Workspace ONE to Microsoft Intune Migration Guide


Recently, I’ve had numerous requests to write a migration guide for WS1 (Workspace ONE) to Intune. Why me? Well, I was formerly the industry expert on WS1 for almost all platforms besides Android (I dabble there, but don’t do enough work there honestly).

The timing seems to be good since Omnissa just passed their first anniversary and customers continue to wait out their contracts to make the decisions that best fit their organizations. This guide won’t be covering comparisons between the two platforms like I’ve done in the past. We’re focused on highlighting each platform, the challenges with migrating, and some paths forward. In the near future, we will be releasing 2025 WS1 vs Intune blogs to address what is the right platform for you.

In this guide we will cover:

Why are Orgs Moving to Microsoft Intune?

This is an incredibly loaded question to be honest. Many people are often asking themselves: “Should I stay, or should I go?”

It’s not a simple question by any means. Let’s start with the economics of the situation. These are the different licenses that come with Microsoft Intune:

  • Microsoft 365 E5
  • Microsoft 365 E3
  • Enterprise Mobility + Security E5
  • Enterprise Mobility + Security E3
  • Microsoft 365 Business Premium
  • Microsoft 365 F1
  • Microsoft 365 F3
  • Microsoft 365 Government G5
  • Microsoft 365 Government G3
  • Microsoft Intune for Education

Now, if you’re not a Microsoft customer today this likely isn’t a guide that applies to you because the economics don’t scale. A regular Intune license costs $8 per user per month, which is more expensive on average than a Workspace ONE license. For context, about 85% of Fortune 500 companies are reported to be using the Microsoft 365 suite.

For me, this debate has been ongoing since 2015 (back when I was a Mobility Engineer in FinTech). Once MAM policies were released for Microsoft OneNote, the conversation started: “Why are we paying for both when Intune is free?”

That’s not the debate here. We all dealt with it if we were AirWatch admins back in 2015, when CISOs/CIOs made the argument that it’s free even though it was included in a license that could have cost between $30-50 per user.

At that point, we had a strong argument about ROI and how AirWatch was innovating, creating value, and the true market leader. It’s mind-blowing, but this was the MQ in 2015:

Anyways, that’s not where we are today. The value is no longer there to justify the expense for many organizations. That is the number one reason people move today.

Another reason is tool consolidation. Many JAMF customers, for example, have started moving over in the last 6-12 months because Intune’s MacOS management has finally risen from the ashes of where it started to become a viable solution, as I covered in my WS1 vs Intune MacOS article after Microsoft Ignite in 2023.

The other reason, which I don’t want to belabor, is customers who are uncomfortable with the direction of Omnissa or with what went on during the Broadcom/Omnissa/KKR situation. We’ve had many customers reach out because of that very uncertainty.

Migrating Between MDMs on Windows

The most stressful/daunting situation is migrating from one platform to another in Windows 10/11. You have several things to consider and work through. We’re going to cover a few vital things here:

  • What Makes Windows Migrations Challenging?
  • My WS1 to Intune Migration Tool
  • Leveraging the WS1 API to Capture Data

Why are Windows Migrations Hard?

We’ll start with the main problem. What does Microsoft say is the ONLY way to migrate a Windows device from one environment to ANOTHER?

“Wipe the Device”

So, for those of us who live in the real world, we know that is NOT a realistic scenario. Sure, in a perfect world just buy everyone a new laptop, but how do you scale that at 100K endpoints? The answer is you can’t.

Before we move on, let’s be very clear:

Microsoft’s firm stance on migrating Windows Devices to a new device management platform is to wipe the device and start fresh. Any other scenario should be labeled as “unsupported.”

Overall, Microsoft believes strongly in a device wipe because of the potential for residual issues when you do not start with a clean slate. I completely get the reasons, but luckily we have had very good success with our migration tools, as have others, with high rates of success (90%+).

Enterprises must make these strategic decisions to move to a new platform and vendors have often made life very difficult in these scenarios. It gets even crazier when those are Hybrid devices that are already domain-joined, which means you must now figure out how to get them re-joined (if necessary) and all that fun stuff.

The argument is “but they have OneDrive!” It’s not a good argument and we need to make sure people can make good decisions and leverage the technology in the right way. People with real-world experience understand it. People hiding in a tower making unilateral decisions don’t.

Now, we can discuss the technical challenges that make it difficult. When you unenroll a device from Workspace ONE, ideally you do it via API with a command like this:

https://$ws1host/API/mdm/devices/$deviceid/commands?command=EnterpriseWipe&reason=Migration&keep_apps_on_device=true

It will unenroll your device from WS1, but luckily, we leverage the special parameter to keep those apps on the device. Many people who have tried to do this themselves miss that and remove apps, which does not go well.
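
One way to wrap the unenroll call above so that keep_apps_on_device=true is always sent and the request can be previewed with -WhatIf before it touches a device. This is an added example, not code from the migration tool; the function name, its parameters, the use of POST, and the caller-supplied authentication headers are assumptions.

```powershell
# Added example: hypothetical wrapper around the EnterpriseWipe command URL shown above.
function Invoke-Ws1MigrationUnenroll {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Ws1Host,      # WS1 API host name (no scheme)
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$DeviceId,
        [Parameter(Mandatory)][hashtable]$Headers,   # auth headers built by the caller (assumption)
        [string]$Reason = 'Migration'
    )

    # Build the query in one place so keep_apps_on_device can never be
    # dropped or mistyped by a caller; omitting it removes managed apps.
    $query = [ordered]@{
        command             = 'EnterpriseWipe'
        reason              = $Reason
        keep_apps_on_device = 'true'
    }
    $qs = ($query.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value)
    }) -join '&'
    $uri = "https://$Ws1Host/API/mdm/devices/$DeviceId/commands?$qs"

    # -WhatIf prints the target and stops here; -Confirm prompts per device.
    if ($PSCmdlet.ShouldProcess("WS1 device $DeviceId", 'EnterpriseWipe (keep apps)')) {
        try {
            Invoke-RestMethod -Method Post -Uri $uri -Headers $Headers -ErrorAction Stop | Out-Null
            [pscustomobject]@{ DeviceId = $DeviceId; Sent = $true; Error = $null }
        }
        catch {
            # Return the failure instead of throwing so a batch run can log and continue.
            [pscustomobject]@{ DeviceId = $DeviceId; Sent = $false; Error = $_.Exception.Message }
        }
    }
}

# Dry run against a constructed host and device ID; nothing is sent.
Invoke-Ws1MigrationUnenroll -Ws1Host 'ws1.example.test' -DeviceId 12345 `
    -Headers @{ Accept = 'application/json' } -WhatIf
```

Keep the API credentials out of the script itself and pass them in through $Headers at run time, since this script ends up on every endpoint being migrated.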

Once that device is unenrolled, it is also removed from Entra ID and potentially tokens are being killed for the user’s login, depending on how WS1 is configured.

There also isn’t good co-existence much of the time because Entra Join relies on the automated enrollment mobility section. Many people think they can set it to “Some”, which isn’t the case and will break many migration designs, mostly because the enrollment runs as a headless device and MUST use “All”.

Once that device drops off of Entra, we also see issues like you can’t login anymore, you lose administrator rights, and the transition can be really tough. That is outside of tattooed policies, orphaned data, and the many flavors of fun that exist when removing a Windows device from its MDM.

The WS1 to Intune Migration Tool

When I made the decision a few years ago to move to Intune, I needed to find the right way to do it as the CTO at a medium-sized medical writing organization. Many people had asked me about building something, including my good friend fellow MVP JJ Wilcox. I had dabbled a little bit, but I now needed a solution.

Fast forward a bit, and I officially released my WS1 to Intune Migration Tool, which was inspired by my friend and another fellow MVP Steve Weiner, founder of GetRubix and his amazing Tenant-to-Tenant Migration utility.

Simply put, my migration tool will migrate your device from ONE MDM to another without a device wipe, by programmatically unenrolling the device from Workspace ONE via API and re-enrolling/registering it with Entra. The only true user impact is a few reboots, but people are up and running again within a few minutes. We’ve achieved a 92% success rate on migrations, which is much better than wiping a device.

At a high level, the tool:

  1. Uses the API to do an unenrollment from WS1 while keeping the apps
  2. Leverages Bulk Provisioning Packages to rejoin the device to Entra and auto-enroll into Intune
  3. Performs reboots and facilitates a good user experience
  4. Performs some clean-up tasks and executes commands against the Graph API to set the primary user and ensure the device is functional

You can check out the demo of the tool here:

Leveraging the WS1 API to Capture Data

One of the other challenges around moving to a new platform is migrating your settings/policies/configuration. Two of the major items that we want to focus on are the policies (WS1 calls them profiles) and the apps.

For the policies, it might be a moot point, but I want to at least show you how to get the data. This code, which you can get off my GitHub here, will grab your policies and their settings and write it to a JSON file. An example can be seen below:

For working with the data for Windows Apps, it’s still a work in progress. For now, I have a nice PowerShell script here, which gets all of your application configuration data e.g. install commands, uninstall commands, etc into a nice single JSON file.

This will give you some nice information when you’re configuring your Intune environment. Here’s an example of what it looks like:

The only other thing I’m working on is downloading the actual installers out of the console, but that is still ongoing. We will update this article once that is completed.

Migrating Between MDMs on Apple Platforms

Apple migrations historically have not been forgiving. You have several things to consider and work through. We’re going to cover a few vital things here:

  • How Apple Enrollments Work
  • Some Existing Solutions Today
  • The True Path Forward on Apple Migrations

How Apple Enrollments Work

Migrating on Apple platforms has its own share of challenges. Apple’s MDM framework centers around an enrollment profile. Basically, when a device is enrolled into MDM the enrollment profile is installed containing things like certificates, various payloads, etc.

This is beyond the fact that you have multiple flavors of enrollment like Automated Device Enrollment (ADE) where the device is managed and “supervised” which basically gives administrators additional controls over that device.

The complication around MDM on Apple devices is that you can only have ONE enrollment profile on a single device. That does not make migrating to a new MDM particularly easy. We fundamentally do not have any magical way to address it either.

Typically, an ADE device needs to be wiped and other devices “can” be unenrolled and then re-enrolled, but it’s a terrible user experience and incredibly convoluted. You have so many things to account for like:

  1. Losing contacts, photos, etc.
  2. Guiding users through that journey easily (near impossible to do)
  3. Ensuring that when they move over, everything is the SAME

If you want to get crazy and learn all about enrollment profiles and the frameworks, you can read the Apple Developer documentation for more info.

The reality is that today there is NO true migration path that is clean. Most of what’s out there is just about making it look “pretty” and a bit “less painful”, because Apple platforms, especially iOS, lack the orchestration we have in Windows.

Next, we’re going to discuss a few solutions out there today.

Some Existing Solutions Today

The entire path for migrating, especially on iOS, is about making it less painful rather than true orchestration. One of the most respected tools is the EBF Onboarder made by EBF.

You can check out their video below. Basically, what their product does is:

  1. User logs into a portal
  2. They start their migration (triggers APIs to unenroll)
  3. Steps them through moving to Intune

EBF Onboarder Demo – iOS

Essentially, their platform makes the entire experience of an enterprise wipe more palatable for an end user at a nominal cost.

Personally, I often advocate to build a strong communication plan with your users to facilitate Apple migrations because realistically it’s all about the communication and setting proper expectations. You cannot escape the enterprise wipe so it’s ALL about making it the best user experience possible.

Another tool I wanted to highlight is “JUMP-IN”, written by my good friend Somesh. It is an amazing MacOS application that simplifies your migration to Intune.

You literally just install the JUMP-IN application and it will walk you through migrating to your new MDM. A few of its features are:

  • Universal MDM Support (JAMF, Kandji, WS1, and more)
  • NO DEVICE WIPES!!
  • Automatic current MDM detection
  • Automatic secure backup creation
  • FileVault recovery key rotation during the migration
  • Migrate in as quickly as 15-20 minutes
  • Detailed Logs

Check out his video demo below:

The True Path Forward for Apple Migrations

Once the new versions of iOS and MacOS hit production in the next month or so, we will have the NEW path forward for MDM migrations. Apple has now provided this great new capability inside of Apple Business Manager called “Assign Device Management”.

You will now be able to move devices from one MDM to another. Some of the capabilities of it are:

  • Set deadlines for enrollment completion and monitor pending migrations
  • If users ignore it, the org can force the migration and re-enrollment. iOS/iPadOS devices will reboot and MacOS will show a non-dismissible full-screen prompt.
  • iOS/iPadOS can preserve apps and data as long as the new MDM delivers the apps before the “DeviceConfigured” command comes in.

The main key is that Intune has the same policies configured that exist today in your current environment. You can modify the script I referenced earlier here for the Apple platform to get the policies/settings and help facilitate success there.

It’s also important to note that the device must be enrolled in ADE and on iOS26, iPadOS26, or MacOS26. You can read more about it here.

Now, let’s go through a short demo to show what the user experience looks like when migrating with this new capability. You can also read my friend Somesh’s blog article here.

**Video coming soon as the new Public Beta broke this feature**

Migrating to New MDMs with Android

Moving to a new MDM with Android suffers from the exact same issues as Apple, but with no easy path in sight.

You can use EBF Onboarder, which is probably the best solution at the moment for these scenarios. The challenge lies in that we have 3 different types:

  • Work Profile (BYOD enrollment method where you have a work container)
  • Work Managed (Fully-managed work device that is often paired with Android Zero Touch Enrollment)
  • Corporate Owned Personally-Enabled (COPE) which is a hybrid of the two and lets the user basically use their work device like a personal one.

For two of the three scenarios, you have to do a device wipe to move it to a new MDM. With Work Profile, it basically tears down your Work Profile and you re-enroll with your new Work Profile. It’s relatively simplistic, and you do tend to find that Android users prioritize their privacy and are more flexible with their user experience.

With that being said, in the next few weeks I will be releasing a new self-hosted solution, with Entra authentication, that will help users migrate on Android more easily. Overall, the path forward isn’t too difficult for Android.

Update: Today, we are officially releasing that solution I mentioned above. You can check out the video here:

Translating Your Workspace ONE Skills to Intune

Learning Microsoft Intune will take some time, but you’re already off to a great start with your WS1 background. I wrote a series of blogs that will help translate what you know today and transform it into what you need to know tomorrow.

You can read the 4-part series below:

What’s Next?

Well, that was fun! I would love for everyone to hit me in the comments and tell me what you might like to see next in this series.

Primarily, we will be writing the next series of Workspace ONE vs. Intune articles for Windows, iOS, and MacOS over the next month or so.

I would also love to see some people join us at our new event Workplace Ninjas US, which is in Dallas, Texas on December 9th and 10th for only $400! This event will have multiple Microsoft VPs, 40+ Microsoft MVPs and so much more! We’ll cover several tracks like Entra, Intune, Copilot, Security, DaaS, and a new MSP track!

If you want to come, use the code below for $50 off just for reading this article. That deal is good for 30 days!


4 thoughts on “Workspace ONE to Microsoft Intune Migration Guide”

  1. Do you know when the Android migration tool will be available? We’re really looking forward to it—it’s the main thing we’re missing right now. Also, what would the migration look like for a COPE device moving from Workspace ONE to Intune?

    1. I would expect the next few weeks, we’re just finishing it up as one of our customers requested it.

      The only path to migrate a COPE device is a wipe. There’s some stuff that is applied during the setup wizard that’s required.

      1. So even the personal part will be lost? That’s unfortunate. I’m hoping Samsung Knox might get inspired by Apple.
