Aug 29 2019
- last edited on
Apr 11 2022
With Office 365 Pro Plus and the E3 license, we are able to deploy 5 copies of the Pro Plus suite. This includes personal device. Once employment ends, how do we go about removing the Pro Plus suite from someone's personal device so they cannot access any corporate data that might be downloaded to their system?
An example would be someone is using the Outlook desktop app from their personal device and they leave the company. They would still have access to those files. Another example would be someone is working on a spreadsheet from their device vs. from OneDrive or SharePoint.
How do we as M365 admins protect the corporate data and retrieve it from a personal device? How do we stop that employee from downloading it to their personal device?
Aug 29 2019 08:26 AM
After the user is terminated and the account disabled/removed, he cannot activate Office anymore, so he will not be able to add to the numbers of active installs. For users that are still active, you can go to the O365 admin portal, select the user and manage the office installs from there (remove devices that you don't recognize). Unfortunately, there is no programmatic way to do this, despite of us asking Microsoft for years...
If you want to tightly control who can install where, you will have to use some MDM solution (Intune) or disable the download altogether.
Aug 29 2019 08:31 AM
Very true that they cannot activate more licenses, but that does not stop them from using the applications without the license. They can still access anything in Outlook that was downloaded to their personal computer.
Aug 29 2019 11:30 PM
That's a different issue altogether. If you have concerns about them keeping mails and files on personal devices, you should disable external access from the get go via CA policies or Client Access Rules in Exchange.
Sep 04 2019 04:25 AM
That was my thought, but leadership believes there are other ways to secure the information without disabling the ability for end users to not use the applications on their personal computers.
Personally, we should be using all of the web based applications when not using company devices.
Sep 04 2019 08:32 AM
Yeah, that's why they are leaders, they don't care about minor details :D Removing Outlook on its own doesn't really solve anything here, I can easily export all the content of the mailbox and keep it on my device, or wherever I see fit. RMS/AIP can help by protecting individual messages, but I'm yet to see a company that does this for every single message received.