Apple Business
Every Apple admin eventually inherits the Mac that shouldn’t exist: bought retail before Apple Business was set up, carried over from an acquisition, or converted from BYOD. Apple’s official path is still Erase All Content and Settings, then Configurator pairing. The realistic April 2026 path that keeps user data intact is an open-source community script called add2abm — here’s how to use it safely, and how it differs from the genuinely new macOS 26 MDM migration feature that gets confused with it.
In this guide
Accuracy note
There are two distinct things in Apple admin circles right now and they solve different problems. Keep them straight before committing to a plan.
Open-source third-party script from Inetum Poland (Apache 2.0). Re-triggers Setup Assistant on a Mac that has never been in Apple Business, so it can be pair-claimed via Apple Configurator. Works on macOS Sonoma and later, including macOS 26 Tahoe. Not an Apple feature.
Real Apple feature that shipped in fall 2025. Moves a Mac, iPhone, or iPad from one MDM to another inside Apple Business with no wipe. The device must already be ADE-enrolled. Does not help for Macs that were never in Apple Business.
Apple’s first-party path. Still requires Erase All Content and Settings before pairing, as of April 2026. No official “add without erasing” toggle exists in Configurator or System Settings.
Why this matters
Historically, getting a Mac that had never been in Apple Business into the organization with full supervision and ADE assignment meant one of two things: an Erase All Content and Settings plus Configurator pairing, or a round-trip through an authorized reseller that could back-load the serial into your tenant. Both required a full data loss event — the user lost apps, preferences, local accounts, and iCloud sign-in state, and IT lost a morning restoring it all.
For orgs inheriting Macs from acquisitions, converting BYOD hardware to corporate, or just cleaning up pre-Apple Business purchases, the add2abm flow is the practical path forward.
Before you start
Pre-T2 Intel Macs cannot be supervised retroactively by any known method. Confirm via About This Mac → Chip (Apple silicon) or System Report’s Controller section (T2).
Sign the Mac out of Find My and any personal Apple Account’s device-locking features. If Activation Lock is on, Setup Assistant will block the Apple Business claim.
add2abm only runs from Recovery’s Terminal, not from a logged-in session. You also need a working network from Recovery — Wi-Fi works, but Ethernet via a USB-C adapter is more reliable on corporate networks with captive joins.
If the Mac’s serial is already in another organization’s Apple Business tenant, that org has to release it first. Check in Apple Business Devices before starting.
Administrator or Device Enrollment Manager in Apple Business. MDM server set as the default (or explicit) assignment for Apple Configurator-added Macs.
Signed in with a Managed Apple Account. Configurator for iPhone is still the primary pairing tool; Configurator for Mac (USB-C) also works but the official docs still assume an erased target.
Script restores the original user records after pairing. You’ll need the admin password to log back in and complete any FileVault unlock.
The operation is designed to be non-destructive, but Apple silicon plus FileVault makes “recoverable” a relative term. Take a Time Machine backup first every time.
Walkthrough
Confirm the Mac isn’t already in another org. In Apple Business Preferences → Device Management Services → Management Assignment → Default Assignment, set the target MDM server as default for Apple Configurator additions.
Sign out of Find My. Disable Activation Lock. Take a backup. Note the local admin password and confirm it unlocks FileVault if FileVault is on.
Apple silicon: shut down, press and hold the power button until “Loading startup options” appears, choose Options. T2 Intel: hold Command-R at boot.
From the Recovery menu bar: Utilities → Terminal. Verify network
connectivity — open a second Terminal tab and ping apple.com
if in doubt.
Run sh <(curl -s add2abm.inetum.zone). The script prompts
interactively before making changes. It clears the
.AppleSetupDone flag and temporarily relocates local user records
so macOS replays Setup Assistant on next boot.
The Mac behaves like a freshly activated device: language picker, Wi-Fi join, and so on. Join a network that can reach Apple’s activation servers.
On the iPhone, open Apple Configurator, sign in with a Managed Apple Account, tap Add to Apple Business Manager. Scan the particle image on the Mac, or tap Pair Manually and enter the six-digit code.
A screen reading approximately “This Mac has been assigned to [Organization]” appears. The device now shows up in Apple Business as an Apple Configurator-added Mac, ready for MDM assignment.
