
How to migrate using UEM Migration tool


Prerequisites
  • Configure the APNS certificate and Knox enrollment on the destination server.
  • Create the credentials in Credential Manager on the destination server exactly as they exist on the source server, ensuring there are no case sensitivity errors, spaces, or extra characters (only if credentials are used in configuration).
  • If you are migrating an On-Premises product, verify that the NAT used on the source / destination server matches the domains listed in the SSL certificate of the source server.
  • Ensure both the source and destination servers are reachable from the machine where the migration tool is installed, with a reliable network connection.
  • Ensure both the source and destination licenses are active and that the license is not downgraded.
  • Ensure the email ID is configured for the local admin user in MDM Users on the source server.
  • Check that the source server is updated to the latest version. If not, upgrade to the latest build before migration (check latest build here).
  • Ensure the agent installation prerequisites are met before proceeding with agent migration.
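
One way to run the NAT / SSL certificate check from the prerequisites above, as an added example (not ManageEngine code or part of the migration tool). It compares each NAT name or IP against the certificate's subjectAltName entries; the host names and IPs are constructed samples, and port 8383 is taken from the example server URL later on this page.

```python
import socket
import ssl

def fetch_san_entries(host, port=8383, cafile=None, timeout=5.0):
    """Return the DNS and IP SAN values from the certificate served at host:port.

    cafile: PEM bundle for a private/internal CA (None = system trust store).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; names are compared below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]

def san_matches(pattern, name):
    """Match one SAN entry against a name; '*' covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        first_label, _, parent = name.partition(".")
        return bool(first_label) and parent == pattern[2:]
    return False

def uncovered_names(nat_names, san_entries):
    """Return the NAT names/IPs that no SAN entry covers."""
    return [n for n in nat_names
            if not any(san_matches(s, n) for s in san_entries)]

# Constructed sample values (not from the page).
SAMPLE_SANS = ["ec-onprem.corp.example", "*.uem.example.com", "203.0.113.10"]
SAMPLE_NAT = ["mdm.uem.example.com", "203.0.113.10",
              "uem.example.com", "a.b.uem.example.com"]

if __name__ == "__main__":
    # Live use: sans = fetch_san_entries("ec-onprem.corp.example", 8383)
    for name in uncovered_names(SAMPLE_NAT, SAMPLE_SANS):
        print("NAT value not covered by certificate SAN:", name)
```

A wildcard entry does not cover the bare parent domain or names more than one label deep, which is why the last two sample NAT values are reported.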
Important

Please make sure the following network settings are in place before starting the migration. These are required to transfer and sync data successfully.

Outbound

  • Source Server (MSP Server): Allow the required domain and port to connect with the machine where the migration tool is installed. Only outbound connections are needed. (If the source server and migration tool are in the same network, this step is not needed.)
  • If you are migrating from or to a Cloud product, allow access to *.manageengine.com and *.zoho.com for outbound connections. The domain may vary based on your cloud setup. All connections use port 443.

      If you need specific domains to be whitelisted, allow the following domains:

    • https://patchdb.manageengine.com
    • https://mdm.manageengine.com
    • https://mdmdatabase.manageengine.com
    • https://www.zoho.com
    • https://manageengine.com
    • https://creator.zoho.com

    Based on International Data Center:

    • https://mdm.manageengine.in/com/uk
    • https://endpointcentral.manageengine.in/com/uk
    • https://download-accl.zoho.com/in/uk
    • https://downloads.zohocdn.com/in/uk
    • https://accounts.zoho.com/in/uk
    • https://upload-accl.zoho.com/in/uk
    • https://uploads.zohocdn.com/in/uk

Inbound (iOS Devices)

If you are migrating iOS devices, you can do it in either of these ways:

  1. Using ME MDM App
  2. Using Webclip: If you prefer this option, make sure port 7383 is allowed for inbound connections. (Optional)

Agent details that are migrated using the UEM migration tool

Category Migrated details
Scope of Management
  • Agents meta in SOM view
  • Custom groups
  • Remote office (Distribution server needs to be installed manually).
  • Domains without credentials
  • Replication Policy details
Software packages
  • Manually-created software packages
  • Template package (only live & unmodified packages are migrated)
  • Auto-Update template
  • Auto-Update policies
Patch
  • Settings:
    • Patch DB Settings
    • Cleanup settings
    • Download settings
    • System Health Policy
    • Office Click To run
  • Script Repository
  • Test Group
  • Decline Patch
  • Deployment Policy
  • Automate patch deployment
Configurations

All configurations and configuration templates will be migrated, except the following:

  • Mac configurations
  • Configurations linked to Non-live or modified template packages
  • Configurations with file uploads larger than 250 MB

Note: The following settings will also be migrated:

  • Configuration settings
  • USB settings
  • Windows: All configurations except Secure USB, User management and WiFi will be migrated.
  • Mac: Custom script, Message box, File folder operation, Install/uninstall software, Install/uninstall patch - Only these configurations will be migrated.
  • Linux: Custom script, Message box, Install/uninstall patch - Only these configurations will be migrated. 

Certain configurations (e.g., file folder operations, folder backup, etc.) may require credentials to be executed successfully. These configurations need to be redeployed to the targets with the necessary credentials.

Mobile Device Management
  • Apps:
    • Store apps
    • AFW account
  • Profiles
  • Groups
  • Users
  • Devices
  • Managed Google Play
Vulnerability Manager
  • Software Vulnerability Exception
  • System Misconfiguration Exception
  • RDS Software Exception
  • Peer To Peer Software Exception
  • Web Server Misconfiguration Exception
  • Policy Group
  • Compliance Audit
  • Quarantine Policy
Bitlocker
  • BLM Policy
  • BLM Policy Management
Device Control
  • DCP Settings
  • DCP Trusted Device
  • DCP Policy
  • DCP Policy Deployment
Note
  • Data in features other than the ones mentioned above must be created manually.
  • Active Directory-based Custom Groups, default Custom Groups, and AD users (along with their associated groups and tasks) will not be migrated.
  • Script files larger than 250 MB will not be migrated.

To perform the migration

  • Download the UEM Migration Tool on the machine running the central server.
  • Install the downloaded EXE file and set up credentials to access the migration tool. Once you sign in, you will be able to view the migration tool console.
  • Configure Proxy Settings. Supported options:
    1. No Connection to Internet
    2. Direct Connection to Internet
    3. HTTP Proxy configuration
    4. Automatic configuration using script
    To set up proxy settings, click Settings → Proxy → Choose the connection type from the dropdown → Save.

  • For Apple devices, configure NAT settings by clicking Settings → NAT and adding the required IP address or FQDN, then click Save.

  • Navigate to the Migration tab and click Migrate Now to proceed.

Steps to Authenticate for On-Premises Product:

Note
This step for authentication is explained for migrating from Endpoint Central On-Premises to Endpoint Central Cloud. In the same way you can choose the authentication, depending on the on-premises product you are migrating. If you are migrating from a Cloud Product, kindly refer here
    • Select the required product for migration (the product whose data needs to be migrated). For example, select Endpoint Central On-premises as the product name and provide the source server authentication details.

  • Since the source server is an on-premises based product, you will need to enter the API key.

Note: If the source server or destination server is an on-premises product, you will be asked for an API key.

To generate the API key, follow the steps below:

  • Go to Admin -> Integrations -> API Explorer -> Authentication -> Login.
  • Select Local Authentication from the drop-down list. (If the customer uses an AD user for authentication, choose AD authentication, enter the username and password, and click Execute.)
  • Enter your username (a user with the administrator role in the EC server) and password, and click Execute.
  • If MFA is enabled, you will receive an OTP. Enter the OTP and click Execute.

  • Enter your username, password and click Execute.
  • Scroll down and you will find the API key as mentioned below.

    • Enter the Server URL in a FQDN format in server URL field and click Proceed.
    • You will be navigated to the destination server page.

Steps to authenticate for Cloud Product:

Note
This step for authentication is explained for migrating from Endpoint Central Cloud to Endpoint Central On-Premises. In the same way you can choose the authentication, depending on the cloud product you are migrating. If you are migrating from an On-Premises Product, kindly refer here

Select the required product to be migrated (the product where data needs to be migrated). For example, select Endpoint Central Cloud as the product name and provide all the destination server authentication details. Click Authenticate.

    • You will be navigated to the cloud accounts page to sign in. After you have logged in with your destination cloud server account you will be redirected to the Consents page. Click Accept after reading all the terms and agreements.

  • After your authentication has been successfully completed, you will be navigated to the confirmation page. Click Migrate Now.

  • A small pop-up box will appear confirming the source and destination server details. Click Accept and Migrate.

How to migrate between UEMS Cloud Products?

  • Select the source server name as the product name.

 

  • Select the Data Center in which your account is present.
  • Click Authenticate.
  • You will be redirected to the accounts page to log in. If you have already logged in, enter the account details.

  • Finally, click Accept when you're navigated to the Consents page.
  • After your authentication has been completed successfully, you will be navigated to the destination server authentication page.
  • Choose the Cloud product as the product name and specify all the destination server authentication details.
  • You will be redirected to your cloud account's sign-in page for authentication. Enter the email and password associated with your cloud account. Subsequently, you'll be directed to the Consents page where you should click Accept. Confirm that the designated email is accurate on the destination server page. If not, click the Reauthenticate option.
  • After you have signed in, you will be navigated to the confirmation page. Click Migrate Now.

  • A small pop-up box will appear confirming the source and destination server details. Click Accept and Migrate.

Module Customisation

After completing authentication, proceed to the next step to customize the modules for migration. Choose the data modules to migrate.

Each module represents a category such as:

  • Users
  • Groups
  • Devices
  • Apps
  • Profiles
  • Enrollment Tokens

Select the required modules, keeping in mind any dependencies. A module represents a broad category like Groups, Devices, or Apps. For example, the Groups module depends on the Users module. If the Users module is not selected, Groups cannot be migrated.

Select the checkbox to view the list of prerequisites in a pop-up.
Ensure all prerequisites are completed before proceeding with the migration.
Click Agree and Proceed to continue.

Migrate the Data

Now that you’ve selected the necessary modules, the next step is to initiate the actual data migration.

  • Click Migrate Now to begin the data migration.
  • Monitor the status in the Migration Status page.

Note: If a module migration fails, click "Retry". If it still fails, report the issue to support (the support page link will be embedded).
Note: If a dependent module fails, it will be marked as "Skipped". Additionally, while the migration is in progress, you cannot retry, edit the server details, or delete the configuration.
Note: After the initial selection, you can use the "Add New" button to migrate additional features or modules that were not selected earlier.

Retry option for migration failure

All the modules will be migrated from the source to the destination account as shown below. In case any module encounters an unsuccessful migration, you can choose the particular module and initiate a Retry.

Device migration

Once all the modules have been successfully migrated, follow the steps mentioned to migrate your agents to the cloud server.

Migrate Windows/Mac/Linux devices

Migrate Android devices

Android devices must be migrated with a migration profile applied to the device or re-enrolled post-migration.

Migrate iOS devices

How to migrate MDM Part of Windows Endpoints from Endpoint Central On-Premises to Endpoint Central Cloud?

This step needs to be followed only after deploying the Endpoint Central agent through the Source UEM and the connection is established between the Endpoint Central server and agents.

Kindly find the document to install agents in Windows endpoints.

If customers want to re-enroll devices under MDM, we can use Endpoint Central configurations to achieve this. Kindly change from %EXE_PATH% to %EXE_PATH% -f in the enrollment.bat file inside scripts and configure the Domain Controller configurations as mentioned in the document.

Important: Kindly do not suggest this method for machines that are enrolled using Azure AD enrollment, as it will brick the device.

How to migrate MDM Part of Mac Endpoints from Endpoint Central On-Premises to Endpoint Central Cloud?

This guide explains the migration process for both ABM-enrolled and non-ABM Mac devices, including those managed by third-party vendors like JAMF, and covers the OP (On-Premises) to OD (On-Demand/Cloud) migration.

  1. On the Endpoint Central Cloud console, navigate to Agent → SoM Settings.
  2. Under the Enable MDM Profile tab, disable Mac Devices and click Save.
  3. Install the agent from Endpoint Central Cloud on the target Mac devices.
  4. After installation, create a custom script configuration using the provided script and dependency file.
  5. Use the following arguments for the script file:
    • EC OP Auth Key: Guide the customer to obtain the API key from the API Explorer.
    • DC Cloud URL: Example – endpointcentral.manageengine.com
    • DC OP URL: Example – https://fqdn:8383/
    • Whether device is enrolled in ABM: Yes or No
  6. Deploy the script from the Endpoint Central Cloud console.
  7. The device will prompt for new profile installation. The end user must click Prompt and enter their password to enroll the device.

Note:

  • For ABM-enrolled Mac devices running macOS Sonoma, use me-mac-migration.sh without the dependency file. The admin must run the script locally and enter admin credentials.
  • Remote migration is not supported for Sonoma devices due to macOS limitations (see Apple forum for reference).
  • Non-ABM devices will migrate without any issues, regardless of the macOS version.

Post-migration actions

  • Manually move the agent devices after successful migration. By default, the new agents will be located under the default remote office after being moved under the Cloud server. The agents can then be relocated under the respective remote offices - Remote office management.
  • Tasks created for deploying configurations and automated patch deployment will be saved as drafts and will remain suspended. They can be manually deployed to the targets after moving the agents to the respective remote office.
  • Domain metadata will be added; domain credentials can be entered to sync the domains.
  • Distribution servers for remote offices need to be manually installed.
  • Inventory scan details will be populated after the agent migration.
  • Only manually created software packages and template packages that are live and unmodified by users will be migrated.
  • After migration, mobile devices will be moved to the respective group. Individual profiles that are device-specific will not be migrated and need to be manually redeployed.
  • Only AFW and enterprise apps will be migrated. Apple ABM/ASM tokens need to be manually added in the Cloud server.

Reach out to us for personalized migration assistance and dedicated support.