pdf icon
Category Filter

Deprovisioning Devices

Keeping track of all the mobile devices in an organization is a crucial device management task to be performed by any mobile device management solution. IT admins need to have complete information about the devices that are in use and the ones that are not currently a part of the workforce. The admin should also be able to deprovision the devices that are not in use. Using Mobile Device Manager Plus, all that the IT admin has to do, is to mark the devices to be deprovisioned.

Why deprovision devices?

Deprovisioning devices completely removes it from management. In case of lost devices, devices requiring maintenance, and devices of employees who are leaving the organization, have to be removed from management. Such devices have to be deprovisioned.

For workspace-managed devices, the work profile can be revoked. In case of fully managed devices, they can be factory reset.

How to deprovision a device?

Deprovision can be done either for a single device or multiple devices. For deprovisioning individual devices, navigate to Enrollment > Devices > Managed > Actions > Deprovision. You can also choose multiple devices from this tab and then deprovision them.

Revoke MDM

Revoke MDM

Revoke MDM erases only corporate data(work apps, company documents, etc.) present on the device, hence the user's personal data(personal apps, personal files, etc.) is safe and still present on the device.

Note:The data once deleted cannot be restored.

Factory reset device

Factory reset device

Wipe options(Retain MDM profile, Unlock PIN, Retain eSIM data, Retain SD card data) are applicable only when Factory reset device is selected.
Retain MDM profile: It is applicable only for devices enrolled via Windows Autopilot.
Unlock PIN: After factory reset, the device must be unlocked using this new PIN to initiate device bootup. It is applicable only for macOS devices.
Retain eSIM data: When this option is enabled, eSIM configurations will be retained on the device even after factory reset. It is applicable for iOS/iPadOS devices.
Retain SD card data: It is applicable for all Android devices.
These options will be shown based on the device platform selected for deprovision. If a complete wipe is performed, both corporate and personal data will be deleted.

Note:
  • Complete wipe can be performed on both Supervised and Unsupervised Apple devices based on the permissions configured in the device privacy settings in MDM prior to enrollment.
  • Complete wipe can be performed only on fully managed and WPCO android devices but not workspace managed devices.
  • You can deprovision the corporate data for up to 25 devices at once.
  • You can perform complete wipe for up to 10 devices at once.

Move devices to

Personal devices can only be moved to retired. Corporate devices can be moved to stock, repair, or retire.

    • In Stock - When employees leave the organization, their mobile devices can be deprovisioned and moved to "In Stock" , allowing them to be re-enrolled and assigned to another user.
    • Repair Mobile devices often require frequent servicing, and while they are under repair, they cannot be part of the workforce. However, they may still contain corporate data that could fall into the wrong hands. Therefore, when a device is being repaired, it can be marked as "In Repair" in the MDM server. Once the device is repaired, it can be re-enrolled. If the device cannot be repaired and needs to be permanently removed from MDM, it can be removed through the Actions option.
    • Retire - If a device is moved to Retired, it will be deprovisioned. Personal devices will remain available on the server for 90 days, after which they will be automatically removed. Corporate devices must be manually removed.

Note: Specify the reason for deprovision as it is used for audit log purposes. Deprovisioned devices can be removed or  reenrolled
If the device was enrolled using KNOX, ABM/ASM, Zero-touch, or Chrome enrollment, it will be automatically re-enrolled upon boot up.
 

Deprovisioning Settings

Admins can deprovision the devices from MDM when a device is no longer in use or when an employee leaves the company. Deprovisioning devices will completely erase all the corporate data present on the device. This helps to protect corporate data associated with unmanaged devices. In MDM, admins can configure certain settings to predefine the device deprovisioning process.

  1. Revoke MDM from devices once users are deactivated in Okta - Admin can configure to automatically deprovision devices associated with the users who are disabled or removed from the Okta directory.

Note: Deprovisioning is not possible when a user has more than three associated devices and when the device count exceeds 50.Desktops and Laptops remain continuously provisioned.

      2.Upon deprovisioning, sign-out the associated Google Workspace (G Suite) users across all apps - This will remove all data and accounts associated with G Suite users from the device.

      3.Notify via email when device unmanaged by user: For personal devices, since users cannot be restricted completely from revoking management, admins can instead make sure that they are notified when a user unmanages the device by enabling the option Notify when the device becomes unmanaged . Admins can specify more than one email address if the notifications have to be sent to multiple persons.

      4.Show unenrollment option in ME MDM app: Device management can be revoked by the user if this option is enabled in the product console. Learn How to prevent Device Unenrollment in ME MDM App.

Remove admin enrolled deprovisioned devices

If a device enrolled using admin enrollment is deprovisioned, the device will be un-enrolled but not removed from the respective portals. Follow these documents to remove devices from ABMZero-touch, Chrome and Knox.

 

Jump To