Hello,

I am trying to make a decision whether to allow employees to have corporate email accounts on their personal devices (iOS, Android, etc.). The concern is: if an employee leaves the company, how do you make sure corporate email that is stored on their devices gets deleted? I understand Office 365 offers a remote wipe option; however, this is too drastic as it restores the employee’s device to factory defaults. Disabling the email account simply means that new emails won’t get delivered. What do you do?

4 Spice ups

Take a look at Microsoft’s MDM (Mobile Device Management) stuff which is rolling out very soon.

It allows you to perform a selective wipe of the device, so you don’t nuke all the user’s personal information.

We put in our policy that as part of their exit interviews, they hand over their phones so we can clear the e-mail. If they do not, we wipe them with our MDM solution (Sophos Cloud). Kind of harsh, but it is for everyone’s protection, including the person leaving.

1 Spice up

Finally! Thanks, Alan.

First step:

Create the BYOD policy. Use plain English to describe what the users can do, cannot do, how the company controls this, and what happens if they leave the organization without returning the device to IT for proper disconnect. Explain this to them in person, then require they sign a document indicating they:

  • Received a hard copy of the policy,
  • Read the policy document,
  • Received training on the policy from IT, and
  • Accept the policy in full - including all consequences for failure to comply

At that point a remote wipe is not “too drastic”. Decisions have consequences. Adults understand and accept this.

1 Spice up

Honestly? I find this insufficient. If you’re worried about ensuring company data doesn’t remain on the device, employees should have two choices:

  1. Return the device to IT to ensure data is properly scrubbed, or
  2. Submit to full device wipe. Back up your devices, yo.

2 Spice ups

If corporate data is sandboxed within a portion of the device, why is it necessary to wipe the entire device?

You can restrict the ability to copy/paste/screenshot from “Corporate” apps so data shouldn’t leak as easily as it can these days.

I agree… why delete employees’ personal photos and files? As long as corporate data is wiped, I am comfortable.

That is a BIG “IF”. This generally has not been the case with most MDM solutions. This is new to Office 365 and Exchange in general, with the exception of BB Balance. Bryce stated the only 2 options that were previously available: physical access removal or factory wipe.
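For readers weighing the selective-wipe option discussed above, here is an added PowerShell offboarding example. It is written for this thread and is not code from any poster, from Microsoft or from a vendor. It assumes the Exchange Online PowerShell module is installed and the operator holds a role with mobile device management permissions; the mailbox, notification address and ticket reference are placeholders. The `-AccountOnly` switch on `Clear-MobileDevice` is an Exchange Online feature the thread does not name explicitly, so confirm it against your tenant’s cmdlet help before relying on it.

```powershell
# Added example (not from the thread): offboarding step that removes only the
# Exchange mailbox data from a departing user's phones instead of factory-resetting them.
# Assumes the Exchange Online PowerShell module and a role that includes mobile
# device management rights. Mailbox, notification address and ticket reference
# are placeholders.

param(
    [Parameter(Mandatory)] [string] $Mailbox,                 # e.g. leaver@contoso.example (placeholder)
    [string] $NotifyAddress = 'helpdesk@contoso.example',     # placeholder
    [string] $TicketRef     = 'HR-OFFBOARD-0000'              # placeholder
)

Connect-ExchangeOnline -ShowBanner:$false

# Enumerate every ActiveSync / Outlook mobile partnership for the mailbox.
# Each partnership is a separate wipe target; one user may have several.
$devices = Get-MobileDevice -Mailbox $Mailbox
if (-not $devices) {
    Write-Host "No mobile device partnerships found for $Mailbox"
    Disconnect-ExchangeOnline -Confirm:$false
    return
}

foreach ($d in $devices) {
    Write-Host ("Requesting account-only wipe of {0} ({1} {2}) under {3}" -f `
        $d.DeviceId, $d.DeviceType, $d.DeviceModel, $TicketRef)

    # -AccountOnly asks the device to delete the Exchange account data (mail,
    # calendar, contacts) and leave personal data in place. Without the switch,
    # Clear-MobileDevice issues the full factory reset the question objects to.
    Clear-MobileDevice -Identity $d.Identity -AccountOnly `
        -NotificationEmailAddresses $NotifyAddress -Confirm:$false
}

# The wipe runs only when the device next syncs, so record the request and have
# the helpdesk confirm the acknowledgement before the ticket is closed.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceId, DeviceType, Status,
                  DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Order matters here: the wipe command is delivered to the phone through the same sync channel the mailbox uses, so disable the account or block ActiveSync only after `DeviceWipeAckTime` is populated. Disabling first leaves the cached mail on the device with no way to reach it, which is exactly the gap the original question describes.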

This is totally joking, so please don’t think I would actually do this to a user (unless severely provoked).

Also, what if it is a user that you hated/despised? The one that never submitted a ticket or ignored you when you told them exactly what needed to be done to fix the issue, but always complained about how crappy you are. Would you not want to exact the final IT revenge? “Oh sorry, I just killed all of your phone’s capabilities. Buh BYE!”

Making the decision to allow for corporate email accounts on personal devices is a common pain point we have seen. This is absolutely possible! Bitglass is a solution that requires no software or hardware on the end user device. All corporate email going down to BYOD devices is tracked and you can place access controls based on who you want to see data, from where and from what kinds of device. If an employee leaves or their device is lost or stolen, Bitglass can remote wipe all corporate data, leaving all personal data completely untouched. No factory defaults necessary. Here’s a link to a data sheet. Please let me know if you have questions!