How to Handle Noncompliant/Stale iOS Devices?

Howdy, folks. My organization has had persistent issues with non-compliant and stale iOS devices that are driving me crazy.

When our IT department provides an iPad to an employee, we get it set up and have them log into the Comp Portal with (usually) no issue.

The problem often rears its head when turnover happens: suppose Bob Smith leaves the company. Bob's manager, Jane Doe, hangs on to Bob's old iPad until a new employee is hired to take Bob's spot. In the time between Bob's departure and his replacement's hiring, Jane keeps the iPad locked and/or powered off in her desk, meaning the iPad can't check in with InTune's server for an extended period.

Now when Jane hires Henry Ford to fill Bob's spot months later, the device is no longer giving or receiving any communications from InTune's server... despite being powered on again and connecting to the internet via cellular data. This iPad still works, and our company apps are still there.

But, oh no! Now Henry is using the device while the device record remains under Bob's name. A disaster for our inventory records, and what's more, we can't do any management of the noncompliant/stale device anymore. So if Bob set a nonstandard unlock passcode and forgot to tell Jane when he left the company, there's no way for us to remotely unlock the iPad for Henry.

But back up a minute, or rather, a few months. Let's assume Jane handled the device properly by wiping it (either manually or ideally by asking IT to send a wipe command) after Bob gave it to her. Our user adherence to these policies is abysmal, but let's just suppose it happens. Jane guides the device through setup after the wipe and eventually comes to the Comp Portal, where she needs to wait until she hires her new employee. As I alluded to earlier, it may be months until Henry is hired and set up with the device, which is collecting dust in a desk drawer or storage closet somewhere in the meantime.

The iPad eventually becomes noncompliant/stale, and once that happens Henry won't be able to log in to the Comp Portal. I think the issue is that the Comp Portal app version is outdated and won't update because it isn't communicating with InTune. But at the same time, since the device is stuck in single app mode, Henry and Jane can't manually wipe the iPad. It's stuck.

These hypotheticals are just two of the many similar scenarios we have to deal with repeatedly on a daily basis, but similar situations lead to similar end results.

The final recourse, ultimately, is for Jane and Henry to ship the iPad to our main office for my IT department to restore the device using iTunes. This is terribly inconvenient for an organization of our size.

But what else can be done? I had been hopeful that enabling a device clean-up rule could help, but that only prunes the obsolete records; it doesn't do anything to manage the device. I thought retiring it could help, but of course since the iPad isn't receiving commands from InTune anymore the retire command would never arrive either.

We don't really want to remove the passcode and all security from noncompliant/stale devices (for obvious reasons). I'm not exactly sure what an ideal solution would look like here, to be honest... if our iOS devices automatically locked from the devices' end if they don't contact InTune's server after X days, that would at least be a step in the right direction. We'd still have to restore the device with iTunes, but at least we'd cut to the chase and make sure there aren't any devices out there under an ex-employee's name.

I'm a little flabbergasted if InTune is truly not capable of handling this issue more elegantly, but if there is a tool or rule in the InTune admin center then I must be too blind to find it. So, what's an IT admin to do?

Posted
1 year ago