Add a policy to prevent device unenrollment from Company portal
Companies provide devices to their employees and generally want to make sure that these devices will always remain managed through Intune. It could be interesting to have a policy that prevents users from unenrolling a device identified as a company device from the Intune company portal.
I can confirm that we have this on our plan for early in 2020. Thanks for your patience!
What about the personal devices that enrolled through the Company APP portal? Can I do the same, or prevent the users from accessing the email once he is un-enrolled?
Ian, Apple and Intune already have this feature for iOS. The service is called the Apple Device Enrollment Program; supervised iOS devices enrolled using this service cannot be de-enrolled from their MDM: https://www.apple.com/business/dep/
Ian Marshall commented
We need this feature in our environment. We provide iOS devices to users and have found that they can un-enrol their device and we lose sight of the device from Intune.
I'm not sure what you're asking for - do you mean the user shouldn't be able to uninstall the Company Portal from the device, or the user shouldn't be able to sign out of the Company Portal, or something else?
Once signed in to the Company Portal, the end users of a company owned device shouldn't be able to unassign from the Company Portal.
Android users are able to deactivate the Company Portal App after having used it to enroll their devices so as to access their email. Once the app is deactivated, the device disappears from the MDM module in O365 and the users are still able to send/receive email on their devices.
We have a policy in the WP 8.1 to stop the user unenrolling, but if they access the company portal on the web they can remove the device that way.
This is a good solution.