How to prevent users from revoking management?

Description

A device stays managed only while the MDM profile or agent is present on it. If a user removes MDM, the device becomes unmanaged and the error User has revoked management is displayed against the device, under Remarks in the Enrollment tab. To prevent users from removing MDM, configure MDM as described below:

Steps 

Corporate Devices

Devices that are owned by the organization and issued to employees must be managed at all times, and users must not be able to remove them from management. To prevent this, enroll these devices using the corporate enrollment methods listed below. These enrollment methods ensure that the devices cannot be removed from management even if they are factory reset, because management is re-applied when the device is set up again.

iOS/iPadOS devices

  1. Apple Business Manager

Android Devices

  1. Zero Touch Enrollment
  2. KNOX Mobile Enrollment

Windows 10 Devices

  1. Azure Enrollment

For iOS/iPadOS devices enrolled using other enrollment methods, users can be prevented from escaping management by factory reset: apply a Restrictions profile with the option Allow user to wipe device by erasing all content and settings disabled. Note that this restriction only takes effect on supervised devices. On Android devices, prevent users from removing the ME MDM app by navigating to Enrollment -> Android -> ME MDM App and disabling Allow user to remove ME MDM App.

Personal Devices

Since these devices are personally owned, users cannot be completely prevented from revoking management, but the admin can be notified whenever a device is removed from management. Follow the steps given below to enable these notifications:

  1. On the console, navigate to Enrollment -> Enrollment settings
  2. Enable the option Notify when device becomes unmanaged
  3. Enter the email address that must receive the notifications
  4. Save the settings

In addition to individual notifications, the admin can also view the devices that have not contacted the server for a period of time by navigating to Reports -> Inactive devices.
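The following is an added example, not part of the original article or of the product's own code. It audits a device inventory export against the two recommendations above: corporate devices should use an enrollment method that survives a factory reset (Apple Business Manager, Zero Touch Enrollment, KNOX Mobile Enrollment, Azure Enrollment), and devices carrying the remark User has revoked management or silent past an inactivity threshold should be surfaced. The CSV column names, the method labels, and the sample rows are all assumptions constructed for the example; the product's real export schema may differ.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Enrollment methods the article lists as surviving a factory reset, keyed by
# platform. The labels are assumptions about how an export would name them.
PERSISTENT_ENROLLMENT = {
    "ios": {"Apple Business Manager"},
    "android": {"Zero Touch Enrollment", "KNOX Mobile Enrollment"},
    "windows": {"Azure Enrollment"},
}

# Remark shown against a device whose user removed MDM (from the article).
REVOKED_REMARK = "User has revoked management"

# Constructed sample export. Column names are assumptions, not the product's
# actual export format.
SAMPLE_EXPORT = """\
device_name,platform,ownership,enrollment_method,remarks,last_contact
ipad-sales-01,ios,corporate,Apple Business Manager,,2024-05-10T09:00:00Z
pixel-eng-07,android,corporate,Email invite,User has revoked management,2024-04-28T17:12:00Z
galaxy-ops-03,android,corporate,KNOX Mobile Enrollment,,2024-04-01T08:30:00Z
win-hr-12,windows,corporate,Manual,,2024-05-09T12:00:00Z
iphone-byod-22,ios,personal,Self enrollment,User has revoked management,2024-05-08T07:45:00Z
"""

# Fixed "current time" so the sample produces stable results (assumption).
SAMPLE_NOW = "2024-05-11T00:00:00Z"


def parse_timestamp(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_export(text):
    """Read the CSV export into a list of dicts with parsed last_contact."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_contact"] = parse_timestamp(row["last_contact"])
    return rows


def audit_devices(rows, now_iso, inactive_days=30):
    """Classify devices into three findings lists.

    revoked   - remark indicates the user removed management
    inactive  - no server contact within inactive_days
    reset_gap - corporate device whose enrollment method does not
                re-apply management after a factory reset
    """
    cutoff = parse_timestamp(now_iso) - timedelta(days=inactive_days)
    findings = {"revoked": [], "inactive": [], "reset_gap": []}
    for row in rows:
        name = row["device_name"]
        if REVOKED_REMARK.lower() in row["remarks"].lower():
            findings["revoked"].append(name)
        if row["last_contact"] < cutoff:
            findings["inactive"].append(name)
        if row["ownership"].lower() == "corporate":
            persistent = PERSISTENT_ENROLLMENT.get(row["platform"].lower(), set())
            if row["enrollment_method"] not in persistent:
                findings["reset_gap"].append(name)
    return findings


def audit_sample():
    """Run the audit over the constructed sample export."""
    return audit_devices(parse_export(SAMPLE_EXPORT), SAMPLE_NOW)


if __name__ == "__main__":
    for category, names in audit_sample().items():
        print(f"{category}: {', '.join(names) if names else '(none)'}")
```

Devices in the reset_gap list are the ones to re-enroll through a corporate method, since a factory reset by the user would otherwise take them out of management for good; the revoked and inactive lists mirror the console's Remarks column and the Inactive devices report respectively.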

It is also recommended to configure services and distribute enterprise apps only through MDM. Although management can be removed, doing so also removes the configurations and enterprise apps that MDM deployed to the device, so users lose access to corporate data as soon as management is revoked.

Conditional Exchange Access also helps organizations keep e-mail secure by ensuring that only enrolled devices can access corporate e-mail.

Note: Users can revoke device management from the ME MDM app if the Show unenrollment option in ME MDM App setting is enabled in the product console.