
How to securely disenroll devices from endpoint management platforms?

Device lifecycle management is incomplete without a secure retirement strategy. This Secure Device Offboarding Protocol provides IT administrators with a technical framework to disenroll devices from Hexnode UEM without compromising data security or leaving endpoints in an unstable state.

Whether a device is being retired, repurposed, or returned, executing a structured disenrollment ensures that corporate data is wiped while personal data remains intact where appropriate.

Phase 1: Impact Analysis

Before initiating the command to disenroll devices, administrators must understand the immediate consequences on the endpoint configuration. Disenrollment strips the device of its management profile, reverting it to an unmanaged state.

1. Configuration & Access Loss

  • Hexnode Email App: The associated email account and all cached data are immediately removed.
  • Hexnode Access: Identity configurations are erased, revoking access to cloud apps and corporate accounts.
  • Security Policies: All restrictions (e.g., camera blocks, password complexity) are lifted immediately.

2. Application Removal Behavior

The behavior of installed applications upon disenrollment varies significantly by Operating System.

Platform           | App Removal Behavior
iOS / macOS        | All apps installed via the Hexnode portal are automatically removed.
Android / Windows  | Apps are removed only if the “Remove apps from the device on policy removal” option was enabled in the specific policy. Otherwise, apps (including the Hexnode agent) remain and require manual uninstallation.

Phase 2: Pre-Offboarding Checklist

To prevent data loss or “bricking” a device, complete these steps before sending the disenrollment command.

  • Audit Asset Inventory: Cross-reference the device’s Serial Number and Device ID with your internal inventory. This prevents accidental disenrollment of the wrong active device.
  • Resolve Kiosk State: Critical Warning: If a device is in Kiosk Mode and goes offline or enters a “Pending” disenrollment state, it may remain locked in Kiosk Mode indefinitely. Always exit Kiosk Mode before disenrolling.
  • Data Backup: Disenrollment triggers a corporate wipe. Ensure essential corporate documents or app-specific files are backed up to a secure cloud repository if they need to be retained.
  • User Communication: Notify the user. Disruptions will be immediate: Wi-Fi profiles may be deleted, cutting internet access, and business apps will disappear.

Phase 3: Execution Strategy (Wipe & Disenroll)

When you disenroll devices, you must choose the appropriate level of data erasure based on the device’s future destination.

Level 1: Corporate Wipe (BYOD / Data Separation)

Standard disenrollment automatically triggers a Corporate Wipe.

  • Scope: Removes only corporate data, managed apps, Wi-Fi configurations, and VPN profiles.
  • Outcome: Personal photos, emails, and unmanaged apps remain untouched.
  • Use Case: Employee leaving the company with their personal device (BYOD).

Level 2: Complete Wipe (Repurposing / Lost Devices)

For corporate-owned devices, a Complete Wipe restores the device to factory settings.

  • Scope: Erases all data, including personal files, OS settings, and the entire file system.
  • Outcome: Device returns to the “Hello” setup screen.
  • Use Case: Reassigning a device to a new employee or retiring an asset.

Handling “Pending” States

If a device is offline or inactive, the disenrollment status may remain “Pending.”

  • Mark as Disenrolled: You can force the status to “Disenrolled” in the portal to free up the license slot immediately.
  • Caveat: Once marked as disenrolled, the server stops communicating with the device. If the device comes back online later, it may not receive the wipe command immediately if its enrollment token has been invalidated.
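The pre-offboarding checks from Phase 2 and the wipe-level decision from Phase 3 can be applied mechanically before any command is sent. The following is an added example, not Hexnode code; the CSV columns, the asset register and the serials are constructed, and a real run would read the portal's own export instead.

```python
import csv
from io import StringIO

# Constructed sample: a pre-offboarding snapshot of the devices an admin intends
# to disenroll. Column names are assumptions, not a Hexnode export format.
DEVICE_SNAPSHOT = """serial,device_id,platform,ownership,kiosk_mode,online
SN-A1001,1001,iOS,corporate,no,yes
SN-B2002,2002,Android,byod,no,no
SN-C3003,3003,Android,corporate,yes,yes
SN-D4004,4004,macOS,corporate,no,yes
"""

# Constructed internal asset register: only serials listed here are approved
# for offboarding. SN-D4004 is deliberately absent to model an inventory mismatch.
APPROVED_SERIALS = {"SN-A1001", "SN-B2002", "SN-C3003"}


def load_snapshot(text):
    return list(csv.DictReader(StringIO(text)))


def plan_disenrollment(devices, approved_serials):
    """Return {serial: decision}; a device is BLOCKed until every Phase 2 check passes."""
    plan = {}
    for d in devices:
        blockers = []
        if d["serial"] not in approved_serials:
            blockers.append("serial not in inventory: possible wrong device")
        if d["kiosk_mode"] == "yes":
            blockers.append("exit Kiosk Mode first: device could lock indefinitely")
        if blockers:
            plan[d["serial"]] = {"action": "BLOCK", "reasons": blockers}
            continue
        # Ownership decides the erasure level: Level 1 for BYOD, Level 2 for corporate-owned.
        wipe = "corporate_wipe" if d["ownership"] == "byod" else "complete_wipe"
        notes = []
        if d["online"] == "no":
            notes.append("offline: status will sit in Pending until the device checks in")
        plan[d["serial"]] = {"action": wipe, "reasons": notes}
    return plan


if __name__ == "__main__":
    plan = plan_disenrollment(load_snapshot(DEVICE_SNAPSHOT), APPROVED_SERIALS)
    for serial, decision in plan.items():
        print(serial, decision["action"], "; ".join(decision["reasons"]))
```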

Phase 4: Re-enrollment Behaviors

Understanding how a device behaves after a wipe is crucial for preventing unauthorized re-enrollment or ensuring seamless redeployment.

Enrollment Type            | Post-Wipe Behavior
Standard / Rooted Android  | Requires manual re-enrollment.
Unsupervised iOS/macOS     | Requires manual re-enrollment.
Apple ADE (DEP)            | Auto Re-enrollment: Device will force enrollment into Hexnode upon connecting to the internet during setup.
Samsung Knox / Zero-Touch  | Auto Re-enrollment: Device pulls the Hexnode profile automatically after factory reset.
Android Device Owner       | Must be factory reset after disenrollment to allow enrollment into a new MDM.

Phase 5: Post-Offboarding Verification

After the command to disenroll devices is executed:

  • Generate Reports: Use the Hexnode Reports tab to export a final PDF/CSV record of the device’s compliance status and app list for audit trails.
  • Verify Status: Check the “Disenrolled Devices” report to confirm the action was successful and not stuck in “Pending.”
  • License Management: Confirm that the license slot has been freed for new inventory.
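The verification step can be run over the exported “Disenrolled Devices” report to separate completed disenrollments from devices stuck in “Pending” and to count the license slots actually freed. This is an added example, not Hexnode code; the report columns and rows are constructed, and the five-day staleness threshold is an assumed policy value.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample standing in for a CSV export of the "Disenrolled Devices"
# report. Column names are assumptions, not Hexnode's export schema.
REPORT_CSV = """serial,status,requested_on,last_seen
SN-A1001,Disenrolled,2024-05-02,2024-05-02
SN-B2002,Pending,2024-05-02,2024-04-28
SN-C3003,Pending,2024-05-09,2024-05-09
SN-D4004,Disenrolled,2024-05-03,2024-05-03
"""


def verify_offboarding(report_text, today_iso, stale_after_days=5):
    """Split the report into completed, recently pending and stale pending devices.

    A device still Pending longer than stale_after_days needs follow-up: it has not
    checked in, so the wipe has not run and the license slot is still occupied.
    """
    today = date.fromisoformat(today_iso)
    result = {"disenrolled": [], "pending": [], "stale_pending": []}
    for row in csv.DictReader(StringIO(report_text)):
        if row["status"] == "Disenrolled":
            result["disenrolled"].append(row["serial"])
            continue
        age = (today - date.fromisoformat(row["requested_on"])).days
        if age > stale_after_days:
            result["stale_pending"].append((row["serial"], age))
        else:
            result["pending"].append(row["serial"])
    return result


def licenses_freed(result):
    """Only a device that reached Disenrolled status has released its license slot."""
    return len(result["disenrolled"])


if __name__ == "__main__":
    outcome = verify_offboarding(REPORT_CSV, "2024-05-10")
    print("completed:", outcome["disenrolled"])
    print("still pending:", outcome["pending"])
    print("stale, follow up:", outcome["stale_pending"])
    print("license slots freed:", licenses_freed(outcome))
```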

Frequently Asked Questions

Q1. What happens if we disenroll a device that is currently offline?

A. The device status will be shown as “Pending”. The disenrollment (and corporate wipe) will only be executed once the device reconnects to the internet and checks in with the Hexnode server.

Q2. Does disenrolling a device delete the user from the Hexnode portal?

A. No. Disenrolling a device only removes the device-to-server link. The user account remains in the portal.

Q3. Can we recover data after a Corporate Wipe?

A. Generally, no. Once the corporate container is removed, managed data (like emails in the Hexnode Email app) is deleted. This is why a Data Backup is a critical pre-offboarding step.
