How to wipe only corporate data from apps - Microsoft Intune (2024)

When a device is lost or stolen, or if the employee leaves your company, you want to make sure company app data is removed from the device. But you might not want to remove personal data on the device, especially if the device is an employee-owned device.

Note

The iOS/iPadOS, Android, and Windows 10 platforms are the only platforms currently supported for wiping corporate data from Intune managed apps. Intune managed apps are applications that include the Intune App SDK and have at least one enabled and licensed user account in your organization. Deployment of Application Protection Policies is required to enable app selective wipe on Android and iOS.

Note

For iOS 16 and later devices, the "Device Name" value for all selective wipe actions and status will be a generic device name. For more information, see Apple Developer documentation.

To selectively remove company app data, create a wipe request by using the steps in this topic. After the request is finished, the next time the app runs on the device, company data is removed from the app. You can also configure a selective wipe of your company data as a new action when the conditions of Application Protection Policies (APP) Access settings are not met. This feature helps you automatically protect and remove sensitive company data from applications based on pre-configured criteria.

Important

Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address book to another external source can't be wiped. Currently, this only applies to the Microsoft Outlook app.

Deployed WIP policies without user enrollment

Windows Information Protection (WIP) policies can be deployed without requiring MDM users to enroll their Windows 10 device. This configuration allows companies to protect their corporate documents based on the WIP configuration, while allowing the user to maintain management of their own Windows devices. Once documents are protected with a WIP policy, the protected data can be selectively wiped by an Intune administrator (Global administrator or an Intune Service administrator). When the administrator selects the user and device and sends a wipe request, all data that was protected via the WIP policy becomes unusable. From Intune in the portal, select Client app > App selective wipe. For more information, see Create and deploy Windows Information Protection (WIP) app protection policy with Intune.

Create a device based wipe request

  1. Sign in to the Microsoft Intune admin center.

  2. Select Apps > App selective wipe > Create wipe request.
    The Create wipe request pane is displayed.

  3. Click Select user, choose the user whose app data you want to wipe, and click Select at the bottom of the Select user pane.

  4. Click Select the device, choose the device, and click Select at the bottom of the Select Device pane.

  5. Click Create to make a wipe request.

The service creates and tracks a separate wipe request for each protected app on the device, and the user associated with the wipe request.

Create a user based wipe request

When you add a user to the User-Level Wipe list, Intune automatically issues wipe commands to all apps on all the user's devices. The user continues to get wipe commands at every check-in from all devices. To re-enable a user, you must remove them from the list.

  1. Sign in to the Microsoft Intune admin center.
  2. Select Apps > App selective wipe > User-Level Wipe.
  3. Select Add. The Select user pane displays.
  4. Choose the user whose app data you would like to wipe > Select.

Monitor your wipe requests

A summarized report shows the overall status of the wipe request, including the number of pending requests and failures. Completed wipe request entries remain in the report for 4 days after completion. If a wipe request is not marked as completed and remains in a pending state, it stays in the report for a number of days equal to the Offline grace period wipe data value plus 4 days, after which the record is deleted. By default, that total is 94 days.

To get more details, follow these steps:

  1. On the Apps > App selective wipe pane, you can see the list of your requests grouped by users. Because the system creates a wipe request for each protected app running on the device, you might see multiple requests for a user. The status indicates whether a wipe request is pending, failed, or successful.

Additionally, you are able to see the device name, and its device type, which can be helpful when reading the reports.

Important

The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.
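The timing and retention rules in this section can be applied to a list of wipe requests to see which ones still need attention. The Python sketch below is an added example, not part of the original article or of Intune; the record fields, the sample data, and the 90-day offline grace period (implied by the 94-day default total) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REPORT_RETENTION = timedelta(days=4)      # article: entries kept 4 days
OFFLINE_GRACE_WIPE = timedelta(days=90)   # assumption: 94-day default total minus 4
WIPE_LATENCY = timedelta(minutes=30)      # article: wipe may take up to 30 minutes

@dataclass
class WipeRequest:                        # hypothetical record shape, one per app per device
    user: str
    device: str
    app: str
    status: str                           # "pending", "failed" or "successful"
    requested: datetime
    completed: Optional[datetime] = None

def report_expiry(r):
    """When the entry ages out of the report; None where the article gives no rule."""
    if r.status == "successful" and r.completed:
        return r.completed + REPORT_RETENTION
    if r.status == "pending":
        return r.requested + OFFLINE_GRACE_WIPE + REPORT_RETENTION
    return None

def classify(r, now):
    """Pending past the 30-minute window usually means the app has not been opened."""
    if r.status != "pending":
        return "wiped" if r.status == "successful" else "failed"
    return "in_window" if now - r.requested <= WIPE_LATENCY else "awaiting_app_launch"

def triage(requests, now):
    """Group requests by user, as the App selective wipe pane does."""
    out = {}
    for r in requests:
        out.setdefault(r.user, []).append((r.device, r.app, classify(r, now), report_expiry(r)))
    return out

NOW = datetime(2024, 3, 10, 12, 0)        # constructed sample data below
SAMPLE = [
    WipeRequest("alice@contoso.example", "Pixel 7", "Outlook", "successful",
                datetime(2024, 3, 9, 9, 0), datetime(2024, 3, 9, 9, 20)),
    WipeRequest("alice@contoso.example", "Pixel 7", "Teams", "pending", datetime(2024, 3, 9, 9, 0)),
    WipeRequest("bob@contoso.example", "iPhone", "Outlook", "pending", datetime(2024, 3, 10, 11, 45)),
    WipeRequest("bob@contoso.example", "iPhone", "OneDrive", "failed", datetime(2024, 3, 10, 11, 45)),
]

if __name__ == "__main__":
    for user, rows in triage(SAMPLE, NOW).items():
        for row in rows:
            print(user, *row)
```

A request classified as `awaiting_app_launch` still has company data on the device, so it is the one to follow up on before the report entry expires.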

Delete a device wipe request

Wipes with pending status are displayed until you manually delete them. To manually delete a wipe request:

  1. Go to the Client Apps - App selective wipe pane.

  2. From the list, right-click on the wipe request you want to delete, then choose Delete wipe request.

  3. When you're prompted to confirm the deletion, choose Yes or No, then click OK.

Delete a user wipe request

User wipes will remain in the list until removed by an administrator. To remove a user from the list:

  1. On the Client Apps - App selective wipe pane, select User-Level Wipe.
  2. From the list, right-click on the user you want to delete, then choose Delete.

See also

What's app protection policy

What's app management

FAQs

How to wipe only corporate data from apps - Microsoft Intune?

Sign in to the Microsoft Intune admin center. Select Apps > App selective wipe > Create wipe request. The Create wipe request pane is displayed. Click Select user, choose the user whose app data you want to wipe, and click Select at the bottom of the Select user pane.

Can I selectively wipe corporate data from a device?

You can explicitly choose to wipe your company's corporate data from the end user's device as an action to take for noncompliance by using these settings. For some settings, you're able to configure multiple actions, such as block access and wipe data based on different specified values.

How do I wipe my Intune application?

Sign in to the Microsoft Intune admin center. Select Devices > All devices. Select the name of the device that you want to wipe. In the pane that shows the device name, select Wipe.

How do I selective wipe Office 365?

Select Mailboxes under Recipients. Select the User you would like to wipe and click View Details on the right hand pane. Select the type of remote wipe you want to do with the drop down. To do a selective wipe and delete only Office 365 organization information, select Account Only Remote Wipe Device.

What is the difference between retire or wipe and delete Intune?

However, the retire process will begin the first time the device checks in. In other words, Delete performs the same tasks that Retire does. It just hastens the removal of the device from the listings page. The exception is cleanup rules that do delete devices immediately but do not retire them.

Is it possible to wipe only corporate data without user permission?

Deployed WIP policies without user enrollment

Once documents are protected with a WIP policy, the protected data can be selectively wiped by an Intune administrator (Global administrator or an Intune Service administrator).

What is app selective wipe?

Selective wipe is an event from the MaaS360 Portal to instruct the wrapped app to uninstall itself. All data that is stored in the app is deleted with the app. The following issues automatically trigger a selective wipe: The MaaS360 Portal or the MaaS360 app detects a failure with compliance.

Can Intune wipe personal data?

Microsoft Intune, a robust mobile device management (MDM) solution, offers an array of features, including the ability to perform remote device wipes.

What is the difference between Intune wipe and fresh start?

The choice between Intune Wipe and Fresh Start hinges on your Windows device's unique needs. Intune Wipe offers a rapid cleanup, while Fresh Start provides a more comprehensive overhaul. Both tools, integral to Microsoft's Intune, ensure your devices remain optimized and secure.

What is the difference between device wipe and enterprise wipe?

Enterprise Wipe: This will wipe a device of all company-related information and the AirWatch agent. The types of data that are removed are configured within the AirWatch Console. Device Wipe: A Device Wipe completely wipes a device and sets it back to default as if you pulled the device new out of its box.

What does wipe company data do?

Wipe a device—If it's a company-owned or personal device that's lost or stolen. This option removes all work data and apps from the device. For Android devices that don't have a work profile and device-enrolled iOS devices, it also removes personal data and apps.

What is soft delete in 365?

A soft-deleted user mailbox is a mailbox that has been deleted using the Microsoft 365 admin center or the Remove-Mailbox cmdlet and has still been in the Microsoft Entra ID recycle bin for less than 30 days.

How does remote wipe work?

Remote wipe is a security feature that allows a network administrator or device owner to send a command that remotely deletes data from a computing device. It's primarily used to erase data on a device that has been lost or stolen, so the data won't be compromised if it falls into the wrong hands.

What is the difference between corporate wipe and complete wipe MDM?

Complete Wipe: To prevent data loss/theft by erasing all the device data making it as good as new. Corporate Wipe: To remove only the corporate data leaving the personal data like contacts, photos, etc.

What are the Intune cleanup rules?

The Intune feature “Device clean-up rules”, provides the ability to configure the automatic cleanup rule for the devices that are inactive, orphaned and have not checked in recently. The rule allows administrators to choose between 30 and 270 days to remove the inactive device records from Intune automatically.

What happens when you delete an app from Intune?

Deleted apps are removed from group assignments and uninstalled from devices. To assign the app again, you will need to add it back to your Intune tenant through the App Store. Microsoft Office desktop apps, Microsoft Store for Education apps, and VPP token apps cannot be deleted.

Can you wipe a managed device?

Click Managed devices. Wipe Account or Wipe Device. If you're not sure which option to choose, review Decide what to wipe from the device.

How do I wipe my company phone?

Go to “Settings” > “System.” Tap “Reset Options.” Choose “Erase all data (factory reset).”

Can my company remote wipe my phone?

Questions arise when the discussion turns to employees' personal cellphones and wiping both personal and company data from a device. Currently, this practice is not prohibited under state and federal regulations. However, it is important for employers to implement such policies cautiously.

Article information

Author: Msgr. Refugio Daniel
