When a managed device falls out of compliance, the compliance action set up to quarantine the device fails to remove the profiles and instead leaves all of them in place. This can be a significant problem for the security of corporate data and/or access to corporate resources.
This was discovered on several installations of MobileIron and appears to affect iOS devices specifically. A theory to explain the behavior is that iOS devices require at least one policy to remain active in order to retain a management status. This means that in order to “keep” the default profile (the profile that provides all the additional profiles to the device), one of the additional profiles also needs to be retained. It would appear that MobileIron selected the WiFi policy to be this policy. According to the supported configurations, the “remove all profiles” setting for a quarantine action is not possible; however, selecting either “keep WiFi settings for WiFi only devices” or “keep WiFi settings for all devices” is possible and is a supported configuration. Testing was performed with the various configurations, and it was found that if either of these “keep the WiFi ….” configurations was selected, the quarantine actions were successful; without these options selected, the quarantine actions failed.
The cause of this behavior is currently unknown.
In order to have iOS devices successfully quarantine, a WiFi policy must be deployed to the devices and retained in the event of a quarantine action. Without a configured WiFi policy, quarantine actions will be useless and all profiles will remain intact on the device. This affects iOS versions up to 6.1. It has not been tested with iOS 7.