This article describes a behavior that causes the backup of an Intune-managed iOS device to be automatically encrypted.
Symptoms
When you try to back up an Intune-managed iOS device by using iTunes, the Encrypt local backup option is automatically selected and you can't deselect it.
Cause
This issue occurs if an Intune certificate profile was deployed to the device.
When certain items are on the iOS device, such as the certificates that are embedded in profiles (as payloads), iTunes automatically turns on backup encryption. The behavior is by design.
More information
To understand Apple security concepts in more detail, see Keychain data protection and Keybags for Data Protection on the Apple Platform Security website. The following information is a summary of concepts relevant to this scenario.
The backup payload that's created is referred to as a backup keybag that contains the keychain items that are created by iOS. For these keychain items, the following class protection objects are flagged as nonmigratory:
- VPN certificates: Always, nonmigratory
- Bluetooth keys: Always, nonmigratory
- Apple Push Notification service token: Always, nonmigratory
- iCloud certificates and private key: Always, nonmigratory
- iMessage keys: Always, nonmigratory
- Certificates and private keys installed by a configuration profile: Always, nonmigratory
- SIM PIN: Always, nonmigratory
The security goal is for the objects that are flagged as Always, nonmigratory keychain items to remain wrapped by using the UID-derived key. This goal allows them to be restored to only the device that they were originally backed up from, and renders them inaccessible on a different device. This behavior is why the backups are forced to be encrypted.
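To find which deployed profile carries the certificates described under Cause and in the list above, you can inspect an exported configuration profile (.mobileconfig) for certificate and identity payloads. The following Python script is an added example, not code from this article, Microsoft, or Apple; the payload-type list, the function names, and the sample profile are assumptions constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Assumption (not listed in the article): Apple payload types that install
# certificates or identities through a configuration profile.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root": "CA certificate",
    "com.apple.security.pkcs1": "certificate (DER)",
    "com.apple.security.pem": "certificate (PEM)",
    "com.apple.security.pkcs12": "identity with private key (PKCS#12)",
    "com.apple.security.scep": "identity enrolled through SCEP",
}

def load_profile(data: bytes) -> dict:
    """Parse a profile; for a CMS-signed one, best-effort parse the embedded XML plist."""
    try:
        return plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError):
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if start == -1 or end == -1:
            raise ValueError("no readable plist (encrypted or unsupported profile)")
        return plistlib.loads(data[start:end + len(b"</plist>")])

def certificate_payloads(data: bytes) -> list:
    """Return (display name, payload type, description) for each certificate payload."""
    hits = []
    for payload in load_profile(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in CERT_PAYLOAD_TYPES:
            hits.append((payload.get("PayloadDisplayName", ptype), ptype,
                         CERT_PAYLOAD_TYPES[ptype]))
    return hits

def sample_profile() -> bytes:
    """Constructed sample profile: one Wi-Fi payload and one PKCS#12 identity payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.constructed",
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Corp Wi-Fi"},
            {"PayloadType": "com.apple.security.pkcs12",
             "PayloadDisplayName": "User identity", "PayloadContent": b"\x00placeholder"},
        ],
    })

if __name__ == "__main__":
    for name, ptype, kind in certificate_payloads(sample_profile()):
        print(f"{name}: {ptype} ({kind})")
```

A profile whose payloads are encrypted for a specific device has no readable `PayloadContent` array, so the script reports no payloads for it.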