How to remove policy settings from a user/device managed by Intune

As you all know, Intune can deploy all kinds of settings and profiles (security settings, WiFi, Certificate, Mail and VPN profiles) to your users and devices. But what if you want to remove one of the settings/profiles?

Until now this hasn’t been possible (except if you did a selective wipe/full wipe). With the updates delivered in the November and December releases of the Microsoft Intune backend, the policy will be removed when:

  • User or device leaves a collection/group that the policy was targeted to
  • Admin removes the deployment
  • Admin removes the policy itself

Note that this feature is available both in Microsoft Intune Standalone and in SCCM UDM with Intune.

As with all things we do with the device, we are dependent on the underlying management platform. Below you can see what can be removed per platform.

| Type of settings | Windows | Android | WP8.1 (there is no support for WP8) | iOS |
|---|---|---|---|---|
| Resource access profiles (WiFi, VPN, Email, Certificate etc.) | Yes | Yes | Yes | Yes |
| Configuration Items | No | No | Supported settings (listed below) | All settings except roaming settings |

Supported settings for WP8.1:

./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowIdleReturnWithoutPassword
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordEnabled
./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowSimpleDevicePassword
./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength
./Vendor/MSFT/PolicyManager/My/DeviceLock/AlphanumericDevicePasswordRequired
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordExpiration
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordHistory
./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxDevicePasswordFailedAttempts
./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxInactivityTimeDeviceLock
./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordComplexCharacters
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
./Vendor/MSFT/PolicyManager/My/Camera/AllowCamera
./Vendor/MSFT/PolicyManager/My/Security/RequireDeviceEncryption
./Vendor/MSFT/PolicyManager/My/System/AllowStorageCard
./Vendor/MSFT/PolicyManager/My/Browser/AllowBrowser
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowStore
./Vendor/MSFT/PolicyManager/My/Experience/AllowScreenCapture
./Vendor/MSFT/PolicyManager/My/System/AllowTelemetry
./Vendor/MSFT/PolicyManager/My/System/AllowLocation
./Vendor/MSFT/PolicyManager/My/Accounts/AllowMicrosoftAccountConnection
./Vendor/MSFT/PolicyManager/My/Accounts/AllowAddingNonMicrosoftAccountsManually
./Vendor/MSFT/PolicyManager/My/Experience/AllowCopyPaste
./Vendor/MSFT/PolicyManager/My/WiFi/AllowInternetSharing
./Vendor/MSFT/PolicyManager/My/WiFi/AllowAutoConnectToWiFiSenseHotspots
./Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFiHotSpotReporting
./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowUSBConnection
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowBluetooth
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularDataRoaming
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowNFC
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularData
./Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFi

The list of policies can also be found at http://technet.microsoft.com/en-us/library/dn743712.aspx under “What happens when a policy is deleted, or no longer applicable”

To illustrate what this looks like, I have recorded a short video.

If you have any questions or feedback, please add them in the comments below.

What’s new in the Jan/Feb 2014 Intune update

The Jan/Feb 2014 update to Windows Intune has now been out for a couple of weeks. This was the first update that was released through the SCCM “Extensions for Windows Intune”.

So what did the update actually include?

  • Ability for the administrator to configure email profiles, which can automatically configure the device (iOS and WP8) with the appropriate email server information and related policies, as well as the ability to remove the profile along with the email itself via a remote wipe if needed (iOS only).
  • Support for new configuration settings in iOS 7, including the "Managed open in" capability to protect corporate data by controlling which apps and accounts are used to open documents and attachments, and disabling the fingerprint unlock feature.
  • Ability for the administrator to remotely lock the device if it is lost or stolen, and reset the password if the user forgets it (as of now, this feature only exists in the Intune standalone cloud service).

If you would like to see a good demo of some of the new features, please look at the interview on Channel9 with Martin Booth:

http://channel9.msdn.com/Shows/Edge/Edge-Show-90-System-Center-Configuration-Manager-and-Windows-Intune-and-Managing-iOS-What-s-New-