If auto-advance is set, Setup Assistant proceeds into the MDM’s ADE flow and the management profile installs. Otherwise finish Setup Assistant and let the MDM push the profile on first check-in.
The original local user account still appears at the login window. Sign in with the existing password; documents, apps, Photos library, and iCloud sign-in state should all be intact. add2abm restores the relocated user records automatically.
After enrollment
Data volume isn’t erased. Documents, Photos library, apps, local accounts — all intact. iCloud sign-in carries over unless an MDM restriction later forces it off.
The MDM enrollment profile installs, Declarative Device Management applies, and the Mac shows as an ADE device in both Apple Business and the MDM.
The enrollment itself doesn’t change settings. Whatever profiles, apps, or restrictions the MDM pushes afterward will apply on the normal cadence.
Retroactive enrollment doesn’t automatically hand the MDM the existing personal recovery key. When a FileVault escrow configuration is pushed and a bootstrap token is present, the key is rotated and then escrowed. No profile = no escrow.
A bootstrap token is generated and escrowed to the MDM at the first secure-token-enabled login after enrollment. This is standard macOS behavior, unchanged in macOS 26.
Because the Mac was added via Apple Configurator (not an authorized reseller), the user can remove supervision during the first 30 days. After 30 days, only Apple Business can release it.
Limits
Cannot be supervised retroactively. Full stop. The only option is replacement or acceptance of an unsupervised, user-approved MDM enrollment.
add2abm cannot break another org’s Apple Business claim. The Mac has to be released by the original tenant first, via an Apple Support case if necessary.
If FileVault is on and no admin credential unlocks the volume, the flow cannot continue. Verify the admin password or recovery key before booting into Recovery.
On a Configurator-added Mac, Remote Management may be skippable in Setup Assistant unless the MDM marks it non-skippable in the ADE profile. Confirm the profile before recording any video.
802.1X networks with captive portals or mTLS frequently won’t join from Recovery. Use Ethernet via USB-C adapter or a guest SSID.
Configurator for Mac can pair another Mac via USB-C, but the documented path still assumes Erase All Content and Settings on the target. Treat USB-C Configurator as a fallback only.
Adjacent feature
This isn’t the flow above. It’s worth understanding because the two features are often conflated.
Transfers Macs, iPhones, and iPads from MDM A to MDM B while staying in the same Apple Business tenant — no wipe, no user intervention. Managed apps and data are preserved.
macOS 26 / iOS 26 / iPadOS 26. Both MDMs support Apple’s migration APIs and Declarative Device Management. Device already ADE-enrolled. Both MDMs linked to the same Apple Business org.
Changing MDM vendors, merging tenants after acquisitions, splitting tenants. Doesn’t help if the Mac was never in Apple Business in the first place — that’s what add2abm is for.
When it breaks
Without the default assignment set in Apple Business, the Mac lands in Apple Business unassigned. Not broken — just stuck. Set Default Assignment before you start.
Explicitly unsupported by the project. Only run from Recovery’s Terminal. Running from a live macOS session will fail and may leave the Mac in a weird intermediate state.
The pairing stalls or fails silently if Find My is still on. Disable it from the live macOS session before rebooting to Recovery.
End users can remove supervision during the first 30 days after a Configurator add. Communicate this up front, or queue an Apple Business release-review after day 30 to confirm all added Macs stuck.
It doesn’t. Escrow only happens after the MDM pushes a FileVault configuration profile, and a bootstrap token must exist for key rotation to succeed. Plan the profile push as a post-enrollment step.
add2abm targets Sonoma-era behavior and later. Don’t assume it works on Ventura or older without checking the project README. macOS 26 Tahoe is supported.
Want this handled for you?
The Apple Business prep, the Recovery boot, the add2abm run, the Configurator pairing, and the post-enrollment FileVault escrow are all standard Arclion onboarding work. If you have inherited Macs that never made it into Apple Business, Foundation brings them in without erasing user data.
What to send
Keep reading
The standard Configurator pairing flow for brand-new or freshly-erased devices — the pattern add2abm leverages.
Read the guideOnce the Mac lands in Apple Business, this is how you get it pointed at the right MDM with the right ADE profile.
Read the guideThe other “don’t wipe the fleet” lesson every Apple admin eventually learns.
Read the guide