Add a policy to prevent device unenrollment from Company portal
Companies provide devices to their employees and generally want to make sure that these devices always remain managed through Intune. It would be useful to have a policy that prevents users from unenrolling a device identified as a company device from the Intune Company Portal.
I can confirm that we have this on our plan for early in 2020. Thanks for your patience!
All 3 of the following UserVoice ideas appear to relate to the same issue:
Can these be linked and the aggregate votes be viewed as one?
At the company I work for, the discovery that a user is able to deactivate the Company Portal as a device administrator and delete it from the device in as little as six screen taps has caused all Android devices to be recalled. Removing the Company Portal removes visibility, device management and security capability, but does not remove the corporate email configuration, which can be accessed for up to 24 hours afterwards with the compliance status validity period set to its minimum value of 1 day. In that time users can install any kind of software (e.g. social media apps, dating apps, proxies, the Tor browser, etc.) and leak corporate data via these apps undetected.
We are now trialling Blackberry UEM instead of Intune since this appears to secure Android devices better than Intune can.
As a result this year's 9.5K Intune licenses will not be renewed when they expire.
Users with corporately owned Android devices (not Android for Work) are able to deactivate and uninstall the Intune Company Portal which turns off all security controls configured via Intune.
Other apps (e.g. Zscaler SecureAgent) have the DEACTIVATE button greyed out so that the app can't be deactivated as a device administrator, and have a centrally managed uninstall password.
Please do the same for the Intune Company Portal for managed Android devices.
Need to prevent users from deactivating and then uninstalling the Intune Company Portal on corporate-owned Android devices. This is easily done within a couple of minutes and gives the user full access to install whatever they want while maintaining email access to corporate Exchange. We can block the Settings app from launching via Knox, but this blocks the user from being able to join Wi-Fi networks, etc.
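The gap the Android comments above describe has a visible signature in Intune before the device drops out of the console altogether: a device whose Company Portal has been deactivated stops checking in, so its last sync time ages past the compliance status validity period while cached mail may still be usable. The script below is an added example, not code from this thread, from Microsoft or from Intune, that flags such devices from a list of managed-device records. The record shape (deviceName, operatingSystem, managedDeviceOwnerType, complianceState, lastSyncDateTime) is assumed to mirror the Graph managedDevice resource; the records are constructed for the example, and a real run would feed it the result of a Graph query instead.

```python
from datetime import datetime, timedelta

# Constructed sample records. The field names are assumed to follow the
# Intune managedDevice resource; the values are invented for this example.
SAMPLE_DEVICES = [
    {"deviceName": "ANDROID-0042", "operatingSystem": "Android",
     "managedDeviceOwnerType": "company", "complianceState": "compliant",
     "lastSyncDateTime": "2019-11-04T06:00:00Z"},   # silent for 30h
    {"deviceName": "ANDROID-0077", "operatingSystem": "Android",
     "managedDeviceOwnerType": "company", "complianceState": "compliant",
     "lastSyncDateTime": "2019-11-05T07:40:00Z"},   # checked in recently
    {"deviceName": "IPHONE-0013", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "company", "complianceState": "compliant",
     "lastSyncDateTime": "2019-11-03T22:00:00Z"},   # silent for 38h
    {"deviceName": "ANDROID-0101", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "complianceState": "compliant",
     "lastSyncDateTime": "2019-11-02T09:00:00Z"},   # personal, out of scope
]


def parse_graph_time(value):
    """Parse an ISO 8601 timestamp with a trailing Z, as Graph returns it.
    datetime.fromisoformat does not accept "Z" in older Pythons, so it is
    normalised to an explicit UTC offset first."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_devices(devices, now_iso, validity_hours=24,
                  os_filter="Android", owner="company"):
    """Return (deviceName, hours_since_last_sync) for devices of the given OS
    and ownership whose last check-in is older than validity_hours, most
    stale first. validity_hours should match the tenant's compliance status
    validity period (1 day is the minimum the comment above refers to): a
    device that has been silent longer than that has either lost its
    management agent or been switched off, and either way deserves a look
    before its cached mail configuration is relied on."""
    now = parse_graph_time(now_iso)
    window = timedelta(hours=validity_hours)
    stale = []
    for d in devices:
        if d.get("operatingSystem") != os_filter:
            continue
        if d.get("managedDeviceOwnerType") != owner:
            continue
        age = now - parse_graph_time(d["lastSyncDateTime"])
        if age > window:
            stale.append((d["deviceName"], round(age.total_seconds() / 3600, 1)))
    stale.sort(key=lambda entry: entry[1], reverse=True)
    return stale


if __name__ == "__main__":
    # Constructed "now" so the sample data produces a stable report.
    for name, hours in stale_devices(SAMPLE_DEVICES, "2019-11-05T12:00:00Z"):
        print(f"{name}: last check-in {hours}h ago, past the validity window")
```

The report is only a detective control: it narrows the window described above rather than closing it, and a device that has already been removed from the console will not appear in the input at all, so the query should be run often enough (hourly, say) to catch devices while they are still listed.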
This option is essential on enterprise-owned devices.
What about personal devices that were enrolled through the Company Portal app? Can I do the same, or prevent users from accessing email once they have unenrolled?
Ian, Apple and Intune already have this feature for iOS. The service is called the Apple Device Enrollment Program; supervised iOS devices enrolled using this service cannot be unenrolled from their MDM: https://www.apple.com/business/dep/
Ian Marshall commented
We need this feature in our environment. We provide iOS devices to users and have found that they can unenroll their device and we lose sight of the device in Intune.
I'm not sure what you're asking for - do you mean the user shouldn't be able to uninstall the Company Portal from the device, or the user shouldn't be able to sign out of the Company Portal, or something else?
Once signed in to the Company Portal, the end users of a company-owned device shouldn't be able to unassign it from the Company Portal.
Android users are able to deactivate the Company Portal app after having used it to enroll their devices so as to access their email. Once the app is deactivated, the device disappears from the MDM module in O365, and the users are still able to send and receive email on their devices.
We have a policy in WP 8.1 to stop the user unenrolling, but if they access the Company Portal on the web they can remove the device that way.
This is a good solution.