This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 81%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Hello,
Somehow when we want to enroll a personal device like an iPad or iPhone, and we are logging in to the Company Portal.
And see the (Device Management and your privacy) page CAN: Reset lost or stolen device to factory settings...
I really don't want to have that option in Intune to reset a full personal device..
Any ideas or solutions for this?
I cant find much about it.
Normally you could only wipe the company data, but not the whole device.
Regards Jeroen
Any ideas or solutions for this?
Yes, don't enroll the device in MDM management and only use App Protection Policies (APP) -- aka Mobile Application Management (MAM). See https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
@Jeroen F Thanks for posting in our Q&A. From your description, did you mean that you want to only delete the company data and keep the personal date on iOS devices? If there is any misunderstanding, feel free to let us know.
Based on my understanding, the "Retire" action will meet the requirement. It will remove managed app data (where applicable), settings, and email profiles that were assigned by using Intune. And it will leave the user's personal data on the device. We can read the following article to get more detailed information:
leaves the user's personal data on the device.
https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#retire
Hope the above information will help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hee, thanks for the responses.
Somehow it just feels bad, that you need to configure it like that. And how is it possible that a Company portal(Intune) can controle your whole device like that. Yes i know the retire option, but i dont want to have people from the Servicedesk clicking the wrong button and the Doctor loses his whole phone stuff..
@Jeroen F Thanks for your quick response. I understand your concerns. Currently, there is no method to disable this setting in the company portal.
Given this situation, it is suggested to post our detailed requirement in intune uservoice. This is a place to collect customers' requirements and problems.
https://microsoftintune.uservoice.com/forums/291681-ideas
At the same time, I will also try my best to feedback.
@Jason Sandys Did you have any idea? And whether there is a plan that disable factory reset button in company portal?
You could possibly utilise RBAC in Intune and assign a custom role to SD with restrictive permissions on remote actions.
Yes, but you cannot say they can Wipe Company devices, but not the Personal ones...
So it still stays a bit tricky tbh
I think you can using scope tags. You will need to create 2 different custom roles then. 1 for personal devices and a corresponding scope tag and then similarly another for corporate owned devices.
Somehow it just feels bad, that you need to configure it like that. And how is it possible that a Company portal(Intune) can controle your whole device like that.
Same answer as I've given above. Don't enroll the device and simply use MAM. This is explicitlt the purpose of MAM without enrollment.
Apple is working on a User Enrollment mode that is meant for BYOD type scenarios, but at this time, the solution is not very mature and we don't generally recommend its use (yet).
Thank you for your respons @Lu Dai-MSFT
Also i dont understand why it needed a Managed Apple ID(Azure login) normally it would use the AppleID thats signed in to the Apple Store etc..
@Jeroen F Could you please explain it more detailed? To facilitate the management of Q&A posts, if this issue is different with above, it is suggested to post another one.
Thanks for understanding. : )
Hello,
I dont understand why i need to have a managed AppleID to use BYOD... I dont remember this from other MDM solutions to have a managed AppleID. So its a must to add the DEP to Azure if you want to use Byod.
@Jeroen F Thanks for your explain.
Please understand that we don't need to have a managed AppleID for BYOD enrollment. The managed AppleID is used in iOS with User Enrollment.
If we enroll the iOS device with device enrollment, it means that we don't configure the enrollment type profile or select "Device enrollment" enrollment type, we don't need a managed AppleID and only need a user with intune license.
Hope it will help.
Hee thanks,
I do know this part, but then you going to manage fully a personal device.. Dont think thats called Byod..
But the User Enrollment looks better like a byod. But then you do need a managed AppleID... (And the Device Enrollment gives you the option to wipe a personal device.. Thats really a no go to have that option.
In the past what i remember when we had Citrix.
And you installed SecureHub, and login with your company mail, you do get a Byod profile, with some apps and wifi settings and it used the current AppleID (Private account) to install the apps etc. Do dont understand why its needed at Intune a Managed AppleID to use Byod like a User Enrollement.
Azure AD and managed Apple IDs are two completely different things. All users that have any sort of management from Intune require an Azure AD account. User enrollment into Intune for device management using the Company Portal in no way requires a managed Apple ID. I don't really consider this BYOD though. Once again, you should be looking at App Protection Policies and not device enrollment for BYOD.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 46%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Hee Jason,
I understand your point. Im new to Intune so its a bit of searching for me for whats best.
So i created a App Protection policys for apps.
But i wont be able to get something like Wifi Certificates on these kind of devices i guess?
And about the Managed Apple ID, when i use the Enrollment as a User Device im getting this when i enroll.
No, there is no way to force cert enrollment when using APP although that's not normal for BYOD.
As for User Enrollment, as I initially called out, that's a newer enrollment method that Apple recently introduced that we don't generally recommend using yet because it lacks some capabilities and has some rough spots. The requirement of the managed Apple ID you see there is their requirement and not Intune's.