The answer to all of those is that it depends on how your employer has configured Microsoft products on their admin side.
They will implement none of the possible levers to manage the apps in each of your 4 scenarios, so they’re all equal at that moment.
Down the road, they might change things to tighten up what restrictions they impose.
Ultimately, everything boils down to 2 main facts:
- They own the device by claiming it in the portal they have with Apple, and they can force remote enrollment whenever it’s wiped.
- They push an MDM payload (or compel you to self-enroll), and then iOS tells you exactly what it has done to modify your device under profiles.
An MDM-commanded erase can only happen when it’s entitled with Required Access Right: AllowDeviceErase on the device. This means your scenario 2 is the only one where you should prepare for a remote erase (or follow the link above for remote lock, remote reboot, remote shutdown).
It’s not clear what practical problem you face, and you’ll need to be specific with screenshots and exact iOS versions for us to go deeper into scenario 1 (which seems very unusual or unlikely).
4 is a personal device, so no management apart from what the app sends back to Microsoft.
2-3 reflects my “enrollment” text above.
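
Added example, not part of the original answer: in an enrollment profile the erase entitlement mentioned above is carried in the `AccessRights` bitmask of the `com.apple.mdm` payload, where bit value 8 is "allow device erase" per Apple's MDM Protocol Reference. The sketch below decodes that mask from an unsigned profile plist; the helper names, the sample profiles and the server URL are constructed for illustration, and a signed profile would first need its CMS wrapper removed.

```python
import plistlib

# AccessRights bit values for a com.apple.mdm payload (Apple MDM Protocol Reference).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
DEVICE_ERASE = 8


def mdm_rights(profile_bytes):
    """Decode AccessRights for each MDM payload in an unsigned profile plist."""
    profile = plistlib.loads(profile_bytes)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue  # Wi-Fi, mail, restrictions etc. carry no MDM rights
        mask = int(payload.get("AccessRights", 0))
        found.append({
            "server": payload.get("ServerURL", ""),
            "rights": [name for bit, name in ACCESS_RIGHTS.items() if mask & bit],
            "can_erase": bool(mask & DEVICE_ERASE),
            "unknown_bits": mask & ~sum(ACCESS_RIGHTS),  # bits outside the table
        })
    return found


def sample_profile(mask):
    """Constructed enrollment profile; the server URL is a placeholder."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed"},
            {"PayloadType": "com.apple.mdm",
             "ServerURL": "https://mdm.example.invalid/checkin",
             "AccessRights": mask},
        ],
    })


if __name__ == "__main__":
    for mask in (8191, 273):  # all rights vs. inventory-only (1 + 16 + 256)
        for entry in mdm_rights(sample_profile(mask)):
            print(mask, entry["can_erase"], entry["rights"])
```
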