Corporate Device Offboarding Procedure

This admin procedure provides background information and the steps to offboard corporate devices associated with an Azure AD user using Intune.

This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.

Wipe Device Action

By using the Retire or Wipe actions, you can remove devices from Intune that are no longer needed, being repurposed, or missing.


Wipe

The Wipe device action restores a device to its factory default settings. The user data is kept if you choose the Retain enrollment state and user account checkbox.

Otherwise, all data, apps, and settings are removed.

| Wipe action | Retain enrollment state and user account | Removed from Intune management | Description |
| --- | --- | --- | --- |
| Wipe | Not checked | Yes | Wipes all user accounts, data, MDM policies, and settings. Resets the operating system to its default state and settings. |
| Wipe | Checked | No | Wipes all MDM Policies. Keeps user accounts and data. Resets user settings back to default. Resets the operating system to its default state and settings. |

Note

The Wipe action is not available for iOS/iPadOS devices enrolled with User Enrollment.

Important

The Wipe action doesn't remove the Autopilot registration from the device.

The Retain enrollment state and user account option is only available for Windows 10 version 1709 or later.

All MDM policies will be reapplied the next time the device connects to Intune.

A wipe is useful for resetting a device before you give the device to a new user, or when the device has been lost or stolen. Be careful about selecting Wipe. Data on the device can't be recovered. The method that "Wipe" uses to remove data is simple file deletion, and the drive is BitLocker decrypted as part of this process.

If the device is on and connected, the Wipe action propagates across all device types in less than 15 minutes.

 

Supported platforms for the Wipe device action

Wipe is supported on the following platforms:

  • Android Enterprise Dedicated, Fully Managed, and Corporate-Owned Work Profile devices.
  • Android Open-Source Project (AOSP) devices
  • iOS/iPadOS
  • macOS
  • Windows

Wipe isn't supported on:

  • Android Enterprise personally owned devices with a work profile
  • Linux

 

Procedure Scope: Administrators

Required Group Membership: Admin.Device

 

Offboarding a Corporate Device

  1. Before initiating a wipe action on a corporate device, locate all devices associated with the user account. This ensures corporate data is removed from every Azure AD device as well as from mobile devices.
  2. Navigate to Users – Azure Active Directory and locate the user account that needs to be offboarded from your corporate environment.
  3. From the overview page, select Devices. Take note of both the Azure AD joined devices and the mobile devices. You will need them in the Intune portal in the following steps.
  4. Navigate to Devices – Intune and locate the device that needs to be offboarded from Intune management.
  5. From the device overview page, select Wipe. A prompt asks for your approval and explains that the device will be returned to its factory default state, which removes all associated data on the device. Because we are offboarding this device, do not select the option to retain the enrollment state and associated user account, since that would keep data associated with the previous account. Make sure to check the box for Wipe device and continue to wipe even if device power is lost, since this guarantees that the wipe action can't be circumvented by turning off the device. This option keeps trying to reset the device until successful. Select Yes to initiate the action. The Wipe process should take about 15 minutes to carry out.
  6. If everything goes as expected, you should receive a notification that the initialization process was successful.
  7. Lastly, navigate to App Selective Wipe – Intune. This covers the last base: removing corporate data from the mobile device noted earlier for the user. Select Create Wipe Request to begin.
  8. Select User. In the pop-out that is displayed, use the search bar to locate the account. When complete, hit Select to go back to the main area, where the mobile device associated with the account will now be listed.
  9. Select the box to confirm that you want to wipe corporate app data from the listed device and hit Create to finalize the process.
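Steps 1 to 5 can also be scripted against Microsoft Graph. The script below is an added example, not part of the original procedure or Sittadel's tooling. It assumes the Microsoft.Graph.Authentication PowerShell module, and the parameter names $UserPrincipalName and $Execute are hypothetical. It does not set the continue-after-power-loss option from step 5 and does not perform the App Selective Wipe in steps 7 to 9.

```powershell
# Added example: report, and optionally wipe, a user's corporate Intune devices.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # account being offboarded
    [switch] $Execute                                    # omit for a report-only run
)

Connect-MgGraph -Scopes @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All')

$base = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

# Steps 1-4: collect every managed device registered to the user, following paging.
$upn = $UserPrincipalName.Replace("'", "''")             # escape quotes for the OData filter
$uri = "${base}?`$filter=userPrincipalName eq '$upn'"
$devices = @()
while ($uri) {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
}

foreach ($d in $devices) {
    # Wipe is not supported on Linux, and this procedure covers corporate devices only.
    # Assumption: Linux devices report an operatingSystem value beginning with "Linux".
    $skip = $null
    if ($d.operatingSystem -like 'Linux*')           { $skip = 'skipped: Wipe not supported on Linux' }
    elseif ($d.managedDeviceOwnerType -ne 'company') { $skip = 'skipped: not corporate-owned' }

    $action = $skip
    if (-not $skip -and -not $Execute) { $action = 'would wipe (report only)' }
    if (-not $skip -and $Execute) {
        # Step 5 with "Retain enrollment state and user account" left unchecked.
        $body = @{ keepEnrollmentData = $false; keepUserData = $false } | ConvertTo-Json
        Invoke-MgGraphRequest -Method POST -Uri "$base/$($d.id)/wipe" `
            -Body $body -ContentType 'application/json' | Out-Null
        $action = 'wipe requested'
    }
    [pscustomobject]@{
        Device = $d.deviceName; OS = $d.operatingSystem
        Owner  = $d.managedDeviceOwnerType; Action = $action
    }
}
```

Run it first without -Execute and compare the report against the device list noted in step 3 before requesting any wipe.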

You're Finished!

You should have successfully offboarded all corporate-owned Azure AD joined devices and carried out the corporate data wipe on the corporate-scoped mobile applications for the mobile device linked to the user. For any other problems or questions, reach out to us!