Fun fact! If you have outlook on your phone with a work account added, chances are IT has admin access to your phone and can remotely wipe it at any time. Also means that your phone can be collected as evidence if you or the company is involved in a court case possibly related to emails
Ok I’ve tested this with some users that definitely do have their work emails on their private phones and I can’t see what this setting is. Are you sure about this, it seems super dodgy?
If you set up intune correctly (and its a requirement) you can prevent access to the entire of m365 including outlook unless they register their device and you can use allow lists for users who are approved to use their own devices, or just block them full stop while allowing company phones access.
If yours isn’t requiring registration, then its not setup to do so, you can very much enforce it, this is usually done via conditional access requiring that the device is registered before it can get access.
Often admins also forget to block web access from mobile devices, but that’s also blockable via the conditional access settings (and other ways, but conditional is how I would do it). Its not perfect as its using the user agent, which can be spoofed. Personally if the client needs that level of protection then web access should just be blocked for non company devices.
You can enforce that the company is added as a device manager, that’s usually how the device wipe is enforced. Access to personal data isn’t really what you are granting here, it is the ability to remote wipe the entire device.
Its a proper device management system with a ton of options. You can for example force users to only use an approved list of applications on their own device for company data.
There are ways around this. I run Outlook inside of a sandbox, so you can remote wipe the sandbox, but the rest of the phone isn’t accessible to anything in the sandbox even with “device admin” permissions.
Fun fact! If you have outlook on your phone with a work account added, chances are IT has admin access to your phone and can remotely wipe it at any time. Also means that your phone can be collected as evidence if you or the company is involved in a court case possibly related to emails
Ok I’ve tested this with some users that definitely do have their work emails on their private phones and I can’t see what this setting is. Are you sure about this, it seems super dodgy?
Modern way of doing it is via intune: https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe
You can force registration of the device before they can access the environment, and you can enforce all sorts of things.
Doesn’t that create an isolated admin environment I don’t think it gives me access to their personal stuff.
Also not part of Outlook, adding a work email to a private device doesn’t register it to the admin environment
If you set up intune correctly (and its a requirement) you can prevent access to the entire of m365 including outlook unless they register their device and you can use allow lists for users who are approved to use their own devices, or just block them full stop while allowing company phones access.
If yours isn’t requiring registration, then its not setup to do so, you can very much enforce it, this is usually done via conditional access requiring that the device is registered before it can get access.
Often admins also forget to block web access from mobile devices, but that’s also blockable via the conditional access settings (and other ways, but conditional is how I would do it). Its not perfect as its using the user agent, which can be spoofed. Personally if the client needs that level of protection then web access should just be blocked for non company devices.
You can enforce that the company is added as a device manager, that’s usually how the device wipe is enforced. Access to personal data isn’t really what you are granting here, it is the ability to remote wipe the entire device.
Its a proper device management system with a ton of options. You can for example force users to only use an approved list of applications on their own device for company data.
There are ways around this. I run Outlook inside of a sandbox, so you can remote wipe the sandbox, but the rest of the phone isn’t accessible to anything in the sandbox even with “device admin” permissions.