Intune Customer Success

Changes to applications’ backup and restore behavior on iOS/iPadOS and macOS devices

Intune_Support_Team
Dec 08, 2022

Updated 01/23/23: Based on the feedback we’ve received, there are some slight changes to when and how we roll out this change. This change will not happen automatically; instead, admins will be able to enable a new setting to prevent the iCloud backup of managed apps. This will be available for both supervised and non-supervised devices on iOS/iPadOS and macOS. The content below has been updated with these changes.

 

We're aware that customers have run into issues with the current backup and restore behavior for their iOS/iPadOS and macOS devices, such as apps not downloading. To fix these issues and improve the user experience, Intune will be adding a new setting that will allow admins to prevent the iCloud backup of certain managed applications (apps) on all iOS/iPadOS and macOS devices. This includes both supervised and non-supervised devices. This new setting is expected to release with the April (2304) service-side release. Stay tuned to What’s new in Microsoft Intune for the release announcement.

Admins will have the option to no longer back up managed App Store apps and line-of-business (LOB) apps on iOS/iPadOS and managed App Store apps on macOS devices (macOS LOB apps won’t support this feature), for both user and device licensed VPP/non-VPP apps. This will include both new and existing App Store/LOB apps sent with and without VPP that are being added to Intune and targeted to users and devices. Preventing the backup of the specified managed apps will ensure that these apps can be properly deployed via Intune when the device is enrolled and restored from backup. If the admin configures the new setting for new/existing apps in their tenant, managed apps can and will be re-installed for devices, but Intune will no longer allow them to be backed up.

 

Note: While we don't expect managed apps on devices to back up data to iCloud, please note that data saved locally for managed apps may not be available after a backup and restore.

 

The new setting will appear under Apps > iOS/iPadOS apps or macOS apps > Add > Select app type > Select app > Configure settings > Add group > Edit assignment (VPN, or Uninstall on device removal, or Install as removable) > Prevent iCloud app backup.

 

For existing devices, when Prevent iCloud app backup is set to Yes for an app/apps, the new behavior will be automatically updated for all required App Store/LOB apps (with or without VPP). Required apps previously installed on devices will be automatically re-configured for all devices once the setting value is saved to Yes. Available apps will require the user to re-download the available app from the Company Portal app or the Company Portal website. Additionally, depending on the app’s configurations and licensing, a sync between Intune and the device may be needed.
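One way to check which assignments actually have Prevent iCloud app backup turned on, and what each of those assignments will need after a restore. This is an added example, not Microsoft's code: the field and type names (`preventManagedAppBackup`, `useDeviceLicensing`, the `#microsoft.graph.*` types) are assumptions based on the Microsoft Graph beta app-assignment schema, and the export and app names are constructed.

```python
# Added example: audit app assignments for the "Prevent iCloud app backup" setting.
# Field and type names are assumptions (Microsoft Graph beta schema), not from the article.

SUPPORTED = {  # app types the article says the setting covers (macOS LOB is excluded)
    "#microsoft.graph.iosStoreApp",
    "#microsoft.graph.iosVppApp",
    "#microsoft.graph.iosLobApp",
    "#microsoft.graph.macOsVppApp",
}

# Constructed sample, shaped like a mobileApps export with assignments expanded.
SAMPLE_EXPORT = {"value": [
    {"@odata.type": "#microsoft.graph.iosVppApp", "displayName": "Contoso Notes",
     "assignments": [
         {"intent": "required",
          "settings": {"useDeviceLicensing": True, "preventManagedAppBackup": True}},
         {"intent": "available",
          "settings": {"useDeviceLicensing": False, "preventManagedAppBackup": None}}]},
    {"@odata.type": "#microsoft.graph.iosLobApp", "displayName": "Contoso Field Tool",
     "assignments": [{"intent": "required",
                      "settings": {"preventManagedAppBackup": True}}]},
    {"@odata.type": "#microsoft.graph.iosStoreApp", "displayName": "Contoso Reader",
     "assignments": [{"intent": "available", "settings": None}]},
    {"@odata.type": "#microsoft.graph.macOSLobApp", "displayName": "Contoso Mac Agent",
     "assignments": [{"intent": "required", "settings": None}]},
    {"@odata.type": "#microsoft.graph.iosStoreApp", "displayName": "Contoso Legacy",
     "assignments": [{"intent": "uninstall", "settings": None}]},
]}


def restore_action(app_type, intent, settings):
    """Post-restore behaviour per the article's table, for assignments with the setting on."""
    device_bound = (app_type == "#microsoft.graph.iosLobApp"
                    or bool(settings.get("useDeviceLicensing")))
    if not device_bound:
        return "automatic download (Waiting...)"
    if intent == "required":
        return "device sync needed (cloud icon)"
    return "user installs from Company Portal (cloud icon)"


def audit(export):
    """Return one finding per required/available assignment of a supported app."""
    findings = []
    for app in export.get("value", []):
        app_type = app.get("@odata.type")
        if app_type not in SUPPORTED:
            continue  # e.g. macOS LOB apps, where the setting is not supported
        for assignment in app.get("assignments") or []:
            intent = assignment.get("intent")
            if intent not in ("required", "available"):
                continue
            settings = assignment.get("settings") or {}
            # Assumption: absent or null means the admin has not turned the setting on.
            prevented = settings.get("preventManagedAppBackup") is True
            findings.append({
                "app": app.get("displayName"),
                "intent": intent,
                "backup_prevented": prevented,
                "after_restore": (restore_action(app_type, intent, settings)
                                  if prevented else None),
            })
    return findings


def backup_still_allowed(findings):
    """Assignments to review: the setting is off, so iCloud Backup is not prevented."""
    return [(f["app"], f["intent"]) for f in findings if not f["backup_prevented"]]


if __name__ == "__main__":
    results = audit(SAMPLE_EXPORT)
    for finding in results:
        print(finding)
    print("review:", backup_still_allowed(results))
```
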

 

The following table explains how different apps behave on a device after it has been restored from backup when Prevent iCloud app backup is set to Yes:

| | Required app | Available app |
| --- | --- | --- |
| Store app without VPP | Automatic app download after restoring, no sync required (“Waiting…”) | Automatic app download after restoring, no sync required (“Waiting…”) |
| Store app with user license VPP | Automatic app download after restoring, no sync required (“Waiting…”) | Automatic app download after restoring, no sync required (“Waiting…”) |
| Store app with device license VPP | Manual sync needed to download app, or automatic sync will occur within ~8 hours (Cloud icon) | User needs to install the app from the Intune Company Portal app or the Company Portal website (Cloud icon) |
| LOB app (iOS/iPadOS only) | Manual sync needed, or automatic sync will occur within ~8 hours (Cloud icon) | User needs to install the app from the Intune Company Portal app or the Company Portal website (Cloud icon) |


Keep in mind  

  • A manual device sync can be completed by the admin in the Intune console or can be triggered by the user in the Company Portal app (or on the Company Portal website). 
    • Automatic device syncs happen approximately every 8 hours.
  • All VPP apps are App Store apps.
  • User licensed apps are associated with the user’s App Store.
  • Device licensed apps are associated with the device’s serial number. 
  • When you complete a backup and restore to the same device, the Intune mobile device management (MDM) profile is still valid. When you complete a backup and restore to a new device, it’s a brand-new enrollment with a new Intune MDM profile.
  • When an app has the cloud icon, that means the app is associated with the Intune MDM profile, but it’s not actually downloaded.  
    • For required apps: A manual admin or user-initiated sync between Intune and the device is needed if the restore is done to the same device. Or the next automatic sync that occurs within 8 hours will download the app.   
    • For available apps: The user needs to request to “Install” the app in the Company Portal app or from the Company Portal website.
    • A sync between Intune and the device is not needed if the restore is done to a new device. That sync occurs automatically for all new enrollments.
  • When the app’s status is “Waiting…”, it means that the app is associated with the user’s App Store. For both required and available apps, the app will install automatically, and no further action is needed from the admin or the users.
    • The behavior is the same for these apps whether the restore is done to the same device or a new device.  

Examples

  1. Automatic app installation, “Waiting” status.
    Apps associated with a user’s App Store automatically install on the device, as indicated by the app’s “Waiting…” status (shown in Figure 1 below). This includes required and available Store apps without VPP and Store apps with user licensed VPP. The behavior is the same whether the restore is done on the same device or on a new device.
    Figure 1: Screenshot of a user’s apps waiting to install on an iOS device.
     
  2. Device sync needed.
    Device licensed VPP App Store apps and LOB apps are unable to install automatically and need a device sync. This is indicated by the cloud icon on these apps and the pop-up that shows when the app is tapped (shown in Figures 2 and 3). For required apps, this can be done by a manual sync completed by the admin, by the user installing the application, or by waiting until the next automatic sync, which will occur within 8 hours. For available apps, the user must go to the Company Portal app (Apps > Select an app > Install) or the Company Portal website to manually “Install” the app (Figure 4).
    Figure 2: A screenshot of the “Unable to install” message a user may see when attempting to install and a device sync is needed.
    Figure 3: A screenshot of the “Unable to install” message a user may see when attempting to install an app and a device sync is needed.
    Figure 4: The option to “Install” an app from the Intune Company Portal app after the user has signed in.

  3. Initiating a manual sync

    Users can initiate a manual device sync from the Company Portal app, or from the Company Portal website.

    • Company Portal app: Users can select Devices > select the device that requires a sync > Check status.

      Figure 5: Screenshot of the Intune Company Portal app for iOS with the "Check status" setting highlighted.

    • Company Portal website: Users can select the menu on the top right > Devices > select device that requires a sync > Check status. The "Check status" button triggers a manual sync between the device and Intune.

      Figure 6: Screenshot of the Intune Company Portal website in a browser session with the "Check status" setting highlighted.

Checking if an app is backed up by iCloud on iOS/iPadOS

On all devices, you can see which managed apps are not being backed up by iCloud by navigating to Settings > General > VPN & Device Management > Management profile > Apps. When selecting an app, if the restrictions state “App data will not be backed up”, then the app is not backed up by iCloud (Figure 8). Alternatively, you can check whether an app is backed up in the iCloud settings (Settings > iCloud > Under "Device Backups", select iCloud Backup > select your device > select Show All Apps). Apps that show “Backup not supported” are not being backed up by iCloud (Figure 7).

Figure 7: A screenshot of the Backup Details on the user device showing apps that are backed up with the indicator switch in green and apps that are not backed up greyed out with the text “Backup Not Supported.”

Figure 8: Screenshot of restriction text indicating that an app is not backed up to iCloud.

To learn more about iOS/iPadOS backup and restore scenarios within Intune, read Backup and restore scenarios for iOS/iPadOS.

 

If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

 

Post updates:

01/23/23: Updated to clarify backup and restore scenarios based on customer feedback. Thank you!

02/28/23: We previously noted that this new setting is expected to release with the March (2303) service-side release; Updated ETA to: April (2304).

11/07/23: Added a new section "Initiating a manual sync" under Examples.

Updated Dec 01, 2023
Version 6.0

9 Comments

  • paddy_braun

    Hi Joachimb89,

    As described in my answer to ChrisNeu, you cannot back up your corporate IDs inside Authenticator to iCloud. It only stores your private MS Account IDs. Hence, you had better leave Block managed apps from storing data in iCloud set to Yes.

    You are right, this setting applies to all managed apps as a whole, and should be turned on. But it has nothing to do with iCloud Backup. It is the iCloud Sync feature. Two different things that people always mix up.

    Sync is controlled with one setting for all apps inside the iOS platform restrictions; Backup is controlled with an individual per-app setting inside the App catalogue. The latter is a setting which is not sent to the device during every check-in, but only when the specific app is installed, updated or re-installed. This is by design, intended by Apple.

     

    • Corporate iOS devices with MDM & MAM policies applied
      > What is backed up and what is not depends on your policies. Please specify the setting in doubt, then only your question can be answered.
    • VPP apps deployed to all devices. Either required or available
      > No effect on the backup mechanism. The iCloud backup and the iCloud sync mechanisms depend on whether the app is managed or unmanaged, and for MAM (APP), whether or not you deployed the App setting "IntuneMAMUPN".
    • App assignment configured with setting Prevent iCloud app backup set to Yes
      > Completely blocks the backup of app data to iCloud via iCloud Backup mechanisms. No effect on iCloud Sync.

     

    In an App Protection policy -> Data Protection ->

    • Prevent Backup org data to iTunes and iCloud backups set to Block
      > Same as "prevent iCloud app backup" but only for apps which support MAM, not applicable to all Managed Apps. This MAM policy is supported on both managed and unmanaged devices.
    • Save copies or org data set to Block
      > Applies only to organizational data from the corporate account. You can define exceptions like corporate OneDrive or SharePoint.
    • In a device restriction policy Block managed apps from storing data in iCloud is set to Not Configured
      > Has nothing to do with app backup. Applies only to the iCloud Sync feature.

     

    iCloud Sync: Apps store their data in iCloud autonomously. Needs to be implemented by the app developer.

    iCloud Backup: is the device Backup feature by Apple which is triggered by the system/by the user and copies the app storage.

     

    When I check in Settings -> * Apple ID * -> Apps using iCloud -> all managed apps are enabled (green tick)

    > This is iCloud Sync

     

    When I check in Settings -> * Apple ID * -> *Current iOS Device name* -> iCloud Backup -> All Device backups -> All managed apps show "Backup not Supported"

    > This is iCloud Backup

     

    The remaining questions should be answered with my post above.

     

  • paddy_braun

    Hi ChrisNeu,

     

    What kind of app data is even backed up using the new prevention feature compared without using it?

    > you cannot backup any app data if this feature is enabled. It is valid for the app in a whole.

     

    - the app itself or only a reference to the app so it is re-installed from App Store after restore?

    > The app's binary data is never backed up to iCloud/iTunes; the backup mechanism is aware that the app binary data is available on the Apple App Store. During restore, the app binary is re-downloaded from Apple. That ensures a smaller backup and avoids backing up loads of data which is unnecessary. Only the list of installed apps and their position on the home screen is stored. For apps that are pre-paid via Apple VPP (license belongs to the company) or line-of-business apps, the apps cannot be re-downloaded automatically from Apple. For that you need to check in again with Intune and download from Comp Portal. Hence, for any app where there is no backup prevention, the reference for the app binary is backed up plus the data inside the app (user data, which cannot be re-downloaded from Apple).

     

    - App including its data saved in managed locations like OneDrive for Business?

    > the above documentation is not affecting the storages that are enabled inside an application. it is only affecting the backup behavior on system-level (iCloud/iTunes only). If you wish to control Backup on App-level, please use the Intune App Protection Policies.

     

    - App including its data saved in iCloud if access not blocked by any other means?

    > yes, if you don't block backups via Setting in the Intune App Catalog Assignment nor via the App Protection Policies, the user data plus an App Store reference for the binary installation is stored as a backup.

     

    - App including its data saved locally to devices?

    > I don't really understand the question.

     

    - only the Information from where the app should be installed after restoring the device (cloud symbol vs “Waiting…”)?

    > generally, if all information is available to the device after the restore, the app would queue for installation ("Waiting..."). You'll see a cloud symbol in the following situations:

    --> App was managed before as an optional app assignment > you need to re-download from Comp Portal

    --> App was managed before as a required app assignment > you need to check-in and wait for all the required apps to be re-pushed

    --> app was not managed but was automatically off-loaded by iOS mechanisms --> you tap on the app icon which triggers a re-download from App Store

     

    - behavior of Microsoft Authenticator App: restoring account information only possible with icloud backup combined with MSA (Microsoft Account)?

    > not possible in any way, if you make the restore on a new device. Corporate identities need to be re-setup after the iCloud restore because the keychain won't be restored completely and Authenticator is aware that it was restored on a different device.

    > for restore on the same device, I am not sure right now. Better you test on your own, but I think as the keychain is restored 1:1, the Authenticator probably restored with all the identities, too.

    > the built-in "iCloud Backup" (inside the Authenticator App Menu) is in reality the iCloud Sync feature. It only syncs your personal Account identities, plus your Passwords if you use the password manager feature. Corporate Account Identities (Azure Accounts) are not synced. However, once iCloud Sync feature was disabled for managed Apps via MDM, this feature will be deactivated.

     

    Using the same configuration like @Joachimb89 I would appreciate a best practice guide for backing up a supervised iOS device with private use allowed (managed Authenticator App, and all Office Apps protected by managed app protection policy blocking access to iCloud).

    > I think this is highly individual per Company and use case, hence there is no general best practice. Sometimes also according to law, you need to ensure certain settings. However, I generally recommend to ensure blocking iCloud Backup for every single managed app via the app catalog. Additionally you should block the iCloud Sync feature for Managed Apps. Both settings are part of iOS restrictions. It is vendor-independent, working for all MDM/EMMs. That way, the corporate data is prevented from being backed up by iCloud Backup mechanisms. Plus you give your users the freedom to use the integrated backup mechanisms to backup their personal data. Hope this helps.
    DM me, if you want to know more about secure integration of personal use in corporate devices.

     

    Best regards

    Patrick

  • ChrisNeu

    Hello Intune_Support_Team,

     

    Following Joachimb89's last blog question from July 2023, I do have the same question regarding backing up Office Apps and its data with iCloud Backup.

     

    What kind of app data is even backed up using the new prevention feature compared without using it?

     

    - the app itself or only a reference to the app so it is re-installed from App Store after restore?

    - App including its data saved in managed locations like OneDrive for Business?

    - App including its data saved in iCloud if access not blocked by any other means?

    - App including its data saved locally to devices?

    - only the Information from where the app should be installed after restoring the device (cloud symbol vs “Waiting…”)?

    - behavior of Microsoft Authenticator App: restoring account information only possible with icloud backup combined with MSA (Microsoft Account)?

     

    Using the same configuration like Joachimb89 I would appreciate a best practice guide for backing up a supervised iOS device with private use allowed (managed Authenticator App, and all Office Apps protected by managed app protection policy blocking access to iCloud).

     

    Best regards 

     

     

     

  • Joachimb89

    Our goal is to block all managed apps from storing data in iCloud except for MS Authenticator. It is/was not possible to define this on a per-app level. In a device restriction policy the setting Block managed apps from storing data in iCloud is set to Yes

     

    During my test explained below I changed the restriction Block managed apps from storing data in iCloud to Not Configured which enables backing up Authenticator with a personal MS account but of course also enables this for all other apps.

     

    Can someone (Intune_Support_Team ?) please clarify as I'm a bit confused what is and what is not backed up to iCloud in the following setup:

     

    • Corporate iOS devices with MDM & MAM policies applied
    • VPP apps deployed to all devices. Either required or available
    • App assignment configured with setting Prevent iCloud app backup set to Yes
    • In an App Protection policy -> Data Protection ->
      • Prevent Backup org data to iTunes and iCloud backups set to Block
      • Save copies or org data set to Block
    • In a device restriction policy Block managed apps from storing data in iCloud is set to Not Configured

    When I check in Settings -> * Apple ID * -> Apps using iCloud -> all managed apps are enabled (green tick)

    When I check in Settings -> * Apple ID * -> *Current iOS Device name* -> iCloud Backup -> All Device backups -> All managed apps show "Backup not Supported"

     

    My question is: with the above setup, does that fully block the apps from storing and/or backing up data in iCloud? Or does this only prevent the "app installation info" from being backed up? Aka, when restoring from an iCloud backup; does it restore the app with or without data and is that data stored in iCloud?

     

  • PatrickBraunCC

    jatom9 

    If I understand your request correctly, you are referring to the Outlook contact sync feature. It is possible to turn off the "sync" of contacts from Outlook to native contacts. In fact, this is not a true sync, but rather an export (contacts are stored under the user's local/iCloud address book). So all the native iOS settings which apply for your offline/iCloud contacts also apply for the Outlook-synced contacts. To turn it off, you can utilize a managed app configuration for Outlook on iOS.

    To learn more:

    https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#general-app-configuration-scenarios 

     

    If you require business contacts availability in native contacts, (e.g. for bluetooth-car-integration), you can still deploy a native exchange profile which is limited to contacts sync and cannot be changed by the user. Then you profit from all the native iOS managed open-in mechanisms and control these contacts via iOS restrictions. (e.g. no access by privately-installed apps, like Whatsapp). iOS backup for contacts which synced from a managed Exchange profile, is blocked by default.

     

    Hence, the origin of your issue is not really related to this topic here, but belongs to iOS and Outlook contact handling.

  • jatom9

    Hello,

    Could you please let us know if this change will affect Outlook synchronized Contacts? Currently even after disabling "Outlook" Backup from Settings->My Account->iCloud->iCloud Backup->My device (at the bottom)->Show All Apps-> Outlook , contacts are still saved correctly in Contacts iOS app. In one of the screenshots we could see that some applications have "Backup not supported" option enabled, how does it look in case of Outlook iOS app? If it will be enabled then re-installation of Outlook app is probably needed, so how will it behave next with synchronization between Outlook and iOS Contacts applications?

     

  • PatrickBraunCC

    Checking if an app is backed up by iCloud

    There is a mistake in the location where to check for iCloud backups. In the text above it says: "Settings > iCloud > Under ”Apps using iCloud”, select show all". This is not what is shown in the screenshot!

    The mentioned location is actually the place to enable iCloud App Data Sync, which is a completely different iOS feature and can be controlled by iOS Restriction "iCloud Documents and Data Sync". It can be turned off completely or only for managed apps, but not for apps individually.

     

    The iCloud device backup feature where you can check if a managed app is allowed to be backed up, can be found here: 

    Settings > iCloud > Under "Device Backups", select iCloud Backup > scroll down and select your device > "show all apps"

    Now you will see what is shown in the screenshot above.

    Intune will block the iCloud Backup for all managed apps in the 2301 release.
    From an iOS MDM point of view, it is technically possible to control this for each managed app individually, if the MDM vendor supports it.

    Let's see, if the individual control for each managed app - whether it supports iCloud Backup or not - will come in a future Intune release.

     

    Keep in mind, that this information - if iCloud Backup is allowed for an app - is delivered during installation of the app. I.e. once the setting changed on the MDM site, the app either needs to be updated or re-installed. So if you expect to see this on your device but don't see it, check in with your device and wait for Intune to push the updated information to the device. In case of impatience, re-install the app manually 😉 

     

    Andy_Cerat Intune_Support_Team 

  • ukazim

    Does this apply to a non-enrolled Mobile Application Managed (MAM) device as well aka BYOD or will this only apply if a device is fully enrolled? On BYOD devices that are MAM Managed after this change will it block the backup from triggering against managed apps?