Upgrading to New Device Allows Unmanaged Access
I'm new to Intune and have confirmed with my third-party vendor that the "feature" I'm about to describe is currently functioning properly. In my opinion, this needs to change.
I don't know the behavior with Android yet; this was only just discovered with an iPhone device.
User gets new phone, backs up old phone, activates new phone, performs restore.
The management policy did not get loaded to the new device, but the Outlook app was installed. The user was only asked for credentials and was then allowed unmanaged access to corporate email.
I'm sure there are issues with how iPhones do restores at work here, but I think the issue should be addressed by Microsoft at a higher level.
If the company is licensed to use Intune for its MDM, there should be an option in Exchange to only allow access through a managed app. Turning on ActiveSync turns on access. I guess that is great for companies not using Intune, but for those that are, there should be greater control. The user should be forced to re-enroll the new device before it is allowed to connect to corporate services.
Kieran Gupta, Microsoft Intune, commented:
Hi Brad - when you restore an iOS device from a previous backup, Apple does not restore the management information on the device. We have a bug open on this, and are looking at ways to work around the issue.