Changes to applications’ back up and restore behavior on supervised iOS/iPadOS devices

Posted by

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

We're aware that customers have run into issues with the current backup and restore behavior for their supervised iOS/iPadOS devices, such as apps not downloading. To fix these issues and improve the user experience, Intune will prevent the iCloud backup of certain managed applications (apps) on supervised iOS/iPadOS devices. This change is expected to occur with the January (2301) service-side release.

With this change, Intune will no longer be backing up managed App Store apps and line-of-business (LOB) apps on supervised iOS/iPadOS devices, for both user and device licensed VPP/non-VPP apps. This will include both new and existing App Store/LOB apps sent with and without VPP that are being added to Intune and targeted to users and devices. Preventing the backup of the specified managed apps will ensure that these apps can be properly deployed via Intune when the device is enrolled and restored from backup. With this upcoming change, managed apps can and will be re-installed for supervised devices, but Intune will no longer allow them to be backed up.

Note: While we don't expect managed apps on supervised devices to backup data to iCloud, please note that data saved locally for managed apps may not be available after a backup and restore.

For newly enrolled devices, no managed App Store apps (sent with/without VPP) or LOB apps will be backed up to iCloud. This includes both required and available apps. These apps will be automatically re-configured for all devices once this change is implemented.


For existing devices, the new behavior will be automatically updated for all App Store/LOB apps. This includes both required and available apps. However, depending on the app’s configurations and licensing, a sync between Intune and the device may be needed.


The following table explains the different apps behavior on the device after it’s been restored:

  Required app Available app
Store app without VPP Automatic app download after restoring, no sync required (“Waiting…”) Automatic app download after restoring, no sync required (“Waiting…”)
Store app with user license VPP Automatic app download after restoring, no sync required (“Waiting…”) Automatic app download after restoring, no sync required (“Waiting…”)
Store app with device license VPP Manual sync needed to download app, or automatic sync will occur within ~8 hours (Cloud icon) User needs to install the app from the Intune Company Portal app or the Company Portal website (Cloud icon)
LOB app Manual sync needed, or automatic sync will occur within ~8 hours (Cloud icon) User needs to install the app from the Intune Company Portal app or the Company Portal website (Cloud icon)


Keep in mind  

  • A manual device sync can be completed by the admin in the Intune console or can be triggered by the user in the Company Portal app (or on the Company Portal website). 
    • Automatic device syncs happen approximately every 8 hours.
  • All VPP apps are App Store apps.
  • User licensed apps are associated with the user’s App Store.
  • Device licensed apps are associated with the device’s serial number. 
  • When you complete a backup and restore to the same device, the Intune mobile device management (MDM) profile is still valid. When you complete a backup and restore to a new device, it’s a brand-new enrollment with a new Intune MDM profile.
  • When an app has the cloud icon, that means the app is associated with the Intune MDM profile, but it’s not actually downloaded.  
    • For required apps: A manual admin or user-initiated sync between Intune and the device is needed if the restore is done to the same device. Or the next automatic sync that occurs within 8 hours will download the app.   
    • For available apps: The user needs to request to “Install” the app in the Company Portal app or from the Company Portal website.
    • A sync between Intune and the device is not needed if the restore is done to a new device. That sync occurs automatically for all new enrollments.
  • When the apps status is “Waiting…”, it means that the app is associated with the user’s App Store. For both required and available apps, the app will install automatically, and no further action is needed from the admin or the users.
    • The behavior is the same for these apps whether the restore is done to the same device or a new device.  

Examples

  1. Automatic app installment, “Waiting” status.
    Apps associated with a user’s App Store automatically install on the device, as indicated by the app’s “Waiting…” status (shown in the Figure 1 below). This includes required and available Store apps without VPP and Store apps with user licensed VPP. The behavior is the same whether the restore is done on the same device or on a new device.
    Figure 1: Screenshot of a user’s apps waiting to install on an iOS device.Figure 1: Screenshot of a user’s apps waiting to install on an iOS device.
     
  2. Device sync needed.
    Device licensed VPP App Store apps and LOB apps are unable to install automatically and need a device sync. This is indicated with the cloud icon on these apps and the pop-up that shows when the app is tapped (shown in Figures 2 and 3). For required apps, this can be done with a manual sync completed by the admin, the user installs the application, or by waiting until the next automatic sync that will occur within 8 hours. For available apps, the user must go to the Company Portal app (Apps > Select an app > Install) or the Company Portal website to manually “Install” the app (Figure 4).
    Figure 2: A screenshot of the “Unable to install” message a user may see when attempting to install and a device sync is needed..Figure 2: A screenshot of the “Unable to install” message a user may see when attempting to install and a device sync is needed..Figure 3: A screenshot of the “Unable to install” message a user may see when attempting to install an app and a device sync is needed.Figure 3: A screenshot of the “Unable to install” message a user may see when attempting to install an app and a device sync is needed.
    Figure 4: The option to “Install” an app from the Intune Company Portal app after the user has signed in.Figure 4: The option to “Install” an app from the Intune Company Portal app after the user has signed in.

Checking if an app is backed up by iCloud

On all devices, you can see which managed apps are not being backed up by iCloud by navigating to Settings > General > VPN & Device Management > Management profile > Apps. When selecting an app, if the restrictions state “App data will not be backed up”, then the app is not backed up by iCloud (Figure 5). Alternatively, you can check whether an app is backed up in the iCloud settings (Settings > iCloud > Under ”Apps using iCloud”, select show all). Apps that show “Backup not supported” are not being backed up by iCloud (Figure 6).

Figure 5: A screenshot of the Backup Details on the user device showing apps that are backed up with the indicator switch in green and apps that are not backed up greyed out with the text “Backup Not Supported.”Figure 5: A screenshot of the Backup Details on the user device showing apps that are backed up with the indicator switch in green and apps that are not backed up greyed out with the text “Backup Not Supported.”Figure 6: Screenshot of restriction text indicating that an app is not backed up to iCloud.Figure 6: Screenshot of restriction text indicating that an app is not backed up to iCloud.

We understand there may be nuanced scenarios where you may want to allow configured managed apps to be backed up to iCloud (same as the current behavior). We’re planning in a future release to introduce a setting within Intune that will allow you to turn this new behavior off, if needed.

 

To learn more about iOS/iPadOS backup and restore scenarios within Intune, read Backup and restore scenarios for iOS/iPadOS.

 

If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.