James Vincent

Restore an unmanaged iOS Backup to a Supervised iOS Device and manage with MDM

I’ve recently spent a lot of time working with iOS devices, specifically with device management and Intune. Engaging with a large organisation to assist with a migration from one Apple Business Manager and Intune setup, into another. This project, along with my long-standing desire to reduce my own screentime led me to explore Supervising my own personal iPhone and enrolling it into Intune for management (for the ability to hide/restrict certain applications!)

The problem is that in order for a device to go from an Unsupervised state, into a Supervised state, the device must be factory reset. And when this is your own personal device, the upheaval and disruption that can cause is monumental. Most banks, or maybe it’s just mine, make it really difficult to switch your secure token from one device to another, eSIM registration can be a faff, and let’s not talk about Microsoft Authenticator which requires each token to be reset after restoring from a backup… a pain at the best of times, a colossal disruption if like me you have upwards of 40 MFA tokens.

Anyway, over the festive break, I made the most of the quiet time by investigating the feasibility of backing up my unmanaged, unsupervised device, and restoring the backup onto a supervised device. It turns out it is possible, but it also turns out to be a faff – for starters, you require an additional iOS device, with sufficient space, to be used for staging.

Prerequisites

  • The Unmanaged, Unsupervised device
  • An Apple Account (fka. AppleID)
    • Use the same account for all procedures.
  • A backup of the Unmanaged, Unsupervised device
    • iCloud backup
    • Local backup
      • Recommend taking both kinds of backups, just incase!
  • A staging device
    • Another iOS device
    • Running the same iOS version
    • With sufficient space to restore your backup
  • Time
  • Recommended: An Apple Mac device
    • For taking a Local backup
    • For running Configurator 2
      • Configurator can also be used on another iOS device but given you really don’t want to mess this up, I strongly recommend a Mac for this procedure.
  • Recommended: Apple Business Manager

Procedure

The Apple Deployment Platform documentation states

Management configuration in backups

When a device is backed up, the management configuration is contained in the backup. This configuration describes, among other things, whether a device is supervised or a Shared iPad. Backups must be encrypted when using profile-based Device Enrolment or Automated Device Enrolment for the MDM enrolment profile to be included.

and

Restore a backup to a different device

If a device is restored from a backup taken from a different device, the management configuration and MDM enrolment are automatically deleted during the restore. If the device’s serial number appears in Apple School Manager or Apple Business Manager, it subsequently reaches out to determine whether a management configuration has been defined for it. If available, it downloads the management configuration and applies it.

If the backup contains managed app data, it’s restored too, unless MDM has defined that the app should be removed upon unenrolment. If the backup contains enterprise books, they are restored.

So, if you attempt to backup your Unmanaged, Unsupervised device, reset your device, Supervise it and/or enrol it into MDM, then attempt to restore the backup, you’ll get all your data back, but you’ll also lose your Supervision and enrolment status.

This is where the staging device comes in use…

  1. Back up your Unmanaged, Unsupervised device using iCloud and/or Local Backup. (Reference: YourPhone)
    • I recommend taking backups using both methods, just in case. When taking a local backup, encrypt it, as it will make your life easier upon restoration, as it’ll include a bit more data post restoration.
  2. Restore the backup to the staging device. (Reference: OldPhone)
  3. Take a backup of the Staging Device (OldPhone) using iCloud and/or Local Backup.
    • I recommend taking backups using both methods, just in case. When taking a local backup, encrypt it, as it will make your life easier upon restoration, as it’ll include a bit more data post restoration.
    • The use of OldPhone is complete at this point, but just keep it around, in case. It has a known good restore running on it!
  4. Nervously, erase and factory reset YourPhone.
  5. Add YourPhone to Apple Business Manager/supervise the device.
    • You can use Apple Configurator 2 on the recommended Apple Mac device, or
    • You can install Configurator from the App Store to another iOS device.
      • Configurator on an iOS device is simpler/easier; however, you can supervise a device without ABM using Configurator 2 on a Mac… so it depends on your situation.
  6. Connect YourPhone to your MDM server in Apple Business Manager or by using Configurator 2, Intune in this case.
  7. Assign the relevant MDM enrolment profile to YourPhone in your MDM platform, Intune in this case.
    • Ensure that the enrolment profile is configured properly and not configured to skip/block essential sections of the Setup Wizard such as backup and restore and Apple ID and sign-in steps.

