Share via

Intune MDM does not delete managed app

D reddy 1 Reputation point
2022-04-19T10:16:48.173+00:00

Hi team, we have apps that can be download from company portal and we also have the possibility to download directly from iOS app store.

We can then login to app and company portal validates whether device is managed.

Problem is when we remove the device to be managed by company portal, it does not automatically delete the app, which results in user accessing app when device is unmanaged.

Would you kindly advise how this could be resolved pls?

Microsoft Security | Intune | Configuration
0 comments

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Lu Dai-MSFT 28,511 Reputation points
    2022-04-20T01:25:32.12+00:00

    @D reddy Thanks for posting in our Q&A.

    Generally, if we want to unenroll the managed devices and delete the managed app, we will do "retire" action in intune portal.
    https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#retire
    194491-image.png

    If you just want to remove devices in company portal app, it is needed to configure the setting "Uninstall on device removal" to "Yes" under the target app's assignments. When the device is not managed by intune, the apps will be uninstalled.
    194501-image.png

    Hope it will help.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. D reddy 1 Reputation point
    2022-04-22T04:10:16.303+00:00

    Hi, thx ! What you mentioned is already in place. Somehow if we download the app directly from app store, before company portal was downloaded then when device is not managed it is not deleting the app automatically.

  3. Lu Dai-MSFT 28,511 Reputation points
    2022-04-22T09:35:10.25+00:00

    @D reddy If the app is protected by an app protection policy and even if the app is installed from app store, we also called it a managed app. It is suggested to try to do the retire action. It will wipe the work or school account data protected by an App Protection Policy.
    https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#ios
    195503-image.png

    I have done the test in my lab. I add outlook in an app protection policy and deploy the policy to my user. When I retire the iOS device successfully and wait for some time, I will get the message in Outlook and my account is removed from Outlook.
    195489-image.png

    Hope it will help.

  4. D reddy 1 Reputation point
    2022-04-25T04:08:44.127+00:00

    Hi, thank you for checking on me. When a device is not managed anymore, it wont be possible to perform retire action. I was told by azure expert that he cant see the anymore as being managed but i m able to access the data.

    0 comments
  5. Lu Dai-MSFT 28,511 Reputation points
    2022-04-25T07:26:06.85+00:00

    @D reddy Yes, you're right. Retire action only can be performed when the device is managed by intune.

    Currently, there is no method to make the Azure AD account sign out from the app when the device is unmanaged. I'll share with you two alternatives, maybe one of them will meet your requirements.

    Method 1: App protection policy can wipe account and data.
    If the device is unmanaged, please try to deploy an app protection policy to the target user. Please set "Device types" to "unmanaged" and set "offline grace period" to 1 wipe day.
    195908-image.png

    196032-image.png

    When the app run offline more than one day, it will perform a selective wipe of the users' account and data. For more details, please read the content about "Offline grace period" in the following link:
    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#conditional-launch

    Method 2: Conditional access policy will make the end user to re-enroll the device and then we can do retire action.
    It is suggested to try to deploy a conditional access policy to the target user, add the target app in the setting "cloud apps or actions", select "Require device to be marked as compliant" in Grant. For more details about creating conditional access policy, we can refer to the following article:
    https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create

    When you use the taget user to sign in the target app on the unmanaged device, it may ask you to enroll the device. Then we can try to do the retire action as I said before.

    Hope it will give you some ideas.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.