Meraki MDM migration risk: are your endpoint controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Migrating from Cisco Meraki Systems Manager requires cleanly removing old management control, reassigning device tokens, and preserving APNs or Android Enterprise trust so endpoints do not drift, lose control, or keep stale profiles, according to JumpCloud. The governance lesson is that endpoint identity transitions fail when lifecycle and cryptographic ownership are not treated as one process.

NHIMG editorial — based on content published by JumpCloud: migrating from Cisco Meraki Systems Manager to a replacement MDM

By the numbers:

Questions worth separating out

Q: How should teams prevent orphaned management profiles during an MDM migration?

A: Teams should remove the old management authority first, then confirm that the endpoint no longer receives policy from the retired platform before enrolling it elsewhere.

Q: Why do MDM migrations create endpoint identity risk?

A: Because the device is not just hardware.

Q: What signals show an MDM transition is not complete?

A: Look for stale profiles, orphaned certificates, missing organisation identifiers, failed push delivery, and devices that still appear in the retired platform's inventory.

Practitioner guidance

  • Map the old and new trust anchors: document every device binding that points to the retired MDM, including ABM, ASM, Zero-Touch, APNs, and Android Enterprise service accounts.
  • Sequence unenrollment before reenrollment: run targeted unenrollment through the original dashboard API before you push the new enrollment flow.
  • Audit for stale profiles after cutover: check endpoint logs and local management state to confirm the old organisation identifier has been removed, then verify that certificates, profiles, and corporate payloads no longer reference the previous platform.

What's in the full article

JumpCloud's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step API unenrollment workflow for Meraki Dashboard operations
  • Exact APNs and Android Enterprise payload handling during device handoff
  • Detailed troubleshooting for stale profiles, push failures, and token mismatches
  • Migration method trade-offs for factory reset, BYOD, and in-place transitions

👉 Read JumpCloud's guide to migrating from Cisco Meraki Systems Manager →
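A post-cutover audit in the spirit of the guidance above, written as an added example (not code from this post or from JumpCloud's article): it checks a per-device record for the incomplete-transition signals the post lists and flags any endpoint that was re-enrolled while still bound to the retired organisation. The record schema, the organisation identifier and the sample fleet are constructed assumptions; real platforms expose different fields.

```python
"""Post-cutover audit for an MDM migration: flag endpoints whose handoff from the
retired platform is incomplete.  Added example; schema and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RETIRED_ORG_ID = "org-retired-0001"  # constructed: organisation id of the old MDM


@dataclass
class DeviceState:
    serial: str
    in_retired_inventory: bool      # old dashboard still lists the device
    enrolled_in_new_mdm: bool       # new platform reports it enrolled
    org_identifier: Optional[str]   # org id the local management agent reports
    push_delivery_ok: bool = True   # last APNs / Android push succeeded
    profiles: List[str] = field(default_factory=list)      # installed profile ids
    cert_issuers: List[str] = field(default_factory=list)  # issuers of management certs


def audit_device(d: DeviceState) -> List[str]:
    """Return the incomplete-transition signals observed on one endpoint."""
    findings = []
    if d.in_retired_inventory:
        findings.append("still in retired inventory")
    if any(RETIRED_ORG_ID in p for p in d.profiles):
        findings.append("stale profile from retired org")
    if any(RETIRED_ORG_ID in c for c in d.cert_issuers):
        findings.append("orphaned certificate from retired org")
    if d.enrolled_in_new_mdm and not d.org_identifier:
        findings.append("missing organisation identifier")
    if not d.push_delivery_ok:
        findings.append("push delivery failing")
    # Sequencing check: the new authority must not take over while the endpoint
    # is still bound to the old one.
    if d.enrolled_in_new_mdm and (d.in_retired_inventory or d.org_identifier == RETIRED_ORG_ID):
        findings.append("re-enrolled before old authority was removed")
    return findings


def audit_fleet(devices: List[DeviceState]) -> Dict[str, List[str]]:
    """Map serial -> findings for every device that is not cleanly migrated."""
    return {d.serial: f for d in devices if (f := audit_device(d))}


# Constructed sample fleet: one clean device, two with residue from the old platform.
SAMPLE_FLEET = [
    DeviceState("SN-CLEAN-1", False, True, "org-new-7", profiles=["mdm.org-new-7.base"]),
    DeviceState("SN-STALE-2", True, True, RETIRED_ORG_ID, profiles=["mdm.org-retired-0001.wifi"],
                cert_issuers=["org-retired-0001 CA"]),
    DeviceState("SN-ORPHAN-3", False, False, None, push_delivery_ok=False,
                cert_issuers=["org-retired-0001 CA"]),
]
```

Devices with an empty finding list are the only ones that should be considered migrated; anything else goes back through unenrollment before the new enrollment flow is pushed again.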

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Endpoint migrations expose a governance assumption that device identity can be transferred without a control gap. That assumption works only when the old authority is fully revoked before the new one takes over. In this workflow, the device can remain bound to stale profiles, expired tokens, or orphaned payloads if the sequencing fails. Practitioners should treat migration as a lifecycle event, not a tooling change.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why unmanaged identity transitions so often become hidden control failures.

A question worth separating out:

Q: When should organisations choose a factory reset instead of in-place migration?

A: Choose a factory reset when the endpoint must be fully re-owned, when residual policy state would create compliance risk, or when a supervised device must be rebuilt from a known-clean baseline. In-place migration is only suitable when the team can verify that the old profile has been removed without leaving hidden management residue.

👉 Read our full editorial: MDM migration from Cisco Meraki exposes endpoint identity drift
