Providing a work environment where users can bring their own personal device and use it for their day jobs can be very empowering for employees. For me personally, having access to all of my company data such as email, files, and internal applications on my smartphone allows for a better work/life balance. However, this presents a challenge for IT – when an employee is terminated how do you remove only the company's data and not wipe the entire device to it's factory defaults so the employee still has access to their personal apps and data? Well, Microsoft Intune and EMS to the rescue!
When a mobile device is enrolled in Microsoft Intune and the entire device is managed (MDM), it's possible to remove only the company's data while leaving everything else intact. Let's take a look at how to do this:
Note: Refer to the technical documentation for more information on Intune, MDM and removing company data.
Using the Microsoft Intune portal in Azure, I'm going to navigate to Devices and then All Devices
Filter on the employee in question:
Next, I will single click on their entry and select Remove Company Data:
I will now be prompted to confirm I'd like to remove company data. I'll click Yes to submit the request:
On the employee's device, where they once had Outlook installed – it's now deleted. Only the Company Portal app remains:
Launching the company portal app I am presented with a message indicating the device is no longer managed by my IT admin and my email and access has been removed:
Upon tapping OK I am presented with the Sign in screen:
Back in the Intune console, notice that employee's entry is now missing. Their device have been removed completely:
Hang on, what if the employee isn't terminated but doesn't want their device to be managed anymore?
That's a great question and a neat self service capability the employee has! From within the Intune application on their device, tap the button that has the name of their device. In my case Megan's iPad:
On the dialog box, I'm going to tap Remove:
And confirm that I wish to remove the device from IT management:
Intune management has now been removed, tapping the flag icon will confirm this (I'm still signed into the Company Portal app, but no access to data/resources).
Going back to my home screen, all corporate apps have been removed with the exception of Company Portal which I can remove on my own. If I wish to regain access to corporate apps and data, I can simply re-enroll through the company portal app.
Conclusion: As you can see this is a quick way to remove just company data from a user's device and preserve their own personal data. Enjoy!