
ShadyKhorshed
Iron Contributor
Aug 31, 2023

[New Blog Post] Selective Wipe Corporate Data on unmanaged devices (iOS/iPadOS and Android)

1. Introduction

This blog details Mobile Application Management (MAM) for unmanaged iOS/iPadOS and Android devices, and in particular how to use a selective wipe of corporate data. When a device is lost or stolen, or an employee leaves the company, you want to be sure that no corporate data is left on the device. A selective wipe achieves this: once the wipe has been requested, the corporate data is removed from the app-protected apps the next time the user starts one of them. This guide covers three aspects:

  • Conditional launch
  • Device-based wipe request (stolen or lost device)
  • User-based wipe request (employee leaves the company)

 

2. How to initiate a wipe

There are two ways to initiate a selective wipe: automatically, as part of the conditional launch settings of an app protection policy, or manually, by creating a wipe request (a device-based wipe or a user-based wipe).

2.1. Conditional launch

When you configure an app protection policy, the selective wipe is configured as part of the conditional launch settings. One of these settings is "Offline grace period" with the action "Wipe data" (180 days in this example). Once the device has been offline for that long, the app requires the user to reconnect to the network and authenticate successfully. If the user authenticates successfully nothing happens; if authentication fails, the app performs a selective wipe of its corporate data.
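As an added example (not code from the original post), the following PowerShell audits the conditional launch offline settings of every iOS/iPadOS and Android app protection policy through Microsoft Graph, so you can check which policies actually wipe data and after how long. It assumes the Microsoft.Graph PowerShell SDK (v2 or later) is installed and the signed-in admin holds DeviceManagementApps.Read.All; the 90-day review threshold and the function name Get-OfflineWipeReport are choices made for this example, not Microsoft defaults or SDK cmdlets.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest) and an admin with
# DeviceManagementApps.Read.All. The 90-day threshold is an assumed review
# value for this example, not a Microsoft default.
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All" -NoWelcome

$ReviewThreshold = [TimeSpan]::FromDays(90)

# Both policy types inherit the offline settings from managedAppProtection:
#   periodOfflineBeforeAccessCheck    -> "Offline grace period ... Block access"
#   periodOfflineBeforeWipeIsEnforced -> "Offline grace period ... Wipe data"
$PolicyEndpoints = @(
    "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections",
    "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections"
)

function ConvertFrom-IsoDuration {
    # Graph returns ISO 8601 durations such as "P90D" or "PT720M";
    # System.Xml.XmlConvert parses that format into a TimeSpan.
    param([string]$Duration)
    if ([string]::IsNullOrWhiteSpace($Duration)) { return $null }
    return [System.Xml.XmlConvert]::ToTimeSpan($Duration)
}

function Get-OfflineWipeReport {
    foreach ($endpoint in $PolicyEndpoints) {
        $platform = if ($endpoint -like "*iosManagedAppProtections") { "iOS/iPadOS" } else { "Android" }
        $uri = $endpoint
        # Follow @odata.nextLink so tenants with many policies are fully covered.
        do {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
            foreach ($policy in $page.value) {
                $block = ConvertFrom-IsoDuration $policy.periodOfflineBeforeAccessCheck
                $wipe  = ConvertFrom-IsoDuration $policy.periodOfflineBeforeWipeIsEnforced
                [pscustomobject]@{
                    Platform    = $platform
                    Policy      = $policy.displayName
                    BlockAfter  = $block
                    WipeAfter   = $wipe
                    # Flag policies with no offline wipe period at all, or one
                    # longer than the review threshold.
                    NeedsReview = ($null -eq $wipe) -or ($wipe -gt $ReviewThreshold)
                }
            }
            $uri = $page.'@odata.nextLink'
        } while ($uri)
    }
}

Get-OfflineWipeReport | Sort-Object NeedsReview, WipeAfter -Descending | Format-Table -AutoSize
```

Rows with NeedsReview set to True are the policies where a device that simply stays offline would keep its corporate data for longer than you intended; the manual wipe requests described below are the way to deal with such a device before the offline period runs out.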

 

2.2. Manually initiate a wipe request

There are two ways to manually initiate a wipe request: a device-based wipe request and a user-based wipe request. To initiate a wipe, open the MEM admin center and select "Apps" -> "App selective wipe". At the top of the App selective wipe blade you can choose "Wipe request" (device-based wipe) or "User-level wipe" (user-based wipe).

 

2.2.1. Device-based wipe request

With a device-based wipe request, a wipe can be initiated for each of the user's devices that is registered with an app protection policy. If a user has lost a device and is already using a new one, a device-based wipe lets you wipe only the previous device.

  1. Press the button "Create wipe request" at the top of the page.
  2. Press "Select user" to select the user whose device you want to wipe. After the user has been selected, the devices belonging to that user are displayed. Select the device you want to wipe and press "Create".
  3. The wipe request is sent to the device to remove corporate data from the applications protected with an app protection policy. You return to the App selective wipe blade, where you can monitor the removal process for the user. Pending requests can be deleted by right-clicking the request and selecting "Delete wipe request".
  4. After the wipe has completed, the device is removed from the device overview that was displayed in step 2.

 

Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request has been made.
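The same device-based wipe can be driven from Microsoft Graph instead of the admin center, which is useful when offboarding is automated. The following PowerShell is an added example, not code from the original post: it lists a user's app registrations grouped by device, issues the wipe for one device tag with the v1.0 action wipeManagedAppRegistrationsByDeviceTag, and then reads the operations recorded on the affected registrations to monitor progress. It assumes the Microsoft.Graph PowerShell SDK (v2 or later), an admin holding DeviceManagementApps.ReadWrite.All and User.Read.All, and placeholder inputs (user@contoso.com, the device name "iPhone"); the function names Get-MamDevice, Invoke-MamDeviceWipe and Get-MamWipeStatus are chosen for this example and are not SDK cmdlets.

```powershell
# Added example, not code from the original post. Performs the device-based
# selective wipe of section 2.2.1 through Microsoft Graph. Assumes the
# Microsoft.Graph PowerShell SDK (v2+) and an admin holding
# DeviceManagementApps.ReadWrite.All and User.Read.All. The UPN and device
# name at the bottom are placeholders.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All", "User.Read.All" -NoWelcome

$Graph = "https://graph.microsoft.com/v1.0"

function Get-MamDevice {
    # A user has one managedAppRegistration per protected app per device; the
    # wipe action keys on the registration's deviceTag, so group by that.
    param([Parameter(Mandatory)][string]$UserId)
    $uri  = "$Graph/users/$UserId/managedAppRegistrations"
    $regs = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $regs += $page.value
        $uri   = $page.'@odata.nextLink'
    } while ($uri)
    $regs | Group-Object deviceTag | ForEach-Object {
        [pscustomobject]@{
            DeviceTag       = $_.Name
            DeviceName      = $_.Group[0].deviceName
            DeviceType      = $_.Group[0].deviceType
            AppCount        = $_.Count
            LastSync        = ($_.Group.lastSyncDateTime | Sort-Object -Descending)[0]
            RegistrationIds = @($_.Group.id)
        }
    }
}

function Invoke-MamDeviceWipe {
    # Equivalent of "Create wipe request" for one device. This only queues the
    # wipe: it runs when a protected app on that device next checks in, so a
    # device that is offline (or whose apps are never opened) stays pending.
    param([Parameter(Mandatory)][string]$UserId, [Parameter(Mandatory)][string]$DeviceTag)
    Invoke-MgGraphRequest -Method POST `
        -Uri "$Graph/users/$UserId/wipeManagedAppRegistrationsByDeviceTag" `
        -Body (@{ deviceTag = $DeviceTag } | ConvertTo-Json) `
        -ContentType "application/json"
}

function Get-MamWipeStatus {
    # The operations recorded on each registration are what the App selective
    # wipe blade shows; poll this until the wipe is no longer pending.
    param([Parameter(Mandatory)][string[]]$RegistrationIds)
    foreach ($id in $RegistrationIds) {
        $ops = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
            -Uri "$Graph/deviceAppManagement/managedAppRegistrations/$id/operations"
        foreach ($op in $ops.value) {
            [pscustomobject]@{
                Registration = $id
                Operation    = $op.displayName
                State        = $op.state
                Modified     = $op.lastModifiedDateTime
            }
        }
    }
}

# --- usage with placeholder values ---
$UserPrincipalName = "user@contoso.com"
$DeviceName        = "iPhone"

$userId  = (Get-MgUser -UserId $UserPrincipalName -Property Id).Id
$devices = Get-MamDevice -UserId $userId
$devices | Format-Table DeviceName, DeviceType, AppCount, LastSync, DeviceTag -AutoSize

# Refuse to guess when the name matches more than one device; wipe by tag then.
$target = @($devices | Where-Object DeviceName -eq $DeviceName)
if ($target.Count -eq 0) { throw "No app registrations found for device '$DeviceName'" }
if ($target.Count -gt 1) { throw "Device name '$DeviceName' is ambiguous; select by DeviceTag instead" }

Invoke-MamDeviceWipe -UserId $userId -DeviceTag $target[0].DeviceTag
Get-MamWipeStatus -RegistrationIds $target[0].RegistrationIds | Format-Table -AutoSize
```

The LastSync column is the practical check when a request sits in pending: a device whose registrations have not synced since the request was created has simply not checked in yet, and nothing on the server side can force the wipe through until it does.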

 

2.2.2. User-based wipe request

When you perform a user-based wipe request, a wipe request is sent to all app-protected apps on all of the user's devices. Use this when a user leaves the company and you want to be sure that all corporate data is removed from every device associated with that user.

  1. On the App selective wipe page select "User-level wipe" and press "Add" to select the user for whom you want to perform a user-level wipe.
  2. Once the user has been selected, wipe requests are sent to all of the user's devices. As long as the user remains on the list, the user continues to receive wipe commands at every check-in from all devices, so to allow sign-in on a device again you must first remove the user from the list.
  3. The wipe action can be monitored using the User report ("Apps" -> "Monitor" -> "Reports").

 

Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.
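The user-level wipe also has a Graph counterpart. The PowerShell below is an added example, not code from the original post: it puts a leaver on the user-level wipe list, reports which of their registrations have checked in since the request (and so have had the chance to wipe) versus which are still pending, and shows the unblock call that takes the user off the list again. The two actions it uses, wipeAndBlockManagedApps and unblockManagedApps on the user object, exist only on the Graph beta endpoint as far as I know and should be verified against the current Graph reference before production use. It assumes the Microsoft.Graph PowerShell SDK (v2 or later) with DeviceManagementApps.ReadWrite.All and User.Read.All; the UPN leaver@contoso.com and the function names Set-MamUserWipe, Remove-MamUserWipe and Get-MamUserWipeProgress are placeholders chosen for this example.

```powershell
# Added example, not code from the original post. User-level wipe of section
# 2.2.2 through Microsoft Graph. The wipeAndBlockManagedApps and
# unblockManagedApps actions are beta-only (assumption: verify against the
# current Graph reference). Assumes the Microsoft.Graph PowerShell SDK (v2+)
# with DeviceManagementApps.ReadWrite.All and User.Read.All.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All", "User.Read.All" -NoWelcome

$GraphBeta = "https://graph.microsoft.com/beta"

function Set-MamUserWipe {
    # Adds the user to the user-level wipe list. Every protected app on every
    # device receives a wipe at its next check-in and keeps receiving one until
    # the user is removed from the list again (Remove-MamUserWipe).
    param([Parameter(Mandatory)][string]$UserId)
    Invoke-MgGraphRequest -Method POST -Uri "$GraphBeta/users/$UserId/wipeAndBlockManagedApps"
}

function Remove-MamUserWipe {
    # Takes the user off the list so they can sign in to protected apps again.
    param([Parameter(Mandatory)][string]$UserId)
    Invoke-MgGraphRequest -Method POST -Uri "$GraphBeta/users/$UserId/unblockManagedApps"
}

function Get-MamUserWipeProgress {
    # Heuristic progress view: a registration that has synced after the request
    # was issued has checked in and therefore received the wipe command; one
    # whose last sync predates the request is still pending (device offline or
    # app not opened). Registrations removed entirely have already been wiped.
    param([Parameter(Mandatory)][string]$UserId, [Parameter(Mandatory)][datetime]$RequestedAt)
    $uri  = "$GraphBeta/users/$UserId/managedAppRegistrations"
    $regs = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $regs += $page.value
        $uri   = $page.'@odata.nextLink'
    } while ($uri)
    foreach ($r in $regs) {
        $lastSync = [datetime]$r.lastSyncDateTime
        [pscustomobject]@{
            Device   = $r.deviceName
            Type     = $r.deviceType
            LastSync = $lastSync
            Status   = if ($lastSync -gt $RequestedAt) { "checked in after request" } else { "pending (no check-in yet)" }
        }
    }
}

# --- usage with a placeholder leaver ---
$userId    = (Get-MgUser -UserId "leaver@contoso.com" -Property Id).Id
$requested = Get-Date
Set-MamUserWipe -UserId $userId

# Re-run this as often as needed; remember the wipe may take up to 30 minutes
# after a check-in, and devices that never come online will never leave pending.
Get-MamUserWipeProgress -UserId $userId -RequestedAt $requested | Format-Table -AutoSize

# Only once every device has been wiped (or the offboarding is reversed):
# Remove-MamUserWipe -UserId $userId
```

Keep the unblock call as a deliberate, separate step: removing the user from the list too early lets a device that has not checked in yet sign in again with its corporate data still intact.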


Author

Shady Khorshed is a Microsoft enthusiast. He loves writing about iOS/Android, Windows 11, Windows 365 and Microsoft Intune. He is here to share quick tips and tricks for young professionals.

  •
    Imran1643
    Copper Contributor

    Hello ShadyKhorshed, thank you for your post. Do we have any option to get a report for wiped unmanaged device applications using an app protection policy with conditional launch?

  •
    DavidPuffer
    Copper Contributor

    ShadyKhorshed, thank you for this post. The issue I'm running into is that I have some stuck in pending for ages. Is there a way to brute-force the removal of company data?

    •
      WhitWilliams
      Microsoft

      DavidPuffer, I wanted to add some detail just in case. My understanding is that user wipes will always be "Pending" because they're basically always running. The wipe, I think, runs anytime a user attempts to sign into one of the apps with org credentials on any device. If your device-specific wipe request is still in "Pending", it may be that the device has not been online in some time and has not checked in. Once it does, the wipe should run.

    •
      ShadyKhorshed
      Iron Contributor

      Hi DavidPuffer,

      The device has to be connected online for the wipe to take effect. However, you cannot enforce it if the device is offline.

      If you found my answer helpful, please mark it as Best!

      Best Regards

      Shady Khorshed

