
Back up and restore managed devices
Migrating users and their data to a new iPhone, iPad or Apple Vision Pro is a common workflow in many organisations. This migration often involves a device management service — which may also link to Apple School Manager or Apple Business Manager. You can use this workflow for organisation-owned devices or devices that the user owns.
Depending on your deployment model, there are different approaches to backing up and restoring devices. Also, users may be using their personal Apple Account, your organisation’s Managed Apple Account, or — in the case of User Enrolment and account-driven Device Enrolment — possibly both. For more information, see User Enrolment and device management. If you’re migrating to a different device management service, see Migrate managed devices to another device management service.
Note: To ensure the highest level of security for backups of devices owned by an organisation, it’s recommended to use a Mac.
What does an iPhone or iPad backup include?
Backups include information such as the layout of the Home Screen, app data, device settings, and photos and videos (if iCloud Photos isn’t used). Backups don’t include apps and media that users synced from their computer or stored in iCloud. Backups can also be unencrypted or encrypted.
If a backup is unencrypted, it never contains the following types of information:
Any saved passwords
Call history
Health data
Website history
Wi-Fi settings
How are iPhone and iPad backups created?
You can create backups using any of the following methods:
iCloud Backup: Requires a personal Apple Account or a Managed Apple Account, and is encrypted by default. iCloud Backup works only when the device is locked, is connected to a power source, and has Wi-Fi access to the internet.
Finder: Doesn’t require a personal Apple Account or a Managed Apple Account, and is unencrypted by default.
Apple Configurator for Mac: Doesn’t require a personal Apple Account or a Managed Apple Account, and is unencrypted by default.
Backups using Apple Configurator for Mac
You can manually set up one device the way you want it, back it up using Apple Configurator for Mac and then restore that backup to other devices.
Important: Backups created when a user is signed in with a personal Apple Account or a Managed Apple Account can contain private information — such as app data, account and password information, and browser history. Before backing up a device, review the device’s content for any information you don’t want restored to other devices.
Backups using a device management service
Backups may contain different information depending on how a device enrols in a device management service: User Enrolment, Device Enrolment or Automated Device Enrolment.
Regardless of enrolment method, the iPhone or iPad now contains at least one configuration profile, which may contain one or more payloads. These payloads often contain various configurations, for example the authentication information to join specific Wi-Fi networks, settings that allow connections to networks using VPN, and certain restrictions (which may limit what the user can do with their device). Certain payloads may also add the following items to users’ devices:
Certificates
Fonts
Web Clips
Backups include configuration profiles and their associated data. When performing backups using the Finder or Apple Configurator for Mac, a device management service can enforce encryption for the backup.
Management configuration in backups
When you back up a device, the backup includes the management configuration. This configuration describes, among other things, whether a device is supervised or a Shared iPad. You need to encrypt backups when using profile-based Device Enrolment or Automated Device Enrolment so the backup includes the device management service profile.
Backup restrictions
iOS and iPadOS support various restrictions to manage how backups are stored and what data they contain:
iCloud Backup: Disables iCloud Backup on supervised devices.
Force encrypted backups: If set to true, forces backups using the Finder or Apple Configurator to be encrypted.
Back up proprietary in-house books: Books distributed by the organisation aren’t included in the backup.
Prevent app backup: Managed Apps are excluded from the backup.
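An added example, not part of Apple’s documentation: a Python check that reads an unsigned configuration profile and reports the effective value of the three backup-related keys in the Restrictions payload (`forceEncryptedBackup`, `allowCloudBackup`, `allowEnterpriseBookBackup`). The sample profile, its identifiers and the choice to treat the stricter value as the target are assumptions made for the example.

```python
import plistlib

# Restrictions payload keys matching the backup restrictions listed above.
# key -> (most restrictive value, value the OS uses when the key is absent)
BACKUP_KEYS = {
    "forceEncryptedBackup": (True, False),
    "allowCloudBackup": (False, True),
    "allowEnterpriseBookBackup": (False, True),
}

def audit_backup_restrictions(profile_bytes):
    """Return {key: (effective_value, is_most_restrictive)} for an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    report = {}
    for key, (strict, default) in BACKUP_KEYS.items():
        values = [p[key] for p in payloads if key in p]
        # If several payloads set the same restriction, the stricter value applies.
        effective = strict if strict in values else default
        report[key] = (effective, effective == strict)
    return report

def sample_profile():
    """Constructed sample: forces encrypted backups but leaves iCloud Backup allowed."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.backup-baseline",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadDisplayName": "Backup baseline (constructed sample)",
        "PayloadContent": [
            {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.backup-baseline.restrictions",
             "PayloadUUID": "00000000-0000-0000-0000-000000000002",
             "forceEncryptedBackup": True,
             "allowEnterpriseBookBackup": False},
            {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.backup-baseline.wifi",
             "PayloadUUID": "00000000-0000-0000-0000-000000000003",
             "SSID_STR": "ExampleCorp"},
        ],
    })

if __name__ == "__main__":
    for key, (value, strict) in audit_backup_restrictions(sample_profile()).items():
        print(f"{key:28} = {value!s:5} {'ok' if strict else 'REVIEW'}")
```

Prevent app backup is set per Managed App by the device management service rather than in this payload, so the check doesn’t cover it.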
Managed Apps
Apps you install using a device management service are called Managed Apps, and you can assign them to a device, a personal Apple Account or a Managed Apple Account. When you install a Managed App, the enrolment method determines whether the Managed App stays on the device after it unenrols from a device management service. When you remove the app, you also remove its data.
Profile-based Device Enrolment and Automated Device Enrolment: The device management service determines whether Managed Apps get removed.
Account-driven Device Enrolment and User Enrolment: The device management service always removes Managed Apps.
A device management service can also determine whether the user can back up the data for a Managed App. The app itself isn’t part of the backup and you need to install it after restoring the backup. For more information on Managed Apps, see Distribute Managed Apps.
Managed books
You can use a device management service to distribute EPUB books and PDFs that you create. If you do, the device management service can prevent the backup from including those managed books.
Background tasks
User Enrolment and account-driven Device Enrolment require a Managed Apple Account. In this deployment model, a user may also be signed in with their personal Apple Account. Backups using a personal Apple Account behave as described above. A backup taken with a Managed Apple Account contains only Managed App data and can’t be used to fully restore a device.
Restoring backups with profile-based Device Enrolment and Automated Device Enrolment
You can restore a backup to either the same device or a different device. Depending on the level of management from a device management service, there are differences in what the backup restores. Regardless of whether a backup is unencrypted or encrypted, after restoring a device, the user needs to create a passcode or password, and can optionally perform the steps to create biometric authentication.
Restore a backup to the same device
If you restore a backup to the same device, the process restores the management configuration and a device management service enrolment profile. Using this information, the next time the device connects to the internet, it performs a check-in with the device management service, which then determines whether to accept the connection from the restored device.
Important: If the device management service doesn’t accept the connection from the restored device, the operating system removes the enrolment profile, associated configurations and any apps marked for removal during unenrolment.
You can’t restore any profiles containing a hardware-bound key that you deploy using the Automated Certificate Management Environment protocol. If the device management service uses such an identity to authenticate a device, the operating system can’t restore the enrolment, so it removes it. For devices that appear in Apple School Manager or Apple Business Manager, the device automatically triggers enrolment using Automated Device Enrolment instead.
If the backup contains Managed App data or enterprise books, this data is restored as well. If the Managed App isn’t present on the device but the backup includes the Managed App data, a placeholder may be shown for the app. App placeholders aren’t shown when restoring devices using Apple Configurator.
Restore a backup to a different device
If you restore a backup to a different device, the operating system automatically deletes management configurations and device management service enrolment during the restore. For devices that appear in Apple School Manager or Apple Business Manager, the device then reaches out to the device management service to determine whether it has a defined management configuration. If available, it downloads the management configuration and applies it.
If the backup contains Managed App data, the device management service restores that too, unless there’s a definition indicating that the device management service needs to remove the data upon unenrolment. If the backup contains enterprise books, the device management service restores them as well.
Restore a backup with User Enrolment and account-driven Device Enrolment
If a backup was created with the same Managed Apple Account that was used to initiate the enrolment, a restore option is presented as part of the enrolment flow. If the backup contains Managed App data, it’s restored unless the app is already installed on the device. In that case, the user is told which app data is being skipped during the restore.