Hi ChrisNeu,
What kind of app data is even backed up using the new prevention feature, compared with not using it?
> you cannot back up any app data if this feature is enabled. It applies to the app as a whole.
- the app itself or only a reference to the app so it is re-installed from App Store after restore?
> the app's binary data is never backed up to iCloud/iTunes; the backup mechanism is aware that the app binary is available on the Apple App Store. During restore, the app binary is re-downloaded from Apple. That ensures a smaller backup and avoids backing up loads of data which is unnecessary. Only the list of installed apps and their position on the home screen is stored. For apps that are pre-paid via Apple VPP (license belongs to the company) or line-of-business apps, the apps cannot be re-downloaded automatically from Apple. For those you need to check in again with Intune and download from the Comp Portal. Hence, for any app where there is no backup prevention, the reference to the app binary is backed up plus the data inside the app (user data, which cannot be re-downloaded from Apple).
- App including its data saved in managed locations like OneDrive for Business?
> the above documentation does not affect the storage locations that are enabled inside an application. It only affects the backup behavior on system level (iCloud/iTunes only). If you wish to control backup on app level, please use the Intune App Protection Policies.
- App including its data saved in iCloud if access not blocked by any other means?
> yes, if you don't block backups via the setting in the Intune App Catalog Assignment nor via the App Protection Policies, the user data plus an App Store reference for the binary installation is stored as a backup.
- App including its data saved locally to devices?
> I don't really understand the question.
- only the information from where the app should be installed after restoring the device (cloud symbol vs. "Waiting…")?
> generally, if all information is available to the device after the restore, the app will queue for installation ("Waiting..."). You'll see a cloud symbol in the following situations:
--> App was managed before as an optional app assignment > you need to re-download from the Comp Portal
--> App was managed before as a required app assignment > you need to check in and wait for all the required apps to be re-pushed
--> App was not managed but was automatically off-loaded by iOS mechanisms > you tap on the app icon, which triggers a re-download from the App Store
- behavior of the Microsoft Authenticator app: restoring account information only possible with iCloud backup combined with an MSA (Microsoft Account)?
> not possible in any way if you make the restore on a new device. Corporate identities need to be set up again after the iCloud restore, because the keychain won't be restored completely and Authenticator is aware that it was restored on a different device.
> for a restore on the same device, I am not sure right now. Better you test on your own, but I think as the keychain is restored 1:1, the Authenticator is probably restored with all the identities, too.
> the built-in "iCloud Backup" (inside the Authenticator app menu) is in reality the iCloud Sync feature. It only syncs your personal account identities, plus your passwords if you use the password manager feature. Corporate account identities (Azure accounts) are not synced. However, once the iCloud Sync feature is disabled for managed apps via MDM, this feature will be deactivated.
Using the same configuration as @Joachimb89, I would appreciate a best practice guide for backing up a supervised iOS device with private use allowed (managed Authenticator app, and all Office apps protected by a managed app protection policy blocking access to iCloud).
> I think this is highly individual per company and use case, hence there is no general best practice. Sometimes, also according to law, you need to ensure certain settings. However, I generally recommend blocking iCloud Backup for every single managed app via the app catalog. Additionally, you should block the iCloud Sync feature for managed apps. Both settings are part of the iOS restrictions. They are vendor-independent and work for all MDM/EMMs. That way, the corporate data is prevented from being backed up by iCloud Backup mechanisms, plus you give your users the freedom to use the integrated backup mechanisms to back up their personal data. Hope this helps.
DM me, if you want to know more about secure integration of personal use in corporate devices.
Best regards
Patrick
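The two settings recommended above (per-app backup prevention on the app assignment, and blocking iCloud sync for managed apps via iOS restrictions) both end up as Apple MDM primitives that an administrator can verify. The following added example, which is not part of the original thread or of any MDM vendor's code, audits a constructed restrictions profile and a constructed `InstallApplication` command with Python's standard `plistlib`. It assumes the standard Apple keys `allowManagedAppsCloudSync` (Restrictions payload) and the `ManagementFlags` bit 4 ("prevent backup of app data") on `InstallApplication`; the sample payloads and the function names are constructed for the example.

```python
import plistlib

# Apple MDM InstallApplication ManagementFlags bits (assumed from Apple's MDM protocol reference).
REMOVE_ON_UNENROLL = 1   # remove the app when the MDM profile is removed
PREVENT_APP_BACKUP = 4   # prevent the app's data from being backed up to iCloud/iTunes

# Constructed sample: a supervised-device restrictions profile that blocks iCloud sync
# for managed apps. Built as a dict and serialised so it round-trips through the real
# plist format used by .mobileconfig files.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.restrictions.profile",  # constructed identifier
    "PayloadContent": [
        {
            "PayloadType": "com.apple.applicationaccess",
            "PayloadIdentifier": "example.restrictions.payload",  # constructed identifier
            "allowManagedAppsCloudSync": False,
        }
    ],
})

# Constructed sample: two InstallApplication commands as an MDM server would queue them.
SAMPLE_INSTALL_COMMANDS = [
    plistlib.dumps({"RequestType": "InstallApplication",
                    "iTunesStoreID": 1,          # placeholder store id
                    "ManagementFlags": REMOVE_ON_UNENROLL | PREVENT_APP_BACKUP}),
    plistlib.dumps({"RequestType": "InstallApplication",
                    "iTunesStoreID": 2,          # placeholder store id
                    "ManagementFlags": REMOVE_ON_UNENROLL}),   # backup NOT prevented
]


def managed_app_cloud_sync_blocked(profile_bytes):
    """Return True if the profile carries a Restrictions payload with
    allowManagedAppsCloudSync explicitly set to False."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            # Only an explicit False counts; an absent key leaves Apple's default (allowed).
            if payload.get("allowManagedAppsCloudSync") is False:
                return True
    return False


def backup_prevented(command_bytes):
    """Return True if an InstallApplication command sets the 'prevent backup' flag."""
    command = plistlib.loads(command_bytes)
    if command.get("RequestType") != "InstallApplication":
        raise ValueError("not an InstallApplication command")
    return bool(command.get("ManagementFlags", 0) & PREVENT_APP_BACKUP)


def audit(profile_bytes, install_commands):
    """Collect findings for the two recommendations in the thread:
    block iCloud sync for managed apps, and prevent backup for every managed app.
    Returns a list of human-readable findings; an empty list means compliant."""
    findings = []
    if not managed_app_cloud_sync_blocked(profile_bytes):
        findings.append("restrictions: allowManagedAppsCloudSync is not set to false")
    for raw in install_commands:
        if not backup_prevented(raw):
            store_id = plistlib.loads(raw).get("iTunesStoreID")
            findings.append(f"app {store_id}: ManagementFlags lacks prevent-backup bit (4)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_INSTALL_COMMANDS):
        print("FINDING:", finding)
```

Run against the constructed data the audit reports the second app, whose assignment lacks the prevent-backup bit, while the restrictions payload passes. Pointing the same checks at profiles and commands exported from an MDM gives a quick confirmation that the "block iCloud backup for every managed app" advice is actually enforced per app rather than assumed.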