Office 365: Selectively Wipe a Mobile Phone
Storing company information on a mobile phone carries some risk. Being able to erase all information held on a phone from the portal is a fantastic feature, but what if the device belongs to the employee? Maybe they are no longer employed by your organisation and have left, never to return. What do you do about your data left on the phone? You can't remotely wipe the whole phone, because they will have personal pictures, messages and emails on there which you have no right to remove.
This is where it’s very important to have a clear Bring Your Own Device (BYOD) policy which is signed by employees. This makes it very clear what both parties agree will happen to the phone and the data on it should you part ways or should the phone be lost.
But what gets erased when you perform a selective wipe?
Well, let's test it and see. First I set up a new mobile phone, set up the Office applications and ensured we have files and emails set up as follows:
- Txt messages
- Camera photos
- Screen shots
- Personal email in Gmail app
- Company email in Outlook app
- Word document stored locally
- Word document stored in OneDrive
- Word document stored in SharePoint
- Excel document stored locally
- Excel document stored in OneDrive
- Excel document stored in SharePoint
- OneNote document stored in SharePoint
- Skype for Business conversations
I’ve highlighted above the data which I think should be erased from the device: essentially everything stored within the Office 365 tenant. Everything else should be left alone.
What I will do is run through the process to perform a remote wipe and we will see what actually gets removed and what stays.
Let’s run through the instructions for remotely erasing only data connected to Office 365 from a mobile phone.
Log into the Admin center and click on Admin Centres, then Security & Compliance.
Now click Security policies then Device management.
Now locate the device from the list. In this example we will wipe my own device. Click on the device, then select ‘Selective wipe’ from the menu on the right-hand side.
You will receive a warning that all data will be erased. That’s fine, it's what we want! Press Yes.
If the device has a connection to the internet, the phone will start erasing all of the company data; at least, that’s the idea. If the device has been turned off or doesn’t have internet access, it will not receive the wipe command until it is back online, but as soon as it does the process will begin.
Let's see what got removed and what stayed.
- Txt messages – On device
- Camera photos – On device
- Screen shots – On device
- Personal email in Gmail app – On device
- Company email in Outlook app – Prompts for user logon credentials
- Word document stored locally – On device
- Word document stored in OneDrive – Prompts for user logon credentials
- Word document stored in SharePoint – Prompts for user logon credentials
- Excel document stored locally – On device
- Excel document stored in OneDrive – Prompts for user logon credentials
- Excel document stored in SharePoint – Prompts for user logon credentials
- OneNote document stored in SharePoint – Prompts for user logon credentials
- Skype for Business conversations – Skype is still active and I can view previous conversations.
So there you go: it worked great, with the exception of Skype for Business, which was still able to log in. Knowing this, I would advise you to reset the user's password and remove any app passwords should you ever need to execute a remote wipe of a mobile device in the future.
Once the device has been erased it will get removed from the Mobile Device Management page.
Summary
Remotely wiping a mobile device is very easy and is a great way to help protect your business data. Employees often lose their mobile devices, and the larger your organisation, the more likely you will require this feature.
18th January 2017
Do you have the test on Android device?
I found that “Company email in Outlook app” will prompt for user logon credentials after selective wipe. But with 2 taps on back button, I can still find old downloaded email, though new email is not showing up.
25th January 2017
The Security Policies section of Security & Compliance Admin Center is missing. Anyone know where it’s moved to or how you get it to show up?
26th January 2017
Hi Ian, Security policies have been moved to the Threat Management menu in the Security & Compliance portal.
https://protection.office.com/#/device
29th April 2019
After I go to threat management, I don’t see anything dealing with devices. Just trying to figure out how to do a selective wipe.