Share via


Help protect your data with remote wipe, remote lock, or passcode reset using Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 SP1, Microsoft Intune, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

System Center 2012 Configuration Manager provides selective wipe, full wipe, remote lock, and passcode reset capabilities. Mobile devices can store sensitive corporate data and provide access to many corporate resources. To protect devices you can issue:

Beginning with System Center 2012 R2 Configuration Manager:

  • A full wipe to restore the device to its factory settings.

  • A selective wipe to remove only company data.

Beginning with System Center 2012 Configuration Manager SP2:

  • A remote lock to help secure a device that might be lost.

  • Reset the device passcode.

This topic includes:

  • Wipe

  • Passcode Reset

  • Remote Lock

Mobile devices that are managed using Configuration Manager R2 with Microsoft Intune can wipe or retire managed devices.

Wipe

You might issue a wipe command to a device when you need to secure a lost device or when you retire a device from active use.

Issue a full wipe to a device to restore the device to its factory defaults. This removes all company and user data and settings. You can do a full wipe on Windows Phone, iOS, and Android devices.

Issue a selective wipe to a device to remove only company data. The following table describes by platform what data is removed and the effect on data that remains on the device after a selective wipe.

Content removed when retiring a device

Windows 8.1 and Windows RT 8.1

Windows RT

Windows Phone 8 and Windows Phone 8.1

iOS

Android

Samsung KNOX

Company apps and associated data installed by using Configuration Manager and Intune.

Apps are uninstalled and sideloading keys are removed. Apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible.

Sideloading keys are removed but apps remain installed.

Apps are uninstalled. Company app data is removed.

Apps are uninstalled. Company app data is removed.

Apps and data remain installed.

Apps are uninstalled.

VPN and Wi-Fi profiles

Removed.

Not applicable.

Removed for Windows Phone 8.1.

Removed.

Removed.

Removed.

Certificates

Removed and revoked.

Not applicable.

Removed for Windows Phone 8.1.

Removed and revoked.

Revoked.

Revoked.

Settings

Requirements removed.

Requirements removed.

The following settings are removed (Windows Phone 8.1 only):

  • Require a password to unlock mobile devices

  • Allow simple passwords

  • Minimum password length

  • Required password type

  • Password expiration (days)

  • Remember password history

  • Number of repeated sign-in failures to allow before the device is wiped

  • Minutes of inactivity before password is required

  • Required password type – minimum number of character sets

  • Allow camera

  • Require encryption on mobile device

  • Allow removable storage

  • Allow web browser

  • Allow application store

  • Allow screen capture

  • Allow geolocation

  • Allow Microsoft Account

  • Allow copy and paste

  • Allow Wi-Fi tethering

  • Allow automatic connection to free Wi-Fi hotspots

  • Allow Wi-Fi hotspot reporting

  • Allow factory reset

  • Allow Bluetooth

  • Allow NFC

  • Allow Wi-Fi

Removed, except for:

  • Allow voice roaming

  • Allow data roaming

  • Allow automatic synchronization while roaming

Requirements removed.

Requirements removed.

Management Agent

Not applicable. Management agent is built-in.

Not applicable. Management agent is built-in.

Not applicable. Management agent is built-in.

Management profile is removed.

Device Administrator privilege is revoked.

Device Administrator privilege is revoked.

Email profiles

Removes email that is EFS enabled which includes the Mail app for Windows email and attachments.

Not applicable.

Removed (Windows Phone 8.1 only)

For email profiles provisioned by Microsoft Intune, the email account and email are removed.

Not applicable.

For email profiles provisioned by Microsoft Intune, the email account and email are removed.

To initiate a remote wipe from the Configuration Manager console

  1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you can click Device Collections and select a collection.

  2. Select the device that you want to retire/wipe.

  3. Click Remote Device Actions in the Device Group, and then select Retire/Wipe.

Wiping EFS-enabled content

Selective wipe of EFS-encrypted content is supported by Windows 8.1 and Windows RT 8.1. The following apply to a selective wipe of EFS-enabled content:

  • Only apps and data that are protected by EFS using the same Internet domain as the Intune account are selectively wiped. For more information, see Windows Selective Wipe for Device Data Management.

  • If there are any changes are made to the domain associated with EFS, the changes can take up to 48 hours before apps and data using the new domain can be selectively wiped.

  • Each domain that is registered with Intune is the domain that will be wiped.

The data and apps that are currently supported by EFS selective wipe are:

Best Practices for Selective Wipe

  • For successful wipe of email, provision email profiles to iOS and Windows Phone 8.1 devices.

  • For successful wipe of apps, make sure the apps are distributed through mobile device app management. For more information, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager 

  • For iOS, configure the setting “Allow backup to iCloud” to “Disallow” so that users can’t restore content using iCloud.

  • If an account has been deactivated, then after one year, the account will be retired by Intune and a selective wipe will be performed.

Passcode Reset

If a user forgets their passcode, you can help them by removing the passcode from a device or by forcing a new temporary passcode on a device. The table below lists how passcode reset works on different mobile platforms.

Platform

Passcode Reset

iOS

Supported for clearing the passcode from a device. Does not create a new temporary passcode.

Android

Supported and a temporary passcode is created.

Windows Phone 8 and Windows Phone 8.1

Supported

Windows RT 8.1 and Windows RT

Not Supported

Windows 8.1

Not Supported

To reset the passcode on a mobile device remotely in Configuration Manager

  1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you can click Device Collections and select a collection.

  2. Select the device or devices on which to reset the passcode.

  3. Click Remote Device Actions in the Device Group, and then select Passcode Reset.

To show the state of the passcode reset

  1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you can click Device Collections and select a collection.

  2. Select the device or devices on which to show the state of the passcode reset.

  3. Click Remote Device Actions in the Device Group, and then select Show Passcode State.

Remote Lock

If a user loses their device you can lock the device remotely. The following table lists how remote lock works on different mobile platforms.

Platform

Remote Lock

iOS

Supported

Android

Supported

Windows Phone 8 and Windows Phone 8.1

Supported

Windows RT 8.1 and Windows RT

Supported if the current user of the device is the same user who enrolled the device.

Windows 8.1

Supported if the current user of the device is the same user who enrolled the device.

To lock a mobile device remotely through the Configuration Manager console

  1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you can click Device Collections and select a collection.

  2. Select the device or devices to lock.

  3. Click Remote Device Actions in the Device Group, and then select Remote Lock.

To show the state of the remote lock

  1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you can click Device Collections and select a collection.

  2. Select the device on which to show the state of the remote lock.

  3. Click Remote Device Actions in the Device Group, and then select Show Remote Lock State.