Hello All,
Looking for some suggestions about how to send a wipe (Clear) instruction to a user's mobile device(s) upon termination if they do not go by IT to have access removed 'gently'.
The issue is that, while we WANT to wipe the phone, we HAVE to remove their network access by disabling their AD account. There was some discussion internally about whether or not the wipe would work if the AD account is disabled, but MS support confirmed that the user does have to authenticate in order to get that wipe command.
They also mentioned that it can take some time for a password change on the AD account to take effect so you could change the AD password to block the user from accessing the network, send the 'Clear' command and then give it some period of time to see if the user authenticates and the phone is wiped.
This doesn't seem like a good way to do things. Most people back up their phone data pretty frequently so wiping it might have limited benefit.
Does anyone have a thought on how to achieve both goals: trying to wipe the phone while ensuring that the user cannot access corporate systems through the AD account? Changing the password for a set period of time MIGHT work, but the idea of a process that 'might' work depending on how quickly a password change takes effect seems kludgy at best. Absent a separate MDM product, does anybody have a process that would allow us to wipe the phone without leaving a terminated user active in AD? We're automating this with an IDM tool, so I need something a little better defined than 'give it a while and see if it works' ;-)
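The sequence the poster describes (block network access with a password reset, send the Clear, wait for the device to check in, then disable the account) can at least be given a defined timeout and a clear success/failure result. The script below is an added example for that sequence; it is not the original poster's code or a Microsoft-supplied script. It assumes an Exchange 2013 or later management session (Get-MobileDevice, Clear-MobileDevice and Get-MobileDeviceStatistics; Exchange 2010 uses the *-ActiveSyncDevice* equivalents), the ActiveDirectory RSAT module, and that the caller already holds the Exchange and AD rights involved. The parameter names, the default wait and poll intervals, and the reporting at the end are illustrative choices, not anything from the thread.

```powershell
<#
  Added example, not code from the original post.
  Terminate a user with a bounded wait for the ActiveSync wipe:
    1. queue a Clear (full wipe) for every ActiveSync device on the mailbox,
    2. reset the AD password to a random value so the person cannot log on,
    3. poll DeviceWipeAckTime for a bounded period,
    4. disable the AD account regardless of outcome and report devices that never acked.
  Assumptions: Exchange 2013+ cmdlet names, ActiveDirectory module available,
  sufficient rights. Parameter defaults are illustrative.
#>
param(
    [Parameter(Mandatory = $true)] [string] $SamAccountName,
    [int] $WaitMinutes = 120,   # how long to let the device come back for the wipe (assumed default)
    [int] $PollSeconds = 300    # how often to check for the acknowledgement (assumed default)
)

Import-Module ActiveDirectory

# 1. Queue the wipe first so nothing done afterwards can race it; the request is
#    stored server-side and delivered the next time the device authenticates.
$devices = @(Get-MobileDevice -Mailbox $SamAccountName)
if ($devices.Count -eq 0) {
    Write-Warning "No ActiveSync devices registered for $SamAccountName; disabling account only."
    Disable-ADAccount -Identity $SamAccountName
    return
}
foreach ($d in $devices) {
    Write-Host ("Queueing wipe for {0} ({1})" -f $d.DeviceFriendlyName, $d.DeviceId)
    Clear-MobileDevice -Identity $d.Identity -Confirm:$false
}

# 2. Block interactive and network logon without disabling the account. A device that
#    still holds the old credentials can authenticate until the change propagates,
#    and that window is what the wipe delivery depends on.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$random = [Convert]::ToBase64String($bytes)
Set-ADAccountPassword -Identity $SamAccountName -Reset `
    -NewPassword (ConvertTo-SecureString -String $random -AsPlainText -Force)
$random = $null

# 3. Bounded wait: poll until every device reports DeviceWipeAckTime or the deadline passes.
$deadline = (Get-Date).AddMinutes($WaitMinutes)
$pending  = @($devices | ForEach-Object { $_.DeviceId })
while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $PollSeconds
    $stats = @(Get-MobileDeviceStatistics -Mailbox $SamAccountName)
    foreach ($s in $stats) {
        if (($pending -contains $s.DeviceId) -and $s.DeviceWipeAckTime) {
            Write-Host ("Wipe acknowledged by {0} at {1}" -f $s.DeviceId, $s.DeviceWipeAckTime)
            $pending = @($pending | Where-Object { $_ -ne $s.DeviceId })
        }
    }
}

# 4. Disable the account no matter what. The wipe request stays queued, but a disabled
#    account can no longer authenticate to pick it up, so anything still pending needs
#    manual follow-up (collect the device, or re-enable briefly under supervision).
Disable-ADAccount -Identity $SamAccountName

if ($pending.Count -gt 0) {
    Write-Warning ("Account disabled; wipe NOT acknowledged by: {0}" -f ($pending -join ', '))
}
else {
    Write-Host "Account disabled; all devices acknowledged the wipe."
}
```

Two caveats for anyone automating this from an IDM tool: a password reset does not invalidate Kerberos tickets the person already holds, so the "some time" mentioned by MS support includes ticket lifetime as well as replication lag, and the script deliberately treats a missed acknowledgement as a reportable failure rather than something to keep retrying, since the account is disabled at the end either way.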