Automatic Selective Wipe of Intune App Protection (MAM) Devices on Employee Exit

Bring your own device (BYOD) is the new normal.

With organizations sticking to BYOD, securing enterprise data which employees can access is a top concern. Though many organizations are still reluctant to seriously consider BYOD policies, in the coming years the development of such policies will create as big a shift in enterprise computing as PCs did when they first entered the workplace.

Though BYOD adds to increased productivity, reduced costs and ease of transition, securing the corporate data by maintaining employee's privacy is a major challenge. When organizations try to secure the devices, many a times they end up tightening it too much that users are skeptical about installing MDM agent on their personal devices; they are concerned that admins can glean personal information and could control how they use their devices. Users fear admins could block camera access, prevent copy and paste, or limit other functionalities. When users do not install MDM agent on their devices, admins do not get visibility into the security posture of those devices. It’s a vicious cycle that stalls BYOD security programs, while increasing the risk exposure for organizations. This is where major players like Microsoft, IBM, VMware, CISCO and few more have their own offerings for Enterprise Mobility Management (EMM).

While each product has its own pros and cons, Microsoft Intune from the Enterprise Mobility + Security stack stands out from the crowd because of its app management capabilities without managing the user's device.

Intune App Protection formerly known as Intune Mobile Application Management (MAM) enables your employees to use mobile devices for both personal and work tasks. While making sure your employees can be productive, you want to prevent data loss, intentional and unintentional. You'll also want to protect company data that is accessed from devices that are not managed by you.

Intune App Protection is independent of any mobile-device management (MDM) solution. This independence helps you protect your company’s data with or without enrolling devices in a device management solution. With these app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

Follow Intune App Protection Policies to know more.

While these policies take care of protecting company resources while the employee is working with the organization, how about when an employee leaves the organization and was using a personal device? You may want to ensure company app data is removed from the device quickly without affecting personal data on the device in any manner.

For a single user/single device, you can always go to Intune Blade in Azure Portal and create a selective wipe request by using the steps in this article

Initiating a selective wipe for multiple users is an operational overhead since the Intune Service Administrator has to create multiple wipe requests for each user. To simplify this task, we've put together a PowerShell based solution which leverages Microsoft Graph API endpoint for Intune Selective Wipe.

Here are few of the major takeaways of this solution;

  • Initiate wipe based on Employee's exit date (AccountExpiry) or any other AD attribute
  • Initiate wipe based on a CSV file input
  • Reporting from the Intune Blade in Azure Portal

View Github Repository

Download from Github

We hope this tool saves your precious time.



What next?

Well, stay tuned for upcoming articles. You can contact us for your software and consultancy requirements.

© 2024, Attosol Private Ltd. All Rights Reserved.