
Back up and restore managed devices
Migrating users and their data to a new iPhone, iPad or Apple Vision Pro is a common workflow in many organisations. This migration often involves a device management service — which may also link to Apple School Manager or Apple Business Manager. You can use this workflow for organisation-owned devices or devices that the user owns.
Depending on your deployment model, there are different approaches to backing up and restoring devices. Also, users may be using their personal Apple Account, your organisation’s Managed Apple Account, or — in the case of account-driven enrolments — possibly both. For more information, see User Enrolment and device management. If you’re migrating to a different device management service, see Migrate managed devices to another device management service.
Note: Use Apple Configurator for Mac when manually preparing, updating or backing up Apple devices instead of the Apple Devices app.
What does an iPhone, iPad or Apple Vision Pro backup include?
Backups include information such as the layout of the Home Screen, app data, device settings, and photos and videos (if iCloud Photos isn’t used). Backups don’t include apps and media that users synced from their computer or stored in iCloud. Backups can also be unencrypted or encrypted.
If a backup is unencrypted, it never contains the following types of information:
Any saved passwords
Call history
Health data
Website history
Wi-Fi settings
How are backups created?
You can create backups using any of the following methods:
iCloud Backup: Requires a personal Apple Account or a Managed Apple Account, and is encrypted by default. iCloud Backup works only when the device is locked, is connected to a power source, and has Wi-Fi access to the internet.
Finder: Doesn’t require a personal Apple Account or a Managed Apple Account, and is unencrypted by default.
Apple Configurator for Mac: Doesn’t require a personal Apple Account or a Managed Apple Account, and is unencrypted by default.
Backups that use Apple Configurator for Mac
You can manually set up one iPhone or iPad the way you want it, back it up using Apple Configurator for Mac and then restore that backup to other devices.
Important: Backups created when a user is signed in with a personal Apple Account or a Managed Apple Account can contain private information — such as app data, account and password information, and browser history. Before backing up a device, review the device’s content for any information you don’t want restored to other devices.
Backups that use a device management service
Backups may contain different information depending on how a device enrols in a device management service: account-driven enrolments, profile-based Device Enrolment or Automated Device Enrolment.
Management configuration in backups
When you create an encrypted backup of a device enrolled using profile-based Device Enrolment or Automated Device Enrolment, the backup includes the management configuration. This configuration describes, among other things, whether a device is supervised or a Shared iPad. It also contains configuration profiles and their associated data.
Backup restrictions
iOS and iPadOS support various restrictions to manage how backups are stored and what data they contain:
iCloud Backup: Disables iCloud Backup on supervised devices.
Force encrypted backups: If set to true, forces backups using the Finder or Apple Configurator to be encrypted.
Back up proprietary in-house books: Books distributed by the organisation aren’t included in the backup.
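The three restrictions above, checked in code (an added example, not part of the original page): the script parses a configuration profile and reports backup-related settings that differ from a hypothetical policy. The key names are those of Apple's Restrictions payload (com.apple.applicationaccess) and don't appear on this page; the sample profile, the policy and the defaults used for absent keys are assumptions made for illustration.

```python
import plistlib

# Constructed sample: a minimal configuration profile with a Restrictions payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.backup-policy</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCloudBackup</key><false/>
      <key>allowEnterpriseBookBackup</key><true/>
    </dict>
  </array>
</dict>
</plist>"""

# Hypothetical policy: key -> (wanted value, assumed OS default when the key is absent)
BACKUP_POLICY = {
    "forceEncryptedBackup": (True, False),        # Finder/Configurator backups encrypted
    "allowCloudBackup": (False, True),            # iCloud Backup off (supervised devices)
    "allowEnterpriseBookBackup": (False, True),   # in-house books kept out of backups
}

def audit_backup_restrictions(profile_bytes):
    """Return findings for backup-related restrictions that deviate from the policy."""
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)
    findings = []
    for key, (wanted, default) in BACKUP_POLICY.items():
        effective = merged.get(key, default)
        if effective != wanted:
            source = "set" if key in merged else "missing, default"
            findings.append(f"{key}: {source} {effective}, policy wants {wanted}")
    return findings

if __name__ == "__main__":
    for finding in audit_backup_restrictions(SAMPLE_PROFILE):
        print(finding)
```

An absent forceEncryptedBackup key is reported as a finding because Finder and Apple Configurator backups are unencrypted by default.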
Managed Apps
Apps you install using a device management service are called Managed Apps, and you can assign them to a device, a personal Apple Account or a Managed Apple Account. When you install a Managed App, the enrolment method determines whether the Managed App stays on the device after it unenrols from a device management service. When you remove the app, you also remove its data.
Profile-based Device Enrolment and Automated Device Enrolment: The device management service determines whether Managed Apps get removed.
Account-driven enrolments: The device management service always removes Managed Apps.
A device management service can also determine for each Managed App whether its data is included in a backup. The app itself isn’t part of the backup and you need to install it after restoring the backup. For more information on Managed Apps, see Distribute Managed Apps.
Managed books
You can use a device management service to distribute EPUB books and PDFs that you create. If you do, the device management service can prevent the backup from including those managed books.
Background tasks
Account-driven enrolments require a Managed Apple Account. In this deployment model, a user may also be signed in with their personal Apple Account. Backups using a personal Apple Account behave as described above. A backup taken with a Managed Apple Account contains only Managed App data and can’t be used to fully restore a device.
Restore backups with profile-based Device Enrolment and Automated Device Enrolment
You can restore a backup to either the same device or a different device. Depending on the level of management from a device management service, there are differences in what the backup restores. Regardless of whether a backup is unencrypted or encrypted, after restoring a device, the user needs to create a passcode or password, and can optionally set up biometric authentication.
For Automated Device Enrolments, you can set the do_not_use_profile_from_backup key in the management configuration. This causes the device to ignore the management configuration in the backup during a restore and reach out to Apple School Manager or Apple Business Manager instead. The resulting behaviour is the same as a restore to a different device. This allows you to provide the same user experience for devices registered in Apple School Manager or Apple Business Manager, independent of the target device or change of the management state during a restore.
Note: Declarations are never restored. Instead, the device syncs assigned declarations from the device management service and applies them as determined by the associated activation predicate. If a previously applied declaration is no longer assigned or no longer applies, the device automatically removes associated configuration states and assets.
Restore a backup to the same device
If you restore a backup to the same device, the process restores the management configuration and a device management service enrolment profile. Using this information, the next time the device connects to the internet, it performs a check-in with the device management service, which then determines whether to accept the connection from the restored device.
Important: If the device identity certificate became invalid since the backup was created or the device management service doesn’t accept the connection from the restored device, the operating system removes the enrolment profile, associated configurations and any apps marked for removal during unenrolment.
You can’t restore any profiles containing a hardware-bound key that you deploy using the Automated Certificate Management Environment protocol. If the device management service uses such an identity to authenticate a device, the operating system can’t restore the enrolment, so it removes it. For devices that appear in Apple School Manager or Apple Business Manager, the device automatically triggers enrolment using Automated Device Enrolment instead.
If the backup contains Managed App data or enterprise books, this data is restored as well. If the Managed App isn’t present on the device but the backup includes the Managed App data, a placeholder may be shown for the app. App placeholders aren’t shown when restoring devices using Apple Configurator.
Restore a backup to a different device
If you restore a backup to a different device, the operating system automatically deletes the management configuration and device management service enrolment during the restore. For devices that appear in Apple School Manager or Apple Business Manager, the device then reaches out to Apple School Manager or Apple Business Manager to determine whether a device management service has provided a management configuration. If available, it downloads the management configuration and applies it.
If the backup contains Managed App data, the device management service restores that, unless there’s a configuration indicating that the device management service needs to remove the data upon unenrolment. If the backup contains enterprise books, the device management service restores them as well.
Restore a backup with account-driven enrolments
Restoring a device backup doesn’t restore the device management service enrolment profile. The user has to navigate to Settings > General > VPN & Device Management and select the Sign In to Work or School Account button to perform the enrolment after the restore.
If a backup was created with the same Managed Apple Account that was used to initiate the enrolment, a restore option is presented as part of the enrolment flow. If the backup contains Managed App data, it’s restored unless the app is already installed on the device. In that case, the user is told which app data is being skipped during the restore.