iOS Devices can manually unenroll and still access corporate resource (Outlook app not removed)

Question

We are looking to migrate to Intune for MDM on our phone but are having an issue with iOS.

With Android, if you try to un-enroll your device it forces you to wipe the work profile. This means that the phone is always managed and can be wiped if the employee leaves or it is wiped automatically if the employee decides to remove the Company Portal app from their device.

With iOS, you can remove the device management profile under settings and you can remove the Company Portal and Authenticator app from the device without it also removing the applications like Outlook and Teams which were installed and managed by Intune. There must be a configuration somewhere to force these applications to be removed if a phone is un-enrolled from Intune. Otherwise, there is no way to wipe corporate data off a device since it is no longer managed. Even if you manually block active sync for email, change their password or remove their account all that cached data is still present on the device.

Thanks

oktay sari · Answer

Hi&nbsp;JD1234535, Can you share a little more details on your scenario?&nbsp;Are we talking corp owned or BYOD?Do you by any chance use Apple Business Manager (DEP) or Apple Configurator to MDM enroll corp iOS devices? If you do, you can set your iOS devices to supervised mode. In this mode, un-enrollment can be blocked. That should solve your problem.&nbsp;&nbsp;&nbsp;&nbsp;

jd1234535 · Answer

Oktay Sari&nbsp;BYOD.&nbsp; No we do not use Apple Business Manager.&nbsp; After speaking with Apple this didnt seem to work for BYOD and was really for corp owned devices.&nbsp;

oktay sari · Answer

Hi JD1234535I'm guessing here but please fill me in with more info along the way so we can help you better.What is the reason to MDM enroll and Intune manage personal devices?Do you have a conditional access policy requiring devices to be compliant (forced enrollment)?How do users enroll? (if not because of CA.. Q2 above)Finally;Do you have an app protection policy&nbsp;(APP) configured for managed apps? I assume you do, since you mentioned apps are installed using Intune (therefore are managed apps) and you're not able do do a wipe (assuming you mean a wipe on app level). When a user removes the management profile, authenticator and Intune company portal app, the device becomes unmanaged and with that, the applications are now unmanaged too. I did not test this fully but I believe that's the reason you're not able to do a selective wipe using the app protection policy, because it was targeting managed apps.&nbsp;Since these are personal devices, what you can consider is not to install the outlook app using Intune, but have the user install it from the store. Where am I going with this you may ask...&nbsp;Well, if the apps are unmanaged, you can use&nbsp;app protection policies for unmanaged apps. This way, the device state does not matter (basically falling back to MAM and not MDM) . However, you're still able to have the devices MDM managed if that is a requirement. Now, in this scenario, if devices become unmanaged, the app is still managed. And this gives you options like selective wipe or conditional launch to automatically wipe corporate data under certain conditions. What ever comes first.&nbsp;&nbsp;Please note that in the example below I've deliberately set some settings to 1 minute/day...&nbsp;What I did not try is to create an APP for managed and unmanaged apps, and see if the app picks up the APP for unmanaged apps after becoming an unmanaged app/device. (still with me?) You could give that a try too.&nbsp;Hope this helps but if this does not meet your business requirements, please give as much information as you can.&nbsp;RegardsOktay&nbsp;

jd1234535 · Answer

Oktay thanks for the quick reply!1. We do a stipend instead of Corp devices. We want to be able to remote wipe and have access control to corporate data for DLP and HIPAA reason.2. Yes we have a CAE in place to require a device is marked as compliant and require use of an approved app. This policy is set to iOS and Android and for All Cloud Apps.3. Users enroll using the Company Portal AppYes we have app protection policy. One policy is target to iOS and MS Apps. We have conditions set for Offline grace period, disabled account and Jailbroken.Your thought about relying on app protection MAM is interesting. I am going test using the conditional launch to see if that helps.I don’t see how to create an App protection policy and distinguish between managed and non managed apps. All I can do is select either MS built in apps or Public apps (where the MS apps are already selected).Is there a way to use an app protection policy to force an immediate wipe? If someone is unmanaged and leaves the company the best we could do is wipe the data after 1 day?ThanksJohn

oktay sari · Answer

Hi JD1234535,&nbsp;Q: I don’t see how to create an App protection policy and distinguish between managed and non managed appA: When you create an APP, you can&nbsp; choose between managed and unmanaged device. So you distinguish on device level:&nbsp;Q: Is there a way to use an app protection policy to force an immediate wipe?A:&nbsp; the only thin I can think of is&nbsp;conditional&nbsp;launch disabled account; (and maybe device threat level but I never worked with that). However, you'll have to test with disabling an account and then see when the policy kicks in. It will be on next authentication check.And what you can always do is a user/device based selective wipe when ever you need to:Intune &gt; Apps &gt; App selective wipe&nbsp;&nbsp;hope this helps.&nbsp;

Forum Discussion

iOS Devices can manually unenroll and still access corporate resource (Outlook app not removed)

6 Replies

Resources