Restore an unmanaged iOS Backup to a Supervised iOS Device and manage with MDM

I’ve recently spent a lot of time working with iOS devices, specifically with device management and Intune, engaging with a large organisation to assist with a migration from one Apple Business Manager and Intune setup into another. This project, along with my long-standing desire to reduce my own screentime, led me to explore Supervising my own personal iPhone and enrolling it into Intune for management (for the ability to hide/restrict certain applications!).

The problem is that in order for a device to go from an Unsupervised state, into a Supervised state, the device must be factory reset. And when this is your own personal device, the upheaval and disruption that can cause is monumental. Most banks, or maybe it’s just mine, make it really difficult to switch your secure token from one device to another, eSIM registration can be a faff, and let’s not talk about Microsoft Authenticator which requires each token to be reset after restoring from a backup… a pain at the best of times, a colossal disruption if like me you have upwards of 40 MFA tokens.

Anyway, over the festive break, I made the most of the quiet time by investigating the feasibility of backing up my unmanaged, unsupervised device, and restoring the backup onto a supervised device. It turns out it is possible, but it also turns out to be a faff – for starters, you require an additional iOS device, with sufficient space, to be used for staging.

Prerequisites

  • The Unmanaged, Unsupervised device
  • An Apple Account (fka. AppleID)
    • Use the same account for all procedures.
  • A backup of the Unmanaged, Unsupervised device
    • iCloud backup
    • Local backup
      • Recommend taking both kinds of backups, just in case!
  • A staging device
    • Another iOS device
    • Running the same iOS version
    • With sufficient space to restore your backup
  • Time
  • Recommended: An Apple Mac device
    • For taking a Local backup
    • For running Configurator 2
      • Configurator can also be used on another iOS device but given you really don’t want to mess this up, I strongly recommend a Mac for this procedure.
  • Recommended: Apple Business Manager

Procedure

The Apple Deployment Platform documentation states:

Management configuration in backups

When a device is backed up, the management configuration is contained in the backup. This configuration describes, among other things, whether a device is supervised or a Shared iPad. Backups must be encrypted when using profile-based Device Enrolment or Automated Device Enrolment for the MDM enrolment profile to be included.

and

Restore a backup to a different device

If a device is restored from a backup taken from a different device, the management configuration and MDM enrolment are automatically deleted during the restore. If the device’s serial number appears in Apple School Manager or Apple Business Manager, it subsequently reaches out to determine whether a management configuration has been defined for it. If available, it downloads the management configuration and applies it.

If the backup contains managed app data, it’s restored too, unless MDM has defined that the app should be removed upon unenrolment. If the backup contains enterprise books, they are restored.

So, if you attempt to back up your Unmanaged, Unsupervised device, reset your device, Supervise it and/or enrol it into MDM, then attempt to restore the backup, you’ll get all your data back, but you’ll also lose your Supervision and enrolment status.

This is where the staging device comes into use…

  1. Back up your Unmanaged, Unsupervised device using iCloud and/or Local Backup. (Reference: YourPhone)
    • I recommend taking backups using both methods, just in case. When taking a local backup, encrypt it; this will make your life easier, as the restore will include a bit more data.
  2. Restore the backup to the staging device. (Reference: OldPhone)
  3. Take a backup of the Staging Device (OldPhone) using iCloud and/or Local Backup.
    • I recommend taking backups using both methods, just in case. When taking a local backup, encrypt it; this will make your life easier, as the restore will include a bit more data.
    • The use of OldPhone is complete at this point, but just keep it around, in case. It has a known good restore running on it!
  4. Nervously, erase and factory reset YourPhone.
  5. Add YourPhone to Apple Business Manager/supervise the device.
    • You can use Apple Configurator 2 on the recommended Apple Mac device, or
    • You can install Configurator from the App Store to another iOS device.
      • Configurator on an iOS device is simpler/easier; however, you can supervise a device without ABM using Configurator 2 on a Mac… so it depends on your situation.
  6. Connect YourPhone to your MDM server (Intune in this case) in Apple Business Manager or by using Configurator 2.
  7. Assign the relevant MDM enrolment profile to YourPhone in your MDM platform, Intune in this case.
    • Ensure that the enrolment profile is configured properly and not configured to skip/block essential sections of the Setup Wizard such as backup and restore and Apple ID and sign-in steps.

  8. Turn on YourPhone and follow the Setup Wizard prompts. YourPhone is Supervised at this stage.
  9. On the Restore screen, choose to restore from a backup, either iCloud or “Mac or PC”.
    • !!! Ensure you restore the backup of OldPhone
      • If you select the original YourPhone backup, you will overwrite your Supervised status.
    • If using iCloud to restore, ensure you enter the same Apple Account that was used to take the iCloud backup originally.
    • You might potentially get away with restoring from “Another nearby device”, but I did not test this. My staging device was an iPhone XS so was pretty slow in everything, which is why I opted to use Local Backup.
  10. The restoration starts immediately, even though you are only halfway through the Setup Wizard. How long it takes depends on the size of the backup, so it could take a while. After the restoration has completed, Setup Wizard will continue and you should be asked if you wish to enrol into MDM, which of course you do.
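Before choosing a backup on the Restore screen, it helps to confirm which local backup folder on the Mac actually came from OldPhone, that it is encrypted, and that its iOS version matches. The script below is an added example, not part of the original procedure; it reads the `Info.plist` and `Manifest.plist` files that Finder backups store in each backup folder, and the script name `check_backup.py` and the serial and version arguments are assumptions you supply yourself.

```python
import plistlib
import sys
from datetime import datetime
from pathlib import Path

# Default folder for Finder ("Mac or PC") backups on macOS.
BACKUP_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"

def describe_backups(root=BACKUP_ROOT):
    """Return one summary dict per backup folder under root, newest first."""
    found = []
    for info_path in Path(root).glob("*/Info.plist"):
        manifest_path = info_path.with_name("Manifest.plist")
        if not manifest_path.exists():
            continue  # incomplete or interrupted backup
        with info_path.open("rb") as f:
            info = plistlib.load(f)
        with manifest_path.open("rb") as f:
            manifest = plistlib.load(f)
        found.append({
            "folder": info_path.parent.name,
            "device": info.get("Device Name"),
            "serial": info.get("Serial Number"),
            "ios": info.get("Product Version"),
            "taken": info.get("Last Backup Date"),
            "encrypted": bool(manifest.get("IsEncrypted", False)),
        })
    return sorted(found, key=lambda b: b["taken"] or datetime.min, reverse=True)

def check_restore_choice(backups, staging_serial, target_ios):
    """Pick the newest backup taken from the staging device; list any problems."""
    candidates = [b for b in backups if b["serial"] == staging_serial]
    if not candidates:
        return None, ["no backup from the staging device was found"]
    chosen, problems = candidates[0], []
    if not chosen["encrypted"]:
        problems.append("backup is not encrypted")
    if chosen["ios"] != target_ios:
        problems.append(f"backup is iOS {chosen['ios']}, target runs {target_ios}")
    return chosen, problems

if __name__ == "__main__":
    # Usage: python3 check_backup.py <OldPhone serial> <iOS version on YourPhone>
    serial, ios = sys.argv[1], sys.argv[2]
    chosen, problems = check_restore_choice(describe_backups(), serial, ios)
    print("Restore this folder:", chosen["folder"] if chosen else "none")
    for p in problems:
        print("WARNING:", p)
```

On recent macOS versions the terminal needs Full Disk Access to read the backup folder.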

Congratulations, you’ve spent a lot of time and effort doing that, but you should now have a Supervised device, Managed by MDM with all your data restored…!


2 responses to “Restore an unmanaged iOS Backup to a Supervised iOS Device and manage with MDM”

  1. Marc

    Good writeup James. We encountered this issue when moving from one MGMT platform to Intune and had a number of users who were only partially enrolled somehow. We never ended up fixing them but managed to get around the issues when users had received new devices (and also did discover the workaround you found here but we didn’t have the opportunity to do this for everyone).

    I really wish Apple could do something about this as it works when you have two devices to use – so there’s no technical reason why it shouldn’t work with one device only. Like a Restore but Keep Management option. Maybe iOS27 on the iPhone 34? :-p

    1. James

      Maybe…! Maybe they’ll claim it’s not their issue? Either way, hopefully an option like that does arrive at some point.
