It’s critical for organizations to ensure the security of corporate data on any mobile devices, and iPhones are no exception.
If corporate data is accessible via applications or local device storage on devices that don’t comply with company policies, sensitive information can end up in the hands of bad actors. This is an especially concerning possibility for mobile devices, which are generally easier to lose than other endpoints. In BYOD or COPE situations, mobile devices may also contain personal data, further complicating security. When an end user leaves the organization or a device is lost or stolen, IT must be able to remotely wipe corporate data.
The process of performing a remote wipe of a device varies among mobile platforms, however. In organizations that allow the use of iPhones as work devices, IT administrators should know the options for wiping these devices specifically.
Wipe options for managed iPhones
When using mobile device management (MDM) to manage employee devices, there are a few different methods for remotely wiping an iPhone. These options are similar for Android devices and basically all other device platforms. The name of the method differs per platform, and sometimes even per MDM provider. For iOS and macOS devices, admins can choose between a full wipe and a selective wipe. For devices under Microsoft Intune management, the options are instead referred to as a wipe and a retire. Even though the name may differ between platforms or MDM providers, the results are often the same. The different actions achieve the following results:
- Full wipe. This action wipes all the user accounts, data and MDM policies and settings by resetting the iPhone to its factory defaults and settings. Be careful with this action, as there is no way back. This is simply called a Wipe in Microsoft Intune.
- Selective wipe. This option wipes only the managed app data, MDM policies and settings by removing the management profile from the iPhone. A selective wipe leaves personal data untouched. This is called a Retire in Microsoft Intune.
Wipe options depending on iPhone enrollment
The availability of the different wipe options depends on which enrollment type the iPhone is registered under. The MDM provider might not have the permissions to perform a full wipe of the device. The enrollment option is often related to the ownership of the device.
On a personally owned iPhone, the user must install the management app of the MDM provider to enroll the device. During this process, the user makes a few decisions. First, the user can enroll the device as either personally owned or corporate owned. Additionally, the user chooses whether the MDM provider will secure the entire device or just corporate data and apps. The IT administrator can perform a complete wipe on a fully secured device.
However, if the user has enabled activation lock, performing a full wipe will be more challenging for the admin. When the device is locked to the user’s personal Apple ID, it will be difficult to reactivate the iPhone. This is one reason for organizations to rely on Automated Device Enrollment (ADE), part of Apple Business Manager, for corporate-owned iPhones. Besides that, ADE provides a positive user experience out of the box.
Getting started with ADE is simple. Enrollment relies on the Apple Setup Assistant and ensures proper device management. The most common enrollment options for iPhones are user enrollment for personal devices and ADE for corporate-owned devices (Figure 1). The latter can also differentiate between iPhones with and without user affinity. Devices without user affinity are often shared. For those devices, it’s often technically possible to perform a selective wipe, but that might not be a logical option in such situations.
How to perform a remote wipe of an iPhone with Microsoft Intune
Across most MDM providers and device platforms, the actions an IT administrator must take to remotely wipe a device are pretty straightforward. Using Microsoft Intune as an example, admins can perform a remote wipe of an iPhone by walking through the following steps:
- Open the Microsoft Endpoint Manager portal and sign in to an account with the required permissions. Navigate to Devices > iOS/iPadOS > iOS/iPadOS devices.
- The user performing the remote wipe or remote retire action in Microsoft Intune needs at least the Wipe and Retire permissions that are available within the “Remote tasks” category.
- On the iOS/iPadOS devices page, select the specific iOS device and click on Wipe or Retire, depending on the available options for the iPhone and the eventual goal of performing the action (Figure 2).
- On the confirmation dialog box, make sure to fully understand the impact of the remote action before clicking to continue (Figure 3).