Administrators are unable to perform certain MDM commands on enrolled iOS devices. For example, a Device Wipe is attempted, but an Enterprise Wipe is performed instead.
During the enrollment of an iOS device and the installation of the MDM profile, the end user (or staging administrator) will confirm which actions AirWatch will be allowed to perform on the device (such as allowing device wipe, management of user-installed apps, querying network information, etc). In AirWatch, these settings are configurable by device ownership type in the AirWatch Console under Devices > Device Settings > Devices & Users > General > Privacy. Note that if these settings are changed, devices must re-enroll for the updated settings to take effect.
This issue generally happens due to the MDM profile on the device not having the permissions to perform a device wipe. To confirm a device has the permissions, perform the following steps:
- On the device, navigate to Settings > General > Device Management > ‘MDM Profile/V_#’ > More Details > MDM Settings
- Confirm that the list under Rights includes the permission "Erase all data and settings".
A second way to confirm is to gather iOS device logs while trying to perform a device wipe. In the logs, you will see the following:
The following flowchart explains when an iOS device will allow a Device Wipe (based on the default settings during enrollment).
Additional things to note
The only way to change the Device Wipe permission on a device is to re-enroll the device. This setting/permission is part of the MDM Profile which is only installed/modified during enrollment.
MDM will have full access rights to supervised devices that are enrolled. These settings are only configured at the device level for unsupervised devices.
The "Device Wipe" option may appear for a device in the console even though AirWatch does not have permissions to perform a full device wipe. The options available in the console reflect the current privacy settings and not the settings at the time of enrollment.
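The "Rights" shown on the device come from the AccessRights bitmask in the MDM payload (PayloadType com.apple.mdm) of the enrollment profile. The following script is an added example, not AirWatch code or text from the original article: it reads a .mobileconfig, reports which rights the enrolled profile grants, and applies the wipe decision described above (supervised devices always grant full rights; unsupervised devices depend on the erase bit). The bit values, the sample profile, the server URL and the payload identifier are assumptions constructed for this example; the bit assignments follow Apple's MDM payload documentation and should be checked against the current Configuration Profile Reference before relying on them.

```python
import plistlib

# AccessRights bit values as documented for Apple's com.apple.mdm payload
# (assumed here; verify against Apple's Configuration Profile Reference).
ACCESS_RIGHT_NAMES = {
    1: "Inspect configuration profiles",
    2: "Install/remove configuration profiles",
    4: "Device lock and passcode removal",
    8: "Erase all data and settings",      # the Device Wipe permission
    16: "Query device information",
    32: "Query network information",
    64: "Inspect provisioning profiles",
    128: "Install/remove provisioning profiles",
    256: "Inspect installed applications",
    512: "Restriction-related queries",
    1024: "Security-related queries",
    2048: "Manipulate settings",
    4096: "App management",
}
ERASE_RIGHT = 8
ALL_RIGHTS = sum(ACCESS_RIGHT_NAMES)  # 8191

# Constructed sample .mobileconfig (not from the article): the MDM payload
# carries every right except erase (8191 - 8 = 8183), which is what a
# profile enrolled with "Allow device wipe" turned off would look like.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.mdm</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>AccessRights</key><integer>8183</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def mdm_access_rights(profile_bytes):
    """Return the AccessRights integer of the com.apple.mdm payload, or None if absent."""
    plist = plistlib.loads(profile_bytes)
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return int(payload.get("AccessRights", 0))
    return None


def granted_rights(access_rights):
    """Human-readable list of the rights set in the bitmask."""
    return [name for bit, name in ACCESS_RIGHT_NAMES.items() if access_rights & bit]


def device_wipe_allowed(access_rights, supervised):
    """Apply the article's decision: supervised devices grant MDM full rights,
    unsupervised devices only what the enrolled profile's erase bit allows."""
    if supervised:
        return True
    return bool(access_rights & ERASE_RIGHT)


if __name__ == "__main__":
    rights = mdm_access_rights(SAMPLE_PROFILE)
    print("AccessRights:", rights)
    for name in granted_rights(rights):
        print("  +", name)
    for supervised in (False, True):
        print("supervised=%s -> Device Wipe allowed: %s"
              % (supervised, device_wipe_allowed(rights, supervised)))
```

Because the bitmask is fixed at enrollment, the script only tells you what the device will honour right now; changing the privacy setting in the console does not change the result until the device re-enrolls, which matches the note above about the "Device Wipe" option appearing in the console regardless.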