iOS/iPadOS Backup and Restore - Microsoft Intune (2023)

You may need to back up and restore an iOS/iPadOS device managed by Intune Automated Device Enrollment (ADE) during the setup wizard. For example when:

• A device is factory reset and restored from a previous backup.
• A user gets a new device and wants to migrate data from the old device.

To backup and restore an iOS/iPadOS device, you must follow Apple's instructions:

• For information on how to back up your device, seeHow to back up your iPhone, iPad, and iPod touch.
• To reset your device, seeRestore your iPhone, iPad, or iPod touch from a backup.
• For information on transferring data to a new device, see the following Apple Support article:
  • Use iCloud to transfer data from your old iOS device to your new iPhone, iPad, or iPod touch

For more information on how to restore Apple devices from a backup, seePrimeros pasos con Apple Business Manager o Apple School Manager con Mobile Device Management.

Microsoft Secure Authenticator

When using the Microsoft Authenticator app, it's also important to protect your credentials and accounts. For more information visitBackup and restore account credentials in authenticator app.

Restoring a backup to an iOS/iPadOS device

When a user restores their content from an iCloud or iTunes backup, there are many considerations to take into account:

• Restoring from a backup is only possible during Apple Setup Assistant. This backup is a "once in a lifetime" opportunity. Linking the Apple ID in Settings after setup is not the same as reset. Typically, while files and documents are linked, user data and settings are not restored (think of "appearance" like wallpaper, widgets, installed apps, user settings, etc.). Only a limited set of data can be restored, such as iCloud Photo Library and messages.
• The restore process workflow is different depending on whether you are restoring the backup to the same device or to a different device.
  • When restoring to a device other than the one that was backed up, the setup wizard continues with the registration process (from the Remote Management screen) after the backup has been successfully restored. The result is that you are registered with the MDM provider and also manage your restored content from your iCloud account.
  • When restoring to the same device where the backup was made, the setup wizard does not continue after the backup has been successfully restored. Stays on the home screen of the device. The result is that you do not have to go through the "remote management" and subsequent registration steps. It retains the management state (and management profile) that it had at the time of the backup. This result is generally positive unless this process is being done as part of a migration to a different EMM provider (see below).
    • Also, specifically for Intune, there are two different methods for resetting a device that affect post-recovery behavior related to enrollment status:
      • If you wiped the device locally, the device remains registered after the restore and should not require any intervention. This is generally the desired behavior.
      • If you performed a remote wipe using the Intune admin center, the device is first wiped before the wipe. Therefore, after recovery, the device must be re-registered through the Company Portal app before it can work.
• Also consider how long it has been since the backup was created and what the impact of a restore (which essentially reverts the device to the previous point in time) would be. For example, was the corresponding device entry deleted in Intune? (either by accident or intentional shutdown/cleaning). What about Azure AD registration? And the management certificate? These certificates are valid for one year for iOS/iPadOS. Is the restored management certificate still valid? Was the management certificate renewed after the backup? These scenarios may be less common, but are worth considering, especially if the backup you are restoring is out of date.
• To avoid problems, make sure that users do not perform a backup while the device is enrolled; you want users to be able to perform all backup/restore activities without affecting the management profile and associated certificates. If the management profile was locked to the device by the previous EMM, the end user does not have the option to remove the management profile from the device. To facilitate this type of migration, one option is to remove the device from the old EMM before the user creates a backup of the iOS/iPadOS device. Alternatively, if you cannot guarantee that the device was not registered when the backup was created, you can hide the setup wizardrestore screen. You can find the blank screen settings in your iOS/iPadOS enrollment profile in the Microsoft Intune admin center. See step 18 for more information.Create an Apple Enrollment Profile.

Migrating to Intune from another EMM provider

Backup/Restore Specific

• In most cases, your MDM enrollment status (at the time of the backup) is not of particular importance. However, in a migration scenario where you are moving from one MDM provider to another, it is important to keep this in mind.
  • If you restore a backup that was created during enrollment with MDM provider A and restore it to the same device, but try to enroll in Intune, an error will occur. The restore will succeed as explained above (no errors), but since MDM provider A restored the management profile, Intune will not manage the device. When trying to manually enroll the device using the Company Portal app, I get the error "The new MDM payload does not match the old one" when trying to install the new Intune management profile. To resolve this error, you'll need to delete the existing admin profile for MDM provider A and re-enroll in Intune through the company portal. Migrating from one Intune tenant to another Intune tenant would show the same behavior.
  • To successfully and completely re-enroll an ADE device, a factory reset is required and the device cannot be restored from its own backup (otherwise the ADE settings and profiles in the backup will be applied) .

Migrate without erasing the device

There is one additional migration scenario to consider that should not be affected by any of the above.

• If you migrate from one MDM provider to another without wiping the device (for example, using a tool like EBF Onboarder), the device should not have any negative impact as it will never be restored. Instead, an MDM provider "enrolls/enrolls" the device, removes the management profile, and then manually enrolls it in Intune through the Company Portal app. The user's iCloud account is not deleted and backups are not restored, as setup support is not involved in this scenario.
• There are other considerations in a scenario where the device is migrated without performing a device wipe:
  • If the device was monitored by the current EMM provider, the monitored state is maintained
  • The new management profile (Intune) cannot be "locked down", that is, the user can remove the management profile in Settings.
  • These devices are enrolled in Intune as "personal" devices, not "corporate" devices. This condition affects the device's collected app inventory, displayed phone number, etc., as describedHere.
    • If you want to designate these migrated devices as corporate devices, do one of the following:
      • Add corporate device identifiers as describedHere. As long as you can get a list of serial numbers from your current EMM provider and that list is imported before enrolling the devices in Intune, this is the easiest option and avoids scripts.
      • Use a script to change the Ownership Type from Personal to Corporate. There is a sample script that takes an exported (.csv) list of device serial numbers (from your current EMM provider) as inputHere.

Next steps

Learn more about automatic device enrollment.