Back up and restore managed devices
Migrating users and their data to a new iPhone, iPad, or Apple Vision Pro is a common workflow in many organizations. This migration often involves a mobile device management (MDM) solution—which may also be linked to Apple School Manager or Apple Business Manager. You can use this workflow for devices owned by your organization or devices owned by the user.
Depending on your deployment model, there are different approaches to backing up and restoring devices. Also, users may be using their personal Apple Account, your organization’s Managed Apple Account, or—in the case of User Enrollment and account-driven Device Enrollment—possibly both. For more information, see User Enrollment and MDM. If you’re migrating to a different MDM solution, see Reenroll devices in MDM.
Note: To ensure the highest level of security for backups of devices owned by an organization, it’s recommended to use a Mac.
What does an iPhone or iPad backup include?
Backups include information such as the layout of the Home Screen, app data, device settings, and photos and videos (if iCloud Photos isn’t used). Backups don’t include apps and media that users synced from their computer or stored in iCloud. Backups can also be unencrypted or encrypted.
If a backup is unencrypted, it never contains the following types of information:
Any saved passwords
Call history
Health data
Website history
Wi-Fi settings
How are iPhone and iPad backups created?
You can create backups using any of the following methods:
iCloud Backup: Requires a personal Apple Account or a Managed Apple Account and is encrypted by default. iCloud Backup works only when the device is locked, is connected to a power source, and has Wi-Fi access to the internet.
Finder: Doesn’t require a personal Apple Account or a Managed Apple Account and is unencrypted by default.
Apple Configurator for Mac: Doesn’t require a personal Apple Account or a Managed Apple Account and is unencrypted by default.
Backups using Apple Configurator for Mac
You can manually set up one device the way you want it, back it up using Apple Configurator for Mac, and then restore that backup to other devices.
Important: Backups created when a user is signed in with a personal Apple Account or a Managed Apple Account can contain private information—such as app data, account and password information, and browser history. Before backing up a device, review the device’s content for any information you don’t want restored to other devices.
Backups using MDM
Backups may contain different information depending on how the device was enrolled in MDM: User Enrollment, Device Enrollment, or Automated Device Enrollment.
Regardless of enrollment method, an enrolled iPhone or iPad contains at least one configuration profile, which may contain one or more payloads. These payloads typically carry configuration such as the credentials used to join specific Wi-Fi networks, the settings that allow connections to networks using VPN, and restrictions that limit what the user can do with the device. Certain payloads may also add the following items to users’ devices:
Certificates
Fonts
Web Clips
Configuration profiles and their associated data are included in a backup. When a backup is created using the Finder or Apple Configurator for Mac, MDM can require that the backup be encrypted.
Management configuration in backups
When a device is backed up, the management configuration is contained in the backup. This configuration describes, among other things, whether a device is supervised or a Shared iPad. With profile-based Device Enrollment or Automated Device Enrollment, the MDM enrollment profile is included in the backup only if the backup is encrypted; an unencrypted backup of such a device doesn’t carry the enrollment.
Backup restrictions
iOS and iPadOS support various restrictions to manage how backups are being stored and what data they contain:
iCloud Backup: Disables iCloud Backup on supervised devices.
Force encrypted backups: If set to true, forces backups using the Finder or Apple Configurator to be encrypted.
Backup proprietary in-house books: Books distributed by the organization aren’t included in the backup.
Prevent app backup: Managed apps are excluded from the backup.
Managed Apps
Apps installed using MDM are called Managed Apps, and they can be assigned to a device, a personal Apple Account, or a Managed Apple Account. When a Managed App is installed, the MDM solution can dictate, for profile-based Device Enrollment and Automated Device Enrollment, whether the app should remain on the device when MDM enrollment is removed. If the app is removed, its data is also removed. Managed Apps installed on devices using account-driven Device Enrollment and User Enrollment are always removed during unenrollment.
MDM can also dictate whether the user can back up the data for a Managed App. The app itself isn’t part of the backup and needs to be installed after restore. For more information on Managed Apps, see Distribute Managed Apps.
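The backup restrictions listed above and the per-app backup and removal settings for Managed Apps map to a Restrictions payload and to the ManagementFlags field of the MDM InstallApplication command. The following is an added example (not Apple’s code or any MDM vendor’s) that builds both, and audits a profile for the backup controls this page recommends. The Restrictions key names (allowCloudBackup, forceEncryptedBackup, allowEnterpriseBookBackup) and the ManagementFlags bit values are those of Apple’s MDM protocol; the profile identifiers, the app ID and the helper names are assumptions chosen for the example.

```python
"""Build and audit the MDM controls this page lists for backups.

Added example, not Apple's code or an MDM vendor's. The key names are those
of Apple's Restrictions payload (com.apple.applicationaccess) and of the MDM
InstallApplication command's ManagementFlags bitfield; the profile
identifiers, app ID and helper names are assumptions for the example.
"""
import plistlib
import uuid

# InstallApplication ManagementFlags bits (MDM protocol).
REMOVE_ON_UNENROLL = 1   # app (and its data) removed when MDM enrollment is removed
PREVENT_BACKUP = 4       # managed app data excluded from backups


def backup_restrictions_profile(*, allow_icloud_backup: bool,
                                force_encrypted: bool,
                                allow_book_backup: bool) -> dict:
    """Configuration profile with one Restrictions payload covering the
    backup-related settings on this page."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.restrictions.backup",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Backup restrictions",
        "allowCloudBackup": allow_icloud_backup,        # takes effect on supervised devices
        "forceEncryptedBackup": force_encrypted,        # Finder / Apple Configurator backups
        "allowEnterpriseBookBackup": allow_book_backup, # proprietary in-house books
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.backup-policy",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Backup policy",
        "PayloadContent": [payload],
    }


def install_managed_app(itunes_store_id: int, *, remove_on_unenroll: bool,
                        prevent_backup: bool) -> dict:
    """InstallApplication command for a store app, with the two ManagementFlags
    bits the Managed Apps section describes."""
    flags = (REMOVE_ON_UNENROLL if remove_on_unenroll else 0) | \
            (PREVENT_BACKUP if prevent_backup else 0)
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {
            "RequestType": "InstallApplication",
            "iTunesStoreID": itunes_store_id,   # assumed sample app ID in the demo below
            "ManagementFlags": flags,
            "Options": {"PurchaseMethod": 1},   # 1 = app assignment through ASM/ABM
        },
    }


def management_flags_of(command: dict) -> dict:
    """Decode ManagementFlags back into the two booleans."""
    f = command["Command"].get("ManagementFlags", 0)
    return {"remove_on_unenroll": bool(f & REMOVE_ON_UNENROLL),
            "prevent_backup": bool(f & PREVENT_BACKUP)}


def backup_policy_gaps(profile: dict) -> list:
    """Report which of the page's recommended backup controls a profile lacks."""
    settings = {}
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.applicationaccess":
            settings.update(p)
    gaps = []
    if settings.get("forceEncryptedBackup") is not True:
        gaps.append("forceEncryptedBackup not set: Finder/Configurator backups may be "
                    "unencrypted and then won't carry the enrollment profile (profile-based DE / ADE)")
    if settings.get("allowCloudBackup") is not False:
        gaps.append("allowCloudBackup not disabled: supervised devices may still back up to iCloud")
    if settings.get("allowEnterpriseBookBackup") is not False:
        gaps.append("allowEnterpriseBookBackup not disabled: in-house books are included in backups")
    return gaps


def profile_bytes(profile: dict) -> bytes:
    """Serialize as an XML plist (sign it before deploying through MDM)."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    weak = backup_restrictions_profile(allow_icloud_backup=True, force_encrypted=False, allow_book_backup=True)
    hardened = backup_restrictions_profile(allow_icloud_backup=False, force_encrypted=True, allow_book_backup=False)
    print("weak profile gaps:", backup_policy_gaps(weak))
    print("hardened profile gaps:", backup_policy_gaps(hardened))
    cmd = install_managed_app(123456789, remove_on_unenroll=True, prevent_backup=True)
    print("ManagementFlags:", cmd["Command"]["ManagementFlags"], management_flags_of(cmd))
    print(profile_bytes(hardened).decode()[:300])
```

The weak profile produces three findings and the hardened one none; the InstallApplication command with both bits set carries ManagementFlags 5 (1 for removal on unenrollment plus 4 to keep app data out of backups). Note that the app itself is never in the backup regardless of these flags; only its data is, and only when PREVENT_BACKUP is clear.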
Managed books
You can use MDM to distribute EPUB books and PDFs that you create. If you do, the MDM solution can prevent those managed books from being included in the backup.
Backups for User Enrollment and account-driven Device Enrollment
User Enrollment and account-driven Device Enrollment require a Managed Apple Account. In this deployment model, a user may also be signed in with their personal Apple Account. Backups using a personal Apple Account behave as described above. A backup taken with a Managed Apple Account contains only Managed App data and can’t be used to fully restore a device.
Restoring backups with profile-based Device Enrollment and Automated Device Enrollment
Backups can be restored to either the same device or a different device. What gets restored depends on the level of management applied by the MDM solution. Regardless of whether the backup is unencrypted or encrypted, the user must create a new passcode or password after the restore and can optionally set up biometric authentication again.
Restore a backup to the same device
If a device is restored from a backup taken from the same device, the management configuration and MDM enrollment profile in the backup are restored. Using this information, the next time the device is connected to the internet, it performs a check-in with the MDM solution, which then decides whether to accept the connection from the restored device.
Important: If the connection from the restored device isn’t accepted by the MDM solution, then the MDM enrollment profile, associated configurations, and apps marked for removal on unenrollment get removed.
Profiles containing a hardware-bound key deployed using the Automated Certificate Management Environment (ACME) protocol can’t be restored. If the MDM solution uses such an identity to authenticate a device, the enrollment can’t be restored and is removed. For devices registered in Apple School Manager or Apple Business Manager, the device automatically triggers enrollment using Automated Device Enrollment instead.
If the backup contains managed app data or enterprise books, this data is restored as well. If the Managed App isn’t present on the device but the backup includes the Managed App data, a placeholder may be shown for the app. App placeholders aren’t shown when restoring devices using Apple Configurator.
Restore a backup to a different device
If a device is restored from a backup taken from a different device, the management configuration and MDM enrollment are automatically deleted during the restore. If the device’s serial number appears in Apple School Manager or Apple Business Manager, it subsequently reaches out to determine whether a management configuration has been defined for it. If available, it downloads the management configuration and applies it.
If the backup contains managed app data, it’s restored too, unless MDM has defined that the app should be removed upon unenrollment. If the backup contains enterprise books, they are restored.
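Before restoring, an administrator wants two facts about a local Finder or Apple Configurator backup: whether it is encrypted (which decides whether saved passwords, Wi-Fi settings and Health data, and for profile-based Device Enrollment and Automated Device Enrollment the enrollment profile, are in it at all) and which device it came from (since only a same-device restore keeps the management configuration). The following is an added example, not Apple’s code, that audits a backup folder for both. It assumes the usual on-disk layout of a Finder-style backup (one directory per device under ~/Library/Application Support/MobileSync/Backup/, with Manifest.plist carrying an IsEncrypted boolean and Info.plist carrying "Serial Number" and "Unique Identifier"); check those key names against a real backup before relying on its report. The sample backups it creates are constructed data.

```python
"""Pre-restore audit of local Finder / Apple Configurator backups.

Added example, not Apple's code. It assumes the usual on-disk layout of a
Finder-style backup: one directory per device under
~/Library/Application Support/MobileSync/Backup/, each holding a
Manifest.plist with an IsEncrypted boolean and an Info.plist with device
fields such as "Serial Number" and "Unique Identifier". Verify those key
names against a real backup before relying on the report.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Optional


def audit_backup(backup_dir: Path) -> dict:
    """Summarize one backup directory: source device and encryption state.
    Per the page, an unencrypted backup never holds saved passwords, call
    history, Health data, website history or Wi-Fi settings, and for
    profile-based DE / ADE devices it doesn't carry the enrollment profile."""
    manifest = plistlib.loads((backup_dir / "Manifest.plist").read_bytes())
    info = plistlib.loads((backup_dir / "Info.plist").read_bytes())
    encrypted = bool(manifest.get("IsEncrypted", False))
    return {
        "path": str(backup_dir),
        "device_name": info.get("Device Name", "?"),
        "serial": info.get("Serial Number", "?"),
        "udid": info.get("Unique Identifier", backup_dir.name),
        "encrypted": encrypted,
        "carries_enrollment": encrypted,   # profile-based DE / ADE only
    }


def audit_all(root: Optional[Path] = None) -> list:
    """Audit every backup directory under root (default: the MobileSync folder)."""
    root = root or Path.home() / "Library/Application Support/MobileSync/Backup"
    results = []
    for d in sorted(p for p in root.iterdir() if p.is_dir()):
        if (d / "Manifest.plist").exists() and (d / "Info.plist").exists():
            results.append(audit_backup(d))
    return results


def restore_keeps_management(backup: dict, target_serial: str) -> bool:
    """Model the restore rules on this page: the management configuration and
    enrollment profile survive only when an encrypted backup is restored to
    the same device it came from. A different device drops them and, if it
    is in ASM/ABM, re-enrolls through Automated Device Enrollment instead."""
    return backup["encrypted"] and backup["serial"] == target_serial


def make_sample_backup(root: Path, udid: str, serial: str, encrypted: bool) -> Path:
    """Write a constructed, minimal backup directory (sample data, not a real device)."""
    d = root / udid
    d.mkdir(parents=True)
    (d / "Manifest.plist").write_bytes(plistlib.dumps({"IsEncrypted": encrypted, "Version": "10.0"}))
    (d / "Info.plist").write_bytes(plistlib.dumps({
        "Device Name": f"iPad {serial}",
        "Serial Number": serial,
        "Unique Identifier": udid,
        "Product Type": "iPad14,1",
    }))
    return d


def demo() -> list:
    """Build two constructed backups in a temp dir and audit them."""
    root = Path(tempfile.mkdtemp())
    make_sample_backup(root, "UDID-SAMPLE-1", "SAMPLE0001", encrypted=False)
    make_sample_backup(root, "UDID-SAMPLE-2", "SAMPLE0002", encrypted=True)
    return audit_all(root)


if __name__ == "__main__":
    for r in demo():
        state = "encrypted" if r["encrypted"] else \
            "UNENCRYPTED (no passwords/Wi-Fi/Health; enrollment not carried)"
        same = restore_keeps_management(r, r["serial"])
        print(f'{r["device_name"]} [{r["serial"]}]: {state}; same-device restore keeps management: {same}')
```

Run without arguments it audits the constructed samples; call audit_all() with no root to walk the real MobileSync folder on a Mac. Even when restore_keeps_management returns True, the page’s later step still applies: the restored device checks in and the MDM solution decides whether to accept it, and an ACME hardware-bound identity is never restored.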
Restore a backup with User Enrollment and account-driven Device Enrollment
If a backup was created with the same Managed Apple Account that was used to initiate the enrollment, a restore option is presented as part of the enrollment flow. If the backup contains managed app data, it’s restored unless the app is already installed on the device. In that case, the user is told which app data is being skipped during the restore.