Remove Supervision Message in Settings for Released Device

Hello!

I am needing to release an iPhone that’s currently registered in ABM and assigned to an MDM server. I know I can remove it from the MDM and the management will fall off it and then I can release it in ABM, but the issue is that I can’t get rid of “This iPhone is supervised and managed by Company” in Settings.

The user currently using it can’t erase their device and set it up as new again as it has data on it. Backing up the device after remotely removing the MDM from it and removing it from ABM and then restoring it from that backup does everything expected except remove the message in Settings.

The MDM is gone, the MDM profile is gone in Settings as it should be, the only issue is that that pesky message keeps getting saved into the backup, even though during activation, the iPhone checks and knows it doesn’t belong to an organisation anymore.

Has anyone found if there is a way to fix this or is this just another one of the weird bugs Apple hasn’t figured out a proper solution for regarding devices transitioning between corporate and personal ownership?

Thanks in advance!

I’m seeing the same thing now with our devices. That text seems to be saved in the backup itself, as literally nothing else ties it back to ABM or Intune.

Release it from ABM. Wait a few. Factory reset device. Problem solved!

This sounds like it may be an app-related issue. Sideloaded applications or work-related apps may be causing this message to display without a management certificate installed.

Here is an example of this: https://www.reddit.com/r/ios/comments/131vdcm/suddenly_says_iphone_is_supervised_and_managed/

You mentioned that the phone has data that needs to be backed up. Is that data related to any work-related applications? If you remove any work-related applications, will this also delete the data you need to retain? If not, then remove the work-related apps one by one, checking if the management notification is removed after each uninstall. Once the notification disappears, create your new backup.

At what point are you restoring the backup? In the enrollment-screen or when you’re already on the private’s phone homescreen?

That’s what I did but when restoring from a backup, the backup is containing the message. That would work fine if I restored from a backup that didn’t have the message or set up as a new device, though. Thank you!

I’m not thinking this particular one is an app issue because the behaviour I described is happening on a test device as well. I set the device up as a brand new device that was enrolled in ABM and MDM, then released it from the MDM entirely after setup, saw the MDM profile delete itself, then removed it from ABM, and then backed it up to iCloud. Any work apps are downloaded through a helper app that comes with the MDM; some are voluntary and some get force-installed, but they all get deleted once the MDM profile is removed. So any work data is removed as soon as the MDM supervision is removed from it and the MDM isn’t included in the backup at all. And if I’m not mistaken, the message in Settings that I’m having trouble with, I believe is added to the device if it’s enrolled in Apple Business Manager, not by the MDM, no? Thank you!

Apple mobile devices can’t be restored from a backup after they’re set up, so the only way to restore an iCloud Backup is to do so on the Apps & Data screen during device setup, which comes after the device activates itself through Apple’s Activation Servers, so at that point, the device already knows it’s not ABM-enrolled anymore. Thus, I believe that the issue of the wording in Settings not going away is caused by that text being saved into the backup itself, and I’m not sure how to get it out.

Ah, so you’re trying to back up a supervised device, release from ABM, and restore backup to the now-unsupervised device?

Huh, never considered that. If that’s possible I’d be impressed. Usually we take pains to prevent that from being possible.

Is there a company/certificate listed under Settings > General > VPN & Device Management? I would assume no, but if there is you should be able to manually delete it as there shouldn’t be any policies preventing you from doing so.

I’m guessing that “enrollment” (read: the notification that you are enrolled) is only removed after the device is factory restored and then checks to see if there is a valid MDM certificate connected to ABM upon setup. Which means that this device is likely going to retain that “enrollment” notification in settings until this step is reached, which it doesn’t sound like that will happen as you can’t factory restore the phone due to the data that would be lost in the process. Seems as though you are at a bit of a stalemate.

