MDM must be present on enrolled devices so that they remain managed at all times. If a user removes MDM, the device becomes unmanaged and the error "User has revoked management" is displayed against the device under Remarks in the Enrollment tab. To prevent users from removing MDM, configure MDM as follows:
Devices that are owned by the organization and provided to employees must be managed at all times, and users must not have permission to remove these devices from management. To prevent users from doing so, enroll these devices using the available corporate enrollment methods. These enrollment methods ensure that the devices cannot be removed from management even if they are factory reset.
Windows 10 Devices
For iOS/iPadOS devices enrolled using other enrollment methods, users can be prevented from removing management by factory resetting the device by applying the Restrictions profile setting "Allow user to wipe device by erasing all content and settings". On Android devices, users can be prevented from removing the ME MDM app by navigating to Enrollment -> Android -> ME MDM App -> Allow user to remove ME MDM App.
Since these devices are personally owned, users cannot be completely prevented from revoking management, but the admin can be notified whenever a device is removed from management. Follow the steps given below to enable these notifications.
In addition to individual notifications, the admin can also view the devices that have not contacted the server for a period of time by navigating to Reports -> Inactive devices.
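As an added example (not part of this documentation or the product), the following script applies both checks above to an exported device list: it flags devices whose Remarks carry the "User has revoked management" message and devices that have not contacted the server within a threshold. The column names, date format and sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not a real MDM export); columns and date
# format are assumptions made for this example.
SAMPLE_EXPORT = """device,owner,last_contact,remarks
CORP-LAPTOP-01,corporate,2024-05-01,
CORP-PHONE-07,corporate,2024-04-20,User has revoked management
BYOD-PHONE-12,personal,2024-04-28,User has revoked management
BYOD-TABLET-03,personal,2024-03-15,
CORP-TABLET-09,corporate,2024-04-30,
"""

REVOKED_REMARK = "User has revoked management"


def flag_devices(export_text, now, inactive_days=14):
    """Return (revoked, inactive) as lists of (device, severity) tuples.

    revoked:  devices whose Remarks contain the revoked-management message;
              corporate-owned devices are 'high' because they must always be
              managed, personally owned devices are 'medium'.
    inactive: devices whose last contact is older than inactive_days.
    """
    revoked, inactive = [], []
    cutoff = now - timedelta(days=inactive_days)
    for row in csv.DictReader(io.StringIO(export_text)):
        severity = "high" if row["owner"] == "corporate" else "medium"
        if REVOKED_REMARK in row["remarks"]:
            revoked.append((row["device"], severity))
        last_seen = datetime.strptime(row["last_contact"], "%Y-%m-%d")
        if last_seen < cutoff:
            inactive.append((row["device"], severity))
    return revoked, inactive


def run_demo():
    """Run the checks against the sample export at a fixed reference date."""
    return flag_devices(SAMPLE_EXPORT, datetime(2024, 5, 2), inactive_days=14)


if __name__ == "__main__":
    rev, inact = run_demo()
    for dev, sev in rev:
        print(f"[{sev}] management revoked: {dev}")
    for dev, sev in inact:
        print(f"[{sev}] no contact for over 14 days: {dev}")
```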
It is also recommended to configure services and distribute enterprise apps only through MDM. Although MDM can be removed, removing it also removes the configurations and enterprise apps from the device, ensuring that users cannot access corporate data once management is revoked.
Conditional Exchange Access also allows organizations to keep their e-mail secure by ensuring that only enrolled devices get access to corporate e-mail.