Forum Discussion

Mathew1
Copper Contributor
Mar 17, 2026

How to configure Intune to not allow remote wiping of personal devices

I’m a journalist seeking to do a story around best practices for configuring Intune, in the wake of last week’s destructive attack against Michigan-based medical device maker Stryker. It looks like attackers gained admin-level access to Intune and used it to wipe employees’ personal devices that were enrolled in Intune.

I was speaking with someone who has recent Intune administration experience, and his take is that like other UEM/BYOD/endpoint management tools, none of this software should be configured with the ability to fully wipe a personal device. Instead, it should be only placing sandboxed apps or directories onto a device. Only this sandboxed stuff should be remotely nuke-able. His supposition is that if personal data can be wiped, then either the Intune admins set it up incorrectly, or their documentation for employees who self-configure didn’t specify how to add their device but not give Intune full wiping capabilities.

My questions:

1) Is it possible to configure Intune so that it doesn’t have overly broad permission to wipe an entire, personally owned device?

2) How exactly would one do that (on either Android or iOS)?

There’s lots of “ditch Intune” chatter on Reddit now, supposedly tied to CISOs/executives reacting to the Stryker attack. So I’m seeking clarity around whether the tool can be configured to not remotely wipe personal data, even if other defenses that should be in place (such as requiring multiple admins’ approval before wiping devices, setting alerts if more than a few devices get remotely wiped at once, and so on) aren’t there.

1 Reply

  • jxsh42
    Copper Contributor

    Intune is an MDM (Mobile Device Manager); it is meant to have as much capability over a device as possible so you can manage them remotely. All devices that are in Intune need to be enrolled, either manually or automatically using Autopilot. It is not as easy as just putting your device on the network and it's on Intune.

    To your first question: when a device is enrolled into Intune, the wipe permission is set up by default; however, Stryker forgot to configure multi-admin approval for that command. Any feature in Intune, such as wiping, retiring, sending scripts, etc., can be configured so that a specific admin (whomever the approval is configured for) has to allow it. This means two admin accounts need to be compromised, which is far less likely. This was not an Intune issue; this was a misconfiguration and a not-reading-through-Microsoft's-documentation issue.

    BYOD devices do not get enrolled into Intune unless it is misconfigured. There is a setting called MDM auto discovery; this needs to be disabled, or else if it's a brand new laptop and a user signs in with their work email, it will pick up the Intune enrollment via autoenrollment and the laptop will be put into Intune. Most experienced administrators turn this off because users sometimes sign into their work email on their new personal laptops.

    On Android and iOS it is basically impossible to accidentally get your BYOD device into Intune without an administrator. iOS either needs to be bought through the company's Apple Business Manager, or a custom "Company Portal" app gets put on the phone manually; then you sign into your work email and it is enrolled.

    The "ditch Intune" talk is ridiculous for Windows PCs. Yes, ditch Intune when it comes to macOS and iOS, but Intune is a very powerful tool that needs proper configuration; when set up correctly it is one of the best MDMs on the market. As I said before, this was not an Intune problem with Stryker; this was a misconfiguration on Stryker's side. Multi-admin approval has been a Microsoft standard for Intune for a while, but it has only started getting recognition after Stryker.

    Intune has several features beyond just doing a sandbox; the sandbox idea tells me your friend doesn't work with Intune much.

    All of these features I mentioned, such as disabling MDM auto discovery, enabling multi-admin approval, the Company Portal app for mobile devices, restricting BYOD, etc., are all very easy to do, but the main issue is that people take the stance of "Let's make this work" rather than "What's the most secure way to make this work".
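The original post asks about alerting when more than a few devices get remotely wiped at once, and the reply lists wipe and retire among the device actions that multi-admin approval can gate. The script below is an added example (it is not code from either poster, from Microsoft, or from the Stryker incident) of the detection side of that: it reads Intune audit events and flags any single actor who issues a burst of wipe-like device actions inside a short window. The input is a constructed sample whose field names (`activityDateTime`, `activityOperationType`, `actor.userPrincipalName`, `resources`) are my assumption about the shape of the Microsoft Graph `deviceManagement/auditEvents` export; the verbs matched in `displayName`, the threshold and the window are likewise illustrative values to tune against your own tenant's export.

```python
"""
Flag bursts of remote wipe / retire / delete actions in Intune audit events.

Added example, not from the original page. The event layout mirrors what I
assume the Microsoft Graph `deviceManagement/auditEvents` export looks like;
verify the field names against a real export before relying on this.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample (not a real tenant export): one routine policy edit, one
# normal single wipe by an admin, and a cluster of wipes by a second account.
SAMPLE_AUDIT_EVENTS = json.loads(r'''
{"value": [
 {"id": "e1", "displayName": "update DeviceConfiguration", "activityOperationType": "Patch",
  "activityResult": "Success", "activityDateTime": "2026-03-10T09:00:00Z",
  "actor": {"userPrincipalName": "alice@example.com", "applicationDisplayName": "Intune portal"},
  "resources": [{"displayName": "Baseline policy", "type": "DeviceConfiguration"}]},
 {"id": "e2", "displayName": "wipe ManagedDevice", "activityOperationType": "Action",
  "activityResult": "Success", "activityDateTime": "2026-03-10T09:05:00Z",
  "actor": {"userPrincipalName": "alice@example.com", "applicationDisplayName": "Intune portal"},
  "resources": [{"displayName": "LAPTOP-0042", "type": "ManagedDevice"}]},
 {"id": "e3", "displayName": "wipe ManagedDevice", "activityOperationType": "Action",
  "activityResult": "Success", "activityDateTime": "2026-03-11T02:10:00Z",
  "actor": {"userPrincipalName": "svc-helpdesk@example.com", "applicationDisplayName": "Intune portal"},
  "resources": [{"displayName": "LAPTOP-1001", "type": "ManagedDevice"}]},
 {"id": "e4", "displayName": "wipe ManagedDevice", "activityOperationType": "Action",
  "activityResult": "Success", "activityDateTime": "2026-03-11T02:11:00Z",
  "actor": {"userPrincipalName": "svc-helpdesk@example.com", "applicationDisplayName": "Intune portal"},
  "resources": [{"displayName": "LAPTOP-1002", "type": "ManagedDevice"}]},
 {"id": "e5", "displayName": "wipe ManagedDevice", "activityOperationType": "Action",
  "activityResult": "Failure", "activityDateTime": "2026-03-11T02:12:00Z",
  "actor": {"userPrincipalName": "svc-helpdesk@example.com", "applicationDisplayName": "Intune portal"},
  "resources": [{"displayName": "LAPTOP-1003", "type": "ManagedDevice"}]},
 {"id": "e6", "displayName": "wipe ManagedDevice", "activityOperationType": "Action",
  "activityResult": "Success", "activityDateTime": "2026-03-11T02:14:00Z",
  "actor": {"userPrincipalName": "svc-helpdesk@example.com", "applicationDisplayName": "Intune portal"},
  "resources": [{"displayName": "LAPTOP-1004", "type": "ManagedDevice"}]},
 {"id": "e7", "displayName": "retire ManagedDevice", "activityOperationType": "Action",
  "activityResult": "Success", "activityDateTime": "2026-03-11T02:16:00Z",
  "actor": {"userPrincipalName": "svc-helpdesk@example.com", "applicationDisplayName": "Intune portal"},
  "resources": [{"displayName": "PHONE-2001", "type": "ManagedDevice"}]},
 {"id": "e8", "displayName": "wipe ManagedDevice", "activityOperationType": "Action",
  "activityResult": "Success", "activityDateTime": "2026-03-11T03:30:00Z",
  "actor": {"userPrincipalName": "svc-helpdesk@example.com", "applicationDisplayName": "Intune portal"},
  "resources": [{"displayName": "LAPTOP-1005", "type": "ManagedDevice"}]}
]}
''')

# Illustrative verbs; match them against the displayName strings in your own export.
DESTRUCTIVE_VERBS = ("wipe", "retire", "delete")


def parse_time(stamp):
    """Graph emits UTC ISO-8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_destructive_action(event):
    """Count attempts as well as successes: a failed wipe is still a signal."""
    if event.get("activityOperationType") != "Action":
        return False
    name = event.get("displayName", "").lower()
    return any(verb in name for verb in DESTRUCTIVE_VERBS)


def actor_of(event):
    actor = event.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def find_wipe_bursts(audit_json, threshold=3, window=timedelta(minutes=10)):
    """Return, per actor, the densest run of destructive actions within `window`
    that reaches `threshold`; actors below the threshold are not reported."""
    by_actor = defaultdict(list)
    for event in audit_json.get("value", []):
        if is_destructive_action(event):
            by_actor[actor_of(event)].append(event)

    bursts = []
    for actor, events in by_actor.items():
        events.sort(key=lambda e: parse_time(e["activityDateTime"]))
        times = [parse_time(e["activityDateTime"]) for e in events]
        best, j = None, 0
        for i in range(len(events)):          # sliding window over sorted times
            j = max(j, i)
            while j + 1 < len(events) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold and (best is None or count > best["count"]):
                devices = {r.get("displayName") for e in events[i:j + 1]
                           for r in e.get("resources", [])}
                best = {"actor": actor, "count": count, "start": times[i],
                        "end": times[j], "devices": sorted(devices)}
        if best:
            bursts.append(best)
    return bursts


if __name__ == "__main__":
    for burst in find_wipe_bursts(SAMPLE_AUDIT_EVENTS):
        print(f"ALERT {burst['actor']}: {burst['count']} destructive actions "
              f"between {burst['start']} and {burst['end']}: {burst['devices']}")
```

Run against a real export, alice's single wipe stays silent while the helpdesk account's five actions in six minutes fire one alert, which is the shape of signal the original post wants to exist even when multi-admin approval has not been turned on. The window and threshold are a policy decision; a tenant that routinely retires a batch of devices at offboarding time will want a higher threshold or an allow-list of expected actors.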