Microsoft

Microsoft Endpoint Manager Intune Feedback

Suggestion box powered by UserVoice

How can we improve Microsoft Endpoint Manager Intune?

← Ideas

Add a policy to prevent device unenrollment from Company portal

Companies provide devices to their employees and generally wants to make sure that these devices will always remain managed through Intune. It could be interesting to have a policy that prevent users to unenroll a device identified as a company device from the Intune company portal.

819 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google Microsoft Intune
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Jean-Baptiste Frossard shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
needs more info  ·  AdminCathy Moya (Intune UserVoice Admin, Microsoft Intune) responded  · 

The PMs involved have been talking about how best to give you a way to disable the “remove device” action. They think rather than focusing on platform enrollment types (iOS, Android, Windows), they could allow you to disable based on corporate vs personal ownership. I said I’d ask if that would work for you. :-)

Would that get you want you need?

82 comments

Sign in
(thinking…)
Sign in with: Facebook Google Microsoft Intune
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    As already mentioned this is available in AirWatch. We desperately need to be able to prevent users from un-enrolling devices.

  • JoeC commented  ·   ·  Flag as inappropriate

    For supervised iOS devices, we should be able to see the status of the Company Portal installation and initiate the installation of Company Portal if the app has been removed.

    We use DEP and VPP to manage devices and push the Company Portal installation when a phone has completed setup assistant.

    Once a user has been enrolled in Company Portal and receives the profiles (Restrictions, Mail, Wifi, etc), if Company Portal is later uninstalled, those profiles should be removed.

  • Michael van Ee commented  ·   ·  Flag as inappropriate

    This would save a lot of time and irritation in the ICT department. There are always users who don't like "ICT" or need extra space on there smartphone, and just delete the company / work-apps. And sometimes updates can also cause problems with the membership of Intune. This policy would be a nice gift for the holidays.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Agree this prevention is required, and concur this needs to be implemented for supervised corporate devices.

    In addition to the comments already made, as I can't see this specific item mentioned (specific to iOS):
    There also needs to be a policy to prevent a user from removing the Comp Portal app at all. We can stop icons from being re-arranged but not uninstalled. System apps such as Messages & Photos can't be removed (General > iP* Storage > Comp Portal > Delete app)

    In our example, we remove the ability to factory reset, so if the user removes the portal app, the device can no longer be reset (or at least not very easily). For some of our kiosk devices this effectively bricks a device.

    Please include this as part of the above functionality.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Cathy Moya, here is what I have personally witnessed with the relationship between Intune and Apple devices.

    • The device must be built as a new device, not from an iCloud or iTunes backup to be a supervised device. Unless you use a ridiculous third device work-around.
    o Apple design – restoring from a backup makes it an un-supervised device
    • Un-supervised devices are treated as BYOD. The user has the ability to remove the management profile from the device.
    o Settings > General > Device Management > Management Profile
    o If the device is un-supervised, the user has the ability to remove the profile using “Remove Management”
    • Supervised devices, built as a new device, can be defeated by restoring the device in iTunes, then restoring it from a personal backup.
    o The device will become un-supervised and vulnerable to the above issues

    How can we secure our smartphone environment when users have the ability to remove a corporate owned DEP enrolled device from our control?

  • Alan B commented  ·   ·  Flag as inappropriate

    This is a critical feature for maintaining a mobile estate which is demonstrably compliant to a given governance standard. Tech support just point me to this thread.. I hope this is a priority on the Intune roadmap.

  • Jason Lazerus commented  ·   ·  Flag as inappropriate

    Any updates on this? For corporate devices, this is a must. Removal should be doable at the console level.

  • Minh H. commented  ·   ·  Flag as inappropriate

    We would need to have that feature. We don't want user to be able to remove the profile that approves access of Intune to manage the device. Otherwise, corporate device may become personal device. However we should be able to remove profile only by using some kind of admin account (but not the current local admin account). Can you suggest something to implement that?

  • Jo Below commented  ·   ·  Flag as inappropriate

    any progress on this? If corporate (company) owned, I think only domain admins or InTune admins should be able to unenroll (disconnect) the service.

  • Dylan commented  ·   ·  Flag as inappropriate

    Is this still on-going, it would be great to have this in place for our company with >3000 managed devices.

  • Justin commented  ·   ·  Flag as inappropriate

    Odd, If you are speking of iOS devices and you are using DEP this is already baked in.

    Home
    Microsoft Intune
    Device enrollment - Apple enrollment
    Enrollment program tokens
    (YOUR PROFILE) - Profiles
    (YOUR PROFILE NAME) - Properties
    Device Management Settings

    Locked Enrollment

    If you are not using or did not purchase your devices through DEP, then you can have a DEP setup then add the devices manually using a Mac OS device such as a Mac Mini. iOS 11+ required along with Mojave and Apple Configurator 2.9+.

  • Rob de Roos commented  ·   ·  Flag as inappropriate

    @Cathy, that would indeen be briliant! I can imagine however that in some cases (testing for example) you have to be able to exclude devices.

  • Alexander Kanakaris commented  ·   ·  Flag as inappropriate

    We are stalling the deployment of Intune for MDM of iOS and Android due to this huge security hole!

    This needs to be fixed ASAP as it poses a major security risk because the end users can even send a Refresh or Reset command via their mobile phone’s Company Portal app to their Corporate owned system in the office!

    I have an open case with Intune about this.

  • Jegan Devabalan commented  ·   ·  Flag as inappropriate

    We have 3000 devices about to get enrolled with Intune but its leaving a risk were user can un-enroll the device on their own. I would like microsoft to come with a solution as soon as they can . Also i want to be keep posted about this.

← Previous 1 3 4 5

Ideas: Mobile Device Management (general)

Categories

Feedback and Knowledge Base

(thinking…)