Yep, so the device is currently supervised and I need to restore the backup on the device unsupervised. When I release it from the MDM, the MDM profile disappears and it deleted any corporate data when it’s removed (as you’d expect), leaving the device only with the data that is already unsupervised. So when it’s backed up, it only contains the unsupervised data and the MDM is removed, so it doesn’t back up the MDM profile either. But removing it from the MDM, and then from ABM, doesn’t remove the message in Settings, and that message is getting coded into the backup. So the trouble is that I can’t find a way to restore the backup without it including the message in Settings. Since the MDM server profile deleted itself before the backup, it doesn’t get restored so the device never becomes “re-managed” or anything. That stupid message just won’t go away.

> Is there a company/certificate listed under Settings > General > VPN & Device Management? I would assume no, but if there is you should be able to manually delete it as there shouldn’t be any policies preventing you from doing so.

Nope. The MDM profile that would be there deletes itself after the device is removed from the MDM server. I’m pretty sure the message in Settings gets its info from ABM.

> I’m guessing that “enrollment” (read: the notification that you are enrolled) is only removed after the device is factory restored and then checks to see if there is a valid MDM certificate connected to ABM upon setup. Which means that this device is likely going to retain that “enrollment” notification in settings until this step is reached, which it doesn’t sound like that will happen as you can’t factory restore the phone due to the data that would be lost in the process. Seems as though you are at a bit of a stalemate.

Agreed. The thing is, there’s no issue factory erasing it. I can do that. I just have to restore from a backup. So when I do that, erasing it and setting it up again forces it to re-activate, so it has to contact Apple’s Activation Servers and ask if it’s in an ABM account or not. And the servers tell it no, so it continues with personal setup. But after I restore from the backup, the message coming back still makes me think that it’s encoded in the backup itself. I was thinking maybe if I back the device up to a PC, I could try to find a way to inspect the backup and remove the message myself and restore the device from the altered backup. But otherwise, yep, it would seem I’m stuck.

Great planning on this one, to both me and Apple lol.

Alright, 3 more questions just for clarification:

Did you use a Managed Apple ID on this device while it was active?

Did you create your backups using iTunes for Windows or a different method?

Did you encrypt the backup? (if yes, is this absolutely necessary?)

No.

Only iCloud.

Yes; yes.

I think we have your answer, unfortunately it won’t help fix your issue unless you are able to perform an unencrypted backup.

This article sheds quite a bit of light on the topic of our discussion: https://support.apple.com/guide/deployment/back-up-and-restore-devices-depd44f045b4/web

The first thing that stood out to me was this mention in the article:

> When a device is backed up, the management configuration is contained in the backup. This configuration describes, among other things, whether a device is supervised or a Shared iPad. Backups must be encrypted when using profile-based Device Enrollment or Automated Device Enrollment for the MDM enrollment profile to be included.

This leads me to believe that the iCloud encryption is automatically including the management configuration that existed on the phone when you created the backup. You removed the device from your MDM and ABM, but the configuration still existed on the phone when the backup was created so it is going to reappear on every restore from this particular backup. Backups created in iCloud are always encrypted, so using this backup method will always ensure that the management configuration remains when using this backup to restore a device.

It’s honestly starting to look like you need to weigh out which of these two items is more important:

1) Removing the erroneous management notification

OR

2) Having an encrypted backup to restore from

If option 2 is more important, then you are stuck with the erroneous management notification. If option 1 is more important then you should be able to use iTunes on a Mac to create an unencrypted backup which should exclude your management configuration and remove the management notification upon restore. If the device is in your possession I would highly recommend at least testing this to see if the management configuration gets removed on restore.

Note: unencrypted backups do not include the following information:

  • Any saved passwords
  • Call history
  • Health data
  • Website history
  • Wi-Fi settings

Final note: I’m unsure of whether or not this device is still considered as “owned by an organization”, so it might be best to create your unencrypted backup on a Mac. Per Apple:

> Neither Apple Devices for Windows nor iTunes for Windows should be used for backups of devices owned by an organization.