  1. Turn on YourPhone and follow the Setup Wizard prompts. YourPhone is Supervised at this stage.
  2. On the Restore screen, choose to restore from a backup, either iCloud or “Mac or PC”.
    • !!! Ensure you restore the backup of OldPhone
      • If you select the original YourPhone backup, you will overwrite your Supervised status. This may only apply if using Local Backup as the restoration option.
    • If using iCloud to restore, ensure you enter the same Apple Account that was used to take the iCloud backup originally.
      • You might potentially get away with restoring from “Another nearby device”, but I did not test this. My staging device was an iPhone XS so was pretty slow in everything, which is why I opted to use Local Backup.
  3. The restoration will occur immediately, and you’re currently only halfway through the Setup Wizard. How long the restoration takes will depend on the size of the backup, which could take a while. However, after the restoration has completed, Setup Wizard will continue, and you should now be asked if you wish to enrol into MDM. Which of course you do.

Congratulations, you’ve spent a lot of time and effort doing that, but you should now have a Supervised device, Managed by MDM with all your data restored…!

James avatar

James

I am a UK based Modern Workplace Architect, with an enthusiasm for Device Management.

21 responses to “Restore an unmanaged iOS Backup to a Supervised iOS Device and manage with MDM”

  1. Marc

    Good writeup James. We encountered this issue when moving from one MGMT platform to Intune and had a number of users who were only partially enrolled somehow. We never ended up fixing them but managed to get around the issues when users had received new devices (and also did discover the workaround you found here but we didn’t have the opportunity to do this for everyone).

    I really wish Apple could do something about this as it works when you have two devices to use – so there’s no technical reason why it shouldn’t work with one device only. Like a Restore but Keep Management option. Maybe iOS27 on the iPhone 34? :-p

    Reply
    1. James

      Maybe…! Maybe they’ll claim it’s not their issue? Either way, hopefully an option like that does arrive at some point.

      Reply
  2. Jeff

    Hi James,
    I’m thinking of trying this when I get a new iPhone 16 soon. The idea is that I want a supervised phone that I can restrict when I’m maybe in an unfamiliar place, or a high crime area. Since thieves have started robbing people of their iPhones and forcing them to give up passcodes, I thought “Okay here’s my code but the phone is restricted and won’t allow system mods so have fun!”

    I wouldn’t be using MDM, so would this process work just to get a supervised version of my “OldPhone” onto my new iPhone 16? I found a chart that shows my 11 Pro should be at the same level of iOS 18 as any other phone so hope it will work.

    Thanks for the details instructions!

    Reply
    1. James

      Hi Jeff, I used an iPhone 11 as a staging device for my iPhone 16. Your situation sounds the same as mine. I backed up my 16, restored to 11, then did the Supervision/Management piece.

      Your exact reasoning was the same as mine too.

      Whilst you have no intention of running MDM, if you have a Mac device, Apple Configurator 2 will allow you to perform some MDM tasks should you desire.

      Reply
      1. Jeff

        Okay great minds . . .
        I’ll let you know how it works out. Might get the new phone later this week.

        Reply
  3. Jeff

    Hi James,

    I’m at the erase and reset YourPhone stage and the phone is asking if I want to keep the eSIM data. I assume yes is the right choice here?

    So far everything seems to be working. I did notice that after I restored the OldPhone (iPhone 11 Pro) from the YourPhone backup (iPhone 16 Pro), it changed the OldPhone name to the one in the backup – i.e. the YourPhone name. I don’t think that matters as the backup system on my Mac is organizing the backups by phone model, even though the phone “names” are the same now. I just have to be careful in selecting the correct one for restore.

    Reply
    1. James

      Upto you I guess. Some carriers can be a real pain to reissue eSIM’s, some painless. Try keeping it and if it doesn’t work as expected, I guess you can request another.

      Reply
  4. Jeff

    Hmmm, so I have the erased YourPhone and see the restore screen. If I select Mac or PC, it wants me to have an app called Apple Devices to restore from. This is not an app I am aware of or that exists in the App Store. If I choose iCloud seems to me that it will restore from the last backup of YourPhone instead of OldPhone, because I don’t think it gives me a choice to select a backup. It just wants the Apple Account which is the same for both devices. I can do a restore from the Mac iPhone manager in the Finder, but I think that would reset the supervision. I’m going to try the nearby device method since that will pull from the OldPhone data.

    Reply
    1. James

      At this point, you should have OldPhone running and working with an up to date backup of your main phone, so you can in theory be a bit more gung-ho/experimental with YourPhone, knowing you have a good/working backup and whilst not ideal, a working phone, albeit an old one.

      Apple Devices appears to be a Windows thing; https://support.apple.com/en-gb/guide/devices-windows/welcome/windows – there must be a way round/beyond/through this.

      At this point YourPhone should be supervised, so it’s about ensuring the restore doesn’t overwrite that setting. So it would be a case of reading the included link to the Apple documentation and establishing which restore methods fit your criteria. Nearby devices should, if I recall.

