Dreddy-0825 asked LuDaiMSFT-0289 answered

Intune MDM does not delete managed app

Hi team, we have apps that can be downloaded from the Company Portal, and we also have the possibility to download them directly from the iOS App Store.

We can then log in to the app, and Company Portal validates whether the device is managed.

The problem is that when we remove the device from being managed by Company Portal, it does not automatically delete the app, which results in the user accessing the app while the device is unmanaged.

Would you kindly advise how this could be resolved, please?

mem-intune-device-configurations

LuDaiMSFT-0289 answered LuDaiMSFT-0289 commented

@Dreddy-0825 Thanks for posting in our Q&A.

Generally, if we want to unenroll managed devices and delete the managed app, we do the "Retire" action in the Intune portal.
https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#retire

If you just want to remove devices in the Company Portal app, you need to configure the setting "Uninstall on device removal" to "Yes" under the target app's assignments. When the device is no longer managed by Intune, the apps will be uninstalled.

Hope it will help.


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

@Dreddy-0825 I am currently standing by for a further update from you and would like to know how things are going. If you have any questions or concerns about the recent information I've provided, please don't hesitate to let me know.

Dreddy-0825 answered Dreddy-0825 commented

Hi, thanks! What you mentioned is already in place. Somehow, if we download the app directly from the App Store before Company Portal was downloaded, then when the device is no longer managed it does not delete the app automatically.


@Dreddy-0825 Thanks for your update. If the apps are installed from the App Store and not deployed by Intune, the apps will not be removed when the device is no longer managed by Intune. Based on my understanding, this is expected behavior.


It can't be, because when the user has enrolled the device, this app (which we downloaded outside) is seen as a managed app.

The problem we have is that once we access the app, credentials are remembered for 90 days. If the user removes the device from being managed, it removes everything except this app. The user can still access company resources. Red flag on compliance.

LuDaiMSFT-0289 answered LuDaiMSFT-0289 commented

@Dreddy-0825 If the app is protected by an app protection policy, we also call it a managed app, even if the app is installed from the App Store. It is suggested to try the Retire action. It will wipe the work or school account data protected by an app protection policy.
https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#ios

I have done the test in my lab. I added Outlook to an app protection policy and deployed the policy to my user. When I retire the iOS device successfully and wait for some time, I get the message in Outlook and my account is removed from Outlook.

Hope it will help.

@LuDaiMSFT-0289 I am checking this thread. If you have a chance to review it, please check whether my reply is helpful. Thanks.

Dreddy-0825 answered

Hi, thank you for checking on me. When a device is not managed anymore, it won't be possible to perform the Retire action. I was told by an Azure expert that he can't see it as being managed anymore, but I'm still able to access the data.

LuDaiMSFT-0289 answered

@Dreddy-0825 Yes, you're right. The Retire action can only be performed while the device is managed by Intune.

Currently, there is no method to make the Azure AD account sign out from the app when the device is unmanaged. I'll share two alternatives with you; maybe one of them will meet your requirements.

Method 1: An app protection policy can wipe the account and data.
If the device is unmanaged, please try to deploy an app protection policy to the target user. Please set "Device types" to "Unmanaged" and set the "Offline grace period" to 1 day with the action "Wipe data".

When the app runs offline for more than one day, it will perform a selective wipe of the user's account and data. For more details, please read the content about "Offline grace period" at the following link:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#conditional-launch

Method 2: A conditional access policy will make the end user re-enroll the device, and then we can do the Retire action.
It is suggested to deploy a conditional access policy to the target user: add the target app under "Cloud apps or actions" and select "Require device to be marked as compliant" under Grant. For more details about creating a conditional access policy, we can refer to the following article:
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create

When you use the target user to sign in to the target app on the unmanaged device, it may ask you to enroll the device. Then we can try to do the Retire action as I said before.

Hope it will give you some ideas.


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
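As an added example (not code from this thread or from Microsoft's documentation), the following PowerShell script expresses both methods above through Microsoft Graph v1.0: it audits existing iOS app protection policies for the two Method 1 settings, creates a policy with them, and creates the Method 2 conditional access policy in report-only mode. It assumes the Microsoft.Graph.Authentication module is installed; the display names, the 12-hour access-check value, and the `<TARGET-APP-ID>` / `<TARGET-GROUP-ID>` values are placeholders, and treating an absent or `PT0S` wipe period as "not configured" is an assumption.

```powershell
# Added example, not code from the thread. Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All'

$appUri = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'

# 1) Audit: a policy that targets unmanaged devices but has no offline wipe period leaves cached
#    app credentials usable after the device drops out of management (the problem in this thread).
$policies = (Invoke-MgGraphRequest -Method GET -Uri $appUri).value
foreach ($p in $policies) {
    $levels = "$($p.targetedAppManagementLevels)"      # flags enum, e.g. 'unmanaged' or 'unmanaged,mdm'
    $wipe = [TimeSpan]::Zero                            # assumption: absent or PT0S means "not configured"
    if ($p.periodOfflineBeforeWipeIsEnforced) {
        $wipe = [System.Xml.XmlConvert]::ToTimeSpan($p.periodOfflineBeforeWipeIsEnforced)  # ISO 8601 duration
    }
    if ($levels -match 'unmanaged|unspecified' -and $wipe -eq [TimeSpan]::Zero) {
        Write-Warning "$($p.displayName): covers unmanaged devices but never wipes offline data"
    } else {
        Write-Host "$($p.displayName): levels=$levels, offline wipe after $wipe"
    }
}

# 2) Method 1: "Device types" = Unmanaged, "Offline grace period" = 1 day with action "Wipe data".
$appPolicy = @{
    '@odata.type'                     = '#microsoft.graph.iosManagedAppProtection'
    displayName                       = 'PLACEHOLDER - iOS APP, unmanaged devices, wipe after 1 day offline'
    targetedAppManagementLevels       = 'unmanaged'
    periodOfflineBeforeAccessCheck    = 'PT12H'   # placeholder: block access after 12 h offline
    periodOfflineBeforeWipeIsEnforced = 'P1D'     # one day offline, then selective wipe
}
$created = Invoke-MgGraphRequest -Method POST -Uri $appUri -Body ($appPolicy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Host "Created app protection policy $($created.id); add the target apps and assign it to the user group."

# 3) Method 2: require a compliant device for the target app. Report-only mode so the sign-in logs
#    show who would be forced to enroll before anyone is actually blocked.
$caPolicy = @{
    displayName   = 'PLACEHOLDER - require compliant device for the target app'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications = @{ includeApplications = @('<TARGET-APP-ID>') }   # placeholder: app (client) ID
        users        = @{ includeGroups       = @('<TARGET-GROUP-ID>') } # placeholder: target group ID
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($caPolicy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

Switch the conditional access policy's `state` to `enabled` only after the report-only sign-in logs confirm it hits the intended users.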