Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

Prevent user removal of profile on iOS BYOD

%3CLINGO-SUB%20id%3D%22lingo-sub-3193734%22%20slang%3D%22en-US%22%3EPrevent%20user%20removal%20of%20profile%20on%20iOS%20BYOD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3193734%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20looking%20at%20using%20Intune%20to%20manage%20mobile%20devices%20for%20a%20client%20who%20uses%20personal%20devices%20for%2090%25%20of%20their%20users%20-%20their%20users%20are%20not%20directly%20employed%20by%20them.%20I%20am%20working%20on%20Intune%20in%20a%20test%20tenant%20and%20have%20some%20issues%20with%20iOS%20devices.%20Our%20SKU%20is%20Microsoft%20365%20Business%20Premium%20and%20I%20am%20using%20Outlook%20as%20an%20example%20app.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20pushed%20Microsoft%20Outlook%20to%20the%20device%20and%20configured%20it%20with%20the%20company%20account%20and%20I%20can%20do%20a%20selective%20wipe%20from%20the%20dashboard.%20But%20the%20issue%20is%20that%20the%20end%20user%20can%20remove%20the%20MDM%20profile%20from%20the%20iOS%20settings%20app%20and%20leave%20all%20of%20the%20data%20stored%20on%20their%20device%20completely%20unmanaged.%20The%20App%20Protection%20Policies%20no%20longer%20apply%20so%20they%20don't%20even%20get%20prompted%20for%20the%20PIN%20defined%20within%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20remove%20set%20the%20app%20to%20be%20removed%20when%20the%20device%20is%20removed%20from%20management%20but%20this%20isn't%20ideal%20because%20the%20user%20could%20be%20using%20Outlook%20(or%20whatever%20supported%20app%20is%20in%20question)%20for%20their%20personal%20activities.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20I%20can%20use%20conditional%20access%20to%20require%20devices%20to%20be%20enrolled%20but%20that%20would%20only%20prevent%20them%20connecting%20and%20downloading%20new%20emails%2C%20it%20would%20do%20nothing%20to%20protect%20the%20data%20that%20is%20already%20synched.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3193734%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3194420%22%20slang%3D%22en-US%22%3ERe%3A%20Prevent%20user%20removal%20of%20profile%20on%20iOS%20BYOD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3194420%22%20slang%3D%22en-US%22%3EOK%20So%20I%20understand%20now%20that%20the%20App%20Protection%20Policies%20are%20enforced%20by%20the%20apps%20themselves.%20I%20thought%20I'd%20seen%20somewhere%20that%20it%20was%20enforced%20by%20the%20Company%20Portal%20app%2C%20so%20I%20still%20have%20some%20control.%20Still%20trying%20to%20understand%20how%20it%20can%20be%20that%20I%20cannot%20prevent%20the%20user%20from%20manually%20removing%20the%20MDM%20policy.%20Surely%20there%20is%20a%20way%20to%20do%20it%3F%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi,

 

We are looking at using Intune to manage mobile devices for a client who uses personal devices for 90% of their users - their users are not directly employed by them. I am working on Intune in a test tenant and have some issues with iOS devices. Our SKU is Microsoft 365 Business Premium and I am using Outlook as an example app.

 

I have pushed Microsoft Outlook to the device and configured it with the company account and I can do a selective wipe from the dashboard. But the issue is that the end user can remove the MDM profile from the iOS settings app and leave all of the data stored on their device completely unmanaged. The App Protection Policies no longer apply so they don't even get prompted for the PIN defined within that.

 

I can remove set the app to be removed when the device is removed from management but this isn't ideal because the user could be using Outlook (or whatever supported app is in question) for their personal activities.

 

I know I can use conditional access to require devices to be enrolled but that would only prevent them connecting and downloading new emails, it would do nothing to protect the data that is already synched.

 

Regards

1 Reply
OK So I understand now that the App Protection Policies are enforced by the apps themselves. I thought I'd seen somewhere that it was enforced by the Company Portal app, so I still have some control. Still trying to understand how it can be that I cannot prevent the user from manually removing the MDM policy. Surely there is a way to do it?