Office 365: Selectively Wipe a Mobile Phone

Posted By Ian@SlashAdmin in Office 365 | 4 comments

Storing company information on a mobile phone carries with it some risk. Having the ability to erase all information held on a phone from the portal is a fantastic feature but what if the device belongs to the employee? Maybe they are no longer employed by your organisation and have left never to return, what do you do about your data left on the phone? You cant remotely wipe the whole phone because they will have personal pictures, messages and emails on there which you have no right to remove.

This is where it’s very important to have a clear Bring Your Own Device (BYOD) policy which is signed by employees. This makes its very clear what both parties agree will happen to the phone and the data on it should you part ways or the phone is lost.

But what gets erased when you perform a selective wipe?

Well, lets test it and see, first I setup a phone new mobile phone and setup the office applications and ensure we have files and emails setup as follows:

1. Txt messages
2. Camera photos
3. Screen shots
4. Personal email in Gmail app
5. Company email in Outlook app
6. Word document stored locally
7. Word document stored in OneDrive
8. Word document stored in SharePoint
9. Excel document stored locally
10. Excel document stored in OneDrive
11. Excel document stored in SharePoint
12. OneNote document stored in SharePoint
13. Skype for Business conversations

I’ve highlighted above the data which I think should be erased from the device, essentially everything stored within the Office 365 tenant and everything else should be left alone.

What I will do is run through the process to perform a remote wipe and we will see what actually gets removed and what stays.

Let’s run through the instructions for remotely erasing only data connected to Office 365 from a mobile phone.

Log into the Admin center and click on Admin Centres then security & Compliance.

Now click Security policies then Device management.

Now locate the device from the list, in this example we will wipe my own device. Click on the device then select ‘Selective wipe’ from the menu on the right hand side.

You will receive a warning that all data will be erased. That’s fine, its what we want! Press Yes.

If the device has a connection to the internet the phone will start erasing all of the company data, at least that’s the idea. If the device has been turned off or doesn’t have internet access then the device will never receive the wipe command but as soon as it does the process will begin.

Lets see what got removed and what stayed.

1. Txt messages – On device
2. Camera photos – On device
3. Screen shots – On device
4. Personal email in Gmail app – On device
5. Company email in Outlook app – Prompts for user logon credentials
6. Word document stored locally – On device
7. Word document stored in OneDrive – Prompts for user logon credentials
8. Word document stored in SharePoint – Prompts for user logon credentials
9. Excel document stored locally – On device
10. Excel document stored in OneDrive – Prompts for user logon credentials
11. Excel document stored in SharePoint – Prompts for user logon credentials
12. OneNote document stored in SharePoint – Prompts for user logon credentials
13. Skype for Business conversations – Skype is still active and I can view previous conversations.

So there you go it worked great with the exception of Skype for Business which was still able to login. Knowing this I would advise you to reset the users password and remove any app passwords should you ever need to execute a remote wipe of a mobile device in the future.

Once the device has been erased it will get removed from the Mobile Device Management page.

Summary

Remotely wiping a mobile device is very easy and is a great way to help protect your business data. Employees often lose their mobile devices, the larger your organisation the more likely you will require this feature.