[GH-ISSUE #4903] [Feature Request]:Off-boarding Wizard option-Account Only Remote Wipe Device #2304

New issue

Closed

opened 2026-03-02 13:51:15 +03:00 by kerem · 2 comments

kerem commented 2026-03-02 13:51:15 +03:00

Owner

Copy link

Originally created by @shinomen on GitHub (Nov 3, 2025).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4903

Please confirm:

• I have searched existing feature requests (open and closed) and found no duplicates.
• **me or my organization is currently an active sponsor of the product at the $99,- level.

Problem Statement

When off-boarding users there is currently an option that says "remove all mobile devices" but it's not clear if that is doing a remote data wipe on the device. It would be a great feature to include the option to do an "Account Only Remote Wipe Device" for all mobile devices when off-boarding a user.

Benefits for MSPs

This feature would improve security by removing company data from a device as part of the off-boarding process.

Value or Importance

It's critical to prevent left over residual data from remaining on a users mobile device when they are no longer part of the organization.

PowerShell Commands (Optional)

ChatGPT says:

<# 
.SYNOPSIS
Account-only remote wipe for all mobile devices on a single mailbox.

.NOTES
- Requires Exchange Online PowerShell (Connect-ExchangeOnline).
- "AccountOnly" = remove org mail/calendar/contacts from the device (no full device wipe).
- Works for EAS partnerships; Outlook iOS/Android honors selective wipe as well.
#>

param(
    [Parameter(Mandatory=$true)]
    [string]$UserPrincipalName,

    # Set -DryRun to see what would be wiped without sending commands.
    [switch]$DryRun
)

# 1) Connect (no-op if you’re already connected)
try {
    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        throw "ExchangeOnlineManagement module not found. Install-Module ExchangeOnlineManagement"
    }
    if (-not (Get-ConnectionInformation)) {
        Connect-ExchangeOnline -ShowBanner:$false | Out-Null
    }
} catch {
    Write-Error $_.Exception.Message
    break
}

# 2) Get all device partnerships on the mailbox
$devices = Get-EXOMobileDevice -Mailbox $UserPrincipalName -ResultSize Unlimited |
    Sort-Object DeviceType, DeviceModel

if (-not $devices) {
    Write-Host "No mobile devices found for $UserPrincipalName."
    return
}

Write-Host "Found $($devices.Count) devices for $UserPrincipalName.`n"

# 3) Issue Account-only wipe to each device
$results = foreach ($d in $devices) {
    $info = [ordered]@{
        User               = $UserPrincipalName
        Identity           = $d.Identity
        DeviceType         = $d.DeviceType
        DeviceModel        = $d.DeviceModel
        DeviceOS           = $d.DeviceOS
        AccessState        = $d.DeviceAccessState
        WipeRequestSent    = $false
        Error              = $null
    }

    if ($DryRun) {
        $info.WipeRequestSent = $false
        [pscustomobject]$info
        continue
    }

    try {
        # Fire the selective wipe (account-only)
        Clear-MobileDevice -Identity $d.Identity -AccountOnly -Confirm:$false
        $info.WipeRequestSent = $true
    }
    catch {
        $info.Error = $_.Exception.Message
    }

    [pscustomobject]$info
}

$results | Format-Table -AutoSize

# 4) (Optional) Quick verification snapshot
Write-Host "`nVerification snapshot (wipe request/ack where available):`n"
$verify = foreach ($d in $devices) {
    try {
        $stats = Get-EXOMobileDeviceStatistics -Identity $d.Identity -ErrorAction Stop
        [pscustomobject]@{
            Identity              = $d.Identity
            DeviceModel           = $d.DeviceModel
            DeviceOS              = $d.DeviceOS
            LastSuccessSync       = $stats.LastSuccessSync
            DeviceWipeRequestTime = $stats.DeviceWipeRequestTime
            DeviceWipeAckStatus   = $stats.DeviceWipeAckStatus
            DeviceWipeAckTime     = $stats.DeviceWipeAckTime
        }
    } catch {
        [pscustomobject]@{
            Identity              = $d.Identity
            DeviceModel           = $d.DeviceModel
            DeviceOS              = $d.DeviceOS
            LastSuccessSync       = $null
            DeviceWipeRequestTime = $null
            DeviceWipeAckStatus   = "Unknown"
            DeviceWipeAckTime     = $null
        }
    }
}
$verify | Format-Table -AutoSize

