I really hope this isn't the case. I can see them coming with pitch forks and torches.

We are in VPP and DEP. If we just wanted to deploy new phones without restoring from a backup, we would be all set. The problem seems to be when restoring from a backup of a device that is not in MDM. The goal is to retain our employees iPhone data on the phone to make the transition smoother. 

I don't believe you will be able to restore data from a personal account into a corporate controlled device - which uses a different account.  You are talking about phones being transitioned from being "personally" configured with a personal iTunes account to being corporate configured on a corporate iTunes account.

If you could just transfer things between accounts like this iTunes revenue would be in trouble.

If you are ever deploying Apple devices and are using an MDM, make sure you get VPP and DEP. They are great products and are FREE!

Unless you have a Mac so you can run the Apple Configurator - the DEP program is horrible for small to medium sized business to deal with. It is fine for large volume purchases of Apple hardware.

On the whole, I recommend small to medium business use Android devices.  Cheaper.  More apps.  Easier to manage.  More options.  Usually no vendor lock in.

@PhilipDAth I agree in some cases. But, most of the users I deploy to are used to iOS and it is a reliable and good choice. With the new Apple Configurator you can enroll devices into DEP not even bought from Apple (with the 30 day period that they can be unenrolled by the user). Usually you don't even have to touch DEP if you just have it auto-assign to your server. 

@PhilipDAth I'm confused about your concerns with DEP. We use it with Mac's and iOS devices without ever having them touch Apple Configurator. DEP is a bit of a pain to get the initial enrollment set up with Apple, but then it's very easy to use and implement through Meraki SM. 

@MRCUR I spent about three weeks trying to get an Apple Customer Number from Apple for one customer.  I'm never doing that again.  Apple is just too painful to deal with directly.

For the vast majority of other customers, who don't buy direct from Apple, you have to rely on your Apple reseller to get you DEP enrolled.  I've found about 50% of them say "What is DEP", and they are not willing or unable to process the DEP enrolment.

About 30% of them know about DEP, but you can spend 2 or 3 weeks waiting while they try and contact the right person inside of their companies to process them.

About 10% of them are completely DEP switched on, and can just do it.

It has gotten so bad that I now tag it out of jobs.  I tell the customer if they want to use DEP and Apple devices they have to take responsibility for arranging the DEP portion.

It has been a horrible horrible experience getting Apple devices DEP enrolled - a lot of different times.

@PhilipDAth When I was setting of DEP I spoke directly with the buisness team at my Apple store. While the buisness number is great for support, the local team at your local Apple is the best.

It only took them 3 days to get us all setup with VPP and DEP. I just feel there is a lot of mis-conceptions about Apple in the enterprise. 

Maybe Apple are better to deal with in your country.  Like I said, I have had so many bad experiences I don't want to do another DEP configuration again.

@Melissa It is 100% possible to take an unsupervised backup and install it on a DEP device. I have taken 20+ unsupervised devices and switched them over to DEP with no loss in data. DEP forces the user to install the MDM profile after the backup is installed. Personally, Apple has never made it clear on how to do this and it makes system admins find it themselves.

Maybe I misread this - I thought in this case we were moving from an unsupervised enrolled device (not in DEP) to a supervised device in DEP. Is that not right?

I believe that is there goal. That is possible, if the device is in DEP and unsupervised backup can be used. This method does work in Apple Configurator.

@jared_f Are you saying you've been able to use Apple Configurator to take an unsupervised, un-enrolled (in DEP) device and enroll it into SM and DEP with supervised DEP settings applied, while allowing "restore from backup" in the initial setup? 

The main hurdle would be moving from unsupervised to supervised while allowing "restore from backup". 

Please let me know what your experience has been!!

I took some of my unsupervised devices that were not in my DEP and added them to DEP with the new Apple Configurator. Any DEP device can be restored from an unsupervised or supervised backup (iCloud or iTunes) because DEP pushes the enrollment payload after the restore wizard.

This cannot be done if you are just using Apple Configurator to add supervision. Device must be enrolled in DEP and have prestage enrollment setup in Meraki in order to complete this.

This matches what I've seen with iOS @jared_f. As long as you have the device entered in DEP and have settings assigned through Dashboard, DEP enrollment will properly happen even after you restore from a backup that was not previously DEP/supervised. 

I will note that this does NOT work for Mac's. If you have a Mac that's enrolled in DEP and then you restore an image of that Mac to another Mac that has DEP settings assigned, the second Mac will not be enrolled in DEP. 

Right, so in this case, if @CMurdaugh would like to supervise these devices, restore from backup cannot be used. If it's not the goal to supervise them - just to add them to DEP...the Apple Configurator + restore from backup method should work! 

Depending on what method they use, if it involves touching the device, take the time to setup DEP. If the phone ever gets wiped, it won't require enrollment to happen again.

Hi all,

i've read the comments and i'm in the same boat as the OP (i think).

I need to supervise/enroll 150 devices that are already in service. None of them are in DEP yet, but that framework is all setup and ready to go (along with Apple Conf 2.6.2).

Still unsure about best practice for doing this, so continued replies would be appreciated. 🙂

@Jacko Do you need to restore the existing data or not? Either way, you need to get the devices into DEP on the Apple side and then assign settings to them in Dashboard. 

Once you've done this, you can wipe each device and it will become supervised and get the DEP profile during the setup process. If you want to restore data from iCloud or iTunes you can do that as well - just pick the appropriate option on the restore screen. 

Well, i'm struggling at simply getting the DEP profile onto freshly wiped ios devices, even though they are in Apple's DEP and [obviously] Meraki > DEP.

There has been conflicting info about whether pre-supervised devices can be DEP supervised then restored as the theory is that the backup state was unsupervised so that is what would be put back on the device.

Think the jury is still out on that isn't it?

@Jacko DEP happens *after* the restore process in the iOS setup. This means you can take a device in any state, wipe it, restore from backup and have DEP applied. 

Are you sure you've applied DEP settings in Dashboard to the devices? Does DEP happen if you don't do a restore? 

Ok what's confused me is that, it does restore but doesn't add the wifi SSID that i assigned in the Apple Config profile.

So, ok it restores, i have to go through some of the necessary steps to get to the "remote management' screen, which is then where it grabs the DEP profile and then subsequently according to what tags are assigned to the device in Meraki dashboard it will then assign a 'settings' profile which can be updated and rolled out whithout rebooting/wiping.

Am i correct so far?

If so, then how do you make a touchless deployment whereby it adds the wifi SSID so you don't have to. Is that only done in Apple Configurator?

@Jacko Yes, I believe you're required to use Apple Configurator to do a touchless deployment. @jared_f probably has a better handle on that than I do as we simply use an open "enrollment" SSID when setting up iOS devices. 

Thanks, that may not be such an issue i guess.

Just trying to automate the process as much as possible.

One thing i've found is that after a supervised enrolment i cannot access users account settings on iphone or ipad. i cant see in the profiles where that area is allowed/disallowed.

If disallowed then the devices surely can't back up to icloud?

Hi All!

Restoring from a backup is possible with DEP devices. During DEP the device becomes managed and supervised no matter what. Please have your users make a backup, add the device to DEP with Apple Configrator 2, and assign DEP settings within Meeaki before the user starts setup.

I plan on writing a guide and doing a video walk through if possible to clear this matter up!

jared

Good point - once the device is supervised, restore from backup will work in the future on that device. The issue is restoring from backup when the backup was made on an unsupervised device (when trying to move to a supervised state).

@Melissa,

This seems to be my experience as well, although my experience is limited.  Here is my scenario:

I had an iPhone 6s that was unsupervised and unmanaged.  I backed up to iCloud.

My new iPhone 8 was enrolled in DEP and assigned to Meraki with a Supervised/Mandatory profile.  In going through initial setup on the new phone, I chose restore from iCloud.  After completing setup, the device was not supervised or managed, and I never received any screen that would indicate anything was coming in from DEP.  So, I did a few experiments.

1.  Updated iOS on the phone, wiped the phone (it kept the iOS update) and tried the restore again.  Didn't make any difference.

2.  Ran through the setup on the iPhone 8 without a restore.  Phone was Supervised and enrolled and Meraki app pushed as it should have been.

3.  Wiped the phone and tried with the restore again.  Still no go.

4.  Restored the same backup to a DEP Supervised/Mandatory iPhone 6S instead of the new iPhone 8.  This WORKED!

5.  Backed up from this now Supervised iPhone 6s to iCloud.

6.  Restored from this supervised backup to the new iPhone 8.  This worked.

I'm thinking something new was introduced with iPhone 8 that prevents the DEP push when restoring from an unsupervised device.

If someone else has the equipment to try the same experiment, I would love to see if my scenario can be duplicated.

@CherylA That may be the case. Seems to be working fine with the iPads. I believe we should open a support case with Apple. It is very problematic if what you are saying is true.

It looks like there is a patch for this.

@PhilipDAth Your "patch" link just goes to the android open source website.  No relevance to Apple iOS / DEP.

It was making a wry joke.

@PhilipDAth I thought maybe you were joking, but you had my hopes up there for a second! 🙂

@PhilipDAth I laughed 😉 

I will monitor my post on the other community. I am also going to reachout to my buisness team at Apple and see what there support states.

It might also be interesting to peek into other MDM forums to see if other MDMs are seeing the same thing 😉  If they are, it seems like that would point back to Apple.

I reached out to a friend at Jamf. Hoping to get some clarity. This has been really bugging me lol.

Apple seems to put safe guards in place so we as admins don't abuse power, but they also make things difficult at points too.

Jared

@CherylA Just to verify, did you remove the Meraki MDM profile from your 6S before restoring it to your new phone?

https://www.reddit.com/r/ipad/comments/5gogol/restoring_from_an_icloud_backup_to_a_depenrolled/

@jared_f

No, I didn't remove the profile from the 6s before restoring the backup to the 8.

@CherylA That may be your issue.

@jared_f I doubt that's the issue. Here is what I found out from Apple on this process:

Does your device have a network connection at that point?

@Melissa Thanks for checking. I am sorry for not coming out and saying that a device swap was needed. I thought we were referring to a deployment with devices being swapped. You can also do the following:

Backup Device A

Restore Backup on Device B (forcing it through DEP)

Backup Device B

Restore Back on Device B and DEP should come down

This is very frustrating and is an Apple issue that needs to be addressed.

@Melissa, @jared_f

I still don't think this is the scenario I'm seeing.

I backed up from an unsupervised, non-DEP, non-managed iPhone 6s (DEVICE 1).

I restored that backup to a DEP, Supervised, Mandatory iPhone 8 (DEVICE 2), and the DEP settings did not come down, and the device was not supervised or managed.

That should have worked.  It works if I don't do a restore and set the phone up as new (so I know the DEP and Meraki settings are correct).  It seems restoring the unsupervised backup overrides the DEP.

Are you saying I would then need to back up again from the iPhone 8, wipe the phone, and then restore again to the iPhone 8 in order to get the DEP settings and supervision?

That would stink to have to sit with the user to back up, erase and restore a brand new phone, after they've already gone through the setup once.

Hi @CherylA -  so sorry for the delay. The key piece I've learned in this thread is that it is possible to use "restore from backup" and supervise a device, but only if the backup is made on a different device than the one you intend to supervise. It does not seem that this process works on all models, as you were unable to restore from backup and apply supervised settings when moving from an unsupervised iPhone 6 on an iPhone 8.

To be honest - the majority of folks I work with that ask this question (about restoring from backup) are trying to supervise the device they have in hand. In that case, I think we've determined the above process will not work for them. 

This is a huge kick in the conkers for someone like me who has to retrospectively supervise almost 200 devices.

This is only retrospective because Apple used to make it so damned hard to enroll into DEP. Since they've now made it much easier, i now have a DEP account i now need to get all our devices into DEP then supervise them.

You all the rest of the nightmare i'm about to have, as some of you have been through it / standing on the precipice. 😞

Understood - it sounds like Apple is aware of the issue and may fix it at some point...

In the meantime, the main complaint I hear about this is around losing is text history. If your users absolutely need to save this - there are other ways to do it. I've seen people use 3rd party programs like TouchCopy to download texts from a device before wiping it.

For any in-app data, they can still backup to iCloud before wiping on a per-app basis and sync those apps AFTER set up. They would just not be able to use the "restore from backup" option in the initial set up steps (which I would recommend you hide/skip when applying DEP settings).

It's not an ideal solution, I understand! 

@jared_f, @Melissa

Just to be thorough, I tried the same steps with a backup and restore via iTunes instead of iCloud, and ended up with the same results.  Restore of unsupervised phone to the iPhone 8 ended up not being supervised.

Thank you so much for sharing your experience! That's really interesting that you were able to restore from (and unsupervised) backup to an iphone 6s and have supervision persist. It sounds like you're right about the iphone 8 maybe having a restriction built in. I'll see what I can find out about that!

I love the thorough analysis 🙂 I wouldn't have thought to mix models!! 

To be clear - once the device is supervised, you should be able to use the "restore from backup" feature in future wipes/factory reset and have that supervision persist on the device. It's just an issue when first applying supervision to a device that's already out in the field/being used. 

@CherylA I reached out to another community of Apple admins about your issue and I am going to see if anyone lets me know they are seeing the same thing. Just to make sure, did you go into Meraki and verify settings were assigned under DEP for that device that forced supervsion and made MDM mandatory?

@jared_f Yes, I verified the settings.  I tried all of these things multiple times.  If I did the setup without a restore, the device was supervised.  If I wiped the device and did the setup with a restore, the device was no longer supervised (restoring from an unsupervised backup).

@jared_f why don't you do a YouTube video of the process so people can see before and after and the whole process ...