Azure AD personal device enrollment without remote wipe / erase.

Andrew Wilkins 1 Reputation point
2021-06-01T11:00:31.783+00:00

Hi
I have Azure AD and have endpoint security, which allows anyone in my company to join a personal Windows PC or Mac if they install the Company Portal app.

This enforces security settings that most staff are comfortable with, but remote wipe is something most people are not comfortable with, and I can't say I blame them.
I am never going to wipe anyone's personal device deliberately, so I would much rather this was never an option.

Is there a way I can set up a profile or policy so that the permission to remote wipe / erase is never set on personal devices?
I am particularly interested in doing this for macOS, but it would also be useful on Windows too.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-06-01T12:59:17.01+00:00

    @Andrew Wilkins Thanks for reaching out and we understand your concern.

    When endpoint security allows you to push down certain policies, files, email profiles, certificates, etc., it keeps a secure option of removing everything it pushed in case the user leaves the company or the device gets stolen. That Retire option comes by default and never really touches the personal files and settings of the users.

    There is no policy which you can create to remove that Retire option. You can try to educate users that endpoint security will not touch any of their files.
    The Retire option only does the following on macOS:

    [image: 101412-image.png]

    Feel free to raise this as an idea at our feedback page here. Other people can upvote your idea, and if many people need this idea, maybe the Product group can check further to work towards this.


  2. Andrew Wilkins 1 Reputation point
    2021-06-01T14:06:47.613+00:00

    Thank you
    The Retire option sounds perfect; I'm happy to keep that as an option. What I am after is being able to have a policy where remote wipe is not an option.
    What I am after is getting rid of the Wipe option on Windows and Erase on macOS; these seem to be there by default.

    I have taken over this domain from someone else, so it is possible they have set something which means we don't have the default policies, but I could not see anywhere on any of the policies we have that mentions anything about remote wipe to enable / disable it, nor could I see how to set up any new policies which would not have it.