Originally created by @shinomen on GitHub (Nov 3, 2025). Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4903 ### Please confirm: - [x] **I have searched existing feature requests** (open and closed) and found no duplicates. - [x] **me or my organization is currently an active sponsor of the product at the $99,- level. ### Problem Statement When off-boarding users there is currently an option that says "remove all mobile devices" but it's not clear if that is doing a remote data wipe on the device. It would be a great feature to include the option to do an "Account Only Remote Wipe Device" for all mobile devices when off-boarding a user. ### Benefits for MSPs This feature would improve security by removing company data from a device as part of the off-boarding process. ### Value or Importance It's critical to prevent left over residual data from remaining on a users mobile device when they are no longer part of the organization. ### PowerShell Commands (Optional) ChatGPT says: ``` <# .SYNOPSIS Account-only remote wipe for all mobile devices on a single mailbox. .NOTES - Requires Exchange Online PowerShell (Connect-ExchangeOnline). - "AccountOnly" = remove org mail/calendar/contacts from the device (no full device wipe). - Works for EAS partnerships; Outlook iOS/Android honors selective wipe as well. #> param( [Parameter(Mandatory=$true)] [string]$UserPrincipalName, # Set -DryRun to see what would be wiped without sending commands. [switch]$DryRun ) # 1) Connect (no-op if you’re already connected) try { if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) { throw "ExchangeOnlineManagement module not found. Install-Module ExchangeOnlineManagement" } if (-not (Get-ConnectionInformation)) { Connect-ExchangeOnline -ShowBanner:$false | Out-Null } } catch { Write-Error $_.Exception.Message break } # 2) Get all device partnerships on the mailbox $devices = Get-EXOMobileDevice -Mailbox $UserPrincipalName -ResultSize Unlimited | Sort-Object DeviceType, DeviceModel if (-not $devices) { Write-Host "No mobile devices found for $UserPrincipalName." return } Write-Host "Found $($devices.Count) devices for $UserPrincipalName.`n" # 3) Issue Account-only wipe to each device $results = foreach ($d in $devices) { $info = [ordered]@{ User = $UserPrincipalName Identity = $d.Identity DeviceType = $d.DeviceType DeviceModel = $d.DeviceModel DeviceOS = $d.DeviceOS AccessState = $d.DeviceAccessState WipeRequestSent = $false Error = $null } if ($DryRun) { $info.WipeRequestSent = $false [pscustomobject]$info continue } try { # Fire the selective wipe (account-only) Clear-MobileDevice -Identity $d.Identity -AccountOnly -Confirm:$false $info.WipeRequestSent = $true } catch { $info.Error = $_.Exception.Message } [pscustomobject]$info } $results | Format-Table -AutoSize # 4) (Optional) Quick verification snapshot Write-Host "`nVerification snapshot (wipe request/ack where available):`n" $verify = foreach ($d in $devices) { try { $stats = Get-EXOMobileDeviceStatistics -Identity $d.Identity -ErrorAction Stop [pscustomobject]@{ Identity = $d.Identity DeviceModel = $d.DeviceModel DeviceOS = $d.DeviceOS LastSuccessSync = $stats.LastSuccessSync DeviceWipeRequestTime = $stats.DeviceWipeRequestTime DeviceWipeAckStatus = $stats.DeviceWipeAckStatus DeviceWipeAckTime = $stats.DeviceWipeAckTime } } catch { [pscustomobject]@{ Identity = $d.Identity DeviceModel = $d.DeviceModel DeviceOS = $d.DeviceOS LastSuccessSync = $null DeviceWipeRequestTime = $null DeviceWipeAckStatus = "Unknown" DeviceWipeAckTime = $null } } } $verify | Format-Table -AutoSize ```

kerem 2026-03-02 13:51:15 +03:00

• closed this issue
• added the
  enhancement
  no-priority
  no-activity
  not-assigned
  labels

kerem commented 2026-03-02 13:51:16 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Nov 14, 2025):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.

<!-- gh-comment-id:3530518060 --> @github-actions[bot] commented on GitHub (Nov 14, 2025): This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.

kerem commented 2026-03-02 13:51:16 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Nov 20, 2025):

This issue was closed because it has been stalled for 14 days with no activity.

<!-- gh-comment-id:3555455516 --> @github-actions[bot] commented on GitHub (Nov 20, 2025): This issue was closed because it has been stalled for 14 days with no activity.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

docs

dev

dependabot/npm_and_yarn/dev/uiw/react-json-view-2.0.0-alpha.42

dependabot/npm_and_yarn/dev/tanstack/react-query-persist-client-5.96.2

dependabot/npm_and_yarn/dev/mui-tiptap-1.30.0

dependabot/npm_and_yarn/dev/tanstack/react-query-devtools-5.96.2

dependabot/npm_and_yarn/dev/recharts-3.8.1

dependabot/github_actions/dev/actions/setup-node-6.4.0

copilot/add-alert-for-report-only-ca

release/beta

release/nightly

docs-maintenance

v10.4.0

v10.3.0

v10.2.0

v10.1.0

v10.0.0

v8.8.0

v8.7.0

v8.6.0

v8.5.0

v8.4.0

v8.3.0

v8.2.0

v8.1.0

v8.0.0

v7.5.0

v7.4.0

v7.3.0

v7.2.0

v7.1.0

v7.0.1

v6.4.0

v6.3.0

v6.2.0

v6.1.0

v6.0.0

v5.9.0

v5.8.5

v5.8.0

v5.7.0

v5.6.0

v5.5.0

v5.4.0

v5.3.0

v5.2.0

v5.1.0

v5.0.0

v4.9.0

v4.8.0

v4.7.0

v.4.6.0

v4.5.0

v4.4.0

v4.3.0

v4.2.0

v4.1.0

v4.0.0

v3.8.0

v3.7.0

v3.6.0

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.0

v2.20.0

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.13.0

v2.12.0

v2.11.2

v2.1.11.0

v.2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.0

v2.5.5

v2.5.0

v2.4.0

v.2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

2.0.0

v1.5.1

v1.5.0

v1.4.3

v1.4.2

v1.4.0

v1.3.0

v1.2.1

v1.2.0

1.1.0

release

Labels

Clear labels   

API

  

Feature

  

NotABug

  

NotABug

  

Planned

  

Sponsor Priority

  

Sponsor Priority

  

bug

  

documentation

  

duplicate

  

enhancement

  

needs more info

  

no-activity

  

no-priority

  

not-assigned

  

pull-request

Mirrored from GitHub Pull Request

  

react-conversion

  

react-conversion

  

roadmap

  

security

  

stale

  

unconfirmed-by-user

  

unconfirmed-by-user

  

wontfix

No labels

API

Feature

NotABug

NotABug

Planned

Sponsor Priority

Sponsor Priority

bug

documentation

duplicate

enhancement

needs more info

no-activity

no-priority

not-assigned

pull-request

react-conversion

react-conversion

roadmap

security

stale

unconfirmed-by-user

unconfirmed-by-user

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/CIPP#2304

No description provided.