No remote wipe for BYOD iPhones
- @mikermcneil: I want to be able to disable remote wipe for a given team, to be able to, as an admin, disable this one particular feature that could wipe your pictures of your kids.
- @noahtalerman: User requested this because I think we want to dogfood Fleet for BYOD iPhones but the requestor (Mike) doesn't feel comfortable enrolling their iPhone to Fleet if anyone at Fleet can intentionally or accidentally remove all pictures of their kids from their iPhone.
- @allenhouchins: End users also expect that their organization won't be able to see all apps installed. Only the ones delivered by Fleet.
- @allenhouchins: Apple has designed the new account driven user enrollment to have these permissions: https://support.apple.com/guide/deployment/user-enrollment-and-mdm-dep23db2037d/web
- @noahtalerman: In the interim we could tweak the enrollment profile that is downloaded when the end user navigates to the BYOD enrollment page.
- @noahtalerman: Eventually Fleet might present the IT admin the option to choose "BYOD" v. "Company-owned" (aka personal v. corporate) in the "Add hosts" modal experience. If they choose personal, then they'll be presented w/ a link that presents the end user w/ a download link. The download link gives the end user a profile that doesn't include wipe permissions.
User stories
- #23242
A couple of things for us to think through. Our current BYOD solution is not really BYOD, otherwise this would not be a problem. Our current BYOD solution is user-initiated enrollment with full MDM capabilities. This is supposed to be used for companies that have devices that aren't being automatically managed by ABM/DEP. The issue around admins having pervasive permissions and capabilities would be addressed if we supported User Enrollment (true BYOD). I am concerned that just hiding Wipe from the UI would not address the potential issue being raised, since the enrollment profile being installed in this method would still have the rights to wipe the device. We would likely have to change the rights management of the enrollment profile that gets installed to fully block wipe capabilities, which would mean a re-enrollment of the device. It also means that the customers that want user-initiated enrollment with full MDM capabilities would lose this ability without creating some UI to have multiple user-initiated enrollment workflows.
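As an added example (not Fleet's code) of the profile-level change the comments above describe: the `com.apple.mdm` payload of an enrollment profile carries an `AccessRights` bitmask, and clearing the device-erase bit (8) and the installed-application inspection bit (256) while keeping lock/passcode removal (4) yields a profile that can lock but not wipe the device or list personal apps. The sample profile, its identifiers and the server URL are constructed placeholders; the bit values are Apple's documented `AccessRights` flags, and the consistency rule (bit 2 needs bit 1, bit 128 needs bit 64) is taken from Apple's MDM protocol reference.

```python
import plistlib

# Bit flags of the com.apple.mdm payload's AccessRights key.
ALLOW_INSPECT_PROFILES  = 1
ALLOW_INSTALL_PROFILES  = 2
ALLOW_LOCK_AND_PASSCODE = 4      # DeviceLock / ClearPasscode commands
ALLOW_DEVICE_ERASE      = 8      # EraseDevice (full wipe)
ALLOW_INSPECT_APPS      = 256    # InstalledApplicationList
FULL_RIGHTS             = 8191   # all 13 defined bits set

# Rights a BYOD enrollment profile must not carry: full wipe and personal-app visibility.
BYOD_DENIED = ALLOW_DEVICE_ERASE | ALLOW_INSPECT_APPS

def byod_rights(rights: int) -> int:
    """Return the AccessRights mask with the BYOD-denied bits cleared."""
    return rights & ~BYOD_DENIED

def rights_are_consistent(rights: int) -> bool:
    """Bit 2 (install profiles) requires bit 1; bit 128 requires bit 64."""
    if rights & 2 and not rights & 1:
        return False
    if rights & 128 and not rights & 64:
        return False
    return True

def restrict_enrollment_profile(profile: bytes) -> bytes:
    """Rewrite AccessRights of the single MDM payload in an enrollment profile (plist)."""
    doc = plistlib.loads(profile)
    mdm = [p for p in doc["PayloadContent"] if p["PayloadType"] == "com.apple.mdm"]
    if len(mdm) != 1:
        raise ValueError("expected exactly one com.apple.mdm payload")
    new_rights = byod_rights(mdm[0]["AccessRights"])
    if not rights_are_consistent(new_rights):
        raise ValueError("AccessRights would be inconsistent after restriction")
    mdm[0]["AccessRights"] = new_rights
    return plistlib.dumps(doc)

def access_rights_of(profile: bytes) -> int:
    """Read back the AccessRights of the MDM payload (used to verify the rewrite)."""
    doc = plistlib.loads(profile)
    return next(p["AccessRights"] for p in doc["PayloadContent"] if p["PayloadType"] == "com.apple.mdm")

# Constructed minimal enrollment profile; identifiers and URL are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.enrollment.placeholder",
    "PayloadContent": [{
        "PayloadType": "com.apple.mdm",
        "PayloadIdentifier": "example.enrollment.placeholder.mdm",
        "ServerURL": "https://mdm.example.invalid/mdm",
        "Topic": "com.apple.mgmt.External.placeholder",
        "AccessRights": FULL_RIGHTS,
    }],
})
```

Because `AccessRights` is fixed when the profile is installed, a device already enrolled with the full mask has to re-enroll with the restricted profile, as the comment above notes.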
Problem
Mike: I want to be able to disable remote wipe for a given team (e.g. BYOD devices; could even call it “BYOD mode”), but the simplest step is to be able to, as an admin, disable this one particular feature that could wipe your pictures of your kids.
What have you tried?
Potential solutions
What is the expected workflow as a result of your proposal?
Hey @Sampfluger88, we decided to drop #23242 because none of our customers requested this feature. We're planning to bring #27390 into the sprint starting on May 5.
customer-sarahwu wants to enroll personal (BYOD) iPhones using the profile-based enrollment to get more visibility, but they want to restrict the actions that IT admins can take on the device: one is wipe.
- @noahtalerman: What else? Enable lost mode?
@Patagonia121 what other actions does customer-sarahwu want to make sure IT admins can't take on iPhones. Other than wipe.
Hi @noahtalerman - I finally heard back from customer-sarahwu, here's what else they'd like to see:
- Disable "Full device wipe"
- Allow only "Enterprise or Corporate selective wipe"
- No option to see personal apps info
- Geolocation tracking

Good to have other basic controls on overall iOS management:
- Remote command to lock device (in case device is stolen or lost)
- Capability to remove device lock (in case user misses out or forgets device unlock passcode) - only if MDM profile to set device passcode is pushed down