Updated 01/23/23: Based on the feedback we’ve received, there are some slight changes to when and how we rollout this change. This change will not happen automatically, admins will be able to enable a new setting to prevent the iCloud backup of managed apps. This will be available to both supervised and non-supervised devices for iOS/iPadOS and macOS. The content below has been updated with these changes.
We're aware that customers have run into issues with the current backup and restore behavior for their iOS/iPadOS and macOS devices, such as apps not downloading. To fix these issues and improve the user experience, Intune will be adding a new setting that will allow admins to prevent the iCloud backup of certain managed applications (apps) on all iOS/iPadOS and macOS devices. This includes both supervised and non-supervised devices. This new setting is expected to release with the April (2304) service-side release. Stay tuned to What’s new in Microsoft Intune for the release announcement.
Admins will have the option to no longer back up managed App Store apps and line-of-business (LOB) apps on iOS/iPadOS and managed App Store apps on macOS devices (macOS LOB apps won’t support this feature), for both user and device licensed VPP/non-VPP apps. This will include both new and existing App Store/LOB apps sent with and without VPP that are being added to Intune and targeted to users and devices. Preventing the backup of the specified managed apps will ensure that these apps can be properly deployed via Intune when the device is enrolled and restored from backup. If the admin configures the new setting for new/existing apps in their tenant, managed apps can and will be re-installed for devices, but Intune will no longer allow them to be backed up.
Note: While we don't expect managed apps on devices to backup data to iCloud, please note that data saved locally for managed apps may not be available after a backup and restore.
The new setting will appear in - Apps > iOS/iPadOS apps or macOS apps > Add > Select app type > Select app > Configure settings > Add group > Edit assignment (VPN, or Uninstall on device removal, or Install as removable) > Prevent iCloud app backup.
For existing devices, when Prevent iCloud app backup is set to Yes for an app/apps, the new behavior will be automatically updated for all required App Store/LOB apps (with or without VPP). Required apps previously installed on devices will be automatically re-configured for all devices once the setting value is saved to Yes. Available apps will require the user to re-download the available app from the Company Portal app or the Company Portal website. Additionally, depending on the app’s configurations and licensing, a sync between Intune and the device may be needed.
The following table explains the different apps behavior on devices after it’s been restored from backup when Prevent iCloud app backup is set to Yes:
| Required app | Available app | |
| Store app without VPP | Automatic app download after restoring, no sync required (“Waiting…”) | Automatic app download after restoring, no sync required (“Waiting…”) |
| Store app with user license VPP | Automatic app download after restoring, no sync required (“Waiting…”) | Automatic app download after restoring, no sync required (“Waiting…”) |
| Store app with device license VPP | Manual sync needed to download app, or automatic sync will occur within ~8 hours (Cloud icon) | User needs to install the app from the Intune Company Portal app or the Company Portal website (Cloud icon) |
| LOB app (iOS/iPadOS only) | Manual sync needed, or automatic sync will occur within ~8 hours (Cloud icon) | User needs to install the app from the Intune Company Portal app or the Company Portal website (Cloud icon) |
Keep in mind
- A manual device sync can be completed by the admin in the Intune console or can be triggered by the user in the Company Portal app (or on the Company Portal website).
- Automatic device syncs happen approximately every 8 hours.
- All VPP apps are App Store apps.
- User licensed apps are associated with the user’s App Store.
- Device licensed apps are associated with the device’s serial number.
- When you complete a backup and restore to the same device, the Intune mobile device management (MDM) profile is still valid. When you complete a backup and restore to a new device, it’s a brand-new enrollment with a new Intune MDM profile.
- When an app has the cloud icon, that means the app is associated with the Intune MDM profile, but it’s not actually downloaded.
- For required apps: A manual admin or user-initiated sync between Intune and the device is needed if the restore is done to the same device. Or the next automatic sync that occurs within 8 hours will download the app.
- For available apps: The user needs to request to “Install” the app in the Company Portal app or from the Company Portal website.
- A sync between Intune and the device is not needed if the restore is done to a new device. That sync occurs automatically for all new enrollments.
- When the apps status is “Waiting…”, it means that the app is associated with the user’s App Store. For both required and available apps, the app will install automatically, and no further action is needed from the admin or the users.
- The behavior is the same for these apps whether the restore is done to the same device or a new device.
Examples
- Automatic app installment, “Waiting” status.
Apps associated with a user’s App Store automatically install on the device, as indicated by the app’s “Waiting…” status (shown in the Figure 1 below). This includes required and available Store apps without VPP and Store apps with user licensed VPP. The behavior is the same whether the restore is done on the same device or on a new device.Figure 1: Screenshot of a user’s apps waiting to install on an iOS device.
- Device sync needed.
Device licensed VPP App Store apps and LOB apps are unable to install automatically and need a device sync. This is indicated with the cloud icon on these apps and the pop-up that shows when the app is tapped (shown in Figures 2 and 3). For required apps, this can be done with a manual sync completed by the admin, the user installs the application, or by waiting until the next automatic sync that will occur within 8 hours. For available apps, the user must go to the Company Portal app (Apps > Select an app > Install) or the Company Portal website to manually “Install” the app (Figure 4).Figure 2: A screenshot of the “Unable to install” message a user may see when attempting to install and a device sync is needed..
Figure 3: A screenshot of the “Unable to install” message a user may see when attempting to install an app and a device sync is needed.
Figure 4: The option to “Install” an app from the Intune Company Portal app after the user has signed in.
- Initiating a manual sync
Users can initiate a manual device sync from the Company Portal app, or from the Company Portal website.
- Company Portal app: Users can select Devices > select the device that requires a sync > Check status.
Figure 5: Screenshot of the Intune Company Portal all for iOS with the "Check status" setting highlighted.
- Company Portal website: Users can select the menu on the top right > Devices > select device that requires a sync > Check status. The "Check status" button triggers a manual sync between the device and Intune.
Figure 6: Screenshot of the Intune Company Portal website in a browser session with the "Check status" setting highlighted.
- Company Portal app: Users can select Devices > select the device that requires a sync > Check status.
Checking if an app is backed up by iCloud on iOS/iPadOS
On all devices, you can see which managed apps are not being backed up by iCloud by navigating to Settings > General > VPN & Device Management > Management profile > Apps. When selecting an app, if the restrictions state “App data will not be backed up”, then the app is not backed up by iCloud (Figure 5). Alternatively, you can check whether an app is backed up in the iCloud settings (Settings > iCloud > Under "Device Backups", select iCloud Backup > select your device > select Show All Apps). Apps that show “Backup not supported” are not being backed up by iCloud (Figure 6).
To learn more about iOS/iPadOS backup and restore scenarios within Intune, read Backup and restore scenarios for iOS/iPadOS.
If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.
Post updates:
01/23/23: Updated to clarify backup and restore scenarios based on customer feedback. Thank you!
02/28/23: We previously noted that this new setting is expected to release with the March (2303) service-side release; Updated ETA to: April (2304).
11/07/23: Added a new section "Initiating a manual sync" under Examples.