Intune and Exchange ActiveSync (Part 8)

By /

If you would like to read the other parts in this article series please go to:

Introduction

Intune provides administrators with the option to selective wipe, full wipe, remote lock, and passcode reset capabilities for mobile devices being managed by Intune. As mobiles usually store sensitive corporate data and provide access to many corporate resources, if a device is lost or stolen, we can issue a remote device wipe command from Intune’s administrator console. Also, users can issue their own remote device wipe commands from Intune’s company portal app. To protect devices we can issue:

  • A full wipe to restore the device to its factory settings (identical to what ActiveSync has been offering for years);
  • A selective wipe to remove only company data;
  • A remote lock to help secure a device that might be lost;
  • Reset the device passcode.

Remote Wipe

When we want to secure a lost device or when we retire a device from active use, it is typical to issue a wipe command to the device. With Intune there are two types of wipe:

  1. Full Wipe restores the device to its factory defaults. This removes all company and user data and settings. We can do a full wipe on Windows Phone, iOS and Android devices;
  2. Selective Wipe only removes company data. The following table describes by platform what data is removed and the effect on data that remains on the device after a selective wipe.

Content Type

Windows 8.1 (enrolled as a mobile device) and Windows RT 8.1

Windows RT

Windows Phone 8 and 8.1

iOS

Android

Android Samsung KNOX

Company apps and associated data installed by Intune

Files protected by EFS will have their key revoked and the user will not be able to open the files.

Will not remove company apps.

Apps originally installed through the company portal are uninstalled. Company app data is removed.

Apps are uninstalled. Company app data is removed.

App data from Microsoft apps that use mobile app management is removed. The app is not removed.

Apps and data remain installed.

App data from apps that use mobile app management is removed. The app is not removed.

Apps are uninstalled.

App data from apps that use mobile app management is removed. The app is not removed.

Settings

Configurations that were set by Intune policy are no longer enforced and users can change the settings.

Wi-Fi and VPN profile settings

Removed

Removed

Not supported

Removed

Not supported

Not supported

Certificate profile settings

Certificates removed and revoked.

Certificates removed and revoked.

Not supported

Certificates removed and revoked.

Certificates revoked, but not removed.

Certificates revoked, but not removed.

Management Agent

Not applicable. Management agent is built-in.

Not applicable. Management agent is built-in.

Not applicable. Management agent is built-in.

Management profile is removed.

Device Administrator privilege is revoked.

Device Administrator privilege is revoked.

Email

Removes email that is EFS enabled which includes the Mail app for Windows email and attachments.

Not supported

Email profiles that are provisioned through Intune are removed and cached email on the device is deleted.

Email profiles that are provisioned through Intune are removed and cached email on the device is deleted.

Not supported

Email profiles that are provisioned through Intune are removed and cached email on the device is deleted.

Azure Active Directory Unjoin

No

No

AAD Record removed

AAD Record removed

AAD Record removed

AAD Record removed

Table 1

To initiate a remote wipe:

  1. In the Microsoft Intune administration console, click Groups > All Users:

Image
Figure 1

  1. Click the name of the user whose mobile device you want to wipe, and then click View Properties:

Image
Figure 2

  1. On the properties page for the user, click the Devices tab, and then click the name of the mobile device that you want to wipe:

Image
Figure 3

  1. Click Retire/Wipe;
  2. A message appears, prompting you to confirm whether you want to retire the device:
    • To perform a selective wipe which only removes company content, click Yes;
    • To perform a factory reset on a device, select Wipe the device before retiring. This action applies to all platforms except Windows 8.1:

Image
Figure 4

To monitor the retire/wipe:

  1. In the Microsoft Intune administration console, click Reports > Device History Reports;
  2. Provide a start and end date for the report, then click View Report. The report provides a list of retire, wipe and delete actions taken on each device, and who initiated them.

Image
Figure 5

Wiping EFS-enabled content

Selective wipe of EFS-encrypted content is supported by Windows 8.1 and Windows RT 8.1. The following apply to a selective wipe of EFS-enabled content:

  • Only apps and data that are protected by EFS using the same Internet domain as the Intune account are selectively wiped;
  • If there are any changes made to the domain associated with EFS, the changes can take up to 48 hours before apps and data using the new domain can be selectively wiped;
  • Each domain that is registered with Intune is the domain that will be wiped.

The data and apps that are currently supported by EFS selective wipe are:

  • Mail app for Windows;
  • Work Folders;
  • Files and folders encrypted by EFS.

Passcode Reset

If a user forgets their passcode, we can remove the passcode from the device or force a new temporary passcode. The table below lists how passcode reset works on different mobile platforms:

Platform

Passcode Reset

iOS

Supported for clearing the passcode from a device. Does not create a new temporary passcode.

Android

Supported and a temporary passcode is created.

Windows Phone 8 and 8.1

Supported

Windows RT   8.1 and Windows RT

Not Supported

Windows 8.1

Not Supported

Table 2

To reset the passcode on a mobile device:

  1. In the Microsoft Intune administration console, click Groups > All Devices > All Mobile Devices;
  2. Click All Direct Managed Devices for devices enrolled with Intune or All Exchange ActiveSync Managed Devices. We can also navigate to a device by user. Click All Users and on the properties page for the user, click the Devices tab and then click the name of the mobile device that we want to wipe:

Image
Figure 6

  1. In the list, we select the device or devices that we want to reset, and then on the taskbar click Remote Tasks and then Passcode Reset:

Image
Figure 7

Remote Lock

If a user loses their device we can lock it remotely. The table below lists how remote lock works on different mobile platforms:

Platform

Remote Lock

iOS

Supported

Android

Supported

Windows Phone 8 and 8.1

Supported

Windows RT 8.1 and Windows RT

Supported if the current user of the device is the same user who enrolled the device.

Windows 8.1

Supported if the current user of the device is the same user who enrolled the device.

Table 3

To lock a mobile device remotely follow the previous steps but click on Remote Lock instead (in step 3).

Conclusion

In this final part of this Intune article series, we looked at Remote Wipe, Remote Lock and Passcode Reset.

If you would like to read the other parts in this article series please go to:

About The Author

Nuno Mota is an Exchange MVP working as a Microsoft Messaging Specialist for a financial institution. He is passionate about Exchange, Lync, Active Directory, PowerShell, and Security. Besides writing his personal Exchange blog, LetsExchange.blogspot.com, he regularly participates in the Exchange TechNet forums and is the author of the book “Microsoft Exchange Server 2013 High Availability.”

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top