Back up and restore managed devices
Migrating users and their data to a new iPhone, iPad, or Apple Vision Pro is a common workflow in many organizations. This migration often involves a device management service—which may also link to Apple School Manager or Apple Business Manager. You can use this workflow for organization-owned devices or devices that the user owns.
Depending on your deployment model, there are different approaches to backing up and restoring devices. Also, users may be using their personal Apple Account, your organization’s Managed Apple Account, or—in the case of User Enrollment and account-driven Device Enrollment—possibly both. For more information, see User Enrollment and device management. If you’re migrating to a different device management service, see Migrate managed devices to another device management service.
Note: To ensure the highest level of security for backups of devices owned by an organization, it’s recommended to use a Mac.
What does an iPhone or iPad backup include?
Backups include information such as the layout of the Home Screen, app data, device settings, and photos and videos (if iCloud Photos isn’t used). Backups don’t include apps and media that users synced from their computer or stored in iCloud. Backups can also be unencrypted or encrypted.
If a backup is unencrypted, it never contains the following types of information:
Any saved passwords
Call history
Health data
Website history
Wi-Fi settings
How are iPhone and iPad backups created?
You can create backups using any of the following methods:
iCloud Backup: Requires a personal Apple Account or a Managed Apple Account and is encrypted by default. iCloud Backup works only when the device is locked, is connected to a power source, and has Wi-Fi access to the internet.
Finder: Doesn’t require a personal Apple Account or a Managed Apple Account and is unencrypted by default.
Apple Configurator for Mac: Doesn’t require a personal Apple Account or a Managed Apple Account and is unencrypted by default.
Backups using Apple Configurator for Mac
You can manually set up one device the way you want it, back it up using Apple Configurator for Mac, and then restore that backup to other devices.
Important: Backups created when a user is signed in with a personal Apple Account or a Managed Apple Account can contain private information—such as app data, account and password information, and browser history. Before backing up a device, review the device’s content for any information you don’t want restored to other devices.
Backups using a device management service
Backups may contain different information depending on how a device enrolls in a device management service: User Enrollment, Device Enrollment, or Automated Device Enrollment.
Regardless of enrollment method, the iPhone or iPad now contains at least one configuration profile, which may contain one or more payloads. These payloads often contain various configurations—for example, the authentication information to join specific Wi-Fi networks, allow connections to networks using VPN, and enforce certain restrictions (which may limit what the user can do with their device). Certain payloads may also add the following items to users’ devices:
Certificates
Fonts
Web Clips
Backups include configuration profiles and their associated data. When performing backups using the Finder or Apple Configurator for Mac, a device management service can enforce encryption for the backup.
Management configuration in backups
When you back up a device, the backup includes the management configuration. This configuration describes, among other things, whether a device is supervised or a Shared iPad. You need to encrypt backups when using profile-based Device Enrollment or Automated Device Enrollment so that the backup includes the device management service profile.
Backup restrictions
iOS and iPadOS support various restrictions to manage how backups are being stored and what data they contain:
iCloud Backup: Disables iCloud Backup on supervised devices.
Force encrypted backups: If set to true, forces backups using the Finder or Apple Configurator to be encrypted.
Backup proprietary in-house books: Books distributed by the organization aren’t included in the backup.
Prevent app backup: Managed Apps are excluded from the backup.
Managed Apps
Apps that you install using a device management service are called Managed Apps, and you can assign them to a device, a personal Apple Account, or a Managed Apple Account. When you install a Managed App, the enrollment method determines whether the Managed App stays on the device after it unenrolls from a device management service. When you remove the app, you also remove its data.
Profile-based Device Enrollment and Automated Device Enrollment: The device management service determines whether Managed Apps get removed.
Account-driven Device Enrollment and User Enrollment: The device management service always removes Managed Apps.
A device management service can also determine whether the user can back up the data for a Managed App. The app itself isn’t part of the backup and you need to install it after restoring the backup. For more information on Managed Apps, see Distribute Managed Apps.
Managed books
You can use a device management service to distribute EPUB books and PDFs that you create. If you do, the device management service can prevent the backup from including those managed books.
Backups for User Enrollment and account-driven Device Enrollment
User Enrollment and account-driven Device Enrollment require a Managed Apple Account. In this deployment model, a user may also be signed in with their personal Apple Account. Backups using a personal Apple Account behave as described above. A backup taken with a Managed Apple Account contains only Managed App data and can’t be used to fully restore a device.
Restoring backups with profile-based Device Enrollment and Automated Device Enrollment
You can restore a backup to either the same device or a different device. Depending on the level of management from a device management service, there are differences in what the backup restores. And, regardless of whether a backup is unencrypted or encrypted, after restoring a device, the user needs to create a passcode or password, and can optionally perform the steps to create biometric authentication.
Restore a backup to the same device
If you restore a backup to the same device, the process restores the management configuration and a device management service enrollment profile. Using this information, the next time the device connects to the internet, it performs a check-in with the device management service, which then determines whether to accept the connection from the restored device.
Important: If the device management service doesn’t accept the connection from the restored device, the operating system removes the enrollment profile, associated configurations, and any apps marked for removal during unenrollment.
You can’t restore any profiles containing a hardware-bound key that you deploy using the Automated Certificate Management Environment protocol. If the device management service uses such an identity to authenticate a device, the operating system can’t restore the enrollment, so it removes it. For devices that appear in Apple School Manager or Apple Business Manager, the device automatically triggers enrollment using Automated Device Enrollment instead.
If the backup contains Managed App data or enterprise books, this data is restored as well. If the Managed App isn’t present on the device but the backup includes the Managed App data, a placeholder may be shown for the app. App placeholders aren’t shown when restoring devices using Apple Configurator.
Restore a backup to a different device
If you restore a backup to a different device, the operating system automatically deletes management configurations and device management service enrollment during the restore. For devices that appear in Apple School Manager or Apple Business Manager, the device then reaches out to the device management service to determine whether it has a defined management configuration. If available, it downloads the management configuration and applies it.
If the backup contains Managed App data, the device management service restores that too, unless there’s a definition indicating that the device management service needs to remove the data upon unenrollment. If the backup contains enterprise books, the device management service restores them as well.
Restore a backup with User Enrollment and account-driven Device Enrollment
In case a backup has been created with the same Managed Apple Account that was used to initiate the enrollment, a restore option is presented as part of the enrollment flow. If the backup contains Managed App data, it’s restored unless the app is already installed on the device. In that case, the user is told which app data is being skipped during the restore.