If you would like to read the other parts in this article series please go to:
- Intune and Exchange ActiveSync (Part 1)
- Intune and Exchange ActiveSync (Part 2)
- Intune and Exchange ActiveSync (Part 3)
- Intune and Exchange ActiveSync (Part 4)
- Intune and Exchange ActiveSync (Part 5)
- Intune and Exchange ActiveSync (Part 6)
- Intune and Exchange ActiveSync (Part 7)
Introduction
Intune gives administrators selective wipe, full wipe, remote lock, and passcode reset capabilities for the mobile devices it manages. Because mobile devices usually store sensitive corporate data and provide access to many corporate resources, if a device is lost or stolen we can issue a remote device wipe command from Intune’s administrator console. Users can also issue their own remote device wipe commands from Intune’s company portal app. To protect devices we can issue:
- A full wipe to restore the device to its factory settings (identical to what ActiveSync has been offering for years);
- A selective wipe to remove only company data;
- A remote lock to help secure a device that might be lost;
- A passcode reset to clear or replace the device passcode.
Remote Wipe
When we want to secure a lost device or when we retire a device from active use, it is typical to issue a wipe command to the device. With Intune there are two types of wipe:
- Full Wipe restores the device to its factory defaults. This removes all company and user data and settings. We can do a full wipe on Windows Phone, iOS and Android devices;
- Selective Wipe only removes company data. The following table describes by platform what data is removed and the effect on data that remains on the device after a selective wipe.
| Content Type | Windows 8.1 (enrolled as a mobile device) and Windows RT 8.1 | Windows RT | Windows Phone 8 and 8.1 | iOS | Android | Android Samsung KNOX |
|---|---|---|---|---|---|---|
| Company apps and associated data installed by Intune | Files protected by EFS will have their key revoked and the user will not be able to open the files. | Will not remove company apps. | Apps originally installed through the company portal are uninstalled. Company app data is removed. | Apps are uninstalled. Company app data is removed. App data from Microsoft apps that use mobile app management is removed. The app is not removed. | Apps and data remain installed. App data from apps that use mobile app management is removed. The app is not removed. | Apps are uninstalled. App data from apps that use mobile app management is removed. The app is not removed. |
| Settings | Configurations that were set by Intune policy are no longer enforced and users can change the settings. | Same as Windows 8.1 | Same as Windows 8.1 | Same as Windows 8.1 | Same as Windows 8.1 | Same as Windows 8.1 |
| Wi-Fi and VPN profile settings | Removed | Removed | Not supported | Removed | Not supported | Not supported |
| Certificate profile settings | Certificates removed and revoked. | Certificates removed and revoked. | Not supported | Certificates removed and revoked. | Certificates revoked, but not removed. | Certificates revoked, but not removed. |
| Management Agent | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in. | Management profile is removed. | Device Administrator privilege is revoked. | Device Administrator privilege is revoked. |
| Email | Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments. | Not supported | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. | Not supported | Email profiles that are provisioned through Intune are removed and cached email on the device is deleted. |
| Azure Active Directory Unjoin | No | No | AAD Record removed | AAD Record removed | AAD Record removed | AAD Record removed |

Table 1
To initiate a remote wipe:
- In the Microsoft Intune administration console, click Groups > All Users:
Figure 1
- Click the name of the user whose mobile device you want to wipe, and then click View Properties:
Figure 2
- On the properties page for the user, click the Devices tab, and then click the name of the mobile device that you want to wipe:
Figure 3
- Click Retire/Wipe;
- A message appears, prompting you to confirm whether you want to retire the device:
- To perform a selective wipe which only removes company content, click Yes;
- To perform a factory reset on a device, select Wipe the device before retiring. This action applies to all platforms except Windows 8.1:
Figure 4
To monitor the retire/wipe:
- In the Microsoft Intune administration console, click Reports > Device History Reports;
- Provide a start and end date for the report, then click View Report. The report provides a list of retire, wipe and delete actions taken on each device, and who initiated them.
Figure 5
Wiping EFS-enabled content
Selective wipe of EFS-encrypted content is supported by Windows 8.1 and Windows RT 8.1. The following apply to a selective wipe of EFS-enabled content:
- Only apps and data that are protected by EFS using the same Internet domain as the Intune account are selectively wiped;
- If there are any changes made to the domain associated with EFS, the changes can take up to 48 hours before apps and data using the new domain can be selectively wiped;
- Each domain that is registered with Intune is the domain that will be wiped.
The data and apps that are currently supported by EFS selective wipe are:
- Mail app for Windows;
- Work Folders;
- Files and folders encrypted by EFS.
Passcode Reset
If a user forgets their passcode, we can remove the passcode from the device or force a new temporary passcode. The table below lists how passcode reset works on different mobile platforms:
| Platform | Passcode Reset |
|---|---|
| iOS | Supported for clearing the passcode from a device. Does not create a new temporary passcode. |
| Android | Supported and a temporary passcode is created. |
| Windows Phone 8 and 8.1 | Supported |
| Windows RT 8.1 and Windows RT | Not Supported |
| Windows 8.1 | Not Supported |

Table 2
To reset the passcode on a mobile device:
- In the Microsoft Intune administration console, click Groups > All Devices > All Mobile Devices;
- Click All Direct Managed Devices for devices enrolled with Intune, or All Exchange ActiveSync Managed Devices. We can also navigate to a device by user: click All Users and, on the properties page for the user, click the Devices tab and then the name of the mobile device whose passcode we want to reset:
Figure 6
- In the list, we select the device or devices that we want to reset, and then on the taskbar click Remote Tasks and then Passcode Reset:
Figure 7
Remote Lock
If a user loses their device we can lock it remotely. The table below lists how remote lock works on different mobile platforms:
| Platform | Remote Lock |
|---|---|
| iOS | Supported |
| Android | Supported |
| Windows Phone 8 and 8.1 | Supported |
| Windows RT 8.1 and Windows RT | Supported if the current user of the device is the same user who enrolled the device. |
| Windows 8.1 | Supported if the current user of the device is the same user who enrolled the device. |

Table 3
To lock a mobile device remotely follow the previous steps but click on Remote Lock instead (in step 3).
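The three console procedures above (retire/wipe, passcode reset and remote lock) can also be driven from a script. The following PowerShell is an added example, not code from this article or from Microsoft: it issues the same remote actions through the Microsoft Graph API managedDevice resource rather than through the classic console the article describes, and assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in administrator holds the permissions named in the comments. The user principal name and device name are constructed sample values, and the function names Get-UserManagedDevice and Invoke-ManagedDeviceAction are my own.

```powershell
# Added example, not part of the original article: the remote actions the console
# exposes (selective wipe = retire, full wipe, remote lock, passcode reset) issued
# through the Microsoft Graph API. Assumes the Microsoft.Graph PowerShell SDK is
# installed and the signed-in administrator has been granted the
# DeviceManagementManagedDevices.Read.All and
# DeviceManagementManagedDevices.PrivilegedOperations.All permissions.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

$managedDevices = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

# Graph action names for each console task. Retire removes company data only
# (the selective wipe); Wipe is the factory reset ("Wipe the device before retiring").
$actionPath = @{
    Retire        = 'retire'
    Wipe          = 'wipe'
    RemoteLock    = 'remoteLock'
    ResetPasscode = 'resetPasscode'
}

# List a user's managed devices, the equivalent of Groups > All Users > Devices tab.
function Get-UserManagedDevice {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $uri  = "${managedDevices}?`$filter=userPrincipalName eq '$UserPrincipalName'"
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $page.value | Select-Object id, deviceName, operatingSystem, complianceState, lastSyncDateTime
}

# Send one remote action to one device. ConfirmImpact = High makes PowerShell ask
# for confirmation first, like the console's Retire/Wipe prompt; pass -WhatIf to
# see which device and action would be used without sending anything.
function Invoke-ManagedDeviceAction {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)][ValidateSet('Retire', 'Wipe', 'RemoteLock', 'ResetPasscode')]
        [string]$Action
    )
    $uri = "$managedDevices/$DeviceId/$($actionPath[$Action])"
    if (-not $PSCmdlet.ShouldProcess($DeviceId, $Action)) { return }
    if ($Action -eq 'Wipe') {
        # Full wipe: keep neither enrollment nor user data, matching a factory reset.
        $body = @{ keepEnrollmentData = $false; keepUserData = $false }
        Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
    } else {
        Invoke-MgGraphRequest -Method POST -Uri $uri
    }
}

# Usage (constructed sample values): a user reports a lost phone. Lock it first so
# it cannot be used, then remove company data with a selective wipe (retire).
$devices = Get-UserManagedDevice -UserPrincipalName 'nuno@contoso.com'
$lost    = $devices | Where-Object deviceName -eq 'Nuno_iPhone'
Invoke-ManagedDeviceAction -DeviceId $lost.id -Action RemoteLock
Invoke-ManagedDeviceAction -DeviceId $lost.id -Action Retire
```

Retire corresponds to the selective wipe in Table 1 and Wipe to the full factory reset, so the per-platform behaviour the tables list applies unchanged: which actions a given device honours (no full wipe on Windows 8.1, no passcode reset on Windows RT, remote lock only for the enrolling user on Windows 8.1/RT) still depends on the platform. The request is only queued by the service and takes effect when the device next checks in, which is why the Device History Report described above is worth checking afterwards to confirm the action was recorded and who initiated it.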
Conclusion
In this final part of this Intune article series, we looked at Remote Wipe, Remote Lock and Passcode Reset.