
Back up and restore managed devices
Migrating users and their data to a new iPhone, iPad, or Apple Vision Pro is a common workflow in many organizations. This migration often involves a device management service—which may also link to Apple School Manager or Apple Business Manager. You can use this workflow for organization-owned devices or devices that the user owns.
Depending on your deployment model, there are different approaches to backing up and restoring devices. Also, users may be using their personal Apple Account, your organization’s Managed Apple Account, or—in the case of account-driven enrollments—possibly both. For more information, see User Enrollment and device management. If you’re migrating to a different device management service, see Migrate managed devices to another device management service.
Note: Use Apple Configurator for Mac when manually preparing, updating, or backing up Apple devices instead of the Apple Devices app.
What does an iPhone, iPad, or Apple Vision Pro backup include?
Backups include information such as the layout of the Home Screen, app data, device settings, and photos and videos (if iCloud Photos isn’t used). Backups don’t include apps and media that users synced from their computer or stored in iCloud. Backups can also be unencrypted or encrypted.
If a backup is unencrypted, it never contains the following types of information:
Any saved passwords
Call history
Health data
Website history
Wi-Fi settings
How are backups created?
You can create backups using any of the following methods:
iCloud Backup: Requires a personal Apple Account or a Managed Apple Account and is encrypted by default. iCloud Backup works only when the device is locked, is connected to a power source, and has Wi-Fi access to the internet.
Finder: Doesn’t require a personal Apple Account or a Managed Apple Account and is unencrypted by default.
Apple Configurator for Mac: Doesn’t require a personal Apple Account or a Managed Apple Account and is unencrypted by default.
Backups that use Apple Configurator for Mac
You can manually set up one iPhone or iPad the way you want it, back it up using Apple Configurator for Mac, and then restore that backup to other devices.
Important: Backups created when a user is signed in with a personal Apple Account or a Managed Apple Account can contain private information—such as app data, account and password information, and browser history. Before backing up a device, review the device’s content for any information you don’t want restored to other devices.
Backups that use a device management service
Backups may contain different information depending on how a device enrolls in a device management service: account-driven enrollments, profile-based Device Enrollment, or Automated Device Enrollment.
Management configuration in backups
When you create an encrypted backup of a device enrolled using profile-based Device Enrollment or Automated Device Enrollment, the backup includes the management configuration. This configuration describes, among other things, whether a device is supervised or a Shared iPad. It also contains configuration profiles and their associated data.
Backup restrictions
iOS and iPadOS support various restrictions to manage how backups are being stored and what data they contain:
iCloud Backup: Disables iCloud Backup on supervised devices.
Force encrypted backups: If set to true, forces backups using the Finder or Apple Configurator to be encrypted.
Backup proprietary in-house books: Books distributed by the organization aren’t included in the backup.
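One way to check these restrictions in a configuration profile before it's deployed, as an added example that isn't part of Apple's documentation. It assumes the Restrictions payload type com.apple.applicationaccess with the keys allowCloudBackup, forceEncryptedBackup, and allowEnterpriseBookBackup (names not given on this page), an organization policy that wants all three restrictions enforced, and a sample profile constructed for the example.

```python
import plistlib

# Constructed sample profile: disables iCloud Backup and in-house book backup,
# but doesn't force Finder / Apple Configurator backups to be encrypted.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.backup-policy</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowCloudBackup</key><false/>
    <key>allowEnterpriseBookBackup</key><false/>
  </dict></array>
</dict></plist>"""

# Restriction key -> (value when the key is absent, value the assumed policy wants).
BACKUP_KEYS = {
    "allowCloudBackup": (True, False),           # iCloud Backup restriction
    "forceEncryptedBackup": (False, True),       # Force encrypted backups
    "allowEnterpriseBookBackup": (True, False),  # Backup proprietary in-house books
}

def audit_backup_restrictions(profile_bytes):
    """Return (effective settings, findings) for one profile's backup restrictions."""
    profile = plistlib.loads(profile_bytes)
    # Start from the defaults, because a key that is absent still has an effect.
    effective = {key: default for key, (default, _) in BACKUP_KEYS.items()}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in BACKUP_KEYS:
            if key in payload:  # a later payload in this profile overrides an earlier one
                effective[key] = bool(payload[key])
    findings = [
        f"{key} is {effective[key]}, expected {wanted}"
        for key, (_, wanted) in BACKUP_KEYS.items()
        if effective[key] != wanted
    ]
    return effective, findings

if __name__ == "__main__":
    settings, problems = audit_backup_restrictions(SAMPLE_PROFILE)
    print(settings)
    for line in problems:
        print("FINDING:", line)
```

The audit looks at a single profile and doesn't merge restrictions across several installed profiles.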
Managed Apps
Apps that you install using a device management service are called Managed Apps, and you can assign them to a device, a personal Apple Account, or a Managed Apple Account. When you install a Managed App, the enrollment method determines whether the Managed App stays on the device after it unenrolls from a device management service. When you remove the app, you also remove its data.
Profile-based Device Enrollment and Automated Device Enrollment: The device management service determines whether Managed Apps get removed.
Account-driven enrollments: The device management service always removes Managed Apps.
A device management service can also determine for each Managed App whether its data is included in a backup. The app itself isn’t part of the backup and you need to install it after restoring the backup. For more information on Managed Apps, see Distribute Managed Apps.
Managed books
You can use a device management service to distribute EPUB books and PDFs that you create. If you do, the device management service can prevent the backup from including those managed books.
Backups for User Enrollment and account-driven Device Enrollment
Account-driven enrollments require a Managed Apple Account. In this deployment model, a user may also be signed in with their personal Apple Account. Backups using a personal Apple Account behave as described above. A backup taken with a Managed Apple Account contains only Managed App data and can’t be used to fully restore a device.
Restore backups with profile-based Device Enrollment and Automated Device Enrollment
You can restore a backup to either the same device or a different device. Depending on the level of management from a device management service, there are differences in what the backup restores. And, regardless of whether a backup is unencrypted or encrypted, after restoring a device, the user needs to create a passcode or password, and can optionally perform the steps to create biometric authentication.
For Automated Device Enrollments, you can set the do_not_use_profile_from_backup key in the management configuration, which causes the device to ignore the management configuration in the backup during a restore and reach out to Apple School Manager or Apple Business Manager instead. The resulting behavior is the same as a restore to a different device. This allows you to provide the same user experience for devices registered in Apple School Manager or Apple Business Manager independent of the target device, or to change the management state during a restore.
Note: Declarations are never restored. Instead, the device syncs assigned declarations from the device management service and applies them as determined by the associated activation predicate. If a previously applied declaration is no longer assigned or no longer applied, the device automatically removes associated configuration states and assets.
Restore a backup to the same device
If you restore a backup to the same device, the process restores the management configuration and a device management service enrollment profile. Using this information, the next time the device connects to the internet, it performs a check-in with the device management service, which then determines whether to accept the connection from the restored device.
Important: If the device identity certificate became invalid since the backup was created or the device management service doesn’t accept the connection from the restored device, the operating system removes the enrollment profile, associated configurations, and any apps marked for removal during unenrollment.
You can’t restore any profiles containing a hardware-bound key that you deploy using the Automated Certificate Management Environment protocol. If the device management service uses such an identity to authenticate a device, the operating system can’t restore the enrollment, so it removes it. For devices that appear in Apple School Manager or Apple Business Manager, the device automatically triggers enrollment using Automated Device Enrollment instead.
If the backup contains Managed App data or enterprise books, this data is restored as well. If the Managed App isn’t present on the device but the backup includes the Managed App data, a placeholder may be shown for the app. App placeholders aren’t shown when restoring devices using Apple Configurator.
Restore a backup to a different device
If you restore a backup to a different device, the operating system automatically deletes the management configuration and device management service enrollment during the restore. For devices that appear in Apple School Manager or Apple Business Manager, the device then reaches out to Apple School Manager or Apple Business Manager to determine whether a device management service has provided a management configuration. If available, it downloads the management configuration and applies it.
If the backup contains Managed App data, the device management service restores that, unless there’s a configuration indicating that the device management service needs to remove the data upon unenrollment. If the backup contains enterprise books, the device management service restores them as well.
Restore a backup with account-driven enrollments
Restoring a device backup doesn’t restore the device management service enrollment profile. The user has to navigate to Settings > General > VPN & Device Management and select the Sign In to Work or School Account button to perform the enrollment after the restore.
In case a backup has been created with the same Managed Apple Account that was used to initiate the enrollment, a restore option is presented as part of the enrollment flow. If the backup contains Managed App data, it’s restored unless the app is already installed on the device. In that case, the user is told which app data is being skipped during the restore.