No Touch Migration of Zebra Devices from your MDM to Intune

    Why Microsoft Intune?

    Microsoft Intune has become popular with companies for a number of reasons:

    • Integration with Microsoft Ecosystem
      Many organizations already use Microsoft products and services such as Office 365, Azure, and Entra ID. Intune integrates seamlessly with these services, providing a cohesive management experience for IT administrators to manage devices.

    • Unified Management Platform
      Microsoft Endpoint Manager provides a unified platform for managing devices across different operating systems, including Android Enterprise. This approach streamlines device management, making it easier for IT administrators to oversee all devices from a single console.

    • Security Features
      Security is a top priority for organizations, especially when it comes to managing mobile devices. Microsoft Endpoint Manager offers robust security features such as conditional access policies, device compliance checks, encryption management, and remote wipe capabilities. These features help organizations protect sensitive data and ensure compliance with security policies.
    What MDMs Can I Seamlessly Migrate From?

    This process has been tested for Workspace ONE and SOTI, but could also apply to other MDMs. The main requirement is that the MDM/EMM can deliver Zebra StageNow XML and apply it to the device.

    Fundamentals


    Why is this hard? 

      • This requires a brief “outage” of the device as it switches EMMs. Devices must first be unenrolled from their current EMM before moving over to Intune. During this brief time, they aren’t receiving your policies and cannot be remote controlled. The devices are vulnerable until they enroll in Intune and start receiving new policies.

    What is Zebra’s Persistent storage?

        • Critical data, including configuration settings, application data, and Wi-Fi connection information, is stored in the Persistent Storage area. This ensures that essential operational data remains unaffected by system resets, reboots or power cycles.
        • In this guide, we will leverage this feature to store a WiFi connection and enrollment data for Intune so that it can be applied after un-enrollment.

    What is the difference between Enterprise Reset and a Factory Reset?

      • To leverage Persistent Storage, we must be sure to only trigger an Enterprise Reset on the device. This differs from a Factory Reset which wipes the device’s internal storage and returns it to its original factory settings (including all data stored in persistent storage).

    Will this work on Non-Zebra Devices?

      • This same process applies to Honeywell devices as well since they support the concept of persistent storage and Android intents. 

    What is StageNow?

      • A tool designed to streamline the staging and provisioning process for Zebra mobile devices. You can set an order of operations to be executed on the device, including things like adding WiFi networks, installing applications, and triggering commands. We will use this tool to create the enrollment script from Reset.

    What is a pre-shared Key network and why do I need one for this process?

      • StageNow supports many WiFi connection types. For this process we recommend using a pre-shared key to avoid also managing device certificates in Persistent Storage. This network can be temporary and used only for enrollment. Once the device is back under Intune management, you can apply the appropriate WiFi connection.
    Outline of the Process


    1. Test Locally / Offline

    To begin, we recommend setting up a test device without the complexities of the legacy EMM involved.  Follow these steps below to prove that the re-enrollment (migration) process will work:

    1. Factory Reset your Zebra device

    2. Create the StageNow Profile based on this guide from Zebra: https://supportcommunity.zebra.com/s/article/000020868?language=en_US

    3. IMPORTANT: Add an additional PersistMgr step at the end of the four steps listed in the guide

    4. Complete steps 1-4 in the guide listed.

    5. Prior to step 5, you will select the checkbox “Persist if Error?” on the PersistMgr screen

    6. Continue by completing the StageNow profile and creating barcodes

    7. Test the Enrollment process by scanning the barcodes locally via the StageNow application that is pre-installed on your Zebra device.

    8. You should see your device connect to WiFi, download the Intune app, and complete enrollment automatically.

    9. To ensure that this process will persist after a reset, open the Settings app on the device and search for “Reset”. You will see an option at the bottom of the list to Enterprise Reset.



    10. Click through the screen to confirm and Erase Data.  After about 3 minutes, you should see your device automatically enroll in Intune again!

    11. To confirm successful enrollment in Intune, check both the Intune Portal and the Intune application on your Zebra device.

    2. Test with Device Enrolled in EMM

    The next test will introduce an existing Device Owner scenario, which will account for your existing deployed devices under management of Workspace ONE.

    1. Enroll a Zebra device into your Workspace ONE environment.
      Note: this can also be one of your existing lab devices configured with the standard operating environment. In general our recommendation is to start testing with limited constraints (minimal profiles, restriction policies, etc.) and add those in as testing successfully progresses.

    2. Open the StageNow application on the Zebra devices and scan the same barcodes previously used.

    3. StageNow should show an error because a Device Owner is already set. This is expected because Android Enterprise only allows a single Device Owner. However, because the “Persist if Error” option was selected when generating these barcodes, we can continue.

    4. Test Persistence by running an Enterprise Reset locally on the device.

    3. Test Over-the-Air with EMM

    The final test will bring everything together and automate the process from Workspace ONE. At this point it would be appropriate to test with a device that mirrors your production environment configuration and restrictions. We will first upload the Intune enrollment XML and then the Enterprise Reset XML.

    1. Open the StageNow application on your Windows machine where the barcodes were generated.

    2. On the final step (Publish), select the Export for MDM option.

    3. Name and save the .XML file locally on your workstation.

    4. Open the Workspace ONE portal and log in.

    5. Navigate to Devices > Provisioning > Components > Files/Actions

    6. Select Add Files/Actions and then Android

    7. Name the File/Action and upload the .XML from step 3 to the Files tab.

    8. Input /sdcard/Download/ as the download location

    9. On the Manifest tab, choose “Apply Custom Settings” and then select the .XML uploaded

    10. Click Save

    11. Add one more File/Action by selecting Add Files/Actions and then Android

    12. Name the File/Action and upload the Enterprise Reset .XML (available here)*

    13. On the Manifest tab, select “Apply Custom Settings” and then select the .XML uploaded

    14. Click Save

    15. You will need to create two Products in Workspace ONE to assign and deliver these Files/Actions

    16. Create the first Product to deliver the Intune Migration .XML first

    17. Assign this to your test Smart Group

    18. Once the Product processes and completes, you will see the Product status show as failed on the device (again, as expected).

    19. Then, create the second Product to deliver the Enterprise Reset .XML

    20. Assign this to your test Smart Group

    21. This should successfully wipe your device and result in the enrollment to Intune based on the persistent storage.

      *Note: Deleting the device from WS1 causes a factory reset, which is why you need to push an Enterprise Reset command instead.
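
    A pre-upload check for the two exported .XML files, as an added example (not BlueFletch's or Zebra's code): it flags a migration file with no PersistMgr step or without "Persist if Error", and a reset file whose action is anything other than Enterprise Reset. The PowerMgr `ResetAction` codes and the `PersistIfError` parm name are assumptions to confirm against Zebra's MX documentation, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed Zebra MX PowerMgr ResetAction codes; confirm against the MX
# documentation for the MX version on your devices before relying on them.
RESET_ACTIONS = {"4": "reboot", "5": "enterprise_reset",
                 "6": "factory_reset", "7": "full_device_wipe"}

def parms_by_csp(xml_text):
    """Return [(characteristic type, {parm name: value})] for the document."""
    root = ET.fromstring(xml_text)
    return [(ch.get("type"),
             {p.get("name"): p.get("value", "") for p in ch.findall("parm")})
            for ch in root.iter("characteristic")]

def check_migration_xml(xml_text):
    """Problems that would keep the enrollment profile out of persistent storage."""
    persist = [p for t, p in parms_by_csp(xml_text) if t == "PersistMgr"]
    if not persist:
        return ["no PersistMgr step"]
    # Assumed parm name for the "Persist if Error?" checkbox.
    if not any(p.get("PersistIfError", "").lower() in ("true", "1") for p in persist):
        return ["PersistIfError not enabled"]
    return []

def check_reset_xml(xml_text):
    """Problems that would wipe persistent storage or fail to reset at all."""
    actions = [p["ResetAction"] for t, p in parms_by_csp(xml_text)
               if t == "PowerMgr" and "ResetAction" in p]
    if not actions:
        return ["no PowerMgr ResetAction found"]
    return [f"ResetAction={a} ({RESET_ACTIONS.get(a, 'unknown')}), not Enterprise Reset"
            for a in actions if RESET_ACTIONS.get(a) != "enterprise_reset"]

# Constructed samples, not real StageNow exports.
GOOD_RESET = ('<wap-provisioningdoc><characteristic type="PowerMgr">'
              '<parm name="ResetAction" value="5"/></characteristic>'
              '</wap-provisioningdoc>')
BAD_RESET = GOOD_RESET.replace('value="5"', 'value="6"')
MIGRATION = ('<wap-provisioningdoc><characteristic type="Wi-Fi"/>'
             '<characteristic type="PersistMgr">'
             '<parm name="PersistIfError" value="true"/></characteristic>'
             '</wap-provisioningdoc>')

if __name__ == "__main__":
    for name, result in [("migration", check_migration_xml(MIGRATION)),
                         ("reset", check_reset_xml(GOOD_RESET)),
                         ("wrong reset", check_reset_xml(BAD_RESET))]:
        print(name, "OK" if not result else result)
```

    Run it against both files before creating the Products, since a reset file carrying a factory reset or full wipe would also erase the persisted enrollment data.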
    What’s Next?
    1. Build fallback barcodes for any devices that get orphaned in the process.  These barcodes can be configured to first Factory Reset a device and then enroll into Intune all via barcode scan to keep it easy for the technician or manager performing the process.

    2. Scale your migration process across your devices by targeting pilot stores and then ramping up in volume as confidence in the process increases.

    Appendix:

    Building your Intune Migration StageNow Package

    https://supportcommunity.zebra.com/s/article/000020868?language=en_US

    Deploying the Migration Package with Airwatch

    For a detailed walkthrough of the process, please see video recording here:

    https://youtu.be/1VDT4huK9Vc

    Deploying the Migration Package with SOTI

    You can use the same output .XML / .JS as described above, but instead upload that to SOTI Package Manager and add a post-install script. See this guide from SOTI for more details on how to send StageNow commands to Zebra devices:

    https://www.soti.net/motorola/Configuring_Motorola_Android_Devices_via_MX_XML_Using_MobiControl.pdf

    Deploying the Migration Package with an AE MDM

    If your EMM does not support sending files, intents, or Zebra commands to devices then you still have an option available. BlueFletch Playbook can be deployed from the Google Play Store and will be able to process the enrollment and persistence commands on your Zebra device. Please see this link for more information: https://bluefletch.com/enterprise-mobile-security/enterprise-installer/

    Other Frequently Asked Questions
    • Can we use ZTE for the re-enrollment into Intune?

      Yes, but this requires a network connection, so WiFi-only devices will require manually adding a network connection to each device. Alternatively, you could use Persistent Storage to apply the WiFi network and wait until ZTE recognizes the device and kicks in, but in our testing we’ve seen this take 5-10 minutes.

       

    • The package shows as failed when I deploy it from my MDM. How do I know if it was actually written to persistent storage?

      You can query the persistent storage contents by running these commands: https://techdocs.zebra.com/mx/persistmgr/#queries

    • What happens if a device gets orphaned during the migration process?

      Best practice would be to set up barcodes that can be easily scanned to trigger the same enrollment.

    • What Version of Android will this process work on?

      Android 9-11

    • Can I migrate the other way? e.g. Go from Intune to SOTI?

      Yes, but you will need the ability to deliver the commands to Zebra device with a tool like BlueFletch Playbook.

    • Is BlueFletch liable if I try this and I mess up something? 

      No, please thoroughly test this process in your own environment with your own constraints.

    • Will this process work for cert based networks?

      Not recommended.