A customer asked me about this last week so I decided to test it. What happens when an unenrolled BYOD device is lost or stolen but is protected by Intune App Protection Policies? Can the corporate data be wiped? He was specifically talking about Android and iOS devices. The answer is yes. That can be achieved using the Selective Wipe feature of Intune, which will wipe corporate data from Intune managed apps. These are apps which have been integrated with the Intune SDK.

How does it work? To selectively remove company app data, you create a wipe request. If the device is not enrolled, a user-level wipe is required. This will wipe corporate data from the managed apps on all of that user's devices.

In the Intune admin center, select Apps > App selective wipe.

Choose User-level Wipe.

Select Add and choose the user whose app data you would like to wipe. Choose Select.

After the request is finished, the next time the app runs on the device, corporate data is removed from the app. On the device, the user sees this as a notification.

The Outlook corporate profile has been removed.

There are a few things to be aware of with this solution.

1. Corporate data is not removed automatically the moment the request is created. The apps have to be launched first. If the user is using the app when the selective wipe is initiated, the Intune App SDK checks every 30 minutes for a selective wipe request from the Intune MAM service. It also checks for a selective wipe when the user launches the app for the first time and signs in with their work or school account.

Does it really matter though? A bad guy can't get access to corporate data without launching the apps, and launching them is what initiates the wipe. In my test, it took more than 30 minutes for the wipe to be initiated on the device.

2. For non-enrolled devices, the selective wipe is user-based and will remove corporate apps and data on all devices where you have the apps installed, not just the one you've lost. This works well in the leaver scenario, but can be a problem if you've just lost one device. You'll have to reinstall on the others. Perhaps that's a small price to pay to keep your corporate data safe. Note that you'll have to remove the wipe request in the Intune admin center before the user can use the apps again. How long should you leave it before removing the wipe request? You have no way of knowing if the request has been successful on the lost device.
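One signal worth checking before you remove a wipe request is when each of the user's managed apps last checked in with the Intune MAM service, because an app can only have processed the wipe if it checked in after the request was created. The following PowerShell script is an added example and is not part of this post or of Microsoft's documentation: it uses the Microsoft Graph PowerShell SDK to list the user's managedAppRegistrations from the beta endpoint and flags the ones that have synced since the wipe request. The user name and the wipe-request timestamp are placeholders, and the exact shape of the appIdentifier property (bundleId for iOS, packageId for Android) is an assumption you should confirm against your own tenant's output.

```powershell
# Added example (not from the original post): list a user's Intune MAM app
# registrations via Microsoft Graph (beta) and report which apps have checked
# in since the selective wipe request was created.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in
# admin is granted DeviceManagementApps.Read.All.

$UserPrincipalName = 'lost.device.user@contoso.example'          # placeholder
$WipeRequestedAt   = [DateTimeOffset]'2024-01-01T09:00:00Z'      # placeholder: time you created the wipe request

Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All' | Out-Null

# Each managedAppRegistration is one app on one device that has registered with
# the Intune MAM service, which includes MAM-only (unenrolled BYOD) devices.
$uri = "https://graph.microsoft.com/beta/users/$UserPrincipalName/managedAppRegistrations"
$registrations = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $registrations += $page.value
    $uri = $page.'@odata.nextLink'     # follow paging until there is no next link
} while ($uri)

$report = foreach ($reg in $registrations) {
    # Assumption: iOS registrations carry bundleId, Android ones carry packageId.
    $app = if ($reg.appIdentifier.bundleId) { $reg.appIdentifier.bundleId } else { $reg.appIdentifier.packageId }
    $lastSync = [DateTimeOffset]$reg.lastSyncDateTime

    [pscustomobject]@{
        DeviceName      = $reg.deviceName
        DeviceTag       = $reg.deviceTag
        Platform        = ($reg.'@odata.type' -replace '^#microsoft\.graph\.', '')
        App             = $app
        LastSync        = $lastSync
        # True only if the app has talked to the MAM service after the request existed;
        # a registration that has not synced since then cannot have processed the wipe.
        SyncedAfterWipe = ($lastSync -gt $WipeRequestedAt)
    }
}

$report | Sort-Object LastSync -Descending | Format-Table -AutoSize
```

A registration on the lost device with SyncedAfterWipe still False tells you the app there has not checked in since you created the request, so removing the request at that point would leave the data in place; one that shows True at least confirms the app contacted the service after the request was pending.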

3. Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address book to another external source can't be wiped. Currently, this only applies to the Microsoft Outlook app.

4. You must have an app protection policy already assigned to the app and user. This means that you must have an APP broker app installed in advance, that's the Intune Company Portal on Android devices and the Microsoft Authenticator app on iOS devices.

In addition, you can configure a selective wipe of your company data as an action that runs when the conditions in an app protection policy's (APP) Access settings are not met. This feature helps you automatically protect and remove sensitive company data from applications based on pre-configured criteria.

I hope this was helpful. Until next time...