JeroenF-4481 asked Jason-MSFT answered

iPhone private (BYOD) phone can be wiped.

Hello,

Somehow, when we want to enroll a personal device like an iPad or iPhone and we log in to the Company Portal, we see on the "Device Management and your privacy" page: CAN: Reset lost or stolen device to factory settings...

I really don't want to have that option in Intune to reset a full personal device.

Any ideas or solutions for this?

I can't find much about it.
Normally you could only wipe the company data, but not the whole device.

Regards Jeroen

mem-intune-enrollment
Jason-MSFT answered

Any ideas or solutions for this?

Yes, don't enroll the device in MDM management and only use App Protection Policies (APP) -- aka Mobile Application Management (MAM). See https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

LuDaiMSFT-0289 answered Jason-MSFT commented

@JeroenF-4481 Thanks for posting in our Q&A. From your description, did you mean that you want to only delete the company data and keep the personal data on iOS devices? If there is any misunderstanding, feel free to let us know.

Based on my understanding, the "Retire" action will meet the requirement. It will remove managed app data (where applicable), settings, and email profiles that were assigned by using Intune. And it will leave the user's personal data on the device. We can read the following article to get more detailed information:
https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#retire

Hope the above information will help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hey, thanks for the responses.

Somehow it just feels bad that you need to configure it like that. And how is it possible that a Company Portal (Intune) can control your whole device like that? Yes, I know the retire option, but I don't want to have people from the Servicedesk clicking the wrong button and the Doctor loses his whole phone stuff..

@JeroenF-4481 Thanks for your quick response. I understand your concerns. Currently, there is no method to disable this setting in the company portal.

Given this situation, it is suggested to post your detailed requirement in Intune UserVoice. This is a place to collect customers' requirements and problems.
https://microsoftintune.uservoice.com/forums/291681-ideas

At the same time, I will also try my best to give feedback.


@Jason-MSFT Do you have any idea? And is there a plan to disable the factory reset button in the Company Portal?

You could possibly utilise RBAC in Intune and assign a custom role to the SD with restrictive permissions on remote actions.

Yes, but you cannot say they can wipe company devices, but not the personal ones...

So it still stays a bit tricky, tbh.

Somehow it just feels bad that you need to configure it like that. And how is it possible that a Company Portal (Intune) can control your whole device like that?

Same answer as I've given above. Don't enroll the device and simply use MAM. This is explicitly the purpose of MAM without enrollment.

Apple is working on a User Enrollment mode that is meant for BYOD type scenarios, but at this time, the solution is not very mature and we don't generally recommend its use (yet).

JeroenF-4481 answered JeroenFonferek-6454 commented

Thank you for your response @LuDaiMSFT-0289

Also, I don't understand why it needed a Managed Apple ID (Azure login); normally it would use the Apple ID that's signed in to the App Store etc.


@JeroenF-4481 Could you please explain it in more detail? To facilitate the management of Q&A posts, if this issue is different from the one above, it is suggested to post another one.

Thanks for understanding. : )


Hello,

I don't understand why I need to have a managed Apple ID to use BYOD... I don't remember this from other MDM solutions, having to have a managed Apple ID. So it's a must to add the DEP to Azure if you want to use BYOD.

@JeroenF-4481 Thanks for your explanation.

Please understand that we don't need to have a managed AppleID for BYOD enrollment. The managed AppleID is used in iOS with User Enrollment.

If we enroll the iOS device with device enrollment, meaning that we don't configure the enrollment type profile or we select the "Device enrollment" enrollment type, we don't need a managed Apple ID and only need a user with an Intune license.

Hope it will help.


Azure AD and managed Apple IDs are two completely different things. All users that have any sort of management from Intune require an Azure AD account. User enrollment into Intune for device management using the Company Portal in no way requires a managed Apple ID. I don't really consider this BYOD though. Once again, you should be looking at App Protection Policies and not device enrollment for BYOD.

Jason-MSFT answered

No, there is no way to force cert enrollment when using APP although that's not normal for BYOD.

As for User Enrollment, as I initially called out, that's a newer enrollment method that Apple recently introduced that we don't generally recommend using yet because it lacks some capabilities and has some rough spots. The requirement of the managed Apple ID you see there is their requirement and not Intune's.
