[New Blog Post] Selective Wipe Corporate Data on unmanagmed devices (iOS/iPadOS and Android)

Iron Contributor

ShadyKhorshed_0-1693481272024.png

 



1.  Introduction

This blog aims to detail the Mobile Application Management for un-managed iOS/iPadOS devices and un-managed Android devices. This blog is intended to demonstrate how to utilize selective wipe corporate data. When a device is stolen, or lost or an employee leaves the company, you want to be sure there is no corporate data left on the device. This can be achieved by performing a selective wipe. After the selective wipe is requested, the corporate data will be removed from the app. This will be performed the next time the app is started. This guide will touch on three aspects as follow:

  • Conditional Launch
  • Device based wipe request (Stolen/Lost device)
  • User based wipe request (Employee leave the company)

 

  1. How to initiate a wipe

There are two ways to initiate a selective wipe. The selective wipe can be performed as part of the Conditional Launch in the App protection policy or by manually initiating a wipe request (Device based wipe and User base wipe).

2.1. Conditional launch

When you configure an app protection policy a selective wipe will be configured. This is part of the conditional launch. One of the default settings is “Offline grace period -> 180 days”. After 180 days offline you need to reconnect to the network and successfully authenticate. If the user successfully authenticates nothing will happen, but if the user fails, a selective wipe will be performed.

ShadyKhorshed_1-1693481272034.png

 

2.2.   Manually initiate a wipe request

Here are two ways to manually initiate a wipe request. There is a device based wipe request and a user based wipe request. To initiate a wipe select in the MEM admin center “Apps” -> “App selective wipe” or press here. In the top of the app selective wipe blade, you can select “Wipe request” (device based wipe) or “User-Level Wipe” (user based wipe).

ShadyKhorshed_2-1693481272038.png

 

2.2.1.  Device based wipe request

With a device based wipe request a wipe can be initiated for each user device registered with an app protection policy. If a user has lost the device and a new device is in use. Then a device based wipe can be used to only wipe the previous device.

  1. Press the button “Create wipe request” in top of the page.ShadyKhorshed_3-1693481272041.png

     

    2.    Press “Select user” to select the user of which you want to wipe a device. After the user has been selected the devices belonging to the user will be displayed. Select the device you want to wipe and press “Create”.ShadyKhorshed_4-1693481272049.png

     

    3.   The wipe request will be sent to the device to remove corporate data from applications protected with an app protection policy. You will return to the app selective wipe blade where you can monitor the removal process of the user. Pending requests can be deleted by right-clicking the request and selecting “Delete wipe request”.ShadyKhorshed_5-1693481272053.png

     

    4.   After successfully performing a wipe, the device will be removed from the device overview that was display on step 2.

ShadyKhorshed_6-1693481272056.png

 

Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request has been made.

ShadyKhorshed_7-1693481272062.png

 

2.2.2.    User based wipe request

 When performing a user-based wipe request a wipe request will be sent to all apps on all the devices. This wipe you may want to perform when a user leaves the company and you want to be sure that all data is removed from all devices associated with the user.

  1. In the app selective wipe page select “User-level wipe” and press “add” to select the user for which you want to perform a user-level wipe.ShadyKhorshed_8-1693481272065.png

     

    2.   Now the user has been selected wipe requests will be sent to all the devices of the user. As long as the user is on the list. The user will continue to get wipe commands at every check-in from all devices. To allow sign-in on a device you first need to remove the user from the list.ShadyKhorshed_9-1693481272070.png

     

    1.   The wipe action can be monitored using the User report (“Apps” -> “Monitor” -> “Reports”) or click here.

ShadyKhorshed_10-1693481272073.png

 

Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.

ShadyKhorshed_11-1693481272079.png

 

 

Author

Shady Khorshed is a Microsoft enthusiast. He loves writing on iOS/Android, Windows 11, Windows 365 and related Microsoft Intune. He is here to share quick tips and tricks for all young professionals.

 

 

3 Replies
#IntuneFLWEnhancements #microsoft #azure #business #ipad #iphone #intune #ios #android #mobiledevicemanagement #monitor #defender #endpointsecurity #endpointmanagement #endpointprotection #endpoint

@ShadyKhorshed Thank you for this post. The issue I'm running into is that I have some stuck in pending for ages. Is there a way to brute force the removal of company data? 

Hi @DavidPuffer

 

The device has to been connected online to take an effect. However, you cannot enforce it if the device is offline. 

if you found my answer helpful, please mark it as Best! 

Best Regards

Shady Khorshed