Need help with iOS and Intune config


Environment and Requirements:


  • Devices are personally owned with a corporate stipend
  • MDM needed to compliance check device-level PINs and to configure native iOS apps for executives and others who are approved
  • User enrollment with ABM federation seems overly complicated for what we are trying to do
  • I am a proponent for straight MAM and not allowing native apps, but was overruled


Ended up with a configuration that combines a conditional access rule that checks for device compliance, an enrollment type of device enrollment, a compliance policy, and an application protection policy.


Most things work as expected - logging into any Office app on mobile sends the user to enroll via the Company Portal. Once they are set up and pass compliance they can add accounts to Outlook, OneNote, M365 apps, etc. We got a group-based add for native apps to also be configured via an email configuration policy. We can successfully retire / selective wipe the apps from the Intune portal. We also offer the various mobile apps through Intune but realize that many users will already have these apps for personal M365 subscriptions, etc.


The one thing that seems strange is the user can remove the device from the Company Portal or delete the Company Portal app and the data stays put on the device. I would have expected it to selectively wipe company data. It does delete the native app configuration, but Outlook, OneNote, etc. are not wiped. Eventually the sign-in times out and the conditional access rule insists upon a compliant device to sign back in (so they have to go back through the process), but all the data synced when things were good just hangs around even if they remain signed out.


Is there a way to have a user-initiated removal of the device from Intune or deletion of the Company Portal app selectively wipe company data from these apps? My last job had a MAM config, but the one prior was MDM and I swear that is how I remember it working - that deleting the Company Portal app would wipe company data. Thoughts?


I've put in a few workarounds - require PIN via app policy if MDM PIN requirement goes away; delete corporate data if Azure AD account is disabled, etc. but I would love to have the data wipe if the user initiates either of those two actions. Thanks for any help!
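As an added example (not the poster's own configuration), here is what the two policy pieces described above look like when created with the Microsoft Graph PowerShell SDK: the conditional access rule that requires a compliant device for Office apps on iOS, and an iOS app protection policy carrying the PIN and offline-wipe workarounds. The pilot group id, policy names, and the 30-day offline window are assumptions, not values from the thread; the CA policy is created in report-only mode, and the app protection policy is deliberately not assigned to any user group, so either can be reviewed in the admin center before it affects anyone. The `compliantApplication` option shows what the "straight MAM" variant would look like instead.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module is
# installed (Install-Module Microsoft.Graph) and an account with the listed scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'DeviceManagementApps.ReadWrite.All'

function New-MobileOfficeCaPolicy {
    param(
        # Assumed placeholder: object id of the group you are piloting with.
        [Parameter(Mandatory)] [string] $PilotGroupId,
        # compliantDevice = MDM route used in the thread; compliantApplication = MAM-only route.
        [ValidateSet('compliantDevice', 'compliantApplication')] [string] $Control = 'compliantDevice'
    )
    $body = @{
        displayName = "iOS Office apps: require $Control"
        # Report-only first: shows who would have been blocked without enforcing anything.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($PilotGroupId) }
            applications   = @{ includeApplications = @('Office365') }
            platforms      = @{ includePlatforms = @('iOS') }
            clientAppTypes = @('mobileAppsAndDesktopClients')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @($Control)
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function New-IosOfficeAppProtectionPolicy {
    $policy = @{
        '@odata.type' = '#microsoft.graph.iosManagedAppProtection'
        displayName   = 'iOS Office apps: PIN and offline wipe'
        pinRequired   = $true
        # Keep the app PIN even when a device PIN is set, so the requirement survives
        # the device leaving MDM (the "require PIN via app policy" workaround above).
        disableAppPinIfDevicePinIsSet = $false
        minimumPinLength              = 6
        periodOnlineBeforeAccessCheck  = 'PT30M'
        periodOfflineBeforeAccessCheck = 'PT12H'
        # Conditional launch: wipe app data after 30 days (assumed value) without
        # the app reaching the service, which covers a device that stays unenrolled.
        periodOfflineBeforeWipeIsEnforced = 'P30D'
        dataBackupBlocked                       = $true
        allowedInboundDataTransferSources       = 'managedApps'
        allowedOutboundDataTransferDestinations = 'managedApps'
        appDataEncryptionType                   = 'whenDeviceLocked'
    }
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections' `
        -Body $policy

    # Target the policy at Outlook and OneNote by App Store bundle id.
    $targets = @{
        apps = @(
            @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' } },
            @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.onenote' } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
        -Body $targets
    $created
}

# Usage (placeholder group id):
# New-MobileOfficeCaPolicy -PilotGroupId '00000000-0000-0000-0000-000000000000'
# New-IosOfficeAppProtectionPolicy
```

Neither policy changes what the thread observes: a user-initiated unenrollment or deletion of the Company Portal does not, by itself, trigger an app-level wipe. What the app protection policy adds is a bounded exposure window, since the offline-wipe timer clears the app data once the app has not checked in for the configured period, and the app PIN stays in force in the meantime.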


Hi @mjanssen777,

to selectively wipe company data from apps when the user removes the device from the Company Portal or deletes the Company Portal app on iOS devices you can try to use the Selective wipe for apps feature in Intune.

To enable selective wipe for apps, follow these steps:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Go to Devices > Configuration profiles > Create profile.
  3. Select Custom profile.
  4. In the Platform drop-down list, select iOS/iPadOS.
  5. In the Profile name box, enter a name for the profile.
  6. In the Description box, enter a description for the profile.
  7. Under Settings, go to Apps > Selective wipe for apps.
  8. Click Add.
  9. In the App drop-down list, select the app that you want to wipe when the device is no longer managed by Intune.
  10. Click OK.
  11. Repeat steps 9 and 10 to add any additional apps that you want to wipe.
  12. Click Save.
  13. Click Deploy.
  14. Select the devices to which you want to deploy the profile.
  15. Click Deploy.

Once the profile is deployed, company data from the selected apps will be wiped when the user removes the device from the Company Portal or deletes the Company Portal app.

You can use this as a reference:

*Selective wipe for apps is only supported for Intune-managed apps.

Kindest regards,

Leon Pavesic

@LeonPavesic This seems so close but I am not able to find the setting in the device configuration profiles. Things are a bit off from the instructions once you click to add a new profile. It wants me to select platform (iOS/iPadOS) and then a Profile type - (Settings catalog or Templates - with several to choose from). I couldn't find anything related to selective wipe or retiring a device unfortunately.

Once the user deletes the device from Company Portal or uninstalls Company Portal, then corporate data should get removed. You can also initiate a selective wipe from apps or retire the enrolled devices in Intune as admin actions.

I would have thought so too, but that isn't what is happening. If a user removes the device via the portal or dumps the Company Portal app, a selective wipe does not kick off on the iOS devices I have and am testing with (an iPad and iPhone both on iOS 17). The data hangs out. Eventually the sign-in times out and they don't get any new data.

Retire and app selective wipe from the portal work fine.