05-15-2020 03:11 AM
05-15-2020 03:11 AM
I am investigating the unexplained wipe of a DEP enrolled device. This is the 3rd case of this.
From the logs, I can see nothing obvious except for an AD password change synced via AADC.
So, if the password was changed in AD and synced to AA, surely the Intune Company Portal would recognize the password change and prompt for the new password?
And what if the user entered the old / wrong password multiple times? Would the DEP device wipe?
Info greatly appreciated.
05-15-2020 09:54 AM
@Stuart King Do you have the "Number of sign-in failures before wiping device" setting configured in the iOS restrictions profile? I suspect that the end-user entered the device passcode incorrectly too many times, especially if there's no log of it in Endpoint Manager. Failed authentication attempts against the AAD account would not cause the device to wipe.
05-15-2020 02:14 PM
"Failed authentication attempts against the AAD account would not cause the device to wipe." - Even on the Intune Company Portal app? Do you have a reference to that info?
I have loads of Sign-in failures against the Intune Company Portal app around the same time as the password change, then the device re-enrolling.
05-18-2020 02:45 PM
@Stuart King Yes, the Microsoft Intune and Intune Company Portal apps do not define this, it is a configuration that can be deployed to managed devices that leverages the existing built-in OS feature. Once the config is deployed, it is the device itself that evaluates the failed device password (passcode) attempts, not the MDM agent. Failed sign-in attempts to the Company Portal would only affect the user account (eg. lock the account, block additional sign-ins from this device, whatever your organization has defined...). Do you have any compliance actions set that would be contributing to this behaviour?
05-19-2020 05:49 AM
Many thanks for your reply.
I can't see anything in Device Compliance that would cause this.
There is Device Config setting, wipe after 6 incorrect PIN attempts.
Apart from that, I can see no obvious reason why this DEP device, the 3rd separate one has suddenly wiped.
05-19-2020 08:30 PM
On further investigation of the iOS Device Compliance and Configuration policies, I have noticed the following setting:
Password expiration (days): = 90
As roll-out was approx mid-February, 90 days would take it to mid-May, when the reset occurred.
Could this be the culprit?