Help with iOS setup

HKP
Level 1.6: Donut

I initially posted this as a reply to my existing topic, but it was pointed out that this should have been a standalone topic.


Appreciate that this is an Android forum, but as people on here have been so helpful I thought I'd ask in here.

I have a question over managing personally owned iOS devices. I have spent a couple of days trying different ways to no avail.

We need to be able to secure data held on personally owned iOS devices. I can enrol the device absolutely fine using enrolment type "User enrolment with Company Portal". Despite my best efforts, I cannot find a way to remove Outlook data when the device is no longer managed, whether done by deleting the device out of Endpoint or if the user does that on their own device. Outlook data stays there. The app is also set to uninstall on device removal, but again this does not happen.
I have tried creating an "App protection policy" for Outlook, but after selecting the Outlook iOS app, I can't see a setting to remove data in any of the following steps.

@jasonbayton replied:-
"I imagine for your use case setting up conditional access policies would help here in addition to app protection policies. Conditional access is pretty aggressive in ensuring devices meet requirements frequently - at least on Android - and should help."

However, for us, we don't have MS Entra ID premium, which is required. We are licensed for Intune, for "Microsoft Intune Plan 1 for Education".

Is anyone able to let me know if it's possible to protect our data on iOS devices? I would much prefer to use Android Enterprise, but we have some senior members of staff who refuse to use a second phone and currently use Outlook, MS Teams etc. on their personal devices, which are unmanaged. So I hope by using the iOS version of Work profiles we could at least have some level of protection.

Thanks.

1 REPLY

Alex_Muc
Level 1.6: Donut

I have no experience with Intune's MAM, but we have no issues with WS1 here.
With iOS BYOD devices, there are very few options for executing device-wide actions. Supervised mode is required for many commands and restrictions, which is not possible for BYOD devices.
Business apps for iOS should always be "purchased" and distributed via VPP. As soon as the enrollment is canceled, a VPP-managed app should actually be deleted. There may be an option in Intune for the iOS app to remove the app when management is canceled.

To stay a bit on the topic of Android:
The Work Profile on Android is simply better, as all work-related data is removed when BYOD devices are unenrolled and no potentially work-related data remains on the device, as is the case here. 😄