How to perform a full remote wipe on an Android device – TechTarget | Hot Mobile Press

One of the most important reasons to properly manage Android devices within an organization is to protect corporate data.

Organizations can require that all Android devices employees use for work purposes comply with company policies before being given access to company data. After access is granted, organizations can still control corporate data and remotely wipe it from Android devices.

If an Android device is stolen or lost, an IT admin can trigger a remote wipe to ensure corporate data doesn’t fall into the wrong hands. A remote wipe can also be useful in BYOD scenarios. For example, if an employee decides to leave the company and no longer wants access to company data, IT can wipe all company data from the BYOD Android smartphone while personal data remains intact.

Wipe Options for Managed Android Devices

For IT admins using mobile device management (MDM) to manage employee devices, there are two different options for wiping an Android device. Admins can choose to either delete a device or delete an account. These options are also known as a full wipe and a selective wipe, respectively. When managing devices specifically in Microsoft Intune, administrators see these options as Wipe and Retire. While naming varies between platforms, each method has consistent results. The options produce the following results:

  • Delete a device. Erases all user accounts, data, and MDM policies and settings by restoring the Android device to factory settings. This is also sometimes referred to as a full wipe; in Microsoft Intune this is simply referred to as a Wipe.
  • Delete an account. Deletes the company user account, including company data and settings, and completely wipes the user’s work profile from the Android device. This is also sometimes referred to as a selective wipe; in Microsoft Intune this is referred to as a Retire.

In addition to the various wipe options for Android devices, most MDM providers also offer wipe options for managed apps on Android devices. In Microsoft Intune there are managed apps that support multiple identities. If admins delete the corporate data from these managed apps, the action will not affect personal data in the same app. This method is especially useful for personal Android devices.

Deletion options for different Android management types

The availability of the different wipe options for Android devices depends on the MDM provider and the management rights on the device. On Android smartphones, users can have either profile owner permissions or device owner permissions on the device. These permissions are mainly related to the ownership of the Android device and the type of management it is subject to.

On a personal Android device, the user must install the MDM provider’s management app and enroll the Android device. After enrollment, the management app creates a separate work profile on the Android device. This gives the organization profile owner permissions within the work profile.

On corporate-owned Android devices, the device is enrolled with the MDM provider during the out-of-box experience. For most management types, this provides the organization with device owner permissions on the Android device. However, there is one exception: corporate-owned Android work profile devices. In this case, the organization has profile owner permissions on the Android device, and a little more. From a wipe perspective, the effect is the same as with any type of corporate-owned Android device management.

The following types of management are most common for Android devices:

  • Work profile. A separate profile for work and personal use.
  • Fully managed. A fully managed Android device with a personal touch.
  • Dedicated. A kiosk-style Android device.

Depending on the management type and ownership, different wipe options are available (Figure 1).

Figure 1.

How to perform a remote wipe of an Android device using Microsoft Intune

IT admins can perform a remote wipe of an Android device through the organization’s MDM provider. For most MDM providers, the process is relatively easy to complete. Using Microsoft Intune as the example, admins can remotely wipe an Android device by following the steps below:

1. Open the Microsoft Endpoint Manager portal, sign in with an account that has the required privileges, and navigate to Devices > Android > Android devices.

The user performing the remote wipe or retire action in Microsoft Intune needs at least the Wipe and Retire permissions, available within the Remote tasks category.

2. On the Android | Android devices page, select the specific Android device and click Wipe or Retire, depending on the management type of the Android device (Figure 2).

The screen for a specific Android device in Microsoft Endpoint Manager.
Figure 2. Overview of information and remote actions for a corporate-owned Android device.

3. In the confirmation dialog box, familiarize yourself with the implications of the remote action before clicking Continue (Figure 3).

Android device screen with confirmation dialog confirming whether to erase the device.
Figure 3. The confirmation message users see after they choose to erase an Android device.

In addition, most MDM providers offer methods to further automate this process in certain situations. In Microsoft Intune there is an option to automatically retire an Android device if it does not comply with company policies. If the device is noncompliant, Microsoft Intune adds it to a noncompliant device list in the portal. IT admins can go through this list and either retire a specific device on it or retire all devices on it.
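When the Wipe or Retire choice from step 2 is scripted rather than clicked, the ownership check can be enforced before any request leaves the admin workstation. The following Python is an added example, not code from the article or from Microsoft: it assumes the Microsoft Graph `managedDevices` `wipe` and `retire` actions, uses constructed device records, applies the personal-versus-corporate policy described above as its own rule, and only builds the request without sending it.

```python
from dataclasses import dataclass
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"

@dataclass(frozen=True)
class Device:
    id: str          # Intune managedDevice id (sample values are constructed)
    name: str
    owner_type: str  # Graph managedDeviceOwnerType: "company" or "personal"

def allowed_action(device: Device) -> str:
    """Policy assumed from the article: BYOD devices are retired (work
    profile removed), corporate-owned devices are wiped (factory reset)."""
    if device.owner_type == "personal":
        return "retire"
    if device.owner_type == "company":
        return "wipe"
    # Unknown ownership: refuse rather than guess at a destructive action.
    raise ValueError(f"{device.name}: ownership {device.owner_type!r} not handled")

def plan_request(device: Device, requested: Optional[str] = None) -> dict:
    """Build, but do not send, the Graph call for the remote action."""
    action = allowed_action(device)
    if requested is not None and requested != action:
        # Guard: e.g. a factory reset must never hit a personal phone.
        raise PermissionError(
            f"{requested!r} is not permitted on {device.name}; use {action!r}")
    return {
        "device": device.name,
        "action": action,
        "method": "POST",
        "url": f"{GRAPH}/deviceManagement/managedDevices/{device.id}/{action}",
    }

# Constructed inventory records, not real devices.
SAMPLE = [
    Device("00000000-0000-0000-0000-000000000001", "byod-pixel", "personal"),
    Device("00000000-0000-0000-0000-000000000002", "corp-kiosk", "company"),
]

if __name__ == "__main__":
    for d in SAMPLE:
        p = plan_request(d)
        print(f"{p['device']}: {p['method']} {p['url']}")
```

Logging the planned request and requiring a second approver before it is actually sent keeps a mistyped device ID from turning into an unintended factory reset.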
