Jump to content


anyweb

Removing company data from Endpoint Manager enrolled phones

Recommended Posts

Introduction

I wanted to better understand the options available for removing company data from phones enrolled within Endpoint Manager (formally known as Intune) so some research and testing was in order and that's exactly what me and my colleague did, additionally I wanted to get proof of the actions via the Auditing ability within Endpoint Manager. The phones involved in the testing were Company Owned iPhone and Android Fully Managed devices. There were a number of ways of removing company data shown below, and in this blog post I'll focus on the first two options, if you'd like to automate it with PowerShell then see my 2 links at the bottom of this blog post for information on how you can do that.

  • User Actions on the phone itself
  • Remote actions from within Endpoint Manager
  • Remote actions using PowerShell via Graph

User actions on the phone

On the phone itself (iPhone) the user has a number of options available. They can open the Company Portal app, select the device from the list of devices and click on the 3 dots (elipse) to see actions available and those include

  • Remove Device
  • Factory Reset

cp_ios_unenroll_after_1804_001.png

When you unenroll your device from Intune by selecting Remove Device, here's what happens:

  • Your device won't appear in the Company Portal anymore.

  • You can't install apps from the Company Portal anymore.

  • Any settings that were changed on your device when you added it (for example, disabling the camera, or requiring a certain password length) will no longer apply.

  • You might not have access to some company resources, such as file shares or internal web sites, on your device anymore.

  • You can't use company apps and company data on your device anymore.

  • You might not be able to connect to your company network using Wi-Fi or a virtual private network (VPN) anymore.

  • Company email profiles are removed from the device.

  • Devices that are configured for email only won't appear in the Company Portal app or website anymore.

  • Apps are uninstalled. Company app data is removed.

The process above is described here for iOS devices. https://docs.microsoft.com/en-us/mem/intune/user-help/unenroll-your-device-from-intune-ios

Choosing the Factory Reset option prompts you to use the factory reset option within the iPhone settings app, and the result is that the phone is factory reset, company data is wiped, in fact everything  is wiped including personal data, settings, etc, but the device is not immediately removed from Intune.

Choosing this method should also prompt the end user for their icloud password to confirm that they were going to reset the phone, in addition they would receive an email from Apple indicating that 'find my' Iphone has been disabled.

find my disabled.png

As regards Intune auditing of the events above, nothing was recorded as the phone was reset from the phone side and not via the Intune side (which reports on actions related to wipe, delete, retire performed via the console or via a PowerShell script).

Removing the device management profile

In addition, we tried removing device management, via Settings, General, Device Management and removed the MDM device management profile,  this did not reset the phone but removed access to company resources and removed all apps associated with the company. The users personal data remained unchanged. The device (shortly after) showed as non-compliant in Intune/Endpoint Manager and could be automatically removed via the device cleanup ability. Using this method again did not record anything in Auditing.


device cleanup days.PNG

 

Note: Device cleanup rules aren't available for Android Enterprise scenarios like Fully Managed, Dedicated, and Corporate-Owned with Work Profile.

 

Using actions from within the Endpoint Manager console

In Microsoft Endpoint Manager, you have additional options to remove company data from enrolled phones, and these are as follows:

  • Wipe
  • Retire
  • Delete

Let's look at each action to see how it relates to the device in question.

Wipe

This option completely factory resets the phone, does NOT prompt for the users icloud password and all user data and company data is removed. The phone reboots as part of the process. Below is a typical display of what you'd see when you initiate the Wipe action from within Endpoint Manager.

Quote

The Wipe action restores a device to its factory default settings. The user data is kept if you choose the Retain enrollment state and user account checkbox. Otherwise, all data, apps, and settings will be removed.

wipe.png

As this action took place from within Endpoint Manager, it will be recorded in the Audit Logs. You can find these logs in Tenant Administration, Audit Logs as shown below.

