Apple's Managed Migration Assistant: Bring IT control to macOS device refreshes

For the first time, IT has declarative MDM control over what transfers when a user migrates from an old Mac to a new one.

Everyone who’s gotten a new personal iPhone knows that screen: 'Transfer from iPhone.' You tap it, wait, and Apple transfers everything. It's straightforward and powerful. Hardware refreshes are a natural part of the device lifecycle for employees, but transferring data and preserving settings has historically been a challenge.

Organizations have long wished for Migration Assistant in macOS to work just as seamlessly for their users as it does for consumers, while ensuring the controls they need to ensure organizational security and compliance remain in place. In macOS 26.4, Apple delivered on that wish.

What Apple's Managed Migration Assistant enables

Managed Migration Assistant is an Apple MDM capability that gives IT administrators declarative control over Mac-to-Mac migrations during Setup Assistant. It runs as part of the Automated Device Enrollment flow, scoped via your MDM configuration.

Migration was entirely user-controlled with no enforcement mechanism. IT can now specify which data transfers, which accounts are included, and which security settings apply.

What IT can control

The Managed Migration Assistant declaration exposes four configuration options:

Required File and Folder Paths

Define which paths must migrate to the new device. Paths are relative to the user's Home folder, and folder paths require a trailing slash (e.g., Documents/Work/). At the time of this writing, sub-paths are supported, so you can require an entire parent directory while still excluding specific contents within it.

Excluded Paths

Specify paths that must not migrate, even if they exist within a required parent directory. In the Migration Assistant UI, users see parent directories only; subfolders are not shown. The declaration still applies correctly at migration time.

Excluded User Accounts

Prevent specific user accounts from transferring to the new Mac. Local admin accounts exist to support IT operations, not end users. Migrating one means it arrives on the new device untracked, carrying stale credentials and privileges that were never explicitly granted. If the account is still needed, MDM provisions it fresh.

One thing you cannot control: the user's ~/Library folder always migrates regardless of your configuration. It is not subject to required or excluded path rules.

Managed Migration Assistant in Iru

To configure Managed Migration Assistant in Iru:

1. The admin creates a Migration Assistant library item in Iru and assigns it to the appropriate Blueprint.
2. The device enrolls via ADE. Scope it by assigning the library item to whichever Blueprint covers the devices you want it to apply to: all devices, or a specific subset.
3. During Setup Assistant, the Restore/Migration screen appears (be sure not to skip this screen; see below)
4. Iru applies the declaration from the library item, enforcing the configuration.
5. The user selects their old Mac as the migration source.
6. The migration runs within the parameters defined in the library item.

All four configuration controls are available in the library item: security and privacy settings, required paths, excluded paths, and excluded user accounts.

Iru surfaces the completion data on each device record. The device details tab shows what migrated, what was skipped, and when. The same data is available via the enterprise API device details endpoint.

One gotcha to know before you configure this

If your ADE library item is configured to skip all Setup Assistant screens, Migration Assistant will not run. The Restore screen must be explicitly un-skipped for Managed Migration Assistant to have anything to attach to.

If you're adding this to an existing ADE flow that suppresses all panes by default, audit your current ADE configuration first. If the Restore screen is being skipped, un-skip it before deploying a Migration Assistant configuration. Otherwise, your configuration will be applied to a screen that never appears.

What you get after migration completes

Declarative Device Management provides a completion report after migration runs: what migrated, what was skipped, how much data transferred, and a timestamp. For IT teams that previously had zero visibility into a Migration Assistant run, this is a meaningful operational change. Iru surfaces that data on each device record.

Post-migration, managed app deployment should still run through your MDM, not rely on whatever apps came over from the old Mac. Apps that migrated via Migration Assistant are carry-over copies, not managed deployments. Let your MDM redeploy managed apps as it normally would, so they're in a known-good state rather than a migration artifact.

Start migrating with Iru

Migration has long been one of enterprise IT's least controllable processes. Managed Migration Assistant changes that. Iru delivers it. IT now defines what transfers, what stays behind, and what security posture the new Mac starts with.

See it in action. Want to bring IT control to your Mac migrations? Book a demo and we'll walk you through Managed Migration Assistant in Iru.