Preventing Quick Start data transfer on Intune

Preventing Quick Start Session Copy with Intune Managed Devices


Hello Apple Community,


We are currently using Mobile Application Management (MAM) with Microsoft Intune for device management. We've noticed that Apple's Quick Start feature allows users to transfer all current sessions and app data from one iPhone to another without requiring device enrollment in Intune.


This creates a potential security concern as managed apps and data could be accessed on a new device without proper control.


We are looking for guidance on:

  • How to prevent users from copying sessions and app data via Quick Start.
  • How to detect or monitor if a user has used Quick Start to transfer managed apps/data.


Any insights, best practices, or recommended configurations to address this would be greatly appreciated.


Thank you!

Posted on Dec 4, 2025 2:53 AM

4 replies
Question marked as Top-ranking reply

Dec 4, 2025 3:20 AM in response to cuneytkorkmaz


Use MDM enrollment instead of MAM-only


Quick Start moves the 'boxes' but not the 'keys'.


The apps move.

The Intune protection stays.

The corporate data stays encrypted.

The user still must authenticate.

An unmanaged device is still blocked.


If devices are corporate-owned or should be tightly controlled:


  • Enforce Company Portal enrollment
  • Use ADE (Automated Device Enrollment) with supervision
  • Force MDM enrollment before the user can sign in


This is the only reliable method to avoid Quick Start auto-start.



Harden App Protection Policies


Key settings to require:


  • Require PIN or biometric for managed apps
  • Require the device to be marked as compliant
  • Block access on jailbroken devices
  • Disable backup to iCloud
  • Restrict cut/copy/paste
  • Require conditional access with device compliance


This way, even if Quick Start transfers data, the managed data remains locked down and unusable without compliance.
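
An added example (not written by anyone in this thread, and not Microsoft's code): a Python check of the reply's "Require conditional access with device compliance" setting, run over Conditional Access policies in the JSON shape Microsoft Graph uses for `conditionalAccessPolicy`. The policy names and data are constructed, the function names are hypothetical, and only `builtInControls` are evaluated.

```python
import json
# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "iOS - require compliant device", "state": "enabled",
  "conditions": {"platforms": {"includePlatforms": ["iOS"], "excludePlatforms": []}},
  "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
 {"displayName": "Mobile - compliant device or protected app", "state": "enabled",
  "conditions": {"platforms": {"includePlatforms": ["all"], "excludePlatforms": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "compliantApplication"]}},
 {"displayName": "Pilot - compliant device", "state": "enabledForReportingButNotEnforced",
  "conditions": {"platforms": null},
  "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}},
 {"displayName": "Windows - require MFA", "state": "enabled",
  "conditions": {"platforms": {"includePlatforms": ["windows"], "excludePlatforms": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

def applies_to_ios(policy):
    """True if the policy's platform condition covers iOS sign-ins."""
    platforms = (policy.get("conditions") or {}).get("platforms")
    if not platforms:  # no platform condition means every platform is in scope
        return True
    include = {p.lower() for p in platforms.get("includePlatforms") or []}
    exclude = {p.lower() for p in platforms.get("excludePlatforms") or []}
    return bool(include & {"ios", "all"}) and "ios" not in exclude

def device_compliance_mandatory(policy):
    """True only if the grant cannot be satisfied without a compliant device."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "compliantDevice" not in controls:
        return False
    # With operator OR, any other listed control (e.g. app protection) is enough.
    return grant.get("operator") == "AND" or len(controls) == 1

def audit(policies):
    findings = {}  # iOS-scoped policy name -> "ok" or the reason it falls short
    for policy in (p for p in policies if applies_to_ios(p)):
        if policy.get("state") != "enabled":
            verdict = "not enforced: state=" + str(policy.get("state"))
        elif not device_compliance_mandatory(policy):
            verdict = "device compliance not mandatory"
        else:
            verdict = "ok"
        findings[policy["displayName"]] = verdict
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
```

A policy reported as "device compliance not mandatory" can be satisfied from a device that was never enrolled, which is the MAM-only situation discussed in this thread.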

Dec 4, 2025 4:04 AM in response to SravanKrA

We are using MAM, not MDM, and are also not using an app protection policy.

We are using a CA policy to enforce enrollment.

But the token is transferred through Quick Migration and it bypasses Microsoft contact while accessing Google-related apps.

In Intune there is no record of this new device, or sign-in logs.


Even if the user tries to log out from Google-related apps, they can still log back in to them without contacting Microsoft.
