Jun 28 2022 09:00 AM
We are looking to migrate to Intune for MDM on our phones but are having an issue with iOS.
With Android, if you try to un-enroll your device it forces you to wipe the work profile. This means that the phone is always managed and can be wiped if the employee leaves or it is wiped automatically if the employee decides to remove the Company Portal app from their device.
With iOS, you can remove the device management profile under settings and you can remove the Company Portal and Authenticator app from the device without it also removing the applications like Outlook and Teams which were installed and managed by Intune. There must be a configuration somewhere to force these applications to be removed if a phone is un-enrolled from Intune. Otherwise, there is no way to wipe corporate data off a device since it is no longer managed. Even if you manually block active sync for email, change their password or remove their account all that cached data is still present on the device.
Jun 28 2022 10:16 AM
Hi @JD1234535, Can you share a little more details on your scenario?
Jun 28 2022 10:42 AM
BYOD. No, we do not use Apple Business Manager. After speaking with Apple this didn't seem to work for BYOD and was really for corp-owned devices.
Jun 29 2022 12:41 AM
I'm guessing here but please fill me in with more info along the way so we can help you better.
Do you have an app protection policy (APP) configured for managed apps? I assume you do, since you mentioned apps are installed using Intune (therefore are managed apps) and you're not able to do a wipe (assuming you mean a wipe on app level). When a user removes the management profile, Authenticator and the Intune Company Portal app, the device becomes unmanaged and with that, the applications are now unmanaged too. I did not test this fully but I believe that's the reason you're not able to do a selective wipe using the app protection policy, because it was targeting managed apps.
Since these are personal devices, what you can consider is not to install the outlook app using Intune, but have the user install it from the store. Where am I going with this you may ask...
Well, if the apps are unmanaged, you can use app protection policies for unmanaged apps. This way, the device state does not matter (basically falling back to MAM and not MDM). However, you're still able to have the devices MDM managed if that is a requirement. Now, in this scenario, if devices become unmanaged, the app is still managed. And this gives you options like selective wipe or conditional launch to automatically wipe corporate data under certain conditions. Whatever comes first.
Please note that in the example below I've deliberately set some settings to 1 minute/day...
What I did not try is to create an APP for managed and unmanaged apps, and see if the app picks up the APP for unmanaged apps after becoming an unmanaged app/device. (still with me?) You could give that a try too.
Hope this helps but if this does not meet your business requirements, please give as much information as you can.
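The setup described in the reply above (an APP targeted at apps on unmanaged devices, with conditional-launch wipe settings, applied to Outlook and Teams) can also be created through Microsoft Graph instead of clicking through the portal. The script below is an added illustration, not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Authentication PowerShell module is installed, that the signed-in account holds the DeviceManagementApps.ReadWrite.All permission, and the policy name, description and timeout values are placeholders you would adjust.

```powershell
# Added example (not from the original thread): create an iOS app protection policy
# that applies to apps on UNMANAGED devices, then target Outlook and Teams.
# Assumptions: Microsoft.Graph.Authentication module installed; signed-in account
# has DeviceManagementApps.ReadWrite.All; names and durations are placeholders.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "iOS APP - unmanaged devices (BYOD)"   # placeholder name
    description   = "MAM protection that survives removal of the MDM profile"
    # Portal equivalent: 'Target to apps on all device types: No' + 'Device types: Unmanaged'
    targetedAppManagementLevels = "unmanaged"
    # Conditional launch (ISO 8601 durations). Deliberately short for testing,
    # as in the reply above; lengthen for production.
    periodOfflineBeforeWipeIsEnforced = "P1D"    # wipe org data after 1 day offline
    periodOfflineBeforeAccessCheck    = "PT12H"  # offline grace before re-check
    periodOnlineBeforeAccessCheck     = "PT30M"  # online re-check interval
    # App PIN with wipe after repeated failures
    pinRequired       = $true
    maximumPinRetries = 5
    # Keep org data inside policy-managed apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked     = $true
    dataBackupBlocked = $true
    # Must be $false here: requiring MDM compliance would block the app
    # on exactly the unmanaged devices this policy is meant to cover.
    deviceComplianceRequired = $false
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Target the policy at Outlook and Teams by bundle ID. Store-installed copies
# are covered too, which is the point when the device is no longer MDM-managed.
$apps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId      = "com.microsoft.Office.Outlook" } },
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId      = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

The policy still has to be assigned to a user group (the `assign` action on the same policy, or the portal's Assignments tab) before it takes effect. Note that the wipe triggered by periodOfflineBeforeWipeIsEnforced or the PIN retry limit is a MAM-level selective wipe of org data inside the targeted apps; it does not depend on the device being enrolled, which is what the unmanaged targeting buys you.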
Jun 29 2022 04:47 AM
Jun 29 2022 06:33 AM
Q: I don’t see how to create an App protection policy and distinguish between managed and non managed app
A: When you create an APP, you can choose between managed and unmanaged device. So you distinguish on device level:
Q: Is there a way to use an app protection policy to force an immediate wipe?
A: The only thing I can think of is the conditional launch "disabled account" setting (and maybe device threat level, but I never worked with that). However, you'll have to test with disabling an account and then see when the policy kicks in. It will be on the next authentication check.
And what you can always do is a user/device based selective wipe whenever you need to:
Intune > Apps > App selective wipe
Hope this helps.
Jul 03 2022 08:30 AM
Hi @JD1234535, I was wondering if you had time to have a look at this? Any updates? Thanks and have a great Sunday.