      I restored using the Local Backup I’d taken, so initiated the Restore from my middle man device. I can’t recall if that was a PC or Mac now, probably a Mac.

      Reply
    2. Jeff

      No luck. Using the nearby phone transfer method stopped with a “Data Transfer Failed” message that amusingly used the biggest font I’ve ever seen on an iPhone. I tried the restore on the Mac using the iPhone management in the Finder, but it erased the phone and removed the supervision. I guess I might try it again and attempt the restore from iCloud but I’m pretty sure it’s going to pull from the wrong backup. I may have gotten tripped up somewhere, so I’ll review and give another go in a day or so. Gotta get it to work soon because the 11 Pro has to be shipped off for trade-in value.

      Reply
      1. James

        I was in the same boat RE Trade In. I’ve just read around to refresh myself (whilst still being asleep!) and found that any restore method should work. The supervision state is device bound, and is why we use the OldPhone.

        You could browse to the location of local backups on your Mac/PC and move the existing backups which are usually GUID based folders. Take a new backup of OldPhone (ensuring encrypted), and then you’d know that the only local backup you can access is ‘the right backup’.

        Alternatively, rename your OldPhone in Settings on the device, and back it up to the cloud again. This should make it easier to identify.

        Whilst not ideal, you should have a working ‘OldPhone’, so it’s just trial and error with YourPhone now. Worst case, you have to restore to the 16 Unsupervised and revisit it again later/write it off. But you can’t be too far off a success.

        Reply
        1. Jeff

          I wanted to ask about what you mean by “local backup”. Is this a backup made via the Finder when you plug in an iPhone? Or is it a backup made in the Apple Configurator? So far my experience is that any backup restored from the Mac Finder interface erases the phone before restoring.

          Today I did make a backup of OldPhone using the Configurator just to have it available when I attempt the whole process again. I’ll also look at removing iCloud backups that are not pertinent.

          Reply
          1. James

            By local backup, I mean exactly what your understanding is. A backup taken to my Mac/PC. See below, there’s 2 with the same GUID, one taken on the 6th Jan, one with -JV suffix on the 7th. I can’t recall exactly, but the one taken on the 6th, is likely to be my Original iPhone 16 backup. The one dated the 7th, with the -JV suffix, is likely to be the “local backup” of the OldPhone, called -JV purely to identify it when I’m selecting to “Restore from Backup”.

            Local Backup

  5. Jeff

    Success! I used an iCloud backup for the restore after supervision was added. Worked quickly and without issue. The phone setup processs does let you choose which iCloud backup you wish to restore, so I was able to easily select the OldPhone backup. I am now configuring different levels of security. I probably will keep the phone in a general “mild” state of restriction – not allowing account or passcode changes – at all times. If I really think I need serious protection I’ll have a profile that hides sensitive apps like Wallet, my password manager, financial apps and so on. Plus there will be an un-restricted profile for when I need to make any changes etc.

    Thanks for your help on this. It’s really not that hard to do, just a little time consuming. This process is also much easier than some others I saw that required editing files using the Terminal.

    Reply
    1. James

      Nice one! I’m glad you got this working! Like you say, it’s just time consuming and can be a bit of a headache to get your head around.

      Reply
  6. JJ

    Thanks for your excellent guide, I’ve found documentation on this pretty limited. I want to use my primary iPhone in supervised mode. If I were to move back to an unsupervised device at a later date, do you know if the backups will automatically re-enable supervised mode?

    Reply
    1. James

      I haven’t tested this, as I don’t have a spare device, nor have I come across a need to “go back”, but… the documentation to me suggests that the “Supervision” state is somewhat decoupled from the backup. Supervision occurs when using (Automated) Device Enrolment.

      If you read “Restore a backup to a different device” within the first link, the restoration to a new device would NOT be enrolled in ABM, thus not part of any device management/device enrolment (thus, non-supervised)…

      https://support.apple.com/en-gb/guide/deployment/depd44f045b4/web
      https://support.apple.com/en-gb/guide/deployment/dep1d89f0bff/web

      The best way to answer any question like this, is to simply try it.

      Reply
  7. Naman Kumar

    Can the same thing roughly be applied for macOS (unsupervised to supervised, without data loss)?

    Reply
    1. James

      You’ve way more flexibility with a mac and full OS, so I’d assume you could do something. What exactly are you wanting to keep when going from Unsupervised to Supervised? Because, on a single device, I’d just recommend a backup and then restore, post OS install…

      Reply
  8. Jon

    Hello!

    Thank you for this amazing writeup. Do you think that there might we a way to modify the backup files / use something like iMazing to do a partial restore?

    Reply
    1. James

      Possibly. I’ve not tinkered with Backups for a long long time.

      Only one way to find out – give it a go!

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *