fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

No remote wipe for BYOD iPhones #22882

Open Sampfluger88 opened 1 week ago

Sampfluger88 commented 1 week ago
allenhouchins commented 5 days ago

A couple of things for us to think through. Our current BYOD solution is not really BYOD, otherwise this would not be a problem. Our current BYOD solution is user-initiated enrollment with full MDM capabilities. This is supposed to be used for companies that have devices that aren't being automatically managed by ABM/DEP. The issue around admins having pervasive permissions and capabilities would be addressed if we supported User Enrollment (true BYOD). I am concerned that just hiding Wipe from the UI would not address the potential issue being raised, since the enrollment profile installed in this method would still have the rights to wipe the device. We would likely have to change the rights management of the enrollment profile that gets installed to fully block wipe capabilities, which would mean a re-enrollment of the device. It also means that the customers that want user-initiated enrollment with full MDM capabilities would lose this ability without creating some UI to have multiple user-initiated enrollment workflows.
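To make the point above concrete: on Apple platforms the device itself enforces what an MDM server may do, based on the `AccessRights` bitmask in the `com.apple.mdm` payload of the enrollment profile, so a wipe button hidden in the server UI changes nothing on the phone. The example below is added here for illustration and is not Fleet's code: it builds a trimmed MDM payload fragment with the device-erase bit (value 8 in Apple's documented AccessRights table) either granted or withheld, and shows the server-side check that should accompany it. The function and type names (`AccessRightsFor`, `MDMPayload`, `EnrolledDevice`, `QueueErase`) and the URLs/topic are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AccessRights bits of the com.apple.mdm payload, as documented in Apple's
// Configuration Profile Reference. The device reads these once, at enrollment.
const (
	RightInspectProfiles   = 1 << 0  // 1: inspect installed configuration profiles
	RightManageProfiles    = 1 << 1  // 2: install/remove configuration profiles
	RightDeviceLock        = 1 << 2  // 4: device lock and passcode removal
	RightEraseDevice       = 1 << 3  // 8: device erase (EraseDevice command)
	RightQueryDeviceInfo   = 1 << 4  // 16: query device information
	RightQueryNetworkInfo  = 1 << 5  // 32: query network information
	RightInspectProvProf   = 1 << 6  // 64: inspect provisioning profiles
	RightManageProvProf    = 1 << 7  // 128: install/remove provisioning profiles
	RightInspectApps       = 1 << 8  // 256: inspect installed applications
	RightQueryRestrictions = 1 << 9  // 512: restriction-related queries
	RightQuerySecurity     = 1 << 10 // 1024: security-related queries
	RightManageSettings    = 1 << 11 // 2048: manipulate settings
	RightManageApps        = 1 << 12 // 4096: app management
)

// FullRights sets all thirteen documented bits (8191).
const FullRights = (1 << 13) - 1

// AccessRightsFor returns the rights to embed in the enrollment profile.
// "BYOD mode" (hypothetical name from the issue) keeps everything except erase.
func AccessRightsFor(byodMode bool) int {
	if byodMode {
		return FullRights &^ RightEraseDevice
	}
	return FullRights
}

// CanErase reports whether a given AccessRights value permits EraseDevice.
func CanErase(rights int) bool {
	return rights&RightEraseDevice != 0
}

// MDMPayload renders only the keys relevant here. A real enrollment profile also
// needs PayloadIdentifier/PayloadUUID/PayloadVersion, IdentityCertificateUUID and
// the surrounding profile dictionary; those are omitted for brevity (assumption).
func MDMPayload(serverURL, checkInURL, topic string, rights int) string {
	var b strings.Builder
	b.WriteString("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
	b.WriteString("<plist version=\"1.0\"><dict>\n")
	b.WriteString("  <key>PayloadType</key><string>com.apple.mdm</string>\n")
	fmt.Fprintf(&b, "  <key>ServerURL</key><string>%s</string>\n", serverURL)
	fmt.Fprintf(&b, "  <key>CheckInURL</key><string>%s</string>\n", checkInURL)
	fmt.Fprintf(&b, "  <key>Topic</key><string>%s</string>\n", topic)
	fmt.Fprintf(&b, "  <key>AccessRights</key><integer>%d</integer>\n", rights)
	b.WriteString("</dict></plist>\n")
	return b.String()
}

// EnrolledDevice is a constructed record of what the server stored at enrollment:
// the rights the installed profile actually granted, not what the UI shows.
type EnrolledDevice struct {
	UDID         string
	AccessRights int
}

var ErrEraseNotGranted = errors.New("enrollment profile does not grant EraseDevice; the device would reject the command, re-enroll with a profile that grants it")

// QueueErase is the server-side gate that should sit behind (not instead of)
// the withheld bit: refuse to queue EraseDevice when the profile lacks the right.
func QueueErase(d EnrolledDevice) (string, error) {
	if !CanErase(d.AccessRights) {
		return "", ErrEraseNotGranted
	}
	return "EraseDevice", nil
}

func main() {
	// Constructed values; the URLs and APNs topic are placeholders.
	byod := AccessRightsFor(true)
	fmt.Println(MDMPayload("https://mdm.example.com/mdm",
		"https://mdm.example.com/mdm/checkin", "com.apple.mgmt.example", byod))
	_, err := QueueErase(EnrolledDevice{UDID: "00008030-000000000000001E", AccessRights: byod})
	fmt.Println("erase on BYOD-mode device:", err)
}
```

Because the device only reads `AccessRights` when the profile is installed, flipping the bit server-side does not take effect on already-enrolled devices; as the comment says, they must re-enroll with the new profile, and until then the server check is the only thing standing between an admin and a wipe.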

noahtalerman commented 1 day ago

Problem

Mike: I want to be able to disable remote wipe for a given team (e.g. BYOD devices). Could even call it “BYOD mode”, but the simplest step is to be able, as an admin, to disable this one particular feature that could wipe your pictures of your kids.

What have you tried?

Potential solutions

What is the expected workflow as a result of your proposal?