# Optional diagnostic data from Intune Client apps
34
34
35
35
Intune collects various optional data to detect, diagnose, and fix problems from users through various Intune client apps. These optional diagnostic data we collect help to proactively detect problems in your organization so they can be addressed before they become an issue. Intune client apps include:
36
+
36
37
- iOS/iPadOS Company Portal
37
38
- macOS Company Portal
38
39
- Windows Company Portal
@@ -43,63 +44,65 @@ Intune collects various optional data to detect, diagnose, and fix problems from
43
44
- Android Mobile App Management (MAM)
44
45
45
46
The optional data collected from clients aren't required to successful run Intune services. The data collected helps:
47
+
46
48
- Provides enhanced information to help us proactively detect, diagnose, and fix issues.
47
49
- Makes product and service improvements.
48
50
49
-
50
51
## Data collected
51
52
52
53
Optional diagnostic data collected by Intune client apps may cover the following areas:
53
54
54
55
- Microsoft-generated user information
55
-
- Azure AD User ID
56
-
- Device ID
57
-
- Correlation ID
58
-
- App Session ID
59
-
- User Session ID
56
+
- Azure AD User ID
57
+
- Device ID
58
+
- Correlation ID
59
+
- App Session ID
60
+
- User Session ID
60
61
- Admin and account information
61
-
- Tenant ID
62
-
- Azure AD tenant ID
62
+
- Tenant ID
63
+
- Azure AD tenant ID
63
64
- Hardware and software information
64
-
- Device OS version
65
-
- Device model
66
-
- Device make
67
-
- Application ID
68
-
- User language
69
-
- User time zone
65
+
- Device OS version
66
+
- Device model
67
+
- Device make
68
+
- Application ID
69
+
- User language
70
+
- User time zone
70
71
- Service events and error information
71
-
- Enrollment event
72
-
- Failure event
73
-
- Network failure
74
-
- Runtime failure
75
-
- Task schedule failure
76
-
- Enrollment failure
77
-
- Azure AD authentication failure
78
-
- Crash report
79
-
- Consent state
80
-
- Compliance status
81
-
- Policy status
72
+
- Enrollment event
73
+
- Failure event
74
+
- Network failure
75
+
- Runtime failure
76
+
- Task schedule failure
77
+
- Enrollment failure
78
+
- Azure AD authentication failure
79
+
- Crash report
80
+
- Consent state
81
+
- Compliance status
82
+
- Policy status
82
83
- Company Portal events
83
-
- Company Portal error
84
-
- Company Portal page action
85
-
- Company Portal page view
86
-
- Company Portal version
84
+
- Company Portal error
85
+
- Company Portal page action
86
+
- Company Portal page view
87
+
- Company Portal version
87
88
- Performance measurement
88
-
- Duration
89
-
- Response time
90
-
89
+
- Duration
90
+
- Response time
91
91
92
92
## Data not collected
93
+
93
94
The data do not include any customer information, like:
94
-
- Device name.
95
-
- Phone number.
96
-
- Contents to the user’s files or photo.
97
95
96
+
- Device name
97
+
- Phone number
98
+
- Contents to the user’s files or photo.
98
99
99
100
## Turn off data collection
100
-
We think there are compelling reasons for people to share this optional data. All optional diagnostic data Microsoft collects during the use of any Microsoft 365 Apps for enterprise applications and services is pseudonymized as defined in the ISO/IEC 19944-1:2020 (section 8.3.3) standard.
101
-
Users can [turn off usage data collection](../user-help/turn-off-microsoft-usage-data-collection-android.md) for their individual devices.
102
101
102
+
We think there are compelling reasons for people to share this optional data. All optional diagnostic data Microsoft collects during the use of any Microsoft 365 Apps for enterprise applications and services is pseudonymized as defined in the ISO/IEC 19944-1:2020 (section 8.3.3) standard.
103
+
104
+
Users can [turn off usage data collection](../user-help/turn-off-microsoft-usage-data-collection-android.md) for their individual devices.
103
105
104
106
## Next steps
107
+
105
108
[Find out more about data collection in Intune.](privacy-data-collect.md)
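Review bot: In the "Data not collected" list, the added items drop the trailing period from "Device name" and "Phone number" but keep it on "Contents to the user’s files or photo.", so the list is now punctuated inconsistently. Drop the last period as well, and consider "Contents of the user's files or photos" while the line is being touched. In the context line above the first list, "aren't required to successful run Intune services" should read "successfully run". The "turn off usage data collection" link points at an Android-specific article (turn-off-microsoft-usage-data-collection-android.md) although this page also lists iOS/iPadOS, macOS and Windows clients; either say the link covers Android only or link the other platforms' articles too.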
When any of the following Apple services are enabled on a device, Microsoft Intune establishes a connection with Apple to share user and device information:
39
37
40
38
-[Apple Device Enrollment Program (DEP)](../enrollment/device-enrollment-program-enroll-ios.md)
@@ -112,5 +110,4 @@ The following table lists the data that an Apple device sends to Intune. [Intune
112
110
|[VPP](https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/5-Web_Service_Protocol_VPP/webservice.html#//apple_ref/doc/uid/TP40017387-CH8-SW1)| Apple Business Manager location token | url | The iTunes store URL of an app.|
113
111
|[VPP](https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/5-Web_Service_Protocol_VPP/webservice.html#//apple_ref/doc/uid/TP40017387-CH8-SW1)| Apple Business Manager location token | User Status | The user status in apple VPP programs. |
114
112
115
-
116
113
To stop using Apple services with Microsoft Intune and delete the data, you must both disable the Microsoft Intune Apple token and also delete your Apple account. Refer to Apple account how to perform account management.
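Review bot: The closing context line, "Refer to Apple account how to perform account management.", is ungrammatical and carries no link. Since this hunk is already tidying the spacing directly above it, reword it in the same change (for example, "See Apple's account documentation for how to manage or delete the account") and capitalize "apple VPP programs" in the last table row.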
When Android enterprise device management is enabled on a device, Microsoft Intune establishes a connection with Google and user and device information is shared between Intune and Google. Before Microsoft Intune can establish a connection, you must create a Google account.
38
36
39
-
The following table lists the data that Google sends to Intune when device management is enabled on a device:
40
-
37
+
The following table lists the data that Google sends to Intune when device management is enabled on an Android device:
41
38
42
39
| Data Google sends to Intune | Details | Used for | Example |
43
40
|:---:|:---:|:---:|:---:|
44
41
| Enterprise data | Customer's enterprise identifiers in Google. | Links the customer's information between Intune and Google. |**enterpriseId** example: LC04eik8a6.<br>**Name**. The Administrator name as entered when configuring Android enterprise. Example: Joe Smith.<br>**Admin email**. [email protected] that was used when configuring Android enterprise. |
45
42
| Application data | Data for managed Play Store applications. | Targeting the application to users or devices as available or required. |**Application Name** example: Contoso Warehouse Inventory Application.<br>**Unique Identifier to represent application** example: app:com.Contoso.Warehouse.InventoryTracking |
46
43
| Service account | Unique internal Google service account for use with specific customer calls. | Used for making calls into Google on the customer behalf (to view apps, devices, and more) |**Name** example: [email protected].<br>**Keys** example: ServiceAccountPassword |
47
44
48
-
49
-
To stop using Android enterprise device management with Microsoft Intune and delete the data, you must both disable the Microsoft Intune Android enterprise device management and also delete your Google account. Refer to Google account how to perform account management.
50
-
51
-
45
+
To stop using Android enterprise device management with Microsoft Intune and delete the data, you must both disable the Microsoft Intune Android enterprise device management and also delete your Google account. Refer to Google account how to perform account management.
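Review bot: The re-added closing paragraph keeps "Refer to Google account how to perform account management." unchanged, which is ungrammatical and gives the reader nothing to follow; reword it and link the Google account help page. The intro was narrowed to "enabled on an Android device", but the companion article on data sent from Intune to Google still says "enabled on a device", so the two pages now disagree on wording.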
When any of the following Apple services are enabled on a device, Microsoft Intune establishes a connection with Apple and shares user and device information with Apple:
36
+
When any of the following Apple services are enabled on a device, Microsoft Intune establishes a connection with Apple and shares user and device information with Apple:
39
37
40
38
-[Apple Device Enrollment Program (DEP)](../enrollment/device-enrollment-program-enroll-ios.md)
When Android enterprise device management is enabled on a device, Microsoft Intune establishes a connection with Google and shares user and device information with Google. Before Microsoft Intune can establish a connection, you must create a Google account.
38
36
39
37
The following table lists the data that Microsoft Intune sends to Google when device management is enabled on a device:
@@ -49,7 +47,4 @@ The following table lists the data that Microsoft Intune sends to Google when de
49
47
| Application Data | Originated in Intune when saving application policy. || Application Name string. Example: app:com.microsoft.windowsintune.companyportal |
50
48
| Enterprise Service Account | Originated in Google upon Intune request. | Used for authentication between Intune and Google for transactions involving this customer. | There are several parts:<br> **Enterprise Id**: documented previously.<br>**UPN**: generated UPN used in authentication on behalf of customer.<br>Example: w49d77900526190e26708c31c9e8a0@pfwp-commicrosoftonedfmdm2.google.com.iam.gserviceaccount.com<br>**Key**: Base64 encoded blob used in auth requests, stored encrypted in the service, but this is what the blob looks like:<br> Unique Identifier to represent the customer's key<br>Example: a70d4d53eefbd781ce7ad6a6495c65eb15e74f1f |
51
49
52
-
53
-
To stop using Android enterprise device management with Microsoft Intune and delete the data, you must both disable the Microsoft Intune Android enterprise device management and also delete your Google account. Refer to Google account how to perform account management.
54
-
55
-
50
+
To stop using Android enterprise device management with Microsoft Intune and delete the data, you must both disable the Microsoft Intune Android enterprise device management and also delete your Google account. Refer to Google account how to perform account management.
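Review bot: The "Application Data" row in the context above has an empty "Used for" cell (the `||` between the second and fourth columns), and the "Key" description in the "Enterprise Service Account" row says "this is what the blob looks like:" and then continues with "Unique Identifier to represent the customer's key", which reads as two descriptions run together. This hunk only removes blank lines around the closing paragraph, so both cells are worth fixing in the same pass.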
When you use [Jamf Pro](https://www.jamf.com) to manage your end-users Macs
37
-
with Intune, Jamf Pro captures inventory information about managed macOS devices.
36
+
When you use [Jamf Pro](https://www.jamf.com) to manage your end-users Macs with Intune, Jamf Pro captures inventory information about managed macOS devices.
38
37
39
-
## Data
40
-
For the list of data that Jamf Pro shares with Intune, see [Appendix: Inventory Information Shared with Microsoft Intune](https://docs.jamf.com/technical-papers/jamf-pro/microsoft-intune/10.9.0/Appendix__Inventory_Information_Shared_with_Microsoft_Intune.html) in the Jamf Pro technical documentation.
41
-
42
-
<!--
43
-
Jamf Pro reports the following information to Intune:
38
+
## Data
44
39
45
-
* Device Azure AD ID
46
-
* JAMF Inventory State (inventory state of a computer checked in with Jamf Pro within the last 24 hours)
47
-
* OS Version
48
-
* User Azure AD ID
49
-
* Encrypted (FileVault 2)
50
-
* Gatekeeper Status
51
-
* Password: minimum number of character sets
52
-
* Password expiration (days)
53
-
* Password Type - simple, alphanumeric, or unknown
54
-
* Prevent Auto Login
55
-
* Required Passcode Length
56
-
* Password: number of previous passwords to prevent reuse
57
-
* System Integrity Protection
58
-
* Last Check-In Time
59
-
* Architecture Type
60
-
* Available RAM Slots
61
-
* Battery Capacity
62
-
* Boot ROM
63
-
* Bus Speed
64
-
* Cache Size
65
-
* Device Name
66
-
* Domain Join
67
-
* Jamf ID
68
-
* MAC address
69
-
* Make
70
-
* Model
71
-
* Model Identifier
72
-
* NIC Speed
73
-
* Number of Cores
74
-
* Number of Processors
75
-
* OS
76
-
* Platform
77
-
* Processor Speed
78
-
* Processor Type
79
-
* Secondary MAC Address
80
-
* Serial Number
81
-
* SMC Version
82
-
* Total RAM
83
-
* UDID
84
-
* User Email
85
-
-->
86
-
87
-
<!--
88
-
You can remove a Jamf-managed device from the Intune console by selecting **Delete** in the **All devices** view. Bulk device deletion can be enabled by selecting multiple devices and clicking **Delete**.
89
-
-->
40
+
For the list of data that Jamf Pro shares with Intune, see [Appendix: Inventory Information Shared with Microsoft Intune](https://docs.jamf.com/technical-papers/jamf-pro/microsoft-intune/10.9.0/Appendix__Inventory_Information_Shared_with_Microsoft_Intune.html) in the Jamf Pro technical documentation.
90
41
91
42
## Next steps
92
-
Get information on how to [remove a Jamf-managed device in the Jamf Pro docs](https://www.jamf.com/jamf-nation/articles/80/unmanaging-computers-while-preserving-their-inventory-information). You can also file a support ticket with [Jamf support](https://www.jamf.com/support/) for additional help.
93
43
44
+
Get information on how to [remove a Jamf-managed device](https://docs.jamf.com/technical-papers/jamf-pro/microsoft-intune/10.9.0/Deleting_a_Computer_from_the_Microsoft_Azure_and_Intune_Portals.html) from Intune and Azure Active Directory. You can also file a support ticket with [Jamf support](https://www.jamf.com/support/) for additional help.
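Review bot: In the merged intro line, "your end-users Macs" is missing the possessive; write "your end users' Macs". Both Jamf links kept or added here are pinned to the 10.9.0 documentation path (.../microsoft-intune/10.9.0/...), so they will keep pointing at that release of the technical paper; use an unversioned URL if Jamf provides one. The new "Next steps" link text says "remove a Jamf-managed device" while the target page is about deleting a computer from the Azure and Intune portals, so align the link text with the target.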
memdocs/intune/protect/privacy-data-audit-export-delete.md
13 additions & 8 deletions
@@ -1,14 +1,14 @@
1
1
---
2
2
# required metadata
3
3
4
-
title: Audit, export, or delete personal data
4
+
title: Audit, export, or delete personal data collected by Intune
5
5
titleSuffix: Microsoft Intune
6
-
description: Learn how to audit, export, or delete personal data.
6
+
description: Learn how to audit, export, or delete personal data that's been collected by Intune.
7
7
keywords: GDPR, personal data, privacy
8
8
author: brenduns
9
9
ms.author: brenduns
10
10
manager: dougeby
11
-
ms.date: 9/10/2020
11
+
ms.date: 04/08/2022
12
12
ms.topic: conceptual
13
13
ms.service: microsoft-intune
14
14
ms.subservice: protect
@@ -39,7 +39,7 @@ Intune admins can use audit logs to track activities surrounding personal data.
39
39
40
40
Audit logs provide tenant admins with a record of activities that generate a change in Microsoft Intune. Audit logs are available for many manage activities and typically create, update (edit), delete, and assign actions. Remote tasks that generate audit events can also be reviewed. These audit logs may contain personal data from users whose devices are enrolled in Intune.
41
41
42
-
For security purposes Intune may maintain audit logs for user and device actions for a period of one year. These logs are automatically deleted after the one-year retention period.
42
+
For security purposes Intune may maintain audit logs for user and device actions for one year. These logs are automatically deleted after the one-year retention period.
43
43
44
44
To review audit logs, see [Audit logs for Intune activities](../fundamentals/monitor-audit-logs.md).
45
45
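Review bot: The reworded line still says Intune "may maintain audit logs for user and device actions for one year", while the next sentence and the following section state a fixed retention ("These audit events are retained for one year"). Drop "may" or explain when logs are not kept. Also add a comma after "For security purposes", and in the context line above, "available for many manage activities and typically create" needs rewording (for example, "many management activities, typically create").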
@@ -51,13 +51,15 @@ These audit events are retained for one year. Tenant admins can request audit lo
51
51
52
52
Admins can export end user personal data, including accounts, service data, and associated logs to comply with Data Subject Rights requests. It's up to you and your organization to decide whether or not to provide the data subject with a copy of the personal data or if you have a legitimate business reason to withhold it. If you decide to provide it, you can provide them with a copy of the actual document, an appropriately redacted version, or a screenshot of the portions you have deemed appropriate to share.
53
53
54
-
To export a user's personal data, you can use:
55
-
- the Intune MDM Device blade to export a list of devices. You can also copy device data directly.
54
+
To export a user's personal data, you can use:
55
+
56
+
- the *Export* option on the *All devices* node of the Microsoft Endpoint Manager admin center to export a list of devices. You can also copy device data directly.
56
57
- the [Export-IntuneData.ps1 script](https://aka.ms/intunedataexport).
57
58
58
59
## Delete end user personal data
59
60
60
61
There are three ways to remove personal data from Intune management:
62
+
61
63
- Delete the user from Azure Active Directory
62
64
- Reset the device to factory settings
63
65
- User self-removal
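Review bot: The new export bullet marks UI labels in italics (*Export*, *All devices*), but the "Retire" section later in this file uses bold for an action name (**Retire**); use bold here so UI elements are formatted one way throughout. Both bullets also begin with a lowercase "the"; capitalize them or drop the article so the list reads cleanly after "you can use:".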
@@ -67,12 +69,15 @@ There are three ways to remove personal data from Intune management:
67
69
To delete an end user's personal data from Intune, an admin must [delete the user from Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/add-users-azure-active-directory#delete-a-user). When the user is deleted from Azure AD (hard deleted), Intune receives the delete signal from Azure AD and then automatically begins purging all of that user's personal data from the Intune service. The user's information will be deleted from Intune service within 30 days of the removal action.
68
70
69
71
### Reset device to factory settings
70
-
Resetting to factory settings restores all company and personal data and settings to the original factory settings. It is useful for providing a device to the next employee. User files, user installed applications, and non-default settings are removed and this data is deleted from the Intune service within 30 days of the removal action.
72
+
73
+
Resetting to factory settings restores all company and personal data and settings to the original factory settings. It's useful before providing a device to the next employee. User files, user installed applications, and non-default settings are removed and this data is deleted from the Intune service within 30 days of the removal action.
71
74
72
75
### User self-removal from Intune management
73
-
Users can remove their [Android, Apple, or Windows](../user-help/unenroll-your-device-from-intune-android.md) personal device from Intune management without admin assistance.
76
+
77
+
Users can remove their [Android](../user-help/unenroll-your-device-from-intune-android.md), [Apple](../user-help/unenroll-your-device-from-intune-ios.md), or [Windows](../user-help/unenroll-your-device-from-intune-windows.md) personal device from Intune management without admin assistance.
74
78
75
79
### Retire
80
+
76
81
The **Retire** action removes Intune provisioned data like company applications, data about apps that Intune is managing, policy settings, and email profiles that are provisioned through Intune. This action leaves the user's personal data on the device.
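Review bot: In "Reset device to factory settings", the edited paragraph still opens with "restores all company and personal data and settings to the original factory settings", which reads as if data is restored, while the next sentence says user files and applications are removed. State that the reset removes company and personal data and returns settings to factory defaults. "user installed applications" in the same line should be hyphenated.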