Completely separate the "Remove company data" and "Factory reset" buttons far enough apart to avoid accidental full device wipe.
Currently these buttons are right next to one another and it is very easy to accidentally perform a full device wipe (factory reset) on a user's personal device - losing all data, versus the intent of just wiping the company data. Consider putting the "Factory reset" button in the "..." more section -- away from the primary choices.
I agree, this action should be a specific RBAC assignment. It is the single biggest question we have regarding full MDM on a BYO device. I'd love to be able to say that our helpdesk/support staff role can only issue company data wipes. Alternatively, you could grey out the option for Factory Reset if the device ownership is set to Personal.
I'd augment this request to require a different RBAC assignment so it can be locked down further, including a requirement for multi-person approval in the workflow to do a reset.
Otherwise, BYOD policies are just silly. Who would possibly allow their own personal device to be reset by any third party, no matter how beneficent their intentions are as stated in a paper policy?
There need to be separate controls for Reset Device and multiple levels of management (perhaps the Department Manager of the terminated employee, AND the HR Director, AND the IT Manager, all of whom must log on to Intune with their own accounts and affirmatively approve a BYOD full reset).
Otherwise, BYOD is a terrible risk to the employee and, at least in our company, will be DOA.
What employee would willingly offer up a personal device exposed to the risk that Intune permits today just to save its company the expense of providing corporate-owned devices (which would not have such complications)?
Additionally, please consider renaming the "Factory reset" button to something like "Full device wipe" or "Remove All Device Data".
Garrett Nelson commented
Otherwise, making the "are you sure" process a little harder to accidentally bypass would be good. For example, make it ask if you are really sure you want to do this, type the word wipe into the box below to confirm and click OK.