In my previous blog I showed how you can monitor policies on unmanaged devices. Now I’m going to demonstrate how to selectively wipe corporate data. When a device is stolen or lost, or an employee leaves the company, you want to be sure no corporate data is left on the device. This can be achieved by performing a selective wipe. After the selective wipe is requested, the corporate data will be removed from the app. This is performed the next time the app is started.
How to initiate a wipe
At the moment there are two ways to initiate a selective wipe. The selective wipe can be performed as part of the Conditional Launch in the App protection policy or by manually initiating a wipe request.
Conditional Launch
When you configure an app protection policy, a selective wipe is configured as part of the conditional launch settings. One of the default settings is “Offline grace period -> 90 days”. After 90 days offline you need to reconnect to the network and successfully authenticate. If the user successfully authenticates nothing will happen, but if the user fails a selective wipe will be performed.
Manually initiate a wipe request
There are two ways to manually initiate a wipe request. There is a device based wipe request and a user based wipe request.
To initiate a wipe, select “Apps” -> “App selective wipe” in the MEM admin center. At the top of the app selective wipe blade you can select “Wipe request” (device based wipe) or “User-Level Wipe” (user based wipe).
Device based wipe request
With a device based wipe request, a wipe can be initiated for each user device registered with an app protection policy. If a user has lost their device and a new device is in use, a device based wipe can be used to wipe only the previous device.
1. Press the button “Create wipe request” at the top of the page.
2. Press “Select user” to select the user of which you want to wipe a device. After the user has been selected the devices belonging to the user will be displayed. Select the device you want to wipe and press “Create”.
3. The wipe request will be sent to the device to remove corporate data from applications protected with an app protection policy. You will return to the app selective wipe blade where you can monitor the removal process for the user. Pending requests can be deleted by right-clicking the request and selecting “Delete wipe request”.
4. After a successfully performed wipe the device will be removed from the device overview.
Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.
User based wipe request
When performing a user based wipe request, a wipe request will be sent to all apps on all the devices of the user. You may want to perform this wipe when a user leaves the company and you want to be sure all data is removed from all devices associated with the user.
1. On the app selective wipe page select “User-level wipe” and press “add” to select the user for which you want to perform a user-level wipe.
2. Now that the user has been selected, wipe requests will be sent to all the devices of the user. As long as the user is on the list, the user will continue to get wipe commands at every check-in from all devices. To allow sign-in on a device you first need to remove the user from the list.
3. The wipe action can be monitored using the User report (“Apps” -> “Monitor” -> “Reports”).
Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.