Help

DEP devices can skip enrollment via backup restore

KMerendaTFMC
New Contributor III

Posted on ‎06-05-2018 09:49 AM

My org is currently using another MDM tool and planning to migrate to AirWatch. Most devices are supervised/enrolled in DEP.

To move the supervised devices to Jamf, I know I'll have to completely erase them (erase all content and settings). Users hate this, so I did some testing to see if iCloud/iTunes backup could be used. I took a supervised iOS 11.4 iPad that was enrolled and active in the old MDM, made an iCloud backup, then erased the device. I changed DEP assignment to use Jamf, then went through the setup assistant.

I found that the option to restore from backup happens before DEP configuration is applied for enrollment to Jamf. If I choose to restore from backup, the back applies and the device restarts, but I'm taken directly to the home screen and bypass the entire setup assistant. I checked for profiles in settings and found that the device did not have any management from the old solution or from Jamf: No profiles installed at all.

Thoughts?

Labels:
6 REPLIES 6

KMerendaTFMC
New Contributor III

Posted on ‎06-05-2018 10:02 AM

.

0 Kudos

Dylan_YYC
Contributor III

Posted on ‎06-05-2018 10:06 AM

To enroll in the JSS, it'll have to be manually done or wiped and setup from new unfortunately.

0 Kudos

KMerendaTFMC
New Contributor III

Posted on ‎06-05-2018 10:14 AM

@Dylan_YYC manual enrollment would lose the benefits of a supervised device, right?

0 Kudos

jlockman
New Contributor II

Posted on ‎06-05-2018 10:17 AM

I'm currently migrating from AirWatch to JAMF.

You should be able to block the restore from backup option in your Prestage Enrollment (DEP profile).

There are some quirks with iCloud restore and DEP but it is possible to use iCloud and maintain DEP management. In general, if you are making any change in the enrollment then you want to restore to a different device. For example, when we implemented DEP for our phones, I had a bunch of unmanaged phones out there. On the backend I assigned them to our MDM but because the iCloud backup was unmanaged, the restore would bypass most of setup including the forced enrollment into MDM unless restored to a different device. Same principle applies when changing MDM servers.

If you want to migrate from one MDM to another with iCloud backup, the restore needs to be completed on a different device. I just tested this last week on a user's iPhone running iOS 11.4 and it worked for me.

If you must keep users on the same device, it is still possible but requires a bit more work and a spare device.

User backs up their original device managed by old MDM (Device A)
Assign Device B to new MDM and go through setup, restore backup of Device A
Device B is prompted to enroll in new MDM
Once fully setup, do a new iCloud backup of Device B.
Do a full Erase all Content and Settings on device A, assign to new MDM server, go through setup and restore latest backup made on Device B.

Pretty sure Apple had a KB on this issue but I can't seem to find it right now.

Samji3877
New Contributor

Posted on ‎05-08-2019 06:22 AM

jlockman you deserve more thumbs - have one on me

cfuller
New Contributor

Posted on ‎06-13-2019 03:08 PM

Did you ever find the KB, jlockman????

I'm migrating from Meraki to MS Intune

I've noticed that when backing up the old device (iPhone SE, managed in Meraki) then do a restore to new device (iPhone 6s, managed in DEP and MS Intune) that it will do the restore, then skip the remote management. Hence no policies pushed and no apps are being pushed either.

What are you suggestion to resolve this?

I tried a backup of the old device, then turn the new device on, setup as a new, then log in w/ the user's iCloud account, then select what I want turned on, to restore. I'm expecting for the user, the Pics, Notes, Messages(SMS) are important and everything else is secondary. Mail, Contacts and Calendars will get pulled from the Outlook server.

Thanks for any assistance!

0 Kudos