Hello, When we are retiring a iOS enrolled device ( BYOD MDM) from Endpoint portal, we have observed the below behavior. Please confirm below is the expected behavior or how to resolve it ? After retiring a iOS device from Endpoint portal, device Intune configuration and MDM profile was removed device. But users still able to see new and old emails from Outlook and it worked the same at least for 24 hours. After more than 24 hours, we have observed users got prompt "Data Removal" on Outlook app but when user is getting any new email for that account still able to get notification and when he click on email notification it routes on Outlook app but he didn't seen the new email. Is it possible that after retiring device the outlook and other O365 apps configuration must be removed from device and users should not get any new email notification and users should not be able to view old and new emails ? Regards, Surendra

The best approach in my opinion here would be to use Conditional Access and create a policy that requires devices to be marked as compliant when accessing email. This would block the user from accessing their email account if the device is not enrolled and compliant. https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune

@Surendrasingh Chaupawat (APMEA - iCORE-CIS) Thanks for posting in our Q&A. For remove outlook account, it shows that retire action will remove mail accounts that were provisioned by Intune on windows 10 devices. For iOS devices, if the microsoft app is protected by intune, when we do the retire action, the next time the app is launched, it will remove the protected work or school account data. For more details, please refer to the following article: https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#ios So, based on my understanding, if you deploy an app protection policy to the work or school account and add Outlook as managed app, when you retire the iOS device, it may also remove the account on Outlook. Hope it will give you some ideas. If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

@Surendrasingh Chaupawat (APMEA - iCORE-CIS) Thanks for your efforts to do some tests. For this issue, I have done the test as my said before. In my test, I didn't have the conditional access policy and I only deploy an app protection policy to my user group. Outlook is a managed app in the app protection policy. When I retire the iOS device successfully and wait for some time, I will get the message in Outlook and my account is removed from Outlook. When I try to send an email to the my account, I didn't get a new email notification. Hope it will help.

Not removing Outlook account from iOS device after retiring device from Endpoint Portal

Surendrasingh Chaupawat (APMEA - iCORE-CIS) 1

Hello,

When we are retiring a iOS enrolled device ( BYOD MDM) from Endpoint portal, we have observed the below behavior.

Please confirm below is the expected behavior or how to resolve it ?

After retiring a iOS device from Endpoint portal, device Intune configuration and MDM profile was removed device. But users still able to see new and old emails from Outlook and it worked the same at least for 24 hours.
After more than 24 hours, we have observed users got prompt "Data Removal" on Outlook app but when user is getting any new email for that account still able to get notification and when he click on email notification it routes on Outlook app but he didn't seen the new email.
Is it possible that after retiring device the outlook and other O365 apps configuration must be removed from device and users should not get any new email notification and users should not be able to view old and new emails ?

Regards,
Surendra

Surendrasingh Chaupawat (APMEA - iCORE-CIS) 1 Reputation point

2021-12-30T09:31:42.543+00:00
I am unable to see my 3rd point above, hence re-adding the 3rd point.

Is it possible that after retiring device the outlook and other O365 apps configuration must be removed from device and users should not get any new email notification and users should not be able to view old and new emails ?

Regards,
Surendra

3 answers

Timmy Andersson 411 Reputation points MVP

2021-12-30T11:06:28.657+00:00

The best approach in my opinion here would be to use Conditional Access and create a policy that requires devices to be marked as compliant when accessing email.
This would block the user from accessing their email account if the device is not enrolled and compliant.

https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune
Please sign in to rate this answer.
Surendrasingh Chaupawat (APMEA - iCORE-CIS) 1 Reputation point

2021-12-30T11:46:01.45+00:00

Hello,

The conditional access policy is already in placed, but still facing issue.

Below are the current configuration but still users is receiving new email notification on his ios device after retiring device from Endpoint portal.

Selected users group

Client Apps or actions - O365 apps

Conditions - a) Device Platform : Android and iOS b) Client apps : Browser and Mobile apps & Desktop client

Grant Control : 1. Required MFA 2. Required device to be compliant 3. Required approved clients 4. Required app protection policy 5. Required all the selected controls
Sign in to comment
Lu Dai-MSFT 28,346 Reputation points

2021-12-31T03:32:45.453+00:00

@Surendrasingh Chaupawat (APMEA - iCORE-CIS) Thanks for posting in our Q&A.

For remove outlook account, it shows that retire action will remove mail accounts that were provisioned by Intune on windows 10 devices.

For iOS devices, if the microsoft app is protected by intune, when we do the retire action, the next time the app is launched, it will remove the protected work or school account data. For more details, please refer to the following article:
https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#ios

So, based on my understanding, if you deploy an app protection policy to the work or school account and add Outlook as managed app, when you retire the iOS device, it may also remove the account on Outlook.

