This blog is about when and why you need to perform a Retire, a Wipe or a selective wipe when an employee leaves the company or their device is stolen.
In one of my last blogs, I explained why it's important to configure App protection policies. I want to dedicate this blog to the methods available to make sure that when a user leaves the company there is no company data and/or company apps left on the mobile device.
Which method you should use depends on how the devices were enrolled: are they personally owned or corporate-owned? The employee would not be very happy if you wiped their personally owned mobile device.
We have these options:
- Wipe
- Retire
- Selective Wipe
- App Protection Disabled Account Wipe
1. Wipe
With this first option, you restore the device to its factory defaults: it removes all personal and company data. This option is intended for corporate-owned devices only. As I said earlier, you don't want to wipe personally owned devices.
Of course, you could block the enrollment of personally owned devices so that only corporate-owned devices can be enrolled. There can be good reasons to allow only corporate devices, but in my opinion, when app protection is configured properly, there is no reason to block personal enrollment.
It's a good thing that personally owned Android devices with a work profile can't be wiped: Google doesn't allow the MDM provider to factory-reset a personally owned work profile device.
If you want the option to wipe the device, you need to enrol corporate-owned Android devices with a work profile.
But look at a personally enrolled iOS device and you will notice that you can wipe it! The option is not greyed out.
That is because the default enrollment is device-based instead of user-based. Apple User Enrollment is far better for personal devices because it removes the option to wipe the device: User Enrollment restricts the permissions Intune has when managing the device.
But every advantage has its disadvantage: you need to set up Apple Business Manager (ABM), and provide a D-U-N-S number to do so, before you can use User Enrollment. That's a shame, because it can take some time before you have received the DUNS number and configured ABM.
2. Retire
For personally owned devices, this is maybe the best option you have: it removes the managed application data (where applicable), settings and email profiles that were assigned by Intune, and leaves the user's personal data untouched.
iOS: When you choose to retire an iOS device, this is what happens:
Apps installed using the Company Portal: apps that are pinned to the management profile are removed together with all their app data. This includes apps originally installed from the App Store and later managed as company apps, unless the app is configured not to be uninstalled on device removal.
Microsoft apps that use App Protection Policies and were installed from the App Store: when a Retire action is initiated against an enrolled device, Intune also initiates a selective wipe for apps (including those installed from the App Store) that hold work or school account data protected by an app protection policy. The next time the app is launched, the selective wipe removes the protected work or school account data. For the selective wipe to happen, an App Protection Policy check-in must have occurred between the MDM enrollment and the Retire action. Personal app data and the apps themselves are not removed by a selective wipe.
Android: When you choose to retire an Android Enterprise personally owned device with a work profile, this is what happens:
It removes all data, apps and settings in the work profile on the personally owned Android device, and it removes the work profile itself from the device.
Just like with iOS, retiring an Android device leaves the personal data intact.
3. Selective Wipe
If you only want to remove the company data from the device (selectively) and not the apps, this is the option you need. You don't want to remove all of the apps when the device is employee-owned: maybe the employee has configured a personal Outlook account and really doesn't want to see that removed.
The only requirement to perform a selective wipe on iOS and Android is that App protection policies are configured. Without app protection policies, a selective wipe is not possible.
How to perform a selective wipe?
The wipe may take up to 30 minutes, and the user must open the app for the wipe to take place.
You can monitor a Retire or Wipe action in the audit logs of the Microsoft Endpoint Manager admin center.
4. App Protection Disabled Account Wipe
I blogged about this option a week ago. Please read my short blog about
It's really important that we all know the differences between these methods, so that the data on the employee's old device is actually removed.
* Use Retire or a selective wipe (app protection) on personally owned devices (BYOD) when the user leaves the company.
* Use Wipe when the device gets stolen (if that is possible for the device).
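To put the rules above into practice, here is an added example script (not code from the original post) that applies them to one user's devices through Microsoft Graph: personally owned devices are retired, corporate-owned devices are wiped, and an app protection selective wipe is queued for every app registration of the user, which also covers apps on devices that were never MDM-enrolled. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in admin has the scopes requested in the script, and that the Graph v1.0 endpoints used behave as documented; the admin account, tenant and user are placeholders.

```powershell
# Added example, not code from the original post. Applies the post's rules to one
# user's devices: BYOD -> Retire, corporate -> Wipe, plus an app protection
# (selective) wipe per device tag. Assumed: Microsoft.Graph.Authentication is
# installed and the scopes below are sufficient. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$UserPrincipalName
)

Connect-MgGraph -Scopes 'User.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementApps.ReadWrite.All' | Out-Null
$graph = 'https://graph.microsoft.com/v1.0'

# Never factory-reset a BYOD device: Google refuses it for personal work
# profiles anyway, and an iOS user would not thank you for it.
function Get-DeviceAction {
    param($Device)
    if ($Device.managedDeviceOwnerType -eq 'personal') { return 'retire' }
    return 'wipe'
}

$user    = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$UserPrincipalName"
$devices = (Invoke-MgGraphRequest -Method GET -Uri ("$graph/users/$($user.id)/managedDevices" +
            '?$select=id,deviceName,operatingSystem,managedDeviceOwnerType')).value

foreach ($d in $devices) {
    $action = Get-DeviceAction -Device $d
    $label  = "$($d.deviceName) [$($d.operatingSystem), $($d.managedDeviceOwnerType)]"
    if ($PSCmdlet.ShouldProcess($label, $action)) {
        # POST /deviceManagement/managedDevices/{id}/retire  or  .../wipe
        Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($d.id)/$action"
    }
}

# App protection selective wipe, one request per device tag. The data is removed
# the next time the user opens the app, so allow up to 30 minutes.
$regs = (Invoke-MgGraphRequest -Method GET -Uri ("$graph/users/$($user.id)/managedAppRegistrations" +
         '?$select=id,deviceName,deviceType,deviceTag')).value
$tags = $regs | ForEach-Object { $_.deviceTag } | Where-Object { $_ } | Sort-Object -Unique
foreach ($tag in $tags) {
    if ($PSCmdlet.ShouldProcess("app registrations tagged $tag", 'selective wipe')) {
        Invoke-MgGraphRequest -Method POST -Body @{ deviceTag = $tag } `
            -Uri "$graph/users/$($user.id)/wipeManagedAppRegistrationsByDeviceTag"
    }
}

# Check: each managed device records the state of actions issued against it.
# 'pending' means the device has not checked in yet.
foreach ($d in $devices) {
    $state = Invoke-MgGraphRequest -Method GET -Uri ("$graph/deviceManagement/managedDevices/$($d.id)" +
             '?$select=deviceName,deviceActionResults')
    foreach ($r in $state.deviceActionResults) {
        '{0}: {1} is {2} (updated {3})' -f $d.deviceName, $r.actionName, $r.actionState, $r.lastUpdatedDateTime
    }
}
```

Run it as `.\Offboard-MobileDevices.ps1 -UserPrincipalName user@contoso.com -WhatIf` (script name and UPN are placeholders) to see which action each device would get before anything is sent. The app protection wipe is issued separately on purpose: a Retire already triggers a selective wipe on enrolled devices, but an app registration with no matching managed device is a MAM-only device, and the device-tag request is the only way to reach it.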