Oct 03 2023 02:22 PM
Environment and Requirements:
Ended up with a configuration that combines a conditional access rule that checks for device compliance, an enrollment type of device enrollment, a compliance policy, and an application protection policy.
Most things work as expected - logging into any Office app on mobile sends the user to enroll via the Company Portal. Once they are set up and pass compliance they can add accounts to Outlook, OneNote, M365 apps, etc. We got a group-based add for native apps to also be configured via an email configuration policy. We can successfully retire / selective wipe the apps from the Intune portal. We also offer the various mobile apps through Intune but realize that many users will already have these apps for personal M365 subscriptions, etc.
The one thing that seems strange is the user can remove the device from the Company Portal or delete the Company Portal app and the data stays put on the device. I would have expected it to selectively wipe company data. It does delete the native app configuration, but Outlook, OneNote, etc. are not wiped. Eventually the sign-in times out and the conditional access rule insists upon a compliant device to sign back in (so they have to go back through the process), but all the data synced when things were good just hangs around even if they remain signed out.
Is there a way to have a user-initiated removal of the device from Intune or deletion of the Company Portal app selectively wipe company data from these apps? My last job had a MAM config, but the one prior was MDM and I swear that is how I remember it working - that deleting the Company Portal app would wipe company data. Thoughts?
I've put in a few workarounds - require PIN via app policy if MDM PIN requirement goes away; delete corporate data if Azure AD account is disabled, etc. but I would love to have the data wipe if the user initiates either of those two actions. Thanks for any help!
Oct 04 2023 01:39 AM
Hi @mjanssen777,
To selectively wipe company data from apps when the user removes the device from the Company Portal or deletes the Company Portal app on iOS devices, you can try to use the Selective wipe for apps feature in Intune.
To enable selective wipe for apps, follow these steps:
Once the profile is deployed, company data from the selected apps will be wiped when the user removes the device from the Company Portal or deletes the Company Portal app.
You can use this as a reference:
*Selective wipe for apps is only supported for Intune-managed apps.
Kindest regards,
Leon Pavesic
Oct 04 2023 11:44 AM
@LeonPavesic This seems so close but I am not able to find the setting in the device configuration profiles. Things are a bit off from the instructions once you click to add a new profile. It wants me to select platform (iOS/iPadOS) and then a Profile type - (Settings catalog or Templates - with several to choose from). I couldn't find anything related to selective wipe or retiring a device unfortunately.