My feedback

1. Add a policy to prevent device unenrollment from Company portal

   1,060 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   91 comments  ·  Ideas » Mobile Device Management (general)  ·  Flag idea as inappropriate…Flag idea as inappropriate…  ·  Delete…  ·  Admin →
   planned  ·  AdminCathy Moya (Intune UserVoice Admin, Microsoft Intune) responded

   I can confirm that we have this on our plan for early in 2020/ Thanks for your patience!

   An error occurred while saving the comment
   Anonymous commented  ·  Sep 27, 2019  ·  Edit…  ·  Delete…

   Cathy Moya, here is what I have personally witnessed with the relationship between Intune and Apple devices.

   • The device must be built as a new device, not from an iCloud or iTunes backup to be a supervised device. Unless you use a ridiculous third device work-around.
   o Apple design – restoring from a backup makes it an un-supervised device
   • Un-supervised devices are treated as BYOD. The user has the ability to remove the management profile from the device.
   o Settings > General > Device Management > Management Profile
   o If the device is un-supervised, the user has the ability to remove the profile using “Remove Management”
   • Supervised devices, built as a new device, can be defeated by restoring the device in iTunes, then restoring it from a personal backup.
   o The device will become un-supervised and vulnerable to the above issues

   How can we secure our smartphone environment when users have the ability to remove a corporate owned DEP enrolled device from our control?

   Save Submitting...