Not removing Outlook account from iOS device after retiring device from Endpoint Portal

Question

question

SurendrasinghChaupawatAPMEAiCORECI-4950 asked Dec 30, '21 LuDaiMSFT-0289 commented Jan 4, '22

Not removing Outlook account from iOS device after retiring device from Endpoint Portal

Hello,

When we are retiring a iOS enrolled device ( BYOD MDM) from Endpoint portal, we have observed the below behavior.

Please confirm below is the expected behavior or how to resolve it ?
1. After retiring a iOS device from Endpoint portal, device Intune configuration and MDM profile was removed device. But users still able to see new and old emails from Outlook and it worked the same at least for 24 hours.

After more than 24 hours, we have observed users got prompt "Data Removal" on Outlook app but when user is getting any new email for that account still able to get notification and when he click on email notification it routes on Outlook app but he didn't seen the new email.
Is it possible that after retiring device the outlook and other O365 apps configuration must be removed from device and users should not get any new email notification and users should not be able to view old and new emails ?

Regards,
Surendra

office-outlook-itpro mem-intune-enrollment mem-intune-application-management

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SurendrasinghChaupawatAPMEAiCORECI-4950 · Dec 30, 2021 at 09:31 AM

I am unable to see my 3rd point above, hence re-adding the 3rd point.

Is it possible that after retiring device the outlook and other O365 apps configuration must be removed from device and users should not get any new email notification and users should not be able to view old and new emails ?

Regards,
Surendra

0 ·

Answer 1 · 2021-12-30T11:06:28.657Z

TimmyAndersson answered Dec 30, '21 SurendrasinghChaupawatAPMEAiCORECI-4950 commented Dec 30, '21

The best approach in my opinion here would be to use Conditional Access and create a policy that requires devices to be marked as compliant when accessing email.
This would block the user from accessing their email account if the device is not enrolled and compliant.

https://docs.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SurendrasinghChaupawatAPMEAiCORECI-4950 · Dec 30, 2021 at 11:46 AM

Hello,

The conditional access policy is already in placed, but still facing issue.

Below are the current configuration but still users is receiving new email notification on his ios device after retiring device from Endpoint portal.

Selected users group

Client Apps or actions - O365 apps

Conditions - a) Device Platform : Android and iOS b) Client apps : Browser and Mobile apps & Desktop client

Grant Control : 1. Required MFA 2. Required device to be compliant 3. Required approved clients 4. Required app protection policy 5. Required all the selected controls

0 ·

Answer 2 · 2021-12-31T03:32:45.453Z

LuDaiMSFT-0289 answered Dec 31, '21 SurendrasinghChaupawatAPMEAiCORECI-4950 commented Jan 3, '22

@SurendrasinghChaupawatAPMEAiCORECI-4950 Thanks for posting in our Q&A.

For remove outlook account, it shows that retire action will remove mail accounts that were provisioned by Intune on windows 10 devices.

For iOS devices, if the microsoft app is protected by intune, when we do the retire action, the next time the app is launched, it will remove the protected work or school account data. For more details, please refer to the following article:
https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#ios

So, based on my understanding, if you deploy an app protection policy to the work or school account and add Outlook as managed app, when you retire the iOS device, it may also remove the account on Outlook.

Hope it will give you some ideas.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

image.png (53.2 KiB)

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LuDaiMSFT-0289 · Jan 03 at 06:57 AM

@SurendrasinghChaupawatAPMEAiCORECI-4950 Haven't heard from you for some time, I am checking this thread, if you have a chance to review this thread, please check if my reply is helpful. Thanks.

0 ·

SurendrasinghChaupawatAPMEAiCORECI-4950 LuDaiMSFT-0289 · Jan 03 at 08:32 AM

Hello,

Please find my below response and testing results.

1st Test case:

When i enroll iOS device in Intune and downloaded Outlook app from Intune app Catalogue\Store (Not from Apple App Store) and after some time i retire ios device from Endpoint portal.

