Eric_H
Iron Contributor
Dec 03, 2019
Solved

Terminated user - cached data access

How does the Teams app function when a user account is disabled?  We did some basic testing, and when a mobile device has no internet access, it can still be opened and you can browse Teams and threads that appear to be cached.  Is there a way to force disconnect the app so the user cannot get in?  When a user is disabled, Exchange gives some ability to remove data from their mobile device and block the device.  I know that Teams data is stored in Exchange, so do we just follow the Exchange procedures?  https://docs.microsoft.com/en-us/office365/admin/add-users/remove-former-employee?view=o365-worldwide

2 Replies

  • Hi!

    Ideally, Teams should be a managed app with Intune and you would perform an app selective wipe on the mobile device.

    https://docs.microsoft.com/en-us/intune/apps/apps-selective-wipe

    https://www.contentandcode.com/blog/intune-mam-managing-corporate-data-on-byod/

    https://blogs.technet.microsoft.com/skypehybridguy/2017/09/01/microsoft-teams-manage-it-using-mobile-application-management-mam/

    In this case, if you haven’t got this, you would need to get the user to manually log out or remove the Teams app on the device. I know that sometimes this isn’t possible, and when the phone connects to the internet it ought to log out if you have disabled the user and changed the username; however, the selective wipe on the device should ensure this. Of course, that selective wipe would need to be done whilst the phone is connected and probably prior to the disable, as it is done over the internet. If the user is offline, the wipe would occur when the phone next connects.

    The great thing about a managed app and an app protection policy is that data can be set to not be copied, pasted or printed out of the app too, making it more difficult.

    Hope that answers your question!

    Best, Chris
    • Eric_H
      Iron Contributor

      ChrisHoardMVP - I figured MDM was the true solution.  We are implementing it soon for our laptops, and I will consider mobile devices next.  I just wondered how Teams would act with the locally cached data.  If I disable an account, I agree the device will most likely be online and discover the user is not authenticated.  However, I'm curious if the user goes offline (airplane mode) will the app remember they are disabled, or let them in since it can't check their authentication.  If I get some time I'll try and test this.  Thanks for your help!
