Is there a way to prevent iOS from capturing the MDM profiles, pushed mail profile, mail data, etc. during the iOS backup process (the MDM profiles, certs, etc. that are pushed to the phone upon enrollment)? Currently, if we perform a backup on the phone and then wipe the phone, upon restore from the backup the phone instantly reconnects (non-DEP device) back into our console.
I want to prevent the iOS backup from storing company mail that is pushed to it, so is there a way or profile setting I can change to prevent the managed settings and data from being included in the iOS backup?
You can do per-app management exclusions and disable the application-layer backups. There's no way to stop the backup from capturing system content, and the profiles are in that partition, from my understanding.
I am curious that your wiped device is just re-enrolling itself though. A component of the enterprise wipe procedure is to break the MDM pairing between the device and WS1. That doesn't sound right and may warrant a case with VMware.
The question was asked by our management:
Do iOS backups capture emails when we push our corporate mail profile to the native email app on enrolled devices?
So I performed a backup on the iOS device in question, then I performed an Erase All Content and Settings. Once that activity completed, I set up the phone by restoring from the backup. What I found was that even though email wasn't backed up in the iOS backup, the certs and profile information were, allowing the phone to reach back out to the AirWatch console and begin re-syncing the email, etc.
I believe this was able to happen because of two things:
1.) Whatever grace period is in place for cert expiration, etc., I was still within the window
2.) The device was still "active and enrolled" from a console perspective.
Later, when I performed the test again, I deleted the device from the console after I had performed the Erase All Content and Settings, and the device did not reconnect.
To further mitigate it if you want, you can also supervise the device (if you own it) and then restrict pairing to only recognized managed PCs, also within Restrictions. You can also disable iCloud backups completely. This will naturally really suck for the user if they need to move between devices, but it keeps the data dead at rest on the phone if it's stolen and appropriately encrypted.
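An added audit script, not code from the thread or from Workspace ONE, that checks whether an exported Restrictions profile actually carries the two settings described above: `allowHostPairing` and `allowCloudBackup` are keys of Apple's Restrictions payload (`com.apple.applicationaccess`); the embedded profile is a constructed sample in which iCloud backup is off but host pairing was left allowed.

```python
import plistlib

# Constructed sample .mobileconfig (not a real exported profile): one Restrictions
# payload with iCloud backup disabled but host pairing still allowed.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.restrictions.audit</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.restrictions.audit.1</string>
      <key>allowCloudBackup</key><false/>
      <key>allowHostPairing</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Restriction keys from Apple's Restrictions payload and the value wanted when the
# goal is to keep backups (and the profiles/certs inside them) off other hosts.
EXPECTED = {
    "allowCloudBackup": False,  # no iCloud backups of the device
    "allowHostPairing": False,  # supervised only: block pairing with unmanaged computers
}

def audit_profile(profile_bytes):
    """Return findings for restriction keys that are missing or left permissive."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no Restrictions (com.apple.applicationaccess) payload in profile"]
    for payload in payloads:
        for key, wanted in EXPECTED.items():
            if key not in payload:
                findings.append(f"{key}: not set (defaults to allowed)")
            elif payload[key] != wanted:
                findings.append(f"{key}: {payload[key]} (expected {wanted})")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

Point the script at a profile exported from the console to confirm the pairing and iCloud backup restrictions really reached the device profile before relying on them.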