Configuration -
1. On Endpoint portal Conditional access and MAM is already configured for Outlook app.
2. Enrolled ios device in Intune
3. Download Outlook app from Intune app Catalogue\Store (Not from Apple App Store)
4. Configured account in Outlook app and able to see Emails. MAM policy confirmation status also came on device after configuring Outlook app on device.
5. After some time from Endpoint portal, i have Retire enroll device.

Results:
1. Device entry was removed from Endpoint portal in after few minutes.
2. Intune app and his configuration removed from device.
3. MDM profile was removed from device
4. Outlook configuration was removed automatically after sometimes when we launched Outlook app 2 times.
5. After automatically Outlook configuration removed from iOS device, we have sent 2 test email on the same id and we didn't received any email notification on Retire device.

0 ·

SurendrasinghChaupawatAPMEAiCORECI-4950 SurendrasinghChaupawatAPMEAiCORECI-4950 · Jan 03 at 08:33 AM

2nd Test Case:
When i downloaded Outlook app from Apple App store (Not from Intune app Catalogue\Store) before enrolling iOS device in Intune.

Configuration -
1. On Endpoint portal Conditional access and MAM is already configured for Outlook app.
2. Downloaded Outlook app from Apple App store (Not from Intune app Catalogue\Store)
3. Enrolled ios device in Intune
4. After enroll device in Intune, Open Intune app > Click on Outlook app to Install > It prompts to Manage app (It prompt to manage already downloaded Outlook app)
5. Configured account in Outlook app and able to see Emails. MAM policy confirmation status also came on device after configuring Outlook app on device.
6. After some time from Endpoint portal, i have Retire enroll device.

Results:
1. Device entry was removed from Endpoint portal in after few minutes.
2. Intune app and his configuration removed from device.
3. MDM profile was removed from device
4. Outlook configuration was removed automatically after sometimes when we launched Outlook app 2-3 times.
5. After automatically Outlook configuration removed from iOS device, we have sent 2 test emails on the same id but this time we have received email notification on Retire device even after outlook configuration removed. (We are unable to see email subject and contain, while clicking on notification.)

0 ·

outlook-notification-screenshot.jpg (66.4 KiB)

Answer 3 · 2022-01-04T07:04:40.91Z

LuDaiMSFT-0289 answered Jan 4, '22 LuDaiMSFT-0289 commented Jan 4, '22

@SurendrasinghChaupawatAPMEAiCORECI-4950 Thanks for your efforts to do some tests.

For this issue, I have done the test as my said before. In my test, I didn't have the conditional access policy and I only deploy an app protection policy to my user group. Outlook is a managed app in the app protection policy.

When I retire the iOS device successfully and wait for some time, I will get the message in Outlook and my account is removed from Outlook. When I try to send an email to the my account, I didn't get a new email notification.

Hope it will help.

image.png (71.6 KiB)

· 4

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SurendrasinghChaupawatAPMEAiCORECI-4950 · Jan 04 at 07:07 AM

Hello,

I have mentioned the 2 test scenario, could you please confirm have you tested the both scenario ? Could you please confirm the outlook app you have downloaded from Intune app store after enrolling your device or Outlook app was already installed on your device before enrolling device in Intune ?

0 ·

LuDaiMSFT-0289 SurendrasinghChaupawatAPMEAiCORECI-4950 · Jan 04 at 07:55 AM

@SurendrasinghChaupawatAPMEAiCORECI-4950 I have done the two test scenarios. In my environment, whether I download Outlook first or enroll the device first, the test results are the same.

Honestly, for the different results of your tests, there is no any helpful idea that I can share with you. With Q&A limitation, it is suggested to create an online support ticket to find the root cause. It is free. Here is the support link:
https://docs.microsoft.com/en-us/mem/get-support

Thanks for understanding.

0 ·

SurendrasinghChaupawatAPMEAiCORECI-4950 LuDaiMSFT-0289 · Jan 04 at 07:59 AM

Thanks for your Great support. I will raise a support ticket and try to get fix of my issue.

0 ·

Show more comments

question