Wipe Email Off Devices

PMG2023 0 Reputation points
2023-04-09T08:46:06.2966667+00:00

Hi Everyone I am using Endpoint Manager on a small O365 tenant and I am pretty new to MDM, I would appreciate some guidance on the below situation. I have some iphones that will be corp devices and some that are personal, I need to be able to wipe the emails off the devices for both corp owned devices and personal ones if the phone is lost or in the case of personal devices, if the person leaves the company. I see if I enrol the device into endpoint manager and get users to download outlook from my list of available apps I can use selective wipe to remove the email. But for personal devices, I cant get them to do this as its not a managed device. Someone said app protection policies can serve my purpose but I dont see how I can use this to get Outlook on their device from endpoint manager as its not a managed device and therefore not enrolled, with this being the case, how could I wipe the email off it? I can see I could use conditional access to stop them logging into Outlook with their company email account if they download Outlook manually themselves but I cant see how I can get them access to their email and yet be able to wipe the email off on a personal de3vice. So in essence my question is: How can I wipe corporate email off a personal phone when someone leaves? Thanks very much.

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,489 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Khaled El-Sayed Mohamed 1,160 Reputation points
    2023-05-23T09:57:04.3366667+00:00

    There are a few ways to wipe corporate email off a personal phone when someone leaves. One way is to enroll the device in Endpoint Manager and then use selective wipe to remove the email. However, as you mentioned, this is not possible if the device is not a managed device.

    Another way to wipe corporate email off a personal phone is to use app protection policies. App protection policies allow you to control how users can access corporate data on their personal devices. For example, you can create an app protection policy that prevents users from accessing corporate data from any app other than Outlook. This will prevent users from accessing corporate email from any other app, including the native mail app on their phone.

    If you want to allow users to access corporate email from the native mail app on their phone, you can create an app protection policy that requires users to enter their corporate credentials before they can access corporate data. This will prevent users from accessing corporate email without first authenticating with their corporate credentials.

    Once you have created an app protection policy, you can assign it to users or groups. When a user or group is assigned an app protection policy, they will be prompted to install the app protection policy when they next open Outlook. Once the app protection policy is installed, users will be required to enter their corporate credentials before they can access corporate data.

    If a user leaves the company, you can revoke their access to corporate data by removing them from the app protection policy. This will prevent them from accessing corporate email from Outlook or any other app.

    Here are the steps on how to create an app protection policy in Endpoint Manager:

    1. In the Endpoint Manager console, go to Devices > All Devices.
    2. Select the device that you want to create an app protection policy for.
    3. Click App Protection Policies.
    4. Click Create Policy.
    5. In the Name field, enter a name for the app protection policy.
    6. In the App field, select Outlook.
    7. In the Allowed Apps section, select the apps that you want users to be able to use to access corporate data.
    8. In the Blocklisted Apps section, select the apps that you want to block users from using to access corporate data.
    9. In the Required Authentication section, select whether you want users to be required to authenticate with their corporate credentials before they can access corporate data.
    10. Click Create.

    Once you have created the app protection policy, you can assign it to users or groups. To assign the app protection policy to users or groups, follow these steps:

    1. In the Endpoint Manager console, go to Devices > All Devices.
    2. Select the device that you want to assign the app protection policy to.
    3. Click App Protection Policies.
    4. Select the app protection policy that you want to assign.
    5. Click Assign.
    6. In the Assign To section, select the users or groups that you want to assign the app protection policy to.
    7. Click Assign.

    Once you have assigned the app protection policy to users or groups, they will be prompted to install the app protection policy when they next open Outlook. Once the app protection policy is installed, users will be required to enter their corporate credentials before they can access corporate data.

    0 comments No comments

  2. Khaled El-Sayed Mohamed 1,160 Reputation points
    2023-05-23T09:59:53.68+00:00

    in general:

    To achieve your goal of wiping corporate email off personal phones when someone leaves the company, you can utilize Mobile Application Management (MAM) and Conditional Access policies within Microsoft Endpoint Manager. Here's a suggested approach:

    1. Implement Mobile Application Management (MAM) policies: MAM allows you to manage and protect the corporate data within specific applications on a device, without the need to fully enroll the device into Mobile Device Management (MDM). With MAM policies, you can apply app protection policies to the Outlook app on personal devices.
    2. Configure app protection policies for Outlook: Create an app protection policy in Endpoint Manager that applies to the Outlook app. Within the policy, you can set requirements such as requiring a PIN or fingerprint to access the app, preventing data sharing with non-managed apps, and enabling data encryption. This ensures that corporate data within Outlook remains secure on personal devices.
    3. Enable selective wipe through MAM: With MAM policies, you can perform a selective wipe of the corporate data within the Outlook app without affecting any personal data on the device. This means that when an employee leaves the company, you can initiate a selective wipe to remove the corporate emails and associated data from the Outlook app on their personal device.
    4. Implement Conditional Access policies: Conditional Access allows you to define access rules based on various conditions, including device compliance and enrollment status. You can create a policy that restricts access to company email through Outlook on personal devices that are not enrolled in Endpoint Manager. This ensures that even if employees manually download Outlook on their personal devices, they won't be able to access company email after leaving the organization.

    By combining MAM policies, selective wipe, and Conditional Access, you can effectively manage and secure corporate email on both corporate-owned and personal devices, allowing you to wipe corporate email off personal phones when someone leaves the company.

    It's important to note that the specific steps and options may vary based on your organization's configuration and the version of Microsoft Endpoint Manager you're using. I recommend referring to the official Microsoft documentation or seeking assistance from the Microsoft support team for detailed guidance tailored to your specific environment.

    0 comments No comments