Forum Discussion
How to configure Intune to not allow remote wiping of personal devices
- Mar 26, 2026
Intune is an MDM (Mobile Device Manager); it is meant to have as much capability over a device as possible so you can manage them remotely. All devices that are in Intune are required to be enrolled manually or automatically using Autopilot. It is not as easy as just putting your device on the network and it's on Intune.
To your first question, when a device is enrolled into Intune, the wipe permission is set up by default; however, Stryker forgot to configure multi-admin approval for that command. Any feature in Intune such as wiping, retiring, sending scripts, etc. can all be configured where a specific admin (whomever the approval is configured for) has to allow it. This forces two admin accounts to need to be compromised, the likelihood of which is far less. This was not an Intune issue; this was a misconfiguration and not-reading-through-Microsoft's-documentation issue.
BYOD devices do not get enrolled into Intune unless it is misconfigured. There is a setting called MDM auto discovery; this needs to be disabled, or else if it's a brand new laptop and a user signs in with their work email, then it will pick up the Intune enrollment via auto-enrollment and the laptop will be put into Intune. Most experienced administrators turn this off because users sometimes sign into their work email on their new personal laptops.
On Android and iOS it is basically impossible to accidentally get your BYOD device into Intune without an administrator. iOS either needs to be bought from the company's Apple Business Manager, or a custom "Company Portal" app gets put on the phone manually and then you sign into your work email and it is enrolled.
The "ditch Intune" advice is ridiculous for Windows PCs. Yes, ditch Intune when it comes to macOS and iOS, but Intune is a very powerful tool that needs proper configuration; when set up correctly it is one of the best MDMs on the market. As I said before, this was not an Intune problem with Stryker; this was a misconfiguration on Stryker's side. Multi-admin approval has been a Microsoft standard for Intune for a while, but it has only started getting recognition after Stryker.
Intune has several features beyond just doing a sandbox; the sandbox idea tells me your friend doesn't work with Intune much.
All of these features I mentioned, such as disabling MDM auto discovery, enabling multi-admin approval, the Company Portal app for mobile devices, restricting BYOD, etc., are all very easy to do, but the main issue is people take the stance of "Let's make this work" rather than "What's the most secure way to make this work".
Thank you so much, jxsh42, that is fantastic detail, very helpful -- just what I was looking for.
jxsh42 spot on! To add:
MDM enrollment inherently grants powerful device actions, so controls like Multi-Admin Approval are key to preventing single-admin abuse of wipe/retire actions. To further reduce the risk of "personal device wipe," many orgs design BYOD around MAM/App Protection + selective wipe (or platform BYOD models like iOS account-driven user enrollment / Android work profile), so the "wipe" primitive targets work data rather than the entire device. On the admin-plane side, add least privilege with Intune RBAC + scope tags (limit who can initiate wipe and which devices they can target), plus Entra PIM (JIT) for privileged Intune roles/groups to reduce standing privilege. Finally, use Conditional Access to harden privileged access (phishing-resistant MFA, compliant admin device) and monitor both role activations and device actions via Entra/Intune audit signals to catch anomalous wipe attempts early.
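As an added example (not from either post and not Microsoft's or Intune's own tooling), the triage below shows what "monitor device actions via audit signals" can look like in practice, and why the earlier post's two controls matter: it flags wipe/retire actions issued by an admin outside the approved set (the RBAC/scope-tag point), actions that target personally-owned devices (the BYOD point), and bursts of destructive actions from one actor in a short window (the single-compromised-admin scenario). The event records, the device ownership table and the admin allow-list are all constructed sample data; their field names are an assumption that loosely follows an Intune audit-event export, not a verified schema.

```python
"""Triage MDM device-action audit events for risky wipe/retire activity.

Added example, not Intune's or Microsoft's code. The record shape
(activityType, actor, deviceId, activityDateTime) is an assumption that
stands in for an audit-event export; all data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (assumption: one record per admin action).
SAMPLE_EVENTS = [
    {"id": "e1", "activityType": "wipe ManagedDevice", "actor": "alice@corp.example",
     "deviceId": "dev-002", "activityDateTime": "2026-03-25T09:00:00Z"},
    {"id": "e2", "activityType": "retire ManagedDevice", "actor": "bob@corp.example",
     "deviceId": "dev-001", "activityDateTime": "2026-03-25T09:05:00Z"},
    {"id": "e3", "activityType": "wipe ManagedDevice", "actor": "bob@corp.example",
     "deviceId": "dev-003", "activityDateTime": "2026-03-25T09:06:00Z"},
    {"id": "e4", "activityType": "wipe ManagedDevice", "actor": "bob@corp.example",
     "deviceId": "dev-004", "activityDateTime": "2026-03-25T09:07:00Z"},
    {"id": "e5", "activityType": "syncDevice ManagedDevice", "actor": "carol@corp.example",
     "deviceId": "dev-002", "activityDateTime": "2026-03-25T10:00:00Z"},
]

# Constructed ownership inventory: device id -> "company" or "personal".
DEVICE_OWNERSHIP = {"dev-001": "personal", "dev-002": "company",
                    "dev-003": "personal", "dev-004": "company"}

# Constructed allow-list standing in for an RBAC role plus scope tag that
# permits issuing wipe/retire. Everyone else is out of scope for these actions.
WIPE_ALLOWED_ACTORS = {"alice@corp.example"}

DESTRUCTIVE_ACTIONS = ("wipe", "retire")


def action_of(event):
    """Return 'wipe' or 'retire' when the activityType names a destructive
    device action, otherwise None (sync, restart, etc. are ignored)."""
    verb = event["activityType"].split()[0].lower()
    return verb if verb in DESTRUCTIVE_ACTIONS else None


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events, ownership, allowed_actors,
           window=timedelta(minutes=10), burst_threshold=3):
    """Return {event_id: [reason, ...]} for every destructive action that
    trips at least one rule. Events with no findings are omitted."""
    findings = defaultdict(list)
    recent = defaultdict(list)  # actor -> timestamps of recent destructive actions
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        action = action_of(ev)
        if action is None:
            continue
        ts = parse_timestamp(ev["activityDateTime"])
        actor = ev["actor"]

        # Rule 1: actor is not in the set allowed to issue wipe/retire.
        if actor not in allowed_actors:
            findings[ev["id"]].append(f"{action} issued by {actor}, who is outside the wipe-approved set")

        # Rule 2: target is not a corporate device (personal or unknown ownership).
        owner_type = ownership.get(ev["deviceId"], "unknown")
        if owner_type != "company":
            findings[ev["id"]].append(f"{action} targets {owner_type}-owned device {ev['deviceId']}")

        # Rule 3: burst of destructive actions by one actor inside the window.
        history = recent[actor]
        history.append(ts)
        history[:] = [t for t in history if ts - t <= window]
        if len(history) >= burst_threshold:
            findings[ev["id"]].append(
                f"{len(history)} destructive actions by {actor} within {window}")
    return dict(findings)


if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS, DEVICE_OWNERSHIP, WIPE_ALLOWED_ACTORS).items():
        for reason in reasons:
            print(f"{event_id}: {reason}")
```

The allow-list and ownership table are the two inputs an organisation already has once RBAC/scope tags and a BYOD policy are in place; the burst rule is the piece that catches a single compromised admin account doing what multi-admin approval would otherwise have blocked, so it is worth alerting on even when approval is configured.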