Webinar ADEP to ABM migration

Apple has been pushing organizations away from the Apple Developer Enterprise Program (ADEP) toward Apple Business Manager (ABM) for several years. If you are still distributing internal apps through ADEP, the migration is not optional. Apple has tightened ADEP renewal requirements and actively encourages the switch.

This guide covers why the migration matters, what changes for your app distribution workflow, and how to execute the move without disrupting your users.

Why Apple Wants You Off ADEP

ADEP was originally designed for organizations to distribute proprietary apps to employees without going through the App Store. You would sign apps with your enterprise certificate and distribute them via a download link or an internal website.

The problem: enterprise certificates were widely abused. Third-party companies used them to distribute apps outside the App Store, bypassing Apple's review process. This led Apple to crack down on ADEP, revoking certificates from violators and making the program harder to obtain and renew.

Apple Business Manager offers a controlled alternative. Apps distributed through ABM are pushed by your MDM (a model comparable to Managed Google Play on Android), are tied to your organization, and can only be installed on enrolled devices. Apple gets the control it wants; you get a more reliable distribution channel.

What Changes When You Move to ABM

App Distribution

With ADEP, you sign apps with your enterprise certificate and host them yourself (or use a service like Appaloosa). Users install apps by tapping a link and trusting the enterprise profile.

With ABM, you upload apps as custom apps to App Store Connect (they remain unlisted and private to your organization). Your MDM solution then pushes these apps to enrolled devices. Users do not need to trust any profile. Apps install silently on supervised devices.

The key difference: ABM distribution requires devices to be enrolled in MDM. If you currently distribute ADEP apps to unmanaged devices, you will need to enroll those devices first.

App Signing

ADEP apps are signed with your enterprise distribution certificate. ABM custom apps are signed through App Store Connect using your standard Apple Developer Program membership ($99/year). This means you need to re-sign your apps with a different certificate and upload them to App Store Connect as custom (unlisted) apps.

The re-signing process is straightforward if you have the source code: update the provisioning profile, archive the app, and upload through Xcode or Transporter. If you use a CI/CD pipeline (Fastlane, Bitrise, etc.), update the signing configuration there.

Device Requirements

ABM distribution through MDM works on any enrolled device running iOS 11 or later. For silent installation (no user prompt), devices need to be supervised. If your devices are enrolled via Automated Device Enrollment (ADE), they are supervised by default.

Prerequisites Before You Start

Before beginning the migration, make sure these pieces are in place:

Apple Developer Program membership. You need a standard $99/year Apple Developer membership (separate from ADEP). If you do not have one, apply at developer.apple.com. Approval typically takes a few days for organizations.

Apple Business Manager account. Set up ABM at business.apple.com if you have not already. Verify your organization's domain and create your first admin account.

MDM server connected to ABM. Your MDM solution must be linked to your ABM account. This is how devices receive apps. If you use Appaloosa, the connection is configured in your admin console under Apple integration settings.

Device enrollment plan. Decide how you will enroll devices that are currently unmanaged. Options include ADE for new devices, QR code enrollment for existing devices, or user-initiated enrollment for BYOD.

Migration Steps

Step 1: Inventory Your ADEP Apps

List all apps currently distributed through your enterprise certificate. For each app, note the bundle identifier, current version, number of active users, and whether you have access to the source code. Apps without source code will require special handling.

Step 2: Set Up App Store Connect for Custom Apps

In your Apple Developer account, go to App Store Connect. Create a new app record for each internal app. Set the distribution method to "Custom Apps" (this keeps them unlisted). Configure the app metadata (name, description, screenshots); the requirements are minimal for custom apps since they will not appear in the public App Store.

Step 3: Re-Sign and Upload Apps

Update each app's provisioning profile to use your standard Apple Developer certificate instead of the enterprise certificate. Build and archive the app in Xcode. Upload to App Store Connect using Xcode or Transporter. Apple will perform a basic review (faster than full App Store review, typically 24-48 hours).

Step 4: Assign Apps in ABM

Once approved, your custom apps appear in Apple Business Manager under "Apps and Books." Assign licenses to your MDM server. Your MDM solution will then show these apps as available for distribution to your device groups.

Step 5: Enroll Devices

Devices that are not yet enrolled in MDM need to be enrolled before they can receive ABM-distributed apps. For a gradual migration, start with teams that already have supervised devices. Expand to the rest of the fleet over the following weeks.

Step 6: Push Apps via MDM

Configure your MDM to distribute the new custom apps to the same device groups that previously received ADEP apps. On supervised devices, installation is silent. On non-supervised devices, users receive a prompt to install.

Step 7: Revoke the Enterprise Certificate

Once all users have transitioned to the ABM-distributed version of each app, revoke your ADEP enterprise certificate. This ensures that old ADEP-signed app versions stop working, pushing any remaining users to the new distribution channel. Set a clear deadline and communicate it to your teams in advance.
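The Step 1 inventory, and the check before the Step 7 revocation that no build still in circulation is enterprise-signed, can be scripted against your archived .ipa files. The following is an added example, not Appaloosa's or Apple's tooling: it reads each IPA's Info.plist and embedded provisioning profile and classifies the signing channel from the profile's ProvisionsAllDevices and ProvisionedDevices keys. Function names and the sample identifiers are constructed for illustration.

```python
import io
import plistlib
import zipfile
from datetime import datetime

def read_profile(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped profile (signature is not verified)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist payload in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def inventory_ipa(ipa) -> dict:
    """Bundle ID, version and signing channel for one .ipa (path or file object)."""
    with zipfile.ZipFile(ipa) as z:
        names = z.namelist()
        # Main bundle only (Payload/<Name>.app/Info.plist), not extensions or watch apps.
        info_name = next(n for n in names if n.startswith("Payload/")
                         and n.endswith(".app/Info.plist") and n.count("/") == 2)
        info = plistlib.loads(z.read(info_name))
        prof_name = info_name[:-len("Info.plist")] + "embedded.mobileprovision"
        profile = read_profile(z.read(prof_name)) if prof_name in names else {}
    if profile.get("ProvisionsAllDevices"):
        channel = "enterprise"        # in-house (ADEP) profile: must be migrated
    elif "ProvisionedDevices" in profile:
        channel = "device-list"       # development or ad hoc profile
    else:
        channel = "other"             # App Store/custom app build, or no profile
    return {"bundle_id": info.get("CFBundleIdentifier"),
            "version": info.get("CFBundleShortVersionString"),
            "channel": channel, "profile_expires": profile.get("ExpirationDate")}

def build_sample_ipa(enterprise: bool) -> io.BytesIO:
    """Constructed input: a minimal IPA with made-up identifiers and a fake CMS wrapper."""
    info = {"CFBundleIdentifier": "com.example.fieldtool", "CFBundleShortVersionString": "3.2.1"}
    prof = {"TeamName": "Example Corp", "ExpirationDate": datetime(2026, 1, 15)}
    prof.update({"ProvisionsAllDevices": True} if enterprise
                else {"ProvisionedDevices": ["constructed-udid-0001"]})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/FieldTool.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/FieldTool.app/embedded.mobileprovision",
                   b"\x30\x80fake-cms-header" + plistlib.dumps(prof) + b"fake-cms-signature")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for flag in (True, False):
        print(inventory_ipa(build_sample_ipa(flag)))
```

Any build reported as "enterprise" stops launching once the certificate is revoked, so the list of those bundle IDs is the set that must have an ABM-distributed replacement first.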

Common Issues During Migration

Apps Without Source Code

If you have apps signed with the enterprise certificate but no longer have access to the source code (vendor apps, legacy tools), you cannot re-sign them for App Store Connect. Contact the original developer to obtain an updated build, or find a replacement app. This is often the hardest part of the migration.

Unmanaged Devices

Employees with unmanaged devices who currently install ADEP apps via links will lose access when you revoke the certificate. Plan their MDM enrollment in advance. Zero-touch enrollment works for new devices; QR code enrollment works for existing ones.

App Review Delays

Custom app reviews are faster than public App Store reviews, but they can still take 24-48 hours. Plan for this when scheduling your migration timeline. Submit apps early to avoid blocking the rollout.

Timeline

A typical ADEP to ABM migration takes 2-4 weeks for a fleet of under 500 devices:

Week 1: Inventory apps, set up App Store Connect, begin re-signing and uploading.

Week 2: Apps approved, assign in ABM, enroll pilot group, test distribution.

Week 3: Roll out to full fleet, monitor installation success rates.

Week 4: Address stragglers, revoke enterprise certificate, close ADEP account.

For larger fleets or organizations with many custom apps, add an extra week for each additional complexity factor.

Julien Ott
June 8, 2022
