• finestnothing@lemmy.world
    link
    fedilink
    English
    arrow-up
    43
    arrow-down
    13
    ·
    11 months ago

    Fun fact! If you have outlook on your phone with a work account added, chances are IT has admin access to your phone and can remotely wipe it at any time. Also means that your phone can be collected as evidence if you or the company is involved in a court case possibly related to emails

    • Echo Dot@feddit.uk
      link
      fedilink
      English
      arrow-up
      31
      ·
      11 months ago

      Ok I’ve tested this with some users that definitely do have their work emails on their private phones and I can’t see what this setting is. Are you sure about this, it seems super dodgy?

        • lazynooblet@lazysoci.al
          link
          fedilink
          English
          arrow-up
          27
          ·
          11 months ago

          This is device management and isn’t something that is the default, or comes with Outlook.

          A less intrusive method is application management which gives the company control to wipe the account, not the device.

        • Echo Dot@feddit.uk
          link
          fedilink
          English
          arrow-up
          10
          ·
          edit-2
          11 months ago

          Doesn’t that create an isolated admin environment I don’t think it gives me access to their personal stuff.

          Also not part of Outlook, adding a work email to a private device doesn’t register it to the admin environment

          • tankplanker@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            11 months ago

            If you set up intune correctly (and its a requirement) you can prevent access to the entire of m365 including outlook unless they register their device and you can use allow lists for users who are approved to use their own devices, or just block them full stop while allowing company phones access.

            If yours isn’t requiring registration, then its not setup to do so, you can very much enforce it, this is usually done via conditional access requiring that the device is registered before it can get access.

            Often admins also forget to block web access from mobile devices, but that’s also blockable via the conditional access settings (and other ways, but conditional is how I would do it). Its not perfect as its using the user agent, which can be spoofed. Personally if the client needs that level of protection then web access should just be blocked for non company devices.

            You can enforce that the company is added as a device manager, that’s usually how the device wipe is enforced. Access to personal data isn’t really what you are granting here, it is the ability to remote wipe the entire device.

            Its a proper device management system with a ton of options. You can for example force users to only use an approved list of applications on their own device for company data.

            • orclev@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              11 months ago

              There are ways around this. I run Outlook inside of a sandbox, so you can remote wipe the sandbox, but the rest of the phone isn’t accessible to anything in the sandbox even with “device admin” permissions.

              • tankplanker@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                11 months ago

                There are ways around most things, but you’ll have to define this sandbox on your mobile as a lot of these can be prevented with the right additional product, obviously Microsoft being Microsoft isn’t going to give this away.

              • Echo Dot@feddit.uk
                link
                fedilink
                English
                arrow-up
                1
                ·
                11 months ago

                Yeah I’m pretty sure that’s how our system sets it up, but it’s supposed to be set up like that not as a workaround, I feel super duper sketchy about wiping it uses personal device. When they leave the company that’s the only section of the device we wipe.

                There’s only like a couple of dozen uses on the account that actually use their personal devices. Mostly just the have IT staff and a few managers who need to be emergency contactable.

    • 𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      edit-2
      11 months ago

      Just put your work apps in your Work profile.

      That’s exactly why Android has this function, so they can only remotely access/wipe that profile. Everything in that profile is kept segregated from the rest of the system.

    • Gestrid@lemmy.ca
      link
      fedilink
      English
      arrow-up
      5
      ·
      11 months ago

      My school required this. They forced me to grant the Outlook app admin access to my phone in order to be able to add my school email in the app.

      • 𝔼𝕩𝕦𝕤𝕚𝕒@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        To reset a password for work. Apparently eHub doesnt work on Firefox, it has to be edge or chrome. Called the Help Center and they asked if I was using chrome and I said no Firefox. “You don’t uh…have anything like chrome on your phone?” “no, I might be able to access a work computer with chrome but I’m not putting a chromium browser on my device” (it’s there because android, but all its permissions are cut off)

        She just had to sit on hold while I logged on on a work computer to reset everything where if they just fucking made a webpage to work on Firefox we could have not had the conversation in the first place.