MDM workflows transition cleanly without disrupting enrollment or app delivery.

Related topics: