RAC(Remove apps and configuration) - The "Undo Button" for Intune

Frustrated by time-consuming troubleshooting on managed mobile devices? No more troubleshooting headaches! Microsoft Intune's recently launched Remove apps and configuration (RAC) feature empowers IT admins to streamline the troubleshooting process for managed mobile devices. Suspect a specific app is causing problems? RAC allows for its temporary removal from a device to isolate the issue. Need to pinpoint a troublesome configuration setting? Simply remove it temporarily with RAC and see if the problem persists.

Here's the beauty of RAC: removed items are automatically restored to the device within 8-24 hours. This ensures your devices stay compliant with your organization's security policies without requiring manual intervention. This translates to significant time savings and freed-up resources for your IT team.

What is Remove Apps and Configuration?

Remove apps and configuration is a single-device action in Microsoft Intune that allows administrators to temporarily uninstall applications or remove configuration items from a device. This feature is designed to help resolve issues that occur outside of Intune, quickly restoring end-user productivity.

Key Features

1. Temporary Removal: Admins can remove apps and configurations with the option to restore them later.
2. Automatic Restoration: If not manually restored, removed items automatically return to the device within 8-24 hours.
3. Platform Support: Currently available for iOS/iPadOS and Android dedicated devices, fully-managed, and corporate-owned work profile devices.
4. Comprehensive Coverage: Supports Intune-delivered applications and a wide range of configuration profiles.

Supported items

1. iOS/iPadOS devices:
   1. Any Intune delivered application
   2. Profile type, Settings catalog: All
   3. Profile types:
      1. Custom
      2. Devices features
      3. Device restrictions
      4. Email
      5. PKCS certificate
      6. PKCS import certificate
      7. SCEP certificate
      8. Trusted certificate
      9. VPN
      10. Wi-Fi
2. Android devices:
   1. Any Intune delivered application
   2. Profile types:
      1. Device restrictions
      2. PKCS certificate
      3. PKCS import certificate
      4. SCEP certificate
      5. Trusted certificate
      6. VPN
      7. Wi-Fi

How It Works

• Initiation:
  • Sign in to the Microsoft Intune admin center.
  • Select Devices, and then select All devices or the device platform.

• From the list of devices you manage, select a supported device (eg. iOS/iPadOS).
• From the buttons, choose Remove apps and configuration. Use the ⋯ overflow menu.

• Selection:
  • Select + Add, then select the type of item to remove; Configuration Item or App.

• Review and Remove:
  • The list of selected items is displayed for review; add or delete using the check boxes and header controls. When satisfied with the item list, select Next.

• The Review + Remove page is displayed for review, when ready to initiate the remove action, select Remove

• Monitoring:
  • After the action is initiated, you'll be directed to the Monitor and restore page.
  • The Remove action is initiated for devices that are powered and actively connected to an internet-enabled network; the selected items are removed as soon as possible.
  • After you initiate the Remove apps and configuration action on a device, the Status column of the Overview page displays the status of the action. The status is updated as the action progresses.

1. Restoration:
   1. Removed items are automatically restored to devices in 8-24 hours in cases where an admin does not initiate a Restore action to ensure that devices remain consistent with assignment intents.

Behind the Scenes: Graph API Calls and iOS Logs

We just navigated through the process of removing apps and configurations from the Intune console, seeing how straightforward it can be from the administrator’s perspective. Now, let’s delve deeper into the rabbit hole and uncover the intricate details and magic happening behind the scenes. This includes examining the specific Graph API calls that Intune makes to manage these actions and exploring the corresponding logs generated on iOS devices, providing a comprehensive understanding of how these processes are executed and tracked.

Step 1: Retrieve All Installed Apps

GET https://graph.microsoft.com/beta/users('xxxxx')/mobileAppIntentAndStates('eda9809a-35bd-49bc-9bdb-b9e017785c7e')

Response:

{
    "id": "a87b42f4-fb24--c11f8ac7a782",
    "managedDeviceIdentifier": "eda9809a--b9e017785c7e",
    "userId": "783a2608-104b-486d-90c3-157ea88ce73e",
    "mobileAppList": [
        {
            "applicationId": "474eebe1-2691-4837-828b-dad25afe885b",
            "displayName": "Microsoft Outlook",
            "mobileAppIntent": "requiredInstall",
            "installState": "installed"
        },
        {
            "applicationId": "5bbb253d-974b-4ccb-ad7f-63206a44549b",
            "displayName": "Intune Company Portal",
            "mobileAppIntent": "requiredInstall",
            "installState": "installed"
        },
        {
            "applicationId": "bda2e243-8e7f-4ff0-ba12-55ddf5c6cd5d",
            "displayName": "Microsoft Word",
            "mobileAppIntent": "requiredInstall",
            "installState": "installed"
        },
        {
            "applicationId": "294f7356-25a7-42c4-a90d-92c2100f10e2",
            "displayName": "Microsoft Authenticator",
            "mobileAppIntent": "requiredInstall",
            "installState": "installed"
        },
        {
            "applicationId": "ea95a2b2-a2fd-4723-b952-50919a81ae65",
            "displayName": "Microsoft Defender: Security",
            "mobileAppIntent": "requiredInstall",
            "installState": "installed"
        },
        {
            "applicationId": "5dd3596c-8e53-49c4-9c63-0da83f15085c",
            "displayName": "Adobe Acrobat Reader: Edit PDF",
            "mobileAppIntent": "requiredInstall",
            "installState": "installed"
        },
        {
            "applicationId": "378d9604-9d2d-46db-a904-7bc77ccf3745",
            "displayName": "Microsoft OneDrive",
            "mobileAppIntent": "requiredInstall",
            "installState": "installed"
        },
        {
            "applicationId": "e1e87236-4af7-4e8d-bd25-37ffbd8d73a6",
            "displayName": "Microsoft Teams",
            "mobileAppIntent": "requiredInstall",
            "installState": "installed"
        }
    ]
}

The response includes detailed information about each installed application, such as the application ID, display name, and installation state.

Step 2: Remove an App

When you removes an app, the following API call is initiated:

POST https://graph.microsoft.com/beta/deviceManagement/managedDevices('eda9809a-35bd-b9e017785c7e')/changeAssignments

This call changes the assignment of the app, indicating that it should be removed.

Response:

{
    "managementState": "managed",
    "deviceActionResults": [
        {
            "actionName": "changeAssignments",
            "actionState": "active",
            "startDateTime": "2024-07-29T09:02:12.5819891Z",
            "deviceAssignmentItems": [
                {
                    "itemId": "5dd3596c-8e53-49c4-9c63-0da83f15085c",
                    "itemType": "application",
                    "itemDisplayName": "Adobe Acrobat Reader: Edit PDF",
                    "assignmentItemActionIntent": "remove",
                    "assignmentItemActionStatus": "inProgress"
                }
            ]
        }
    ]
}

The response details the action status, showing the app is being removed.

Step 3: Confirm App Removal

After the app removal process is initiated, a follow-up API call checks the status:

GET https://graph.microsoft.com/beta/deviceManagement/managedDevices('eda9809a-35bd-b9e017785c7e')?$select=deviceactionresults,managementstate,lostModeState,deviceRegistrationState,ownertype

Response:

The response confirms that the app has been removed.

{
    "managementState": "managed",
    "deviceActionResults": [
        {
            "actionName": "changeAssignments",
            "actionState": "active",
            "startDateTime": "2024-07-29T09:02:12.5819891Z",
            "deviceAssignmentItems": [
                {
                    "itemId": "5dd3596c-8e53-0da83f15085c",
                    "itemType": "application",
                    "itemDisplayName": "Adobe Acrobat Reader: Edit PDF",
                    "assignmentItemActionIntent": "remove",
                    "assignmentItemActionStatus": "removed"
                }
            ]
        }
    ]
}

Corresponding iOS Logs

When an app is removed, the iOS device generates detailed logs. Below are logs that correspond to the removal of the Adobe Acrobat Reader app:

• Initiating Removal:

default mdmd Starting MDM power assertion with reason: mdmd-Request-RemoveApplication

default mdmd Processing command UUID: BE80C17A-A331-4C09-8021-2BE03010EBA0

default mdmd Attempting to perform Supervised request: RemoveApplication

• Handling Removal Request:

default mdmd Handling request type: RemoveApplication

default dmd Fetch apps with bundle ids: ("com.adobe.Adobe-Reader"), store item id: (null)

default dmd Received request: <DMFRemoveAppRequest: 0x73888dae0>, from client

• Performing Removal:

default dmd Operation will start: <DMDRemoveAppOperation: 0x73887dde0 

default dmd Get bundle identifier for request: <DMFRemoveAppRequest: 0x73888dae0>

default dmd Start uninstalling app with bundle identifier: com.adobe.Adobe-Reader

default dmd Remove app with bundle identifier: com.adobe.Adobe-Reader

• Completion:

default mdmd Removed app “com.adobe.Adobe-Reader”.

default mdmd Command Status: Acknowledged

default mdmd Ending MDM power assertion with reason: mdmd-Request-RemoveApplication

These logs show the sequence of events on the iOS device, matching the actions initiated by the Graph API calls from the Intune console. This detailed look at the process helps in understanding the backend operations that make Intune a powerful tool for device and application management.

Conclusion

The Remove apps and configuration feature in Microsoft Intune offers a flexible and powerful tool for IT administrators to troubleshoot and manage devices more effectively. By allowing temporary removal of apps and configurations with automatic safeguards, Intune continues to evolve to meet the complex needs of modern device management.

As with any powerful tool, use this feature judiciously and always in accordance with your organization's policies and best practices for device management.