Audit logs in tenant administration.png

After a Wipe is performed in Endpoint Manager, the action (and more details) are recorded in the Audit logs as shown here. You can click an individual action to get a details pane.

audit logs.png

 

In the screenshot above, the Activity details refers to an ObjectID and that is actually the Intune Device ID as shown here.

intune device id is the object id in the audit report.png

 

So if you want to trace a phones removal from Endpoint Manager, then make sure you've a backup of this information so you can co-relate the Intune Device ID with the ObjectID listed in the audit log. Here you can see the same info relating to the Intune Device ID in the console and the Object ID in the exported CSV file for an Android phone when it's Wiped. You can export the audit log (up to a months data in the console or 1 year via PowerShell Graph) to a CSV file.

wipe android phone.png

Remember, take note of the Intune Device ID before you Wipe a phone as once it's wiped the data will also be removed from Intune. In the screenshot below you can see the details remaining for a phone that was just wiped, notice how it states 'not found' and the Hardware node is greyed out, in the hardware node you'd normally find the Intune Device ID but now that the device is wiped, the data is gone.

cannot see intune device id any more.png

Retire

The Retire option removes company data, keeps personal data and does not reboot the device. Below is the prompt received when you select to Retire an iPhone.

Quote

 

The Retire action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management. This happens the next time the device checks in and receives the remote Retire action. The device still shows up in Intune until the device checks in. If you want to remove stale devices immediately, use the Delete action instead.

Retire leaves the user's personal data on the device.

 

retire phone.png

And below you can see how the Retire option is audited (via the exported CSV file), and again i'm pointing out the Intune Device ID in the console as it's the Object ID in the audit log.

 

comparing the intune device id with the object id via the xl csv.png

Interesting to note that the Intune Device ID (object ID in the audit log) changes every time you enroll the device.

In the console itself the device is removed as soon as the next device check in occurs.

Note: If you are using Fully Managed for your Android devices then you won't see a Retire option at all.

no retire option.png

 

 

Delete

Quote

If you want to remove devices from the Intune portal, you can delete them from the specific device pane. The next time the device checks in, any company data on it will be removed.

Selecting Delete will prompt the admin with something similar to below for iPhone.

delete phone.png

and the delete action is audited also.

delete managed device.png

However when I did the Delete action for an Android Fully Managed device, it reset the phone (factory reset) which goes against the popup prior to the action.

Bulk Device Actions

There is one other way of doing this but it's more risky as it applies to all devices, and that is the ability to choose the available actions (thanks @JeffGilb

Bulk Device Actions.PNG

You can then select the type of device and the action available, here are the options available for iOS/iPadOS

select device action.png

and below are the actions for Android (Fully Managed)

bulk device action android.png

Summary

Deciding which path to take should be based on your security needs and the ultimate destination of the phones after they go EOL. If your company phones are all iPhone based, you may want to choose either Retire or Delete from the Endpoint Manager console (or using a PowerShell script to connect to Intune using the Graph API), as these actions will be logged in the Audit logs (which can be exported for up to one year), and both of these actions are least disruptive to the users phone, as the users data (photos/apps/etc) will remain on the phone but all company data will be removed. This would be suitable in a scenario such as where personnel are giving the option to buy back the company device after it's EOL.

Take note however that the Delete option on Android Fully Managed phones also factory resets the device (all data personal and company is removed). That is not expected based on the popup shown to the admin.

If for security reasons you want to remove all company data and all personal data AND remove corporate logon details then you should choose the Wipe option as this does a factory reset on both iphone and Android (fully managed) phones, and this will be audited in the audit logs.

This method however will not prompt iphone end users to sign out of icloud meaning that after the reset,  the phone will be locked to the apple ID of the previous user (as shown below).

activation lock.png

To resolve this problem you could ask the user to sign out of icloud prior to Wiping the phone (not ideal) or use Apple Business Manager (DEP) to manage the phone, that way you'll get an Activation Bypass lock code which you can use to bypass this activation lock. Below is how that code would appear for a device (obfuscated details) in Intune.

bypass code.png

Of course this also means that you'll need a script to pull the Activation lock bypass code from Intune regularly (scheduled task) so that you have the data before it gets removed from Intune.

Speaking of ABM enabled iPhones, once they are added into ABM you'll see additional options displayed in Intune such as those shown here, the additional options include (and more depending on the device and capabilities):

Disable activation lock

Lost mode (supervisor only)

Rename device (supervisor only)

Restart (supervisor only)

dep device options.png

 

Finally, if you get your users to remove the device management or factory reset their phones using options available on the phone itself, then there will be no record of that action in Intune so you won't be able to report on it.

I hope this helps you understand the options available today in Endpoint Manager for removing company data on enrolled phones.

Recommended Reading

cheers

niall

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.