Wouldn’t it be nice if, when an employee leaves the organization, you could remove only your corporate data from their iPad or iPhone and leave their personal data alone? It absolutely would, especially when that employee uses the native (built-in) Mail app in iOS. Look no further: Microsoft 365 can perform a selective wipe on the device and remove corporate data, including data in the native Mail app.
So how is this possible?
Intune removes data that it provisioned through management. When the device is enrolled in Intune Mobile Device Management (MDM) and receives a mail profile from an Intune device configuration profile, the Exchange account that profile creates in the native Mail app (signed in with the user’s Azure AD credentials to their Office 365 mailbox) is treated as corporate data. When the selective wipe command is issued (or the user performs it from the Company Portal app), the management profile and everything it delivered, including that account and its cached mail, is removed. The practical caveat: an Exchange account the user added to the Mail app by hand, outside the Intune-delivered profile, is not corporate data as far as Intune is concerned and is not removed. If you want the native Mail app covered, deliver the mail profile through Intune.
What are the requirements for this to work?
- The iOS device is enrolled in Intune MDM.
- An Intune iOS Device Configuration Profile that pushes a mail profile is configured and assigned to the user or device.
- The user is signed in to the native Mail app with their Azure AD credentials to access their Office 365 mailbox (the account created by that mail profile).
- iOS enrollment has been properly configured in Intune, and an iOS device compliance policy has been configured and assigned.
- The user has an Office 365 Exchange Online mailbox.
How do I configure it?
This is made possible by having a mail profile configured in a Device Configuration Profile in Microsoft Intune. Let’s take a look at how to do that. From within the Intune blade in the Azure portal, select Device Configuration -> Profiles and create a new profile for the iOS platform with a profile type of Email:
Next, click Settings and configure the email profile. See my screenshot below of how I set up my email profile for Office 365 based on my organization’s requirements (note that your configuration parameters may be different). When finished, click OK.
Click Save to save the email profile. Next, click Assignments and assign the new profile to All Users, All Devices, or Selected Groups. For my environment, I am going to assign it to a security group that sales and marketing employees belong to. When finished, click Save:
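The same profile can be created and assigned without clicking through the portal. The script below is an added example, not the blog author’s code: it uses the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest) to create the iOS Exchange ActiveSync email profile for the native Mail app and assign it to a group. It assumes the Microsoft.Graph module is installed, that the group name is a placeholder for your own, and that the property names follow the beta iosEasEmailProfileConfiguration resource; check them against the Graph reference for your tenant before running.

```powershell
# Added example (not the blog author's code): create the iOS native Mail (EAS) profile
# for Exchange Online and assign it to a security group via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; $groupName is a placeholder;
# property names follow the beta iosEasEmailProfileConfiguration resource (verify).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'

$groupName = 'Sales and Marketing'   # placeholder: the group that should get the profile
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }

# The mail profile. Because Intune delivers this account, Retire later removes it
# together with its cached mail; a manually added account would not be touched.
$mailProfile = @{
  '@odata.type'         = '#microsoft.graph.iosEasEmailProfileConfiguration'
  displayName           = 'iOS - Office 365 Mail'
  description           = 'Native Mail profile for Exchange Online (removed on Retire)'
  accountName           = 'Office 365'
  hostName              = 'outlook.office365.com'
  usernameSource        = 'userPrincipalName'
  emailAddressSource    = 'userPrincipalName'
  authenticationMethod  = 'usernameAndPassword'
  useOAuth              = $true
  requireSsl            = $true
  durationOfEmailToSync = 'oneMonth'
}
$created = Invoke-MgGraphRequest -Method POST `
  -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
  -Body ($mailProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the profile to the group (Assignments > Selected Groups in the portal).
$assign = @{ assignments = @(@{ target = @{
  '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
  groupId       = $group.Id } }) }
Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
  -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile $($created.id) and assigned it to '$groupName'"
```

Run it once from an admin workstation; the profile lands on enrolled devices of group members at their next check-in, just as the portal-created one does.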
How do I test it?
Using my iPhone test device, I am going to enroll it into Intune MDM using the Company Portal App from the App Store. If you aren’t familiar with this process, see my blog: Intune: MDM Enrollment Experience (complete device management)
Important: Make sure the enrolling user or device is a member of the security group above, or that the device configuration profile was otherwise assigned to that user or device.
You may be prompted to enter the password for the Exchange account (Office 365):
After tapping Edit Settings and entering my password, I’m going to launch the native mail app, and notice my email profile is now configured and my mailbox is visible in the app:
Now we need to perform the selective wipe and remove only the corporate data. This can be done in two ways: from the Azure portal or from the Company Portal app on the iOS device.
Important: Selective Wipe in Intune is referred to as Retire. More information on differences between Wipe and Retire can be found here.
From within Intune I am going to click my iOS device (Megan’s iPod Touch):
Then I will choose Retire and click Yes at the warning:
The Retire request will be submitted and the status will change to Pending:
Wait a few moments for the Retire command to be sent to the device, then on the iOS device launch the native mail app:
The corporate data (Office 365 mailbox) and cached email will be removed, and the Mail app will be returned to its sign-in screen:
That’s it! While this is simple to set up, make sure you have met the requirements and that your mail profile in Intune has been properly configured and assigned. Note that if you want to perform the selective wipe (Retire) on Android, it requires Android Enterprise. More information here.
Providing a work environment where users can bring their own personal device and use it for their day jobs can be very empowering for employees. For me personally, having access to all of my company data such as email, files, and internal applications on my smartphone allows for a better work/life balance. However, this presents a challenge for IT: when an employee is terminated, how do you remove only the company’s data, and not wipe the entire device to its factory defaults, so the employee still has access to their personal apps and data? Well, Microsoft Intune and EMS to the rescue!
When a mobile device is enrolled in Microsoft Intune and the entire device is managed (MDM), it’s possible to remove only the company’s data while leaving everything else intact. Let’s take a look at how to do this:
Note: Refer to the technical documentation for more information on Intune, MDM and removing company data.
Using the Microsoft Intune portal in Azure, I’m going to navigate to Devices and then All Devices
Filter on the employee in question:
Next, I will single click on their entry and select Remove Company Data:
I will now be prompted to confirm I’d like to remove company data. I’ll click Yes to submit the request:
On the employee’s device, where they once had Outlook installed – it’s now deleted. Only the Company Portal app remains:
Launching the company portal app I am presented with a message indicating the device is no longer managed by my IT admin and my email and access has been removed:
Upon tapping OK I am presented with the Sign in screen:
Back in the Intune console, notice that the employee’s entry is now missing. Their device has been removed completely:
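Remove Company Data here and the Retire action in the iOS native Mail walkthrough earlier are the same MDM command, so one script covers both. The example below is added here and is not the blog author’s code: it uses the Microsoft Graph PowerShell SDK to find every Intune-managed device for a departing user, issue Retire to each, and then confirm that the device record disappears from Intune as shown above. It assumes the Microsoft.Graph module is installed and that the UPN is a placeholder for the user in question.

```powershell
# Added example (not the blog author's code): Retire / Remove Company Data for all of a
# user's Intune-managed devices via Microsoft Graph, then confirm the records are gone.
# Assumptions: Microsoft.Graph module installed; $upn is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All'

$upn  = 'megan@contoso.example'   # placeholder: the departing employee
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

$query   = [uri]::EscapeDataString("userPrincipalName eq '$upn'")
$devices = (Invoke-MgGraphRequest -Method GET -Uri "${base}?`$filter=$query").value
if (-not $devices) { "No managed devices found for $upn"; return }

foreach ($d in $devices) {
  "Retiring $($d.deviceName) ($($d.operatingSystem), id $($d.id))"
  # retire = selective wipe: removes Intune-delivered profiles, apps and accounts and
  # unenrolls the device, leaving personal data. The sibling action, wipe, factory-resets.
  Invoke-MgGraphRequest -Method POST -Uri "$base/$($d.id)/retire"
}

# The record is deleted only after the device checks in and honours the command,
# so poll; an offline device stays in Intune with managementState = retirePending.
foreach ($d in $devices) {
  $gone = $false
  for ($i = 0; $i -lt 10 -and -not $gone; $i++) {
    try {
      $state = Invoke-MgGraphRequest -Method GET -Uri "$base/$($d.id)" -ErrorAction Stop
      "  $($d.deviceName): still present (managementState=$($state.managementState)), waiting"
      Start-Sleep -Seconds 30
    } catch {
      $gone = $true   # 404: Intune has removed the device record
    }
  }
  if ($gone) { "  $($d.deviceName): retired and removed from Intune" }
  else       { "  $($d.deviceName): Retire still pending; is the device online?" }
}
```

The check at the end matters for offboarding: a Retire that is still pending means the corporate mail and apps are still on a device you no longer control, so treat that state as unfinished rather than done.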
Hang on, what if the employee isn’t terminated but doesn’t want their device to be managed anymore?
That’s a great question, and it is a neat self-service capability the employee has. From within the Company Portal app on their device, tap the button that has the name of their device. In my case, Megan’s iPad:
On the dialog box, I’m going to tap Remove:
And confirm that I wish to remove the device from IT management:
Intune management has now been removed, tapping the flag icon will confirm this (I’m still signed into the Company Portal app, but no access to data/resources).
Going back to my home screen, all corporate apps have been removed with the exception of Company Portal which I can remove on my own. If I wish to regain access to corporate apps and data, I can simply re-enroll through the company portal app.
Conclusion: As you can see this is a quick way to remove just company data from a user’s device and preserve their own personal data. Enjoy!
Introduction: The purpose of this blog post is to walk the IT administrator through how to configure Mobile Application Management (MAM) for the Microsoft Teams app.
In this blog post we will cover the following MAM topics:
- How to assign Intune licenses to end-users.
- How to configure Mobile Application Management using the Intune console in the Azure portal.
- The user experience with MAM applied (examples include cut/copy/paste and require PIN).
- How to wipe data from the Microsoft Teams app only (selective wipe) using MAM, without wiping the device.
- The user experience when wiping data from the Microsoft Teams app only.
- MAM for other Microsoft mobile applications.
What is MAM? Mobile Application Management (MAM for short) manages only the app and its data, without managing the physical device itself. This matters because the device does not need to be enrolled in Intune at all; only the app is managed. Management of the app and the data within it is handled in-band, when the user signs in to the application, rather than through device enrollment. This provides the following benefits:
- It works where managing the device itself (enrolling it in a mobile device management solution) is not possible or not necessary.
- It lets user-liable (personal) devices connect to enterprise resources without managing the device (no device enrollment).
- It lets you manage apps separately from the device (for example, when the device is managed by a different device management solution).
MAM is a capability of Intune App Protection, and is covered in more detail here: Protect app data using app protection policies with Microsoft Intune.
Requirements: MAM has the following requirements:
- Microsoft Intune license assigned to each user that MAM will be applied to. (Either Intune standalone, EMS E3, EMS E5 license SKUs).
- iOS version 8.1 or later.
- Android 4 or later.
- Windows 10
Note: There are specific prerequisites if configuring for Windows 10. See Get ready to configure app protection policies for Windows 10 for more information.
Assign Intune licenses to end-users:
Before we get started with configuring Intune, we first need to assign the Intune license to the end-user(s) who the MAM policies will be applied to. For demonstration purposes, I will be assigning the license to a single user. However to assign licenses to multiple users (i.e. the entire organization, or groups of users) you can follow these articles for automated ways of doing so: Assign licenses to users by group membership in Azure Active Directory (or use PowerShell or other methods).
Within the Office 365 Admin Portal, I will assign the license to my test user Megan:
Configure Mobile Application Management for Microsoft Teams:
Navigate to http://portal.azure.com and log in. On the left side, at the bottom, click Intune App Protection:
On the Intune App Protection blade, under the App Management category click App Policy:
Click Add a policy:
On the Add a Policy blade, I will give the policy a name and for this specific policy I will apply it to the iOS platform. I will then click Apps and place a check mark next to Microsoft Teams and then click Select:
Note: You must create a separate policy per platform if there are multiple platforms you wish to support (i.e. one for iOS and one for Android)
Back on the Add a policy blade, click Settings. For demonstration purposes, I will configure the following two policy settings: Restrict cut, copy, paste with other apps to Policy managed apps and Require PIN for access to Yes.
When finished click OK:
Note: For a description of each one of these settings and what they do, see the following articles:
Back on the Add a policy blade, click Create:
Once the policy has been created, it needs to be deployed (notice the Deployed column shows No). Click the name of the policy:
On the Microsoft Teams blade, click Assignments:
MAM policies must be assigned to a group of users. For demonstration purposes, I will use a security group titled Retail Employees. Click Select groups, and place a check mark next to Retail Employees then click Select:
Close the Assignments blade. Close both Microsoft Teams blades and you will be returned to the list of policies. Notice the Deployed column now shows Yes.
Clicking Overview on the left side will provide me with a dashboard to see MAM status across my apps:
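The policy built in the steps above (iOS platform, Microsoft Teams targeted, clipboard restricted to policy-managed apps, PIN required, assigned to a group) can also be created with Microsoft Graph. The script below is an added example and is not the blog author’s code. It assumes the Microsoft.Graph module is installed and that the group name is a placeholder; the Teams iOS bundle ID is com.microsoft.skype.teams.

```powershell
# Added example (not the blog author's code): create the iOS app protection (MAM) policy
# from the walkthrough, target Microsoft Teams and assign it to a group via Graph v1.0.
# Assumptions: Microsoft.Graph module installed; $groupName is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'Group.Read.All'

$groupName = 'Retail Employees'   # placeholder: group the policy is assigned to
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }

$base = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'

# One policy per platform, as noted above; this is the iOS one.
$policy = @{
  displayName                             = 'MAM - Microsoft Teams (iOS)'
  pinRequired                             = $true          # Require PIN for access: Yes
  # Restrict cut, copy, paste with other apps: Policy managed apps
  allowedOutboundClipboardSharingLevel    = 'managedApps'
  allowedOutboundDataTransferDestinations = 'managedApps'
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base `
  -Body ($policy | ConvertTo-Json) -ContentType 'application/json'

# Target the Teams app by bundle ID (Apps > Microsoft Teams in the portal).
$apps = @{ apps = @(@{
  '@odata.type'       = '#microsoft.graph.managedMobileApp'
  mobileAppIdentifier = @{
    '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
    bundleId      = 'com.microsoft.skype.teams' } }) }
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/targetApps" `
  -Body ($apps | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign to the group; until this is done the portal shows Deployed = No.
$assign = @{ assignments = @(@{ target = @{
  '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
  groupId       = $group.Id } }) }
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
  -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Policy $($created.id) created, targeted at Microsoft Teams and assigned to '$groupName'"
```

Scripting the policy is also the easiest way to keep the iOS and Android versions in step: the Android equivalent differs only in the androidManagedAppProtections path and an androidMobileAppIdentifier with a packageId.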
User experience with MAM applied:
IMPORTANT: It may take up to an hour for the policy to be applied after creating it.
Now that the MAM policy has been created, I will launch the Microsoft Teams app on my smartphone. I will be presented with a new message indicating the MAM policy is now effective. Tap OK.
Relaunch the app. Once the app is relaunched, because I configured the MAM policy to require a PIN when using Microsoft Teams, the app will prompt me to create a PIN:
I will now have access to the app:
To test the policy setting for restricting cut/copy/paste, I will open an existing private chat with another user:
Next, I will highlight some text and with a long press tap Copy text:
Next, I will open another app (Outlook) where my personal email account is configured and attempt to paste the confidential information from the Microsoft Teams app into a new personal email message. Notice the text that displays indicating the data cannot be pasted (the policy worked!):
How to wipe data from the Microsoft Teams app:
Return to the Intune App Protection blade in the Azure portal. On the left side, under Remote requests, click Wipe Requests:
Click New Wipe Request:
On the New wipe request blade, click User. For this demonstration, I will choose Megan. Click Select after choosing the user.
Next on the New wipe request blade click Device. Select the device by placing a check mark next to it then click Select then click OK:
Note: The name of the device is Matts iPhone as I am using my device for this demonstration.
A new wipe request will be created and queued to be sent to the device:
Note: the wipe request can be cancelled by clicking the ellipsis and selecting Delete wipe request:
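The wipe request above can be issued from a script as well, which is useful when offboarding has to be repeatable. The example below is added here and is not the blog author’s code: it uses the Microsoft Graph PowerShell SDK to list the MAM app registrations for a user, pick the one for the device named in the portal, and queue a selective wipe by its device tag. It assumes the Microsoft.Graph module is installed, that the UPN and device name are placeholders, and that the wipe action is called on the beta endpoint.

```powershell
# Added example (not the blog author's code): queue a MAM selective wipe for one device
# of one user via Microsoft Graph (beta). The device is wiped app-by-app, not reset.
# Assumptions: Microsoft.Graph module installed; $upn and $deviceName are placeholders.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'User.Read.All'

$upn        = 'megan@contoso.example'   # placeholder: user whose app data is wiped
$deviceName = 'Matts iPhone'            # placeholder: device name as shown in the portal
$user = Get-MgUser -UserId $upn -Property id,userPrincipalName

# Every MAM-enabled app that checked in creates a managedAppRegistration; registrations
# from the same device share a deviceTag, which is what the wipe request targets.
$regs = (Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/users/$($user.Id)/managedAppRegistrations").value
$target = $regs | Where-Object { $_.deviceName -eq $deviceName } | Select-Object -First 1
if (-not $target) { throw "No MAM registration for '$deviceName' under $upn" }

"Registered apps on ${deviceName}:"
$regs | Where-Object { $_.deviceTag -eq $target.deviceTag } |
  ForEach-Object { "  $($_.appIdentifier.bundleId) (last sync $($_.lastSyncDateTime))" }

# Queue the wipe. It runs the next time the user opens a managed app, up to ~30 minutes
# after the request, so the app data stays on the device until then.
Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/users/$($user.Id)/wipeManagedAppRegistrationsByDeviceTag" `
  -Body (@{ deviceTag = $target.deviceTag } | ConvertTo-Json) -ContentType 'application/json'

"Wipe queued for $deviceName (deviceTag $($target.deviceTag))"
```

Listing the registrations before wiping is worth the extra call: it shows which managed apps on that device will actually be affected, and a stale last-sync time warns you that the device may not pick the request up promptly.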
User experience when wiping data from the Microsoft Teams app:
The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was sent.
Launching the Microsoft Teams app after the wipe request has been sent, I will be prompted with a message indicating the app has been wiped. Tap OK to proceed:
I will be returned to the home screen. After relaunching the Microsoft Teams app, I will be asked to sign in. At this point, the app has been returned to its default out-of-the-box state:
Back in the Azure portal, notice the wipe request is now marked as Complete:
Conclusion: The Microsoft Teams app can be managed by the organization and the data within that app can be protected through MAM policy such as preventing users from copying data out of the app and pasting into a non-managed app, etc. What questions, comments, feedback or input do you have? Let me know down below in the comments.
MAM for other Microsoft mobile applications
If you are curious about MAM for other Microsoft apps such as Outlook and OneDrive, the process to configure MAM for those apps is identical to the above. The user experience within the app when MAM is applied, and the wipe experience, are also identical.