Why cannot the MDM be removed completely from a BYOD and why is the phone still under the control of the MDM?

WKATCL 20 Reputation points
2025-02-18T01:24:40.3266667+00:00

My personal iPhone that was used to access work email via Outlook app had experienced extreme drain of battery and usage since last August when the work account security issue was reported.

  1. Is it normal to ask for the unlocking code to a personal cell phone when accessing the work email via the Outlook app?

Whenever I accessed work email on the phone, the pop-up screen always asked for the unlocking code to my phone despite the fact that many other 2FAs exist.

  2. Can a personal cell phone (BYOD) used to access work email via the Outlook app be changed to restricted or managed phone?

My cell phone experienced a complete lock down. Restriction seems to have been enabled from time to time to prevent using Face ID (other possible factors have been eliminated).

  3. Why does the "wipe pending" stay for several months since the mobile device was wiped via the work email account after the Outlook app was already deleted from cell phone? The Microsoft website states that it would only take 5 minutes.
  4. Why does the phone still appear to be controlled by MDM after the removal of the Outlook app, a cell phone factory reset, and the MDM is not listed under "VPN & Mobile Device Management" on the personal iPhone?

Here are the same things that still happen to my cell phone:

There is still abnormal and extreme drain of battery from time to time.

The Face ID appears to be disabled from time to time.

Certain apps were disabled for a period of time or disappeared suddenly.

Phone screen suddenly became frozen during a call (work related and on work schedule) ......

  5. How can this MDM be completely removed? Is there an MDM central server where the MDM profile is saved and controlled by an admin?
  6. Can the MDM profile be removed by completely eliminating the work email account where the "wipe" is still pending?

Thank you.


2 answers

  1. ZhoumingDuan-MSFT 16,280 Reputation points Microsoft Vendor
    2025-02-19T02:25:33.8433333+00:00

    @WKATCL, Thanks for posting in Q&A.

    For your issue, here is some information you can refer to.

    Q1. Is it normal to ask for the unlocking code to a personal cell phone when accessing the work email via the Outlook app?

    A1. If you have deployed app protection policy to Outlook app, it is normal to ask for the unlocking code to a personal cell phone when accessing the work email via the Outlook app.

    Q2. Can a personal cell phone (BYOD) used to access work email via the Outlook app be changed to restricted or managed phone?

    A2. Yes, you can change the MDM profile to Automated device enrollment (ADE) or Apple Configurator and apply an app protection policy to achieve that.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados

    Q3. Why does the "wipe pending" stay for several months since the mobile device was wiped via the work email account after the Outlook app was already deleted from cell phone? The Microsoft website states that it would only take 5 minutes.

    A3. It could be a show error; you can contact your IT department to clear or cancel the pending wipe request and re-try the wipe action.

    Q4. Why does the phone still appear to be controlled by MDM after removing the Outlook app, performing a factory reset, and not seeing MDM listed under "VPN & Mobile Device Management"?

    A4. If the MDM profile was removed and you cannot find it under Settings > Tap General > Scroll down and select VPN & Device Management, it means the device was out of Intune control.

    Q5. How can this MDM be completely removed? Is there an MDM central server where the MDM profile is saved and controlled by an admin?

    A5. To remove an MDM profile:

    1. Open Settings.
    2. Tap General.
    3. Scroll down and select VPN & Device Management.
    4. If an MDM profile is present, tap on it to view the details.
    5. Tap Remove Management.

    Q6. Can the MDM profile be removed by completely eliminating the work email account where the "wipe" is still pending?

    A6. Removing the work email account from your device doesn't necessarily remove the MDM profile. The MDM profile is a separate entity that manages device configurations, policies, and accounts. To ensure complete removal of the MDM profile, follow the steps mentioned above. If the "wipe pending" status persists on your organization's server, it's advisable to inform your IT department so they can update their records and ensure your device is no longer listed under their management.

    Hope the above information can help you.

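The admin-side check that A3 and A6 point to, as an added example (not part of the original answer and not Microsoft's code): it scans Intune device records for wipe requests that have stayed pending and reports whether the device has checked in since the request, because an MDM command is only delivered when the device checks in. The record shape follows the Microsoft Graph `managedDevice` resource (`deviceActionResults`, `lastSyncDateTime`); the sample records, the `"wipe"` action name and the one-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (IDs, names and timestamps are made up).
SAMPLE_DEVICES = [
    {"id": "dev-001", "deviceName": "iPhone-A", "lastSyncDateTime": "2024-09-02T08:15:00Z",
     "deviceActionResults": [{"actionName": "wipe", "actionState": "pending",
                              "startDateTime": "2024-09-03T00:00:00Z"}]},
    {"id": "dev-002", "deviceName": "iPhone-B", "lastSyncDateTime": "2025-02-17T21:00:00Z",
     "deviceActionResults": [{"actionName": "wipe", "actionState": "pending",
                              "startDateTime": "2025-02-17T22:00:00Z"}]},
    {"id": "dev-003", "deviceName": "iPad-C", "lastSyncDateTime": "2025-01-05T09:00:00Z",
     "deviceActionResults": [{"actionName": "wipe", "actionState": "done",
                              "startDateTime": "2025-01-05T08:00:00Z"}]},
    {"id": "dev-004", "deviceName": "iPhone-D", "lastSyncDateTime": "2025-02-17T12:00:00Z",
     "deviceActionResults": [{"actionName": "wipe", "actionState": "pending",
                              "startDateTime": "2025-01-10T00:00:00Z"}]},
]

def parse_ts(value):
    """Parse a UTC timestamp like 2024-09-03T00:00:00Z, ignoring fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)

def stale_pending_actions(devices, now, action="wipe", max_age=timedelta(days=1)):
    """Return devices whose `action` request has been pending longer than max_age."""
    findings = []
    for dev in devices:
        last_sync = parse_ts(dev["lastSyncDateTime"])
        for res in dev.get("deviceActionResults") or []:
            # "wipe" as the action name is an assumption; pass another name if needed.
            if res["actionName"] != action or res["actionState"] != "pending":
                continue
            started = parse_ts(res["startDateTime"])
            age = now - started
            if age <= max_age:
                continue  # still within the normal delivery window
            findings.append({
                "id": dev["id"],
                "deviceName": dev["deviceName"],
                "days_pending": age.days,
                # False: no check-in since the request, so the command was never
                # delivered and the record is a candidate for cancel/cleanup.
                "checked_in_since": last_sync > started,
            })
    return findings

if __name__ == "__main__":
    for f in stale_pending_actions(SAMPLE_DEVICES, datetime(2025, 2, 18, tzinfo=timezone.utc)):
        print(f)
```

A record with `checked_in_since` false matches a device that has left management while the server still lists the request; one with it true is still checking in and needs investigation instead.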


  2. WKATCL 20 Reputation points
    2025-02-24T03:18:35.2133333+00:00

    Thank you for your response. The issues that I have been experiencing coincide with things happening to my work account, such as the account not being locked after over 50 failed sign-ins from places all over the world, my work computer's power button being locked, the mouse malfunctioning again and again (but working on other computers), file formats being changed, real-time actions messing up documents I was working on, emails sent out with altered information, etc. After I realized that the things that happened to my cell phone appear to be related to work and learned about what MDM is and what it can do to your personal phone, I deleted the Outlook app and probably will never use it again on my phone. My research and information from other technicians have indicated that since the MDM is device specific, removing it from my cell phone cannot stop it from being manipulated, especially if this involves someone who might be working in the IT department.

    I am not sure what you meant by saying "if you have deployed app protection policy". I am not in IT, but an end user. We used cell phones to access the work schedule most of the time. It is not an institution with restrictions. We have a no tracking policy. But that does not stop anything that has been happening.

    Thank you.

