iCloud Backup restore bypasses DEP process


Hi,
We are currently facing the challenge that a recovery from an iCloud/iTunes backup bypasses the DEP process and no corporate portal is installed.

Preventing a restore from a backup can't be a solution, can it?

BR
Tim

5 Replies

The DEP process should take effect prior to the Setup Assistant prompt to restore from backup. Do you have supervision enabled as part of the device management settings for the DEP profile? It is required for devices using Company Portal as the authentication method. Other things to check would be the number of available licenses for Company Portal. Hope this helps.

@trebelow Well, this is an issue that definitely exists and I am able to reproduce.

A small subset of our users are permitted to have a relatively relaxed configuration which includes allowing backup/restore to/from iCloud. On such devices the Remote Management screen appears during device setup and the DEP profile appears to be downloaded to the device. However, I suspect the subsequent restore from iCloud breaks this, as the Company Portal and Authenticator apps are never delivered by Intune via DEP+VPP. In the enrollment portal, the device is listed as in a state of "Not Contacted." Certain DEP device features, such as locked enrollment, are not enforced.

(Starting again and setting up the device as a new device results in expected behaviour.)

For the restored devices, as a workaround we are able to download Company Portal via the App Store and enrol as a personal iOS device, then switch the device type to Corporate later on. However, as stated above, the device is not fully DEP-enrolled.

@Rob Hardman

Second this, just doing some migration tests atm, and found the same behavior: if I allow iCloud restore as part of the Setup Assistant, the device restores and starts back up straight into iPadOS... no supervision and no Company Portal app.

@trebelow This behaviour is only present when restoring from unmanaged backups (ones created from an unsupervised state) to the same device that was used to create the backup. Restoring unmanaged backups to a different device works as expected without any issues.

Hi @trebelow - did you ever find a solution to this? I am facing the same issue in my environment.