|

How to Disable “Erase All Content and Settings” on Supervised iPhones and iPads with Intune

ByTechieGeek

Guide to Disabling the Erase All Content Option on Supervised Devices using Intune

On corporate iPhones and iPads, the Erase All Content and Settings option can be a problem:

  • Users can wipe the device without IT knowing.
  • The device can fall out of Intune and Entra ID management.
  • You lose audit trail and compliance until it’s re-enrolled.

If your iOS/iPadOS devices are supervised and managed by Microsoft Intune, you can block this option with a device restriction policy. When configured, Settings > General > Transfer or Reset iPhone/iPad > Erase All Content and Settings becomes disabled (greyed out) for users.

This guide walks through:

  • When you should block Erase All Content
  • Requirements and notes
  • How to configure the restriction in Intune (Device restrictions and Settings catalog)
  • How to assign and verify the policy on devices
  • Tips for rollout and troubleshooting

When Should You Block “Erase All Content”?

You’ll usually disable this option on:

  • Corporate-owned iPhones and iPads
  • Shared devices (shift workers, frontline, kiosks, labs, exam devices)
  • Devices used for line-of-business apps where re-enrollment is controlled by IT

You may allow it on:

  • BYOD (personally owned) where the user owns the hardware
  • Pilot devices for testing where you often wipe and re-enroll

The setting only applies to supervised devices. If the device is not supervised, the restriction does nothing.

Prerequisites

Before you start:

  1. Intune licensing
    • Devices must be enrolled in Intune using an eligible license (e.g., Microsoft 365 Business Premium, E3/E5, EMS, or Intune Plan licenses).
  2. Supervised iOS/iPadOS devices
    • Devices must be supervised (typically via Apple Business Manager / Apple School Manager with Automated Device Enrollment or Apple Configurator).
  3. iOS/iPadOS enrollment in Intune
    • Devices should already be enrolled and showing under Devices > iOS/iPadOS in the Intune admin center.
  4. A security group for target devices
    • Create an Entra group for your corporate iOS/iPadOS devices so you can assign the policy cleanly.

Option 1 – Use the Built-In iOS/iPadOS Device Restrictions Profile

This is the simplest method and is enough for most tenants.

Step 1 – Create a New Device Restrictions Profile

  1. Go to the Intune admin center.
  2. Navigate to Devices > iOS/iPadOS > Configuration profiles.
  3. Click + Create profile.
  4. Platform: iOS/iPadOS.
  5. Profile type: Templates.
  6. Template name: Device restrictions.
  7. Click Create.

Give the profile a clear name, for example:

iOS – Block Erase All Content – Supervised Devices

Add an optional description like:

“Blocks ‘Erase All Content and Settings’ on supervised corporate iPhones/iPads.”

Step 2 – Configure the Erase All Content Restriction

On the Configuration settings page:

  1. Expand the General section (or search within the settings pane).
  2. Find the setting:
    Erase all content and settings (supervised only)
  3. Set it to Block.

You can leave other options at default unless you’re configuring more restrictions for the same profile.

Click Next to continue.

Step 3 – Assign the Profile to the Right Devices

  1. On the Assignments page, choose Add groups.
  2. Select the device group that contains your supervised corporate iOS/iPadOS devices.
  3. Click Select, then Next.
  4. Review and click Create.

The profile will now deploy to those devices.

Option 2 – Use the Settings Catalog (More Granular Profiles)

If you prefer the Settings catalog, you can configure the same restriction there.

Step 1 – Create a Settings Catalog Profile

  1. In the Intune admin center, go to Devices > iOS/iPadOS > Configuration profiles.
  2. Click + Create profile.
  3. Platform: iOS/iPadOS.
  4. Profile type: Settings catalog.
  5. Click Create.
  6. Name it, for example:
    iOS – Settings Catalog – Disable Erase All Content (Supervised).

Click Next.

Step 2 – Add the Restriction Setting

  1. Click + Add settings.
  2. In the search box, type:
    erase all content or erase
  3. Look for the setting under something like:
    Device Experience or Restrictions (names vary slightly by UI revision).
  4. Add the setting Erase all content and settings (supervised only) to the profile.
  5. Set the toggle to Block.

Click Next when done.

Step 3 – Assign the Profile

Assign the profile to your supervised device group in the Assignments step, then create the profile.

What Users See on the Device

After the device receives and applies the policy:

  1. On the iPhone/iPad, go to:
    Settings > General > Transfer or Reset iPhone/iPad.
  2. Tap Erase All Content and Settings.

When the policy is in effect:

  • The option should be greyed out or blocked.
  • A message may indicate that the action is restricted by the organization.

Users will still be able to:

  • Reset network settings
  • Reset home screen layout
  • Other non-erase reset options (depending on your other restrictions)

But they cannot perform a full wipe from the UI.

How to Verify Policy Application in Intune

1. Check Device Configuration Status

  1. In Intune, go to Devices > iOS/iPadOS > Configuration profiles.
  2. Select your Erase All Content profile.
  3. Click Device status or Per-setting status.

Make sure:

  • Most devices show Succeeded.
  • No large number of Error or Pending entries.

2. Confirm on a Test Device

Always test directly:

  1. Take a test supervised iPhone/iPad in the targeted group.
  2. Force a sync: Settings > Accounts (or Intune Company Portal, if used) > Sync.
  3. Wait a few minutes, then check Transfer or Reset iPhone/iPad.
  4. Confirm Erase All Content and Settings is blocked.

Tips, Edge Cases, and Best Practices

1. BYOD vs Corporate Devices

  • Do not target this restriction to personally owned BYOD devices managed with App Protection Policies only.
  • This guide is for supervised, corporate-owned devices.

2. Combine with Other Restrictions

You can bundle this setting into a broader “Corporate iOS Baseline” profile, including:

  • Disallowing user-enrollment removal (where applicable).
  • Blocking App Store or iCloud changes.
  • Restricting account modification, etc.

Be careful not to cram too much into one profile if you want clear troubleshooting later.

3. Staged Rollout

Roll out in phases:

  1. IT pilot group.
  2. One department / location.
  3. Full corporate fleet.

This way, if any app or workflow unexpectedly expects a full wipe from users, you catch it early.

4. Document the Process for Helpdesk

Make sure your support docs say:

  • Users can’t erase devices themselves.
  • They must contact IT when:
    • Leaving the company.
    • Reassigning a device.
    • Troubleshooting serious issues.

IT can then:

  • Use Intune > Devices > [device] > Wipe to reset the device in a controlled way.

Summary

Disabling the Erase All Content and Settings option on supervised iOS/iPadOS devices is a small but important control for corporate fleets:

  • It stops users from wiping devices on their own.
  • It keeps Intune and Entra enrollments intact until IT decides to wipe.
  • It reduces the risk of lost devices silently resetting to a “clean” state.

With Windows 11 and your existing Intune setup, the steps are simple:

LinkedInCopyPinterestRedditTelegramChatGPTSMS

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *