Forum Discussion
iOS devices can manually unenroll and still access corporate resources (Outlook app not removed)
BYOD. No, we do not use Apple Business Manager. After speaking with Apple, this didn't seem to work for BYOD and was really for corp-owned devices.
Hi JD1234535
I'm guessing here but please fill me in with more info along the way so we can help you better.
- What is the reason to MDM enroll and Intune manage personal devices?
- Do you have a conditional access policy requiring devices to be compliant (forced enrollment)?
- How do users enroll? (if not because of CA, see Q2 above)
Finally:
Do you have an app protection policy (APP) configured for managed apps? I assume you do, since you mentioned apps are installed using Intune (therefore are managed apps) and you're not able to do a wipe (assuming you mean a wipe on app level). When a user removes the management profile, Authenticator and Intune Company Portal app, the device becomes unmanaged and with that, the applications are now unmanaged too. I did not test this fully but I believe that's the reason you're not able to do a selective wipe using the app protection policy, because it was targeting managed apps.
Since these are personal devices, what you can consider is not to install the outlook app using Intune, but have the user install it from the store. Where am I going with this you may ask...
Well, if the apps are unmanaged, you can use app protection policies for unmanaged apps. This way, the device state does not matter (basically falling back to MAM and not MDM). However, you're still able to have the devices MDM managed if that is a requirement. Now, in this scenario, if devices become unmanaged, the app is still managed. And this gives you options like selective wipe or conditional launch to automatically wipe corporate data under certain conditions. Whatever comes first.
Please note that in the example below I've deliberately set some settings to 1 minute/day...
What I did not try is to create an APP for managed and unmanaged apps, and see if the app picks up the APP for unmanaged apps after becoming an unmanaged app/device. (still with me?) You could give that a try too.
Hope this helps but if this does not meet your business requirements, please give as much information as you can.
Regards
Oktay
- JD1234535, Jun 29, 2022, Copper Contributor
Oktay thanks for the quick reply!
1. We do a stipend instead of corp devices. We want to be able to remote wipe and have access control to corporate data for DLP and HIPAA reasons.
2. Yes we have a CAE in place to require a device is marked as compliant and require use of an approved app. This policy is set to iOS and Android and for All Cloud Apps.
3. Users enroll using the Company Portal App
Yes, we have an app protection policy. One policy is targeted to iOS and MS apps. We have conditions set for offline grace period, disabled account and jailbroken.
Your thought about relying on app protection MAM is interesting. I am going to test using the conditional launch to see if that helps.
I don’t see how to create an App protection policy and distinguish between managed and non managed apps. All I can do is select either MS built in apps or Public apps (where the MS apps are already selected).
Is there a way to use an app protection policy to force an immediate wipe? If someone is unmanaged and leaves the company the best we could do is wipe the data after 1 day?
Thanks
John
- Oktay Sari, Jun 29, 2022, Iron Contributor
Hi JD1234535,
Q: I don't see how to create an App protection policy and distinguish between managed and non-managed apps?
A: When you create an APP, you can choose between managed and unmanaged devices. So you distinguish on device level:
Q: Is there a way to use an app protection policy to force an immediate wipe?
A: The only thing I can think of is conditional launch with a disabled account (and maybe device threat level, but I never worked with that). However, you'll have to test with disabling an account and then see when the policy kicks in. It will be on the next authentication check.
And what you can always do is a user/device based selective wipe whenever you need to: Intune > Apps > App selective wipe
hope this helps.
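The point made in both of Oktay's replies (an APP that only targets managed devices stops applying once the user removes the management profile, so a second APP for unmanaged devices is needed) can be checked in a tenant by auditing the policy objects. The script below is an added example, not code from the thread or from Microsoft: it runs over a constructed sample shaped like the Graph `iosManagedAppProtections` response (property names `targetedAppManagementLevels`, `periodOfflineBeforeAccessCheck`, `periodOfflineBeforeWipeIsEnforced`, `deviceComplianceRequired` as in the managedAppProtection resource; the values are made up) and reports which policies would still cover an unenrolled device and how long the offline-wipe window is.

```python
import re
from datetime import timedelta

# Constructed sample resembling GET /deviceAppManagement/iosManagedAppProtections.
# Values are invented for illustration; the first policy only follows MDM-enrolled
# devices, the second keeps applying after a user unenrolls.
SAMPLE_POLICIES = [
    {"displayName": "iOS APP - managed devices",
     "targetedAppManagementLevels": "mdm",
     "periodOfflineBeforeAccessCheck": "PT12H",
     "periodOfflineBeforeWipeIsEnforced": "P90D",
     "deviceComplianceRequired": True, "isAssigned": True},
    {"displayName": "iOS APP - unmanaged devices",
     "targetedAppManagementLevels": "unmanaged",
     "periodOfflineBeforeAccessCheck": "PT1H",
     "periodOfflineBeforeWipeIsEnforced": "P1D",
     "deviceComplianceRequired": True, "isAssigned": True},
]

# Graph expresses these timers as ISO 8601 durations such as P90D or PT12H.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_iso_duration(value):
    """Parse the PnDTnHnM subset of ISO 8601 durations used by Intune."""
    match = _DURATION.match(value)
    if not match:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def audit_policies(policies):
    """Summarise each assigned policy: does it survive unenrollment, and
    how many days offline before corporate data is wiped."""
    findings = []
    for policy in policies:
        if not policy.get("isAssigned"):
            continue  # unassigned policies protect nothing
        # targetedAppManagementLevels is a comma-separated flag enum; "unspecified"
        # means all levels, so it also covers unmanaged devices.
        levels = {s.strip() for s in policy["targetedAppManagementLevels"].split(",")}
        wipe_after = parse_iso_duration(policy["periodOfflineBeforeWipeIsEnforced"])
        findings.append({
            "name": policy["displayName"],
            "covers_unmanaged": bool(levels & {"unmanaged", "unspecified"}),
            "offline_wipe_days": wipe_after / timedelta(days=1),
            "blocks_jailbroken": bool(policy.get("deviceComplianceRequired")),
        })
    return findings
```

Against a real tenant, feed the `value` array of the Graph response into `audit_policies`; a policy with `covers_unmanaged` false is the one that goes silent when the Company Portal is removed.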
- Oktay Sari, Jul 03, 2022, Iron Contributor
Hi JD1234535, I was wondering if you had time to have a look at this? Any updates? Thx and have a great Sunday