It's important for administrators managing personally owned iPhones to be familiar with the available options for wiping corporate data from those devices -- especially since Apple introduced User Enrollment.
User Enrollment, introduced with iOS 13 and iPadOS 13, provides a secure method for managing personal Apple devices in the enterprise. Previously, the only option was Device Enrollment, under which the device is completely managed and can be fully wiped. User Enrollment protects user privacy by separating work and personal data at the operating system level, so IT administrators can only selectively wipe the personal device. That makes it a much better fit for BYOD iPhones and iPads.
A user-enrolled device carries a management profile for the organization, and the work apps and data that the MDM delivers are tied to that enrollment. When users or IT administrators have to remove corporate data, for example after device theft or when an employee leaves, the MDM can remotely remove that management profile, and the work apps and data go with it. That operation is the selective wipe.
How User Enrollment affects the manageability of an iPhone
User Enrollment provides IT administrators with limited control over the personal iPhones of users. Within this limited management experience, an organization's mobile device management (MDM) software is only able to do the following:
- configure accounts;
- configure per-app VPNs;
- install and configure apps;
- require a passcode;
- enforce some specific device restrictions;
- collect an inventory of managed apps; and
- remove work data.
These capabilities are deliberately narrow. The MDM cannot list personal apps, cannot read hardware identifiers such as the serial number or UDID (it receives an enrollment-specific identifier instead) and cannot erase the device, which is what preserves user privacy on BYOD endpoints.
Besides a few specific device restriction options, User Enrollment is mainly focused on managing work apps and data. Enrollment requires a Managed Apple ID. Once the user enrolls, iOS creates a separate, cryptographically isolated APFS volume on the device for managed apps and their data, and the Managed Apple ID brings its own iCloud Drive that serves as the storage location for work documents. Built-in apps such as Files, Mail and Notes, as well as managed apps, can use that storage, so the user ends up with one iCloud Drive for work data and a separate iCloud Drive for personal data; both appear in apps as distinct storage locations. Because the work data lives on its own volume, the MDM can remove work apps and data without touching personal data. Note that the management profile is the enrollment itself, not the volume: when the profile is removed, the managed volume and everything on it is destroyed.
Why is it important to selectively wipe an iPhone?
Personal iPhones are often enrolled for management so users can easily and securely access corporate apps and data. That is also the main reason it is important to be able to wipe, or at least selectively wipe, personal devices. The capability matters most when a device is lost or stolen or when the user leaves the company. In both cases, the IT department keeps control of the work apps and data, without touching any personal content, and can at least remove that corporate information from the device.
Depending on how personal devices are managed and enrolled, there are different options for wiping them. The two available options for wiping personal iPhones are the following:
- Full wipe. This option removes all user accounts, data, and MDM policies and settings by resetting the device to factory settings.
- Selective wipe. This option removes only the managed apps and their data, along with the MDM policies and settings, by removing the management profile from the device. Personal apps and data are left untouched.
Whether IT can perform either of these wipe options depends on the ownership and enrollment of the device. As previously mentioned, User Enrollment provides end users with certainty that their privacy will be maintained, and their personal apps and data will be left untouched, as IT only has the option to perform a selective wipe.
How to selectively wipe an iPhone
The selective wipe option is ideal for BYOD scenarios because it removes only work apps and data, while leaving personal apps and data untouched. For organizations using Microsoft Intune as their MDM provider, the following steps show the process of selectively wiping a personal iPhone:
- Open the Microsoft Endpoint Manager admin center (since renamed the Microsoft Intune admin center), and navigate to Devices > iOS/iPadOS.
- On the iOS/iPadOS | iOS/iPadOS devices page, select the personal device that should be wiped.
- On the device-specific page, select Retire > Yes to start the selective wipe. Retire is Intune's name for the selective wipe; the neighbouring Wipe action is the factory reset, which User Enrollment does not permit.
The retire action is queued and runs the next time the device checks in with the MDM platform; once it completes, the device record is removed from Intune. The check-in happens automatically when the device is powered on and connected to the internet, which is the practical caveat: a stolen device that is kept offline, or has its SIM pulled and Wi-Fi disabled, never receives the command. Treat retire as one step in removing access rather than as guaranteed data destruction, and pair it with revoking the user's tokens and sessions in the identity provider so the work accounts on the device stop working even before the wipe lands.
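The same retire and wipe actions that the admin center exposes are available through the Microsoft Graph API, which is how you would script them for many devices at once. The script below is an added example, not code from the original article or from Microsoft: it encodes the full-versus-selective decision from the "Why is it important to selectively wipe an iPhone?" section as a guard that refuses to queue a factory-reset Wipe against a personal or User Enrollment device and only ever builds a Retire for those, then shows the Graph request the retire step above corresponds to. The device records are constructed sample data, and the field names (managedDeviceOwnerType, deviceEnrollmentType) and the retire/wipe action paths are assumed to match the Graph managedDevice resource; verify them against the Graph reference for your tenant before running with a real token.

```python
"""Plan and issue Intune retire (selective wipe) or wipe (factory reset)
actions for managed iPhones through Microsoft Graph.

Added example. Sample devices below are constructed, not real tenant data.
Assumed Graph details: managedDevice fields managedDeviceOwnerType and
deviceEnrollmentType, and the actions
POST /deviceManagement/managedDevices/{id}/retire and .../wipe.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# deviceEnrollmentType values that indicate Apple User Enrollment
# (assumed enum member names).
USER_ENROLLMENT_TYPES = {"appleUserEnrollment", "userEnrollment"}

# Constructed sample device records, shaped like Graph managedDevice objects.
SAMPLE_DEVICES = [
    {
        "id": "00000000-0000-0000-0000-000000000001",
        "deviceName": "Kim's iPhone",
        "operatingSystem": "iOS",
        "managedDeviceOwnerType": "personal",
        "deviceEnrollmentType": "appleUserEnrollment",
    },
    {
        "id": "00000000-0000-0000-0000-000000000002",
        "deviceName": "Kiosk iPad 7",
        "operatingSystem": "iPadOS",
        "managedDeviceOwnerType": "company",
        "deviceEnrollmentType": "appleBulkWithoutUser",
    },
]


def select_wipe_action(device, requested):
    """Return the action to run ('retire' or 'wipe') or raise ValueError.

    Rule from the article: a personal (BYOD) device, or anything enrolled via
    Apple User Enrollment, may only be selectively wiped (retire). A full
    wipe is reserved for company-owned, device-enrolled hardware.
    """
    if requested not in ("retire", "wipe"):
        raise ValueError(f"unknown action {requested!r}")
    personal = device.get("managedDeviceOwnerType") == "personal"
    user_enrolled = device.get("deviceEnrollmentType") in USER_ENROLLMENT_TYPES
    if requested == "wipe" and (personal or user_enrolled):
        raise ValueError(
            f"refusing full wipe of {device.get('deviceName')}: "
            "personal / User Enrollment device, use retire instead"
        )
    return requested


def plan_wipes(devices, requested):
    """Map each device name to the action that will be queued, or 'refused'."""
    plan = {}
    for device in devices:
        try:
            plan[device["deviceName"]] = select_wipe_action(device, requested)
        except ValueError:
            plan[device["deviceName"]] = "refused"
    return plan


def action_request(device_id, action):
    """Build the Graph call: the retire step in the admin center is this POST."""
    return "POST", f"{GRAPH}/deviceManagement/managedDevices/{device_id}/{action}"


def send_action(access_token, device, action):
    """Queue the action in Intune. Graph answers 204 when it is accepted; the
    device only executes it at its next check-in, as the article notes."""
    action = select_wipe_action(device, action)  # re-check the guard here too
    method, url = action_request(device["id"], action)
    req = urllib.request.Request(
        url,
        method=method,
        data=json.dumps({}).encode(),
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run: nothing contacts Graph unless send_action() is called with a token.
    for device in SAMPLE_DEVICES:
        for wanted in ("retire", "wipe"):
            print(device["deviceName"], wanted, "->",
                  plan_wipes([device], wanted)[device["deviceName"]])
```

Run it as-is for the dry run; to act on a real tenant, call send_action() with an access token that carries DeviceManagementManagedDevices.PrivilegedOperations.All and a device record fetched from /deviceManagement/managedDevices. The guard in select_wipe_action is the point of the example: Intune and iOS will also reject a Wipe on a user-enrolled device, but refusing it client-side keeps a bulk script from ever attempting a factory reset on someone's personal phone.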