Use of Privately Owned Mobile Devices

The management scenarios specified on this page are available since 31 August 2021 and replace the previous scenarios.

If you would like to use UZH's Microsoft 365 (UZH365) or components thereof such as Teams on your mobile device, additional requirements must be met for its use in compliance with data protection regulations. For example, every mobile device has to be protected with a password or code to restrict data accessibility in case the device is lost.

In a "Bring Your Own Device (BYOD)" scenario, that is if you're using your own private device, privacy protection is an additional matter of vital importance.

For such scenarios, Microsoft offer security policy management embedded right into their Microsoft 365 Apps. Therefore global device settings and other apps remain untouched.

Choice of Management Scheme

Users can choose from these management schemes:

MDM methods BYOD

App Management

  • Security policies only affect UZH365 Apps (e.g. password prompt upon app startup).
  • Use of UZH365 services with other apps (such as alternative e-mail and calendar apps) is prohibited.

Profile Management

(Android only)

  • Works similar to app management. In addition, UZH365 apps are separated from apps outside the profile/private apps both logically and visually. Work profiles can be disabled manually by the user in order to disable temporarily all UZH365 apps and notifications.

Device Management

(iOS/iPad-OS only)

  • The device management scheme is based on global device security policies and settings (such as the device password) and enables use of UZH365 services with alternative apps (such as e-mail or calendar apps).
  • We do not recommend this scheme for private devices, for UZH administrators gain additional information and rights on private devices. Nevertheless, even with device management, UZH administrators have at no time direct access to general or connection data on the device.
Unmanaged use

If a device does not comply with safety requirements or the user does not want to apply one of the management schemes mentioned above, access to UZH365 data by means of Microsoft apps is prohibited. In this scenario there is limited browser based functionality available (https://portal.office.com).

Which security settings are enforced?

  1. Password: UZH365 data has to be protected by a password.
    1. The password must not be trivial (e.g. sequentially ascending numbers) and must have a minimal length of 6 characters.
    2. After 10 unsuccessful authentication attempts, UZH365 data must be wiped (whole device if using device management).
    3. When inactive, UZH365 apps or the device respectively must be locked after 5 minutes max. To resume, the password is required.
  2. Data:
    1. UZH365 data must be stored encrypted on the device to prohibit other apps from accessing them.
    2. If a device is lost or the owner leaves the UZH, UZH administrators must be able to wipe on-device UZH365 data.
    3. Central IT is entitled to restrict usage of UZH365 services when abused or for security reasons and delete UZH365 data in such cases.
  3. Device Safety:
    1. The device must run genuine, unaltered software as intended by the manufacturer. Tampered-with or alternative versions ("jail beaked", root access, etc.) are not allowed.
    2. The device must run a current operating system version to make sure, it is still supplied with security updates by the manufacturer.
    3. Microsoft 365 apps are available for download and installation in the official App Stores of Android, iOS/iPadOS and Windows (Google Play Store, Apple App Store and Windows-Store). On outdated hardware or operating systems it may not be possible to install the apps.

How to Install/Uninstall?

MDM installation BYOD

App Management

When you sign in with your UZH365 account into a Microsoft 365 app, app management is activated automatically. For synchronisation of security settings you have to sign into the "Intune Company Portal" app in addition. This app also provides Single-Sign-On for all UZH365 apps, which allows you to switch between UZH365 apps without entering a password each time. However, you still need your password after a period of inactivity.

Registration of your device is not necessary (which would activate profile/device management as a matter of fact). If you (or an administrator) sign off from your UZH365 account, you can no longer access UZH365 data.

Profile Management or Device Management

After installation of the "Intune Company Portal" app and signing in with your UZH365 account, a device can be "registered". By means of this registration, users can activate by themselves a work profile (Android) or device management (iOS/iPadOS).

The device profile or work profile, respectively, contains besides security settings your account information, which allows UZH365 data access through Microsoft 365 applications (such as OneDrive, OneNote, Word, Excel, PowerPoint). If the profile is removed by the user or a UZH administrator, either all UZH365 data and account information is wiped or app management is reactivated.

Change Management Scheme to "App management"

Store Accounts (iCloud, Google Play,...)

Please do not use UZH mail addresses for your store accounts! If you do, you will not be able to access paid content such as apps or music or even your device backups after having left the UZH.

Mobile Device Backup

We highly recommend backing up your mobile devices regularly. Device backups do not contain UZH365 data, these are saved within Microsoft 365, however. Central IT does not provide support for restoring private data. If questions arise, please consider contacting your device's manufacturer support instead.

Management Procedures – Capabilities of UZH Administrators

  1. Selective deletion – Retire (all management schemes):
    By deleting the management profile, all Microsoft 365 UZH data and account information can be deleted from the device without changing any other data on the device. This can be accomplished manually by the user in device settings. Alternatively, the user can delete the management profile in the Microsoft 365 Portal or the Enterprise Portal App (even from another device). In addition to this self-service, it is also possible to have the profile deleted by an administrator, for example if the user does not have access to the self-service options mentioned above.
  2. Reset to factory settings – Wipe (only device management):
    Just as selective deletion, a device can also be deleted completely. This makes sense especially in case of loss or theft of the device, as private data on the device is also deleted. This option is only available if device management is active.
  3. Locating the device (only device management):
    Through the Microsoft 365 Portal, the location of the device can be determined by the user (self-service) or an administrator. In addition to simply locating a device, this information can also be used for safety rules. For example, it is possible to block access from certain countries.
  4. Security settings:
    As long as the management profile (device profile or work profile) is installed on the device, the device itself ensures that the security settings described above are maintained. If the profile is removed, the Microsoft 365 UZH data is deleted and the device is no longer managed. If UZH365 apps are used after that, the app management scheme will automatically be activated regardless of the management scheme used before.
  5. Device data
    The administrator is able to (only device management):
    *) We use Microsoft Intune for mobile device management and starred features are not available for privately owned devices. To implement these features, the device must be particularly configured (please refer to Use of UZH Owned Mobile Devices).
    • View model, serial number and operating system
    • Identify your device by name
    • Reset lost or stolen devices to factory settings (only on explicit instruction of the user)
    • View apps you have installed* (on privately owned devices, only managed apps and apps within work profiles are visible)
    • