DEP & Pre-stage Enrollment or iCloud Restore

CairoJXP
Contributor

Has anyone had any luck using the OTA pre-stage enrollment successfully while also restoring the iPad from an iCloud backup? My experience is that you cannot do it at all. Either you do the OTA enrollment and start all over, or you forgo the OTA and just restore the iPad from an iCloud backup. This in was could potentially cause an issue in the future I'm thinking.

28 REPLIES 28

peineke
New Contributor III

When I asked Apple I got this back after I asked. Maybe this info will help you.

We have now completely disabled iCloud restore in our pre-stage enrollment because of the issues we had with it.



Engineering is aware that this is the behavior and have said, “This is as designed.”

If you make a backup of a device that was supervised with DEP, you can restore that backup to the same device without issue. The issue only appears when you restore the backup of a device that is either unsupervised or supervised with something other than DEP to the same device.

Long story short, you have three choices:

  1. Don’t use DEP. Keep doing things the way you were doing them for devices that are already deployed.
  2. Use DEP and iCloud, but make sure that the students are getting a different device before they do the restore.
  3. Educate your users on how to backup their stuff in Google Drive, Dropbox, One Drive, etc and suppress the iCloud Restore screen in the Setup Assistant so they can’t use an iCloud Restore. Once the device has been supervised by DEP you can change the activation record so that if it goes through the setup assistant again you can use iCloud Backups going forward.

cdenesha
Valued Contributor II

This is a very helpful thread.

I am assuming that we are really talking about supervised devices and the supervision certificate that is installed when a device is supervised?

Given that a Supervised iCloud backup cannot be applied to a device that is unsupervised or supervised by another Configurator, we should not be able to switch to a Supervised DEP model without starting fresh with a new start..

Thus I have a question on choice 2 'Use DEP and iCloud, but make sure that the students are getting a different device before they do the restore.' Does it matter whether it is the same device or another one - IF it was supervised by Configurator and not DEP?

Do I understand it correctly? I have not had time to properly read up on DEP and we are collecting iPads in 2 weeks.

Thank you!

chris

CairoJXP
Contributor

So we've had an interesting experience with iCloud restore during pre-stage enrollment, so I hope this info is helpful. In general, we got iPads enrolled in DEP and had an attached profile to push out to the iPads after you do the reset and they pick up the pre-stage enrollment. I do an initial setup with the pre-stage to be sure they get the proper profiles installed (supervision, MDM and any other profile we push out first) initially. I then do a full erase and run through the setup again and choose the iCloud restore and it goes through. It reboots into the setup screen and lets you finish the iCloud restore process by putting in the iTunes password again and it's good to go with the profiles etc.

We had a unique situation where we had 6th grade iPads that had been supervised through configurator. The laptop with configurator we used totally crapped out on us and we couldn't recover it at all. So the iPads with that configuration/supervision couldn't be hooked up to our new setup because they'd been supervised by another machine, so we needed a way to clean the supervision off, but the iCloud backup had that supervision profile in it, so here's what we ended up doing:

  1. have 6th graders do an iCloud backup on their iPads
  2. Take an iPad that'd been successfully enrolled in DEP and had the profiles installed that we wanted (supervision via DEP, MDM and another that were all unable to be removed by students), erase it so it goes through the setup, and do a restore from that 6th grader's iCloud backup
  3. We did an iCloud restore on the iPad that was enrolled because the new profiles (already installed from DEP/pre-stage) would trump the ones from the 6th grader's iCloud backup, but we could still retrieve all the other associated data from that backup
  4. Once restored, we did a new backup so that it would have the correct profiles on it (we hoped originally that after enrolling 6th grade iPads in DEP that the new profiles would trump the ones in the iCloud restore, but that wasn't the case because the restore occurred before it went to the pre-stage enrollment install and never got to the new profiles to install them).
  5. With the old data restored and the new profiles there as well, we could then go back to the original 6th grade iPad and do the restore and it retrieved both the data and the new profiles and successfully went through.

It was a pain, but it worked; again however, this was a unique situation where even apple enterprise support said we were in the worst situation for this.

jutz4244
New Contributor

This discussion was very informative and helpful. I did an "erase all content and settings" on a previously deployed device that had also been supervised in AC. After setting up a Pre-Enrollment Profile with the restore option enabled I was able to restore an iCloud back-up (from another device) and the Pre-enrollment Supervision profile was successfully installed. As predicted above, this did not work with an iCloud restore from the same device.

rstegner
New Contributor

CairoJXP - Do I understand your first paragraph to mean you were able to take an unsupervised device, Backup to iCloud, Erase it, enroll in with DEP and restore the backup to the same device?

CairoJXP
Contributor

@rstegner - not exactly. We had iPads that had been supervised through configurator on an older laptop. That laptop crashed, so we couldn't unsupervise those iPads with another machine that had configurator. In order to get rid of the supervision we had to use a 2nd iPad that was in the DEP to restore to, make a new iCloud backup that didn't have the original supervision we couldn't get rid of, then use that backup and restore it on the original. I know it's all a bit convoluted. I hope this clears it up a bit more.

rstegner
New Contributor

Thanks for the response. Looks like I am rotating devices this fall.

dah0041
New Contributor

hi guys
today i faced a little problem when a costumer bring me his iphone with receipt and asked me to remove icloud by my gsx admin but i tried in end nothing so anyone knows the method to disable icloud by gsx acess?

Simmo
Contributor II
Contributor II

@dah0041 Do you have GSX access?
If so, open an escalation and there is the option of "Find my iPhone Unlock Request" as the issue type.

dah0041
New Contributor

@Simmo yes i have sir after opened an escalation andselected the option of "Find my iPhone Unlock Request " what must i do?

Simmo
Contributor II
Contributor II

@dah0041 Not really sure how much I can say here due to Apple's NDA.
In the top right corner of GSX is a question mark, click on that, go through the options until you are able to find the 'Contact Apple' button at the bottom, go from there.

dah0041
New Contributor

@Simmo thanks sir can you give me your skype id may be u can help me when i find some issues pls here is my own skype id dahbi0041
thanks

St0rMl0rD
Contributor III

I tried setting up a new device over DEP with iCloud backup yesterday 3 times, each time worked no problem.

stwrz
New Contributor II

Is there any update on this issue? I still cannot get a DEP device to prompt for iCloud Restore during the setup process.

bentoms
Release Candidate Programs Tester

@stwrz do you have that as an option in your prestage?

stwrz
New Contributor II

@bentoms I have the option to select and de-select it, but even when I choose not to skip "Restore", it still doesn't happen during the setup process.

bentoms
Release Candidate Programs Tester

@stwrz odd. We see it.

Is the AppleID option enabled?

stwrz
New Contributor II

@bentoms Yup. Weird, right?

kirkwatts
New Contributor

Not sure if it's better to create a new thread at this stage, but my interpretation, is that in the scenario where we have a brand new device, staged for DEP (with supervision), and the user has an old unsupervised, unenrolled iOS device, it would be safe to restore from iCloud backup (from the old unenrolled device) as part of the setup assistant for the DEP'd device? The outcome we want is for the user to have their data from the old device, but also be fully enrolled and supervised as is normal during DEP for us without the iCloud restore. We don't want any activation lock complexities in the future, as we understand that the iCloud account is a personal one.

blackholemac
Valued Contributor III

I'm gonna bump this one as I want to hear how folks respond to @kirkwatts . We have the same thing. We also have an iPad that may go out for service and we hand the kid a replacement. I want to make sure that we have a way to get his/her data back onto their new device.

jqcampbell
New Contributor II

From what we have seen in our environment the enrollment process will not complete successfully if your iCloud backup source device is unsupervised and the target device is supervised (DEP enrollment). The restore will complete and it will attempt to go through the enrollment process in the setup assistant after the reboot. The device will then hang at the enrollment screen and only allow the user to go "Back". When you select "back" it will briefly show the login screen for the Apple ID used for the restored backup, go to the apple logo and restart the setup assistant. This loop will continue until you force the device into recovery mode and reinstall iOS. This has been tested over multiple devices. Applecare Enterprise Support has confirmed that this is happening as a result of an unsupervised backup being applied to a supervised device. I believe this is by design to keep from having the issues with unsupervised/unmanaged devices resulting from this situation which I believe happened with the early onset of DEP.

plawrence
Contributor II

We've had success in backing up unsupervised iPads to iCloud and restoring them to a DEP device. The first part for us was ensuring that they were two different physical devices, otherwise the restore would also be unsupervised. This process is explained here: https://support.apple.com/en-au/HT202977

We did run into some issues at the DEP activation stage for some iPads, but managed to resolve those by removing the MDM profile and any certificates from the original iPad then running an iCloud backup/restore again.

mpermann
Valued Contributor II

Just to second what @plawrence stated above, we've had good luck restoring an unsupervised backup from iCloud to a new DEP enabled iPad. The trick for us has been to remember to removed the MDM profile, backup the device in iCloud then restore the iCloud backup on the new device. Since the new device is in DEP it will be automatically enrolled and supervised.

jqcampbell
New Contributor II

Good to know. I'll have to give that a whirl with one of the affected users I have here with me. I'll let you know what I see as well.

CairoJXP
Contributor

Looks like the thread has changed a bit! I haven't done it lately, but last I recall, I had restored a backup of an unsupervised device to a device properly enrolled in DEP with a prestage. For our 1:1 iPads, we use the require authentication piece in our prestage. I got the option to restore from backup in the setup and it completed the restore, went to the authentication piece, and that device was still supervised with all the data from the backup still intact, so it does work in my experience.

Sandy
Valued Contributor II

We have new iPads 7,5 and we are migrating staff from iPad Airs 2015.
Old and new are 32 GB.

Just beginning the process and having issues with iCloud restores.
Example:

Old iPad was at 11.2.6, lots of free space, newly created backup.
New was at 11.3.
Both devices are managed and supervised through DEP, using different pre-stages. Authentication required

Restore on new iPad has failed multiple times.
Restore did work to successfully restore the old iPad, which was inadvertently wiped before verifying the restore on new.

Have tried a newly created backup, nope
Have tried a newly created backup after updating both iPads to 11.3.1, nope.
Have tried restoring to a different NEW iPad which also failed.
During this last attempt, restore was chosen, Apple ID & PW entered, and it just skipped over the restore and was a pristine new activation.

Does anyone have any ideas about what else to try?
Are there new RULES about what iCloud will or won't do?
Might be crying wolf about one anomaly, or heading into fun...
sandy

thejenbot
Contributor III

@Sandy - was the iPad you are attempting to restore onto in the JSS ahead of time? I.E. does it exist as a device before you try to restore from backup on it? I ask because I have noticed that devices need to be in good standing with the JSS in order for an iCloud restore to work. If something gets hosed on a device and I need to DFU restore - the JSS doesn't know that. It thinks the device just isn't on WiFi and can't get commands right now, so commands will pile up and if I try to restore from iCloud backup in that state it doesn't work. I need to go through the setup assistant and set up as a new device, then send a wipe command through the JSS, then go back through the setup assistant and THEN I can restore from iCloud backup. Does that make sense?

Sandy
Valued Contributor II

Hi Jenny!

In order to upload Asset Tag #s, I am pre-activating w/ AC2, uploading asset tags, and then wiping from the JSS, so the new devices have records but JSS recognizes them as unmanaged.
I have migrated 4 staff members so far as part of our mini-pilot and seen 4 different scenarios to eventual success...

One important and annoying truth is that the iPads have to be at precise same iOS version to get an iCloud or itunes restore, at least so far in my experience. Sadly our new ones arrived with 11.3.0 and the day after I boxed and sent them to the schools iOS 11.3.1 was released...
We have also tried backing up in iTunes which did eventually work for the person whose cloud was too full to do a backup.
We use managed Apple IDs for our 1 to 1 students but not for staff since they all have purchased apps tied to their Apple IDs.

Also Apple Configurator 2 has a couple really annoying "Features" right now... I was able to download and put the iOS 11.3.1 ipsw in the correct spot so it now works. Every time I open Apple Configurator I get an error: Apple Configurator 2 Failed to initialize Global Restore Data. My current workaround is to delete everything Configurator item in the ~/Library/Containers folder.