Add a policy to prevent device unenrollment from Company portal
Companies provide devices to their employees and generally wants to make sure that these devices will always remain managed through Intune. It could be interesting to have a policy that prevent users to unenroll a device identified as a company device from the Intune company portal.
The PMs involved have been talking about how best to give you a way to disable the “remove device” action. They think rather than focusing on platform enrollment types (iOS, Android, Windows), they could allow you to disable based on corporate vs personal ownership. I said I’d ask if that would work for you. :-)
Would that get you want you need?
Minh H. commented
We would need to have that feature. We don't want user to be able to remove the profile that approves access of Intune to manage the device. Otherwise, corporate device may become personal device. However we should be able to remove profile only by using some kind of admin account (but not the current local admin account). Can you suggest something to implement that?
Anything new about this? Seems like a sorely needed feature!
Jo Below commented
any progress on this? If corporate (company) owned, I think only domain admins or InTune admins should be able to unenroll (disconnect) the service.
Is this still on-going, it would be great to have this in place for our company with >3000 managed devices.
Odd, If you are speking of iOS devices and you are using DEP this is already baked in.
Device enrollment - Apple enrollment
Enrollment program tokens
(YOUR PROFILE) - Profiles
(YOUR PROFILE NAME) - Properties
Device Management Settings
If you are not using or did not purchase your devices through DEP, then you can have a DEP setup then add the devices manually using a Mac OS device such as a Mac Mini. iOS 11+ required along with Mojave and Apple Configurator 2.9+.
@Cathy would be a good solution - any updates about this?
Rob de Roos commented
@Cathy, that would indeen be briliant! I can imagine however that in some cases (testing for example) you have to be able to exclude devices.
Alexander Kanakaris commented
We are stalling the deployment of Intune for MDM of iOS and Android due to this huge security hole!
This needs to be fixed ASAP as it poses a major security risk because the end users can even send a Refresh or Reset command via their mobile phone’s Company Portal app to their Corporate owned system in the office!
I have an open case with Intune about this.
Can we have a update?
Florian L. commented
It's a joke ? Clap clap ...
Jegan Devabalan commented
We have 3000 devices about to get enrolled with Intune but its leaving a risk were user can un-enroll the device on their own. I would like microsoft to come with a solution as soon as they can . Also i want to be keep posted about this.
Darwis Fransida commented
Yes, that will work for us to control/restrict the ability to remove device from InTune Comp Portal if the device ownership is set to Corporate.
Has this been implemented?
Actually it would be great if there would be an option to the user to remove his onmicrosoft.com account from the info. I personally broke the Intune enrollment when I removed the user and added a new one within the same session.
Intune sees the device as unenrolled and even when I put back the original user the enrollment didn't recover.
This is a known issue in the way intune manages shared devices that are used by different users as so far Intune has only one possible user assigned to the device
Dan goodwin commented
Hi guys i have found a way round it if you have knox devices.
Instead of enrolling android enterprise, enrol just android.
Android enterprise- if you uninstall the company portal, knox deployment will not force the enrolment again.
Android- if you uninstall the company portal, knox deployment will force the user to go through the deployment again which involves installing and enrolling the company portal. During this time they are unable to use the back button, home button or split button.
So I think rolling out the devices as personal will ensure the devices are still managed
Disabling corporate vs personal would be an option. It may also be nice to have some sort of policy set that us as admins could deploy. As admins you could test with multiple devices and if it automatically did not allow removal of the portal app, that could hinder testing from our side. If you could deploy it as a policy set it could allow use to point this to specific groups or collections. A case for this would be that my company has some outward facing Android devices that we manage. We can not use DEP since thats iOS. There would be an administrative burden to always verify the Android devices are always imported via manual efforts to verify they are "company owned." We get in hundreds of these devices that a specific group of individuals use. The company wants these individual users to enroll vs an enrollment administrator. If you could target a policy to these people which would remove the ability in the app to be removed, it would be beneficial.
Stephen B commented
This is a very basic MDM requirement for company owned devices.
Please make this available ASAP!!
What is the point of advertising Intune as MDM if this is not a feature. AirWatch ( a MDM solution ) provides this capability.