

Leaving the org? Wipe Only Corporate Data from Native Mail App in iOS (Microsoft 365)

Wouldn't it be nice if, when an employee leaves the organization, you could remove only your corporate data from their iPad or iPhone and leave all of their personal data alone? It absolutely would, especially if that employee was using the native (built-in) Mail app in iOS. Look no further, because Microsoft 365 can perform a selective wipe on the device and remove corporate data, including the mailbox configured in the native Mail app.

So how is this possible?

Intune removes whatever it manages on the device. If the Exchange (Office 365) account in the native Mail app was delivered by an Intune email profile, and the user signed into it with their Azure AD credentials, that account and its cached data count as "corporate data". When the device is enrolled in Intune Mobile Device Management (MDM) and the selective wipe command is issued (or the user performs it themselves from the Company Portal app), the MDM management profile is removed together with every configuration profile it delivered, and iOS deletes the Office 365 account and its mail from the native Mail app. An account the user added to the Mail app manually was never managed, so it is neither protected by this mechanism nor removed by it.

What are the requirements for this to work?

  1. The iOS device is enrolled in Intune MDM.
  2. An Intune iOS Device Configuration Profile of type Email is configured and assigned to the user or device, so that the mail profile is pushed by Intune rather than created by hand.
  3. The user is signed into the native Mail app using their Azure AD credentials to access their Office 365 mailbox.
  4. iOS enrollment has been properly configured in Intune, and an iOS device compliance policy has been configured and assigned.
  5. The user has an Office 365 Exchange Online mailbox.

How do I configure it?

This is made possible by having a mail profile configured as a Device Configuration Profile in Microsoft Intune. Let's take a look at how to do that. From within the Intune blade in the Azure Portal, select Device Configuration -> Profiles and create a new profile for the iOS platform with a profile type of Email:

Next, click Settings and configure the email profile. See my screenshot below of how I set up my email profile for Office 365 based on my organization's requirements (note that your configuration parameters may be different). When finished, click OK.


Click Save to save the email profile. Next, click Assignments and assign the new profile to All Users, or All Devices, or Selected Groups. For my environment, I am going to assign to a security group that sales and marketing employees belong to. When finished, click Save:
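The portal steps above (create the iOS Email profile, then assign it to a group) can also be scripted against Microsoft Graph, which is useful when the same profile has to exist in several tenants. The following is an added example and not code from the original post; it uses the Microsoft.Graph PowerShell module and the `iosEasEmailProfileConfiguration` resource type. The group name, profile display name, sync window and the two "block" settings are assumptions chosen for illustration; adjust them to your own requirements.

```powershell
# Added example (not from the original post): create the iOS Exchange ActiveSync
# email profile through Microsoft Graph and assign it to a security group.
# Requires the Microsoft.Graph PowerShell module (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Group.Read.All"

$groupName = "Sales and Marketing"   # assumed display name of the target security group
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# The same settings the portal exposes on the Email profile. Host name and the
# Azure AD-derived username/email are what makes the account an Office 365 mailbox.
$profileBody = @{
    "@odata.type"                           = "#microsoft.graph.iosEasEmailProfileConfiguration"
    displayName                             = "iOS - Office 365 Mail"        # assumed name
    description                             = "Native Mail app profile for Exchange Online"
    accountName                             = "Office 365"                   # label shown on the device
    hostName                                = "outlook.office365.com"
    usernameSource                          = "userPrincipalName"
    emailAddressSource                      = "userPrincipalName"
    authenticationMethod                    = "usernameAndPassword"
    requireSsl                              = $true
    durationOfEmailToSync                   = "oneWeek"                      # assumed sync window
    blockMovingMessagesToOtherEmailAccounts = $true                          # keeps corporate mail inside the managed account
    blockSendingEmailFromThirdPartyApps     = $true
}

$emailProfile = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
    -Body $profileBody

# Assign the new profile to the group; without an assignment nothing is pushed
# and Retire has no managed mail profile to remove.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $group.Id
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($emailProfile.id)/assign" `
    -Body $assignBody

Write-Host "Created profile $($emailProfile.id) and assigned it to '$groupName'"
```

Two details worth noting: the script deliberately does not use `$profile` as a variable name, because that is a PowerShell automatic variable, and it checks that the group lookup returned something before creating the profile, so a typo in the group name does not leave an unassigned profile behind in the tenant.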


How do I test it?

Using my iPhone test device, I am going to enroll it into Intune MDM using the Company Portal App from the App Store. If you aren't familiar with this process, see my blog: Intune: MDM Enrollment Experience (complete device management)

Important: Make sure the user or device that is enrolling is a member of the security group above, or that the Device Configuration Profile was assigned directly to that user or device!

You may be prompted to enter the password for the Exchange account (Office 365):


After tapping Edit Settings and entering my password, I'm going to launch the native mail app, and notice my email profile is now configured and my mailbox is visible in the app:


Now we need to perform the selective wipe and remove only the corporate data. This can be done in two ways: from the Azure portal, or from the Company Portal app on the iOS device.

Important: Selective wipe in Intune is referred to as Retire. Retire removes the management profile and the data Intune delivered; Wipe resets the whole device to factory settings, personal data included. More information on the differences between Wipe and Retire can be found here.

From within Intune I am going to click my iOS device (Megan's iPod Touch):

Then I will choose Retire and click Yes at the warning:

The Retire request will be submitted and the status will change to Pending:

Wait a few moments for the Retire command to be sent to the device, then on the iOS device launch the native mail app:
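The Retire step can be issued from Microsoft Graph as well, which is how you would fold it into an offboarding workflow. This is an added example, not code from the original post. It uses the Microsoft.Graph PowerShell module, the `managedDevices` `retire` action and the device's `managementState` to watch the request go from pending to issued. The device name comes from the screenshot above; the expected user principal name and the polling limits are assumptions.

```powershell
# Added example (not from the original post): issue Retire (selective wipe) for one
# iOS device through Microsoft Graph. Retire removes the MDM-delivered mail profile
# and management profile only; the /wipe action would factory-reset the device,
# so this script never calls it.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All"

$deviceName   = "Megan's iPod Touch"   # device shown in the post's screenshot
$expectedUser = "megan@contoso.com"    # assumed UPN of the departing employee

# Look the device up by name. Escape the apostrophe for the OData filter.
$escapedName = $deviceName.Replace("'", "''")
$listUri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=deviceName eq '$escapedName'"
$devices = @((Invoke-MgGraphRequest -Method GET -Uri $listUri).value)

# Guard against retiring the wrong device: exactly one match, iOS, owned by the expected user.
if ($devices.Count -ne 1) { throw "Expected one device named '$deviceName', found $($devices.Count)" }
$device = $devices[0]
if ($device.operatingSystem -ne "iOS") { throw "Device runs $($device.operatingSystem), not iOS" }
if ($device.userPrincipalName -ne $expectedUser) { throw "Device is enrolled by $($device.userPrincipalName), not $expectedUser" }

$deviceUri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.id)"
Invoke-MgGraphRequest -Method POST -Uri "$deviceUri/retire"
Write-Host "Retire requested for $deviceName ($($device.id))"

# Poll managementState: it leaves 'managed' for 'retirePending', then 'retireIssued'
# once the device has checked in; the record disappears after the device acknowledges.
$attempts = 0
do {
    Start-Sleep -Seconds 15
    $attempts++
    $current = Invoke-MgGraphRequest -Method GET -Uri $deviceUri
    Write-Host "managementState: $($current.managementState)"
} while ($current.managementState -eq "managed" -and $attempts -lt 20)
```

The three `throw` checks are the part to keep even if you trim the rest: the portal makes you click the device you mean, but a script that filters by a free-text device name will happily act on a duplicate or on another user's phone unless you verify the match first.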


The corporate data (the Office 365 mailbox) and its cached email are removed, and the Mail app returns to its initial account sign-in screen. Any personal accounts the user added to the Mail app themselves stay in place, because they were never managed by Intune:


Conclusion:

That's it! While this is simple to set up, ensure you have met the requirements and that your mail profile in Intune has been properly configured and assigned; a mailbox the user configured by hand is not covered by Retire. Note that if you are looking to perform the selective wipe (Retire) on Android, this requires Android Enterprise. More information here.

Comments

  • Anonymous
    February 14, 2019
    And what if we prefer the Outlook app (it supports policy), but do not configure the native Mail app (we do not restrict it for MDM) and the user creates the profile manually? Will it be supported when the mail profile is not pushed from the server? Because if we configure both, the user sees notifications and everything else twice...
    • Anonymous
      February 14, 2019
      @Kazzsn - I configure the native profile to maintain the ability to selectively wipe it, and instruct the end user that they can go to Settings -> Passwords & Accounts -> company mail profile and toggle Mail, Contacts, Calendars, etc. off if they choose to use the mobile Outlook app. Another option is a conditional access policy that blocks the native mail client, if you are EM+S licensed and your IT dept strictly doesn't support native mobile mail clients.
    • Anonymous
      February 16, 2019
      @Kazzan, if you prefer the Outlook app and you don't use MDM, then I recommend you consider creating a Conditional Access policy to prevent users from using the native mail app on their unmanaged devices, and then use Intune Mobile Application Management to selectively wipe the Outlook app. The configuration I'm describing is possible with Azure AD P1 (for the conditional access bits) and Intune (or EMS E3 or M365 E3) licensing. Here are the instructions to set this up: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-conditional-access
      • Anonymous
        February 21, 2019
        Hi, we are already using this for some users with Conditional Access. But what about a different case? We do not configure the mail profile to be deployed as stated above. When a user uses Outlook, it triggers the MAM scenario. If they use the native app, it requires MDM. But will the wipe also work in that case for the native app?