this post was submitted on 28 Nov 2023
1568 points (98.8% liked)

Technology

59213 readers
2517 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 11 months ago* (last edited 11 months ago) (1 children)

Doesn't that create an isolated admin environment I don't think it gives me access to their personal stuff.

Also not part of Outlook, adding a work email to a private device doesn't register it to the admin environment

[–] tankplanker 2 points 11 months ago (1 children)

If you set up intune correctly (and its a requirement) you can prevent access to the entire of m365 including outlook unless they register their device and you can use allow lists for users who are approved to use their own devices, or just block them full stop while allowing company phones access.

If yours isn't requiring registration, then its not setup to do so, you can very much enforce it, this is usually done via conditional access requiring that the device is registered before it can get access.

Often admins also forget to block web access from mobile devices, but that's also blockable via the conditional access settings (and other ways, but conditional is how I would do it). Its not perfect as its using the user agent, which can be spoofed. Personally if the client needs that level of protection then web access should just be blocked for non company devices.

You can enforce that the company is added as a device manager, that's usually how the device wipe is enforced. Access to personal data isn't really what you are granting here, it is the ability to remote wipe the entire device.

Its a proper device management system with a ton of options. You can for example force users to only use an approved list of applications on their own device for company data.

[–] orclev 3 points 11 months ago (2 children)

There are ways around this. I run Outlook inside of a sandbox, so you can remote wipe the sandbox, but the rest of the phone isn't accessible to anything in the sandbox even with "device admin" permissions.

[–] tankplanker 2 points 11 months ago

There are ways around most things, but you'll have to define this sandbox on your mobile as a lot of these can be prevented with the right additional product, obviously Microsoft being Microsoft isn't going to give this away.

[–] [email protected] 1 points 11 months ago

Yeah I'm pretty sure that's how our system sets it up, but it's supposed to be set up like that not as a workaround, I feel super duper sketchy about wiping it uses personal device. When they leave the company that's the only section of the device we wipe.

There's only like a couple of dozen uses on the account that actually use their personal devices. Mostly just the have IT staff and a few managers who need to be emergency contactable.