Hope it will give you some ideas.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Lu Dai-MSFT 28,346 Reputation points

2022-01-03T06:57:53.497+00:00

@Surendrasingh Chaupawat (APMEA - iCORE-CIS) Haven't heard from you for some time, I am checking this thread, if you have a chance to review this thread, please check if my reply is helpful. Thanks.

Surendrasingh Chaupawat (APMEA - iCORE-CIS) 1 Reputation point

2022-01-03T08:32:15.19+00:00

Hello,

Please find my below response and testing results.

1st Test case:

When i enroll iOS device in Intune and downloaded Outlook app from Intune app Catalogue\Store (Not from Apple App Store) and after some time i retire ios device from Endpoint portal.

Configuration -

On Endpoint portal Conditional access and MAM is already configured for Outlook app.

Enrolled ios device in Intune

Download Outlook app from Intune app Catalogue\Store (Not from Apple App Store)

Configured account in Outlook app and able to see Emails. MAM policy confirmation status also came on device after configuring Outlook app on device.

After some time from Endpoint portal, i have Retire enroll device.

Results:

Device entry was removed from Endpoint portal in after few minutes.

Intune app and his configuration removed from device.

MDM profile was removed from device

Outlook configuration was removed automatically after sometimes when we launched Outlook app 2 times.

After automatically Outlook configuration removed from iOS device, we have sent 2 test email on the same id and we didn't received any email notification on Retire device.

Surendrasingh Chaupawat (APMEA - iCORE-CIS) 1 Reputation point

2022-01-03T08:33:57.887+00:00

2nd Test Case:
When i downloaded Outlook app from Apple App store (Not from Intune app Catalogue\Store) before enrolling iOS device in Intune.

Configuration -

On Endpoint portal Conditional access and MAM is already configured for Outlook app.

Downloaded Outlook app from Apple App store (Not from Intune app Catalogue\Store)

Enrolled ios device in Intune

After enroll device in Intune, Open Intune app > Click on Outlook app to Install > It prompts to Manage app (It prompt to manage already downloaded Outlook app)

Configured account in Outlook app and able to see Emails. MAM policy confirmation status also came on device after configuring Outlook app on device.

After some time from Endpoint portal, i have Retire enroll device.

Results:

Device entry was removed from Endpoint portal in after few minutes.

Intune app and his configuration removed from device.

MDM profile was removed from device

Outlook configuration was removed automatically after sometimes when we launched Outlook app 2-3 times.

After automatically Outlook configuration removed from iOS device, we have sent 2 test emails on the same id but this time we have received email notification on Retire device even after outlook configuration removed. (We are unable to see email subject and contain, while clicking on notification.)
Sign in to comment
Lu Dai-MSFT 28,346 Reputation points

2022-01-04T07:04:40.91+00:00

@Surendrasingh Chaupawat (APMEA - iCORE-CIS) Thanks for your efforts to do some tests.

For this issue, I have done the test as my said before. In my test, I didn't have the conditional access policy and I only deploy an app protection policy to my user group. Outlook is a managed app in the app protection policy.

When I retire the iOS device successfully and wait for some time, I will get the message in Outlook and my account is removed from Outlook. When I try to send an email to the my account, I didn't get a new email notification.

Hope it will help.
Please sign in to rate this answer.
Surendrasingh Chaupawat (APMEA - iCORE-CIS) 1 Reputation point

2022-01-04T07:07:59.687+00:00

Hello,

I have mentioned the 2 test scenario, could you please confirm have you tested the both scenario ? Could you please confirm the outlook app you have downloaded from Intune app store after enrolling your device or Outlook app was already installed on your device before enrolling device in Intune ?

Lu Dai-MSFT 28,346 Reputation points

2022-01-04T07:55:35.5+00:00

@Surendrasingh Chaupawat (APMEA - iCORE-CIS) I have done the two test scenarios. In my environment, whether I download Outlook first or enroll the device first, the test results are the same.

Honestly, for the different results of your tests, there is no any helpful idea that I can share with you. With Q&A limitation, it is suggested to create an online support ticket to find the root cause. It is free. Here is the support link:
https://learn.microsoft.com/en-us/mem/get-support

Thanks for understanding.

Surendrasingh Chaupawat (APMEA - iCORE-CIS) 1 Reputation point

2022-01-04T07:59:09.267+00:00

Thanks for your Great support. I will raise a support ticket and try to get fix of my issue.

Lu Dai-MSFT 28,346 Reputation points

2022-01-04T08:05:27.777+00:00

@Surendrasingh Chaupawat (APMEA - iCORE-CIS) You're welcome. I'm glad to discuss with you about this issue. Hope everything goes well with you.
Sign in to comment