Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune

Today we are discussing the importance of enabling the Force Encrypted Backup policy in Intune to improve iOS backup security. In organizations, protecting data on managed devices is a part of mobile security. Since employees often use their devices for both work and personal tasks, it is important to make sure that all stored and backed-up information remains safe from unauthorized access.

Backups keep copies of a device’s data such as emails, application data, and credentials. If these backups are not properly protected, they can become an easy target for attackers. An unencrypted backup can expose sensitive organizational data, which is why enforcing encryption is a necessary step for supervised devices used in the workplace.

The “Force Encrypted Backup” policy in Microsoft Intune ensures that every backup created from a supervised iPhone or iPad is encrypted and protected by a password. This means users cannot make unencrypted backups, and only someone with the correct password can restore or view the data.

By enforcing encrypted backups on supervised devices, organizations can maintain strong control over sensitive data. The setting belongs to the Restrictions category, where the Restrictions payload is configured to enable or disable features on devices. These configurations can be used to prevent users from accessing a specific app, service or function on enrolled devices.

Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune -Fig.1

The Force Encrypted Backup setting on supervised iOS and iPadOS devices helps organizations protect sensitive information, prevent unauthorized access, and maintain a secure and compliant device environment. So, let’s look at how to deploy this policy configuration through Intune.

Impact of Supervised Devices

When this setting is turned on for supervised iPhones and iPads, all device backups are automatically locked with encryption and a password. This means users cannot make unprotected backups, keeping company and personal data safe even if someone gets access to the backup file.

Only the person who knows the password can open or restore that backup. It adds a small extra step for users, but it gives much better protection for important data and helps the organization follow security and privacy rules.

Create a Profile

To deploy a policy for iOS or iPadOS devices, first sign in to the Microsoft Intune admin center. Go to Devices and select Configuration profiles. Then click Create profile to open the profile creation window. Under Platform, choose iOS/iPadOS, and for the Profile type, select Settings catalog. After that, click Create to begin configuring your new policy.

Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune- Fig.2

Basics Tab

After this, you will be directed to the Basics tab. In this section, you need to provide a name and description for the policy to clearly identify its purpose. For example, you can name it iOS Force Encrypted Backup Policy and add a description such as “Ensures iOS and iPadOS device backups are encrypted for enhanced data protection.”

  • Entering these details helps in managing and recognizing the policy easily later. Once the information is entered, click Next to move on to the next step of the configuration.
Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune- Fig.3

Configuration Settings

Next, you will be in the Configuration settings tab. In this section, click on Add settings to open the settings picker window. In the search bar, type Backup or select the Restrictions category from the list. Once you search for backup, you will find 3 related policies: Allow Cloud Backup, Allow Enterprise Book Backup, and Force Encrypted Backup. Select all three settings to include them in your configuration.

Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune- Fig.4

Configure the Settings

After selecting the settings, you will be on the Configuration Settings page. Here, all the backup policies are displayed. By default, Allow Cloud Backup and Allow Enterprise Book Backup are already enabled, while Force Encrypted Backup is disabled. To enforce encrypted backups, first disable the Allow Cloud Backup and Allow Enterprise Book Backup options, then enable Force Encrypted Backup, and click Next.

If needed, you can re-enable Allow Cloud Backup or Allow Enterprise Book Backup later. These settings do not interfere with the Force Encrypted Backup option.

| Policy | Information |
|---|---|
| Allow Cloud Backup | If false, disables backing up the device to iCloud. Requires a supervised device. Available in iOS 5 and later. |
| Allow Enterprise Book Backup | If false, disables backup of Enterprise books. Available in iOS 8 and later. Also available for user enrollment. |
| Force Encrypted Backup | If true, encrypts all backups. Available in iOS 4 and later. Also available for user enrollment. |
Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune-Table.1
Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune- Fig.5
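The three settings in the table correspond to the `allowCloudBackup`, `allowEnterpriseBookBackup` and `forceEncryptedBackup` keys of Apple's Restrictions payload (`com.apple.applicationaccess`). The following is an added example, not part of the original article or of Intune: a small audit that reads a configuration profile in plist form and reports whether encrypted backups are actually enforced. It assumes an unsigned profile; the helper names, the sample profiles and the `com.example` identifier are constructed for illustration.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type
# Values in effect when a key is absent, matching the defaults described above.
DEFAULTS = {"allowCloudBackup": True,
            "allowEnterpriseBookBackup": True,
            "forceEncryptedBackup": False}


def build_profile(restrictions):
    """Build a constructed sample profile; all identifiers are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.backup-policy",
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example"},
            dict(restrictions, PayloadType=RESTRICTIONS),
        ],
    })


def effective_backup_settings(profile_bytes):
    """Fold every Restrictions payload in the profile over the defaults."""
    # Assumption: if several payloads set the same key, the most restrictive
    # value wins (allow* becomes False, force* becomes True).
    effective = dict(DEFAULTS)
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS:
            continue  # ignore Wi-Fi, VPN and other payload types
        for key in DEFAULTS.keys() & payload.keys():
            if key.startswith("force"):
                effective[key] = effective[key] or bool(payload[key])
            else:
                effective[key] = effective[key] and bool(payload[key])
    return effective


def audit(profile_bytes):
    """Return (compliant, effective); compliant only if backups must be encrypted."""
    effective = effective_backup_settings(profile_bytes)
    return effective["forceEncryptedBackup"], effective


# Constructed inputs: backups restricted but encryption left at its default, then fixed.
WEAK = build_profile({"allowCloudBackup": False, "allowEnterpriseBookBackup": False})
FIXED = build_profile({"allowCloudBackup": False, "allowEnterpriseBookBackup": False,
                       "forceEncryptedBackup": True})
```

`audit(WEAK)` reports non-compliance because a profile that omits `forceEncryptedBackup` leaves it at its default of false, even though both backup options are disabled.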

What is Scope Tag

After configuring the settings, click Next. You will then reach the Scope Tag section. Scope tags help you organize and filter policies based on departments, locations, or roles. They make it easier to manage and assign policies to the right groups. If you want to add a scope tag for your policy, you can easily do that. Once done, click Next to continue further.

Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune- Fig.6

Assignments

After the Scope Tags, you will reach the Assignments section. In this section, you can assign the policy to specific groups. Assignments ensure that the policy is applied only to the intended devices or users, helping maintain control and compliance. To assign a group, click Add Group, select HTMD Supervised Devices – iOS iPadOS Group, then click Next to continue.

Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune- Fig.7

Review + Create page

After Assignments, you will reach the Review + Create page. Here, you can review all the information and settings you have entered. If everything looks correct, click Create to proceed. If you need to make any changes, you can go back to the previous tabs and edit the configurations. Once you click Create, the policy will be successfully created and ready for deployment.

Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune- Fig.8

How to Check on End User Device

After you complete Review + Create, the policy is created, ready for deployment, and will automatically apply to the assigned groups. You can verify its status and deployment progress in the policy overview or monitoring section to confirm that your configurations are correctly enforced.

End users can verify the applied policy directly from their iPhone or iPad by navigating to Settings > General > VPN & Device Management > Restrictions. Under the list of enforced settings, the message Encrypted backups enforced will be displayed, confirming that the Intune policy has been successfully applied.

Improving iOS Backup Security with the Force Encrypted Backup Policy in Intune- Fig.9


Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years, from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
