Add an existing Mac to Apple Business without wiping

Every Apple admin eventually inherits the Mac that shouldn’t exist: bought retail before Apple Business was set up, carried over from an acquisition, or converted from BYOD. Apple’s official path is still Erase All Content and Settings, then Configurator pairing. The realistic April 2026 path that keeps user data intact is an open-source community script called add2abm — here’s how to use it safely, and how it differs from the genuinely new macOS 26 MDM migration feature that gets confused with it.

Published April 21, 2026 | 11 min read | By Arclion Managed Services

In this guide

  • The pain this solves
  • add2abm vs. macOS 26 MDM migration — not the same thing
  • Prerequisites
  • Step-by-step add2abm flow
  • Apple Configurator for Mac (USB-C) notes
  • What supervision looks like after
  • The 30-day provisional release window
  • Limits and edge cases
  • Common pitfalls

Accuracy note

Two different “no wipe” stories people confuse

There are two distinct things in Apple admin circles right now and they solve different problems. Keep them straight before committing to a plan.

add2abm (the subject of this guide)

Open-source third-party script from Inetum Poland (Apache 2.0). Re-triggers Setup Assistant on a Mac that has never been in Apple Business, so it can be pair-claimed via Apple Configurator. Works on macOS Sonoma and later, including macOS 26 Tahoe. Not an Apple feature.

macOS 26 native MDM migration

Real Apple feature that shipped in fall 2025. Moves a Mac, iPhone, or iPad from one MDM to another inside Apple Business with no wipe. The device must already be ADE-enrolled. Does not help for Macs that were never in Apple Business.

Apple Configurator alone

Apple’s first-party path. Still requires Erase All Content and Settings before pairing, as of April 2026. No official “add without erasing” toggle exists in Configurator or System Settings.

Why this matters

The pain this solves

Historically, getting a Mac that had never been in Apple Business into the organization with full supervision and ADE assignment meant one of two things: an Erase All Content and Settings plus Configurator pairing, or a round-trip through an authorized reseller that could back-load the serial into your tenant. Both required a full data loss event — the user lost apps, preferences, local accounts, and iCloud sign-in state, and IT lost a morning restoring it all.

For orgs inheriting Macs from acquisitions, converting BYOD hardware to corporate, or just cleaning up pre-Apple Business purchases, the add2abm flow is the practical path forward.

Before you start

Prerequisites

Apple silicon or T2 Mac

Pre-T2 Intel Macs cannot be supervised retroactively by any known method. Confirm via About This Mac → Chip (Apple silicon) or System Report’s Controller section (T2).

Activation Lock off

Sign the Mac out of Find My and any personal Apple Account’s device-locking features. If Activation Lock is on, Setup Assistant will block the Apple Business claim.

macOS Recovery access

add2abm only runs from Recovery’s Terminal, not from a logged-in session. You also need a working network from Recovery — Wi-Fi works, but Ethernet via a USB-C adapter is more reliable on corporate networks with captive joins.

Not sealed to another org

If the Mac’s serial is already in another organization’s Apple Business tenant, that org has to release it first. Check in Apple Business Devices before starting.

Apple Business role and MDM ready

Administrator or Device Enrollment Manager in Apple Business. MDM server set as the default (or explicit) assignment for Apple Configurator-added Macs.

iPhone running Apple Configurator

Signed in with a Managed Apple Account. Configurator for iPhone is still the primary pairing tool; Configurator for Mac (USB-C) also works but the official docs still assume an erased target.

Local admin credentials

The script restores the original user records after pairing. You’ll need the admin password to log back in and complete any FileVault unlock.

Backup anyway

The operation is designed to be non-destructive, but Apple silicon plus FileVault makes “recoverable” a relative term. Take a Time Machine backup first every time.

Walkthrough

Step-by-step add2abm flow

Step 1 — Prep Apple Business

Confirm the Mac isn’t already in another org. In Apple Business Preferences → Device Management Services → Management Assignment → Default Assignment, set the target MDM server as default for Apple Configurator additions.

Step 2 — Prep the Mac

Sign out of Find My. Disable Activation Lock. Take a backup. Note the local admin password and confirm it unlocks FileVault if FileVault is on.

Step 3 — Boot to macOS Recovery

Apple silicon: shut down, press and hold the power button until “Loading startup options” appears, choose Options. T2 Intel: hold Command-R at boot.

Step 4 — Open Terminal

From the Recovery menu bar: Utilities → Terminal. Verify network connectivity — open a second Terminal tab and ping apple.com if in doubt.

Step 5 — Run the script

Run sh <(curl -s add2abm.inetum.zone). The script prompts interactively before making changes. It clears the .AppleSetupDone flag and temporarily relocates local user records so macOS replays Setup Assistant on next boot.

Step 6 — Reboot into Setup Assistant

The Mac behaves like a freshly activated device: language picker, Wi-Fi join, and so on. Join a network that can reach Apple’s activation servers.

Step 7 — Pair with Apple Configurator

On the iPhone, open Apple Configurator, sign in with a Managed Apple Account, tap Add to Apple Business Manager. Scan the particle image on the Mac, or tap Pair Manually and enter the six-digit code.

Step 8 — Mac claims into Apple Business

A screen reading approximately “This Mac has been assigned to [Organization]” appears. The device now shows up in Apple Business as an Apple Configurator-added Mac, ready for MDM assignment.

Step 9 — Complete MDM ADE enrollment

If auto-advance is set, Setup Assistant proceeds into the MDM’s ADE flow and the management profile installs. Otherwise finish Setup Assistant and let the MDM push the profile on first check-in.

Step 10 — Log back in and verify

The original local user account still appears at the login window. Sign in with the existing password; documents, apps, Photos library, and iCloud sign-in state should all be intact. add2abm restores the relocated user records automatically.

After enrollment

What supervision looks like on a non-wiped Mac

User data remains on disk

Data volume isn’t erased. Documents, Photos library, apps, local accounts — all intact. iCloud sign-in carries over unless an MDM restriction later forces it off.

Mac is now supervised and ADE

The MDM enrollment profile installs, Declarative Device Management applies, and the Mac shows as an ADE device in both Apple Business and the MDM.

Restrictions kick in post-enrollment

The enrollment itself doesn’t change settings. Whatever profiles, apps, or restrictions the MDM pushes afterward will apply on the normal cadence.

FileVault escrow needs a profile

Retroactive enrollment doesn’t automatically hand the MDM the existing personal recovery key. When a FileVault escrow configuration is pushed and a bootstrap token is present, the key is rotated and then escrowed. No profile = no escrow.

Bootstrap token on first login

A bootstrap token is generated and escrowed to the MDM at the first secure-token-enabled login after enrollment. This is standard macOS behavior, unchanged in macOS 26.

30-day provisional release window

Because the Mac was added via Apple Configurator (not an authorized reseller), the user can remove supervision during the first 30 days. After 30 days, only Apple Business can release it.
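
A post-enrollment check for the states described above (ADE enrollment, bootstrap token escrow, FileVault), as an added example that is not part of the original guide or of add2abm. It classifies the text printed by `profiles status -type enrollment`, `profiles status -type bootstraptoken` and `fdesetup status`; the function names, finding labels and matched phrases are assumptions about those commands' wording, and the sample string is constructed.

```sh
#!/bin/sh
# Added example: turn the output of three macOS commands into audit findings.
# Run in the logged-in OS after Step 10 (root is needed for the token query).

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
has()   { case $(lower "$1") in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# Constructed sample of the enrollment output shape (not captured from a Mac).
SAMPLE_ENROLLMENT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# $1 = output of `profiles status -type enrollment`
enrollment_state() {
    if has "$1" "enrolled via dep: yes" && has "$1" "mdm enrollment: yes"; then
        echo ade
    elif has "$1" "mdm enrollment: yes"; then
        echo mdm-only      # enrolled, but not via Automated Device Enrollment
    else
        echo unenrolled
    fi
}

# $1 = output of `profiles status -type bootstraptoken`
bootstrap_state() {
    if has "$1" "escrowed to server: yes"; then echo escrowed; else echo missing; fi
}

# $1 = output of `fdesetup status`
filevault_state() {
    if has "$1" "filevault is on"; then echo on; else echo off; fi
}

# Print space-separated findings, or "ok" when nothing needs follow-up.
audit() {
    findings=""
    [ "$(enrollment_state "$1")" = ade ] || findings="$findings not-ade"
    [ "$(bootstrap_state "$2")" = escrowed ] || findings="$findings no-bootstrap-token"
    # Per the guide, rotating and escrowing the key needs a bootstrap token.
    if [ "$(filevault_state "$3")" = on ] && [ "$(bootstrap_state "$2")" != escrowed ]; then
        findings="$findings filevault-escrow-blocked"
    fi
    findings=${findings# }
    echo "${findings:-ok}"
}

# Live use on a Mac; skipped where the tools do not exist.
if command -v profiles >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    audit "$(profiles status -type enrollment 2>&1)" \
          "$(profiles status -type bootstraptoken 2>&1)" "$(fdesetup status 2>&1)"
fi
```

An `ok` result says nothing about whether the FileVault escrow profile has been pushed; that still has to be confirmed in the MDM.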

Limits

Edge cases and unverified behavior

Pre-T2 Intel Macs

Cannot be supervised retroactively. Full stop. The only option is replacement or acceptance of an unsupervised, user-approved MDM enrollment.

Already sealed to another tenant

add2abm cannot break another org’s Apple Business claim. The Mac has to be released by the original tenant first, via an Apple Support case if necessary.

FileVault with only a personal recovery key

If FileVault is on and no admin credential unlocks the volume, the flow cannot continue. Verify the admin password or recovery key before booting into Recovery.

Remote Management skip behavior

On a Configurator-added Mac, Remote Management may be skippable in Setup Assistant unless the MDM marks it non-skippable in the ADE profile. Confirm the profile before recording any video.

Wi-Fi from Recovery on corporate networks

802.1X networks with captive portals or mTLS frequently won’t join from Recovery. Use Ethernet via USB-C adapter or a guest SSID.

Apple Configurator for Mac over USB-C

Configurator for Mac can pair another Mac via USB-C, but the documented path still assumes Erase All Content and Settings on the target. Treat USB-C Configurator as a fallback only.

Adjacent feature

macOS 26 MDM-to-MDM migration — the actual new thing

This isn’t the flow above. It’s worth understanding because the two features are often conflated.

Moves Macs between MDMs

Transfers Macs, iPhones, and iPads from MDM A to MDM B while staying in the same Apple Business tenant — no wipe, no user intervention. Managed apps and data are preserved.

Requirements

macOS 26 / iOS 26 / iPadOS 26. Both MDMs support Apple’s migration APIs and Declarative Device Management. Device already ADE-enrolled. Both MDMs linked to the same Apple Business org.

When it helps

Changing MDM vendors, merging tenants after acquisitions, splitting tenants. Doesn’t help if the Mac was never in Apple Business in the first place — that’s what add2abm is for.

When it breaks

Common pitfalls

Skipping the MDM default assignment

Without the default assignment set in Apple Business, the Mac lands in Apple Business unassigned. Not broken — just stuck. Set Default Assignment before you start.

Running add2abm from a logged-in session

Explicitly unsupported by the project. Only run from Recovery’s Terminal. Running from a live macOS session will fail and may leave the Mac in a weird intermediate state.

Forgetting Activation Lock

The pairing stalls or fails silently if Find My is still on. Disable it from the live macOS session before rebooting to Recovery.

The 30-day removal window surprise

End users can remove supervision during the first 30 days after a Configurator add. Communicate this up front, or queue an Apple Business release-review after day 30 to confirm all added Macs stuck.

Assuming FileVault escrow happens automatically

It doesn’t. Escrow only happens after the MDM pushes a FileVault configuration profile, and a bootstrap token must exist for key rotation to succeed. Plan the profile push as a post-enrollment step.

Running on macOS older than Sonoma

add2abm targets Sonoma-era behavior and later. Don’t assume it works on Ventura or older without checking the project README. macOS 26 Tahoe is supported.

Want this handled for you?

Arclion migrates in-use Macs as part of Foundation

The Apple Business prep, the Recovery boot, the add2abm run, the Configurator pairing, and the post-enrollment FileVault escrow are all standard Arclion onboarding work. If you have inherited Macs that never made it into Apple Business, Foundation brings them in without erasing user data.

What to send

  • Number of existing Macs not yet in Apple Business
  • Chip generation (Apple silicon, T2, pre-T2 Intel)
  • Whether your MDM is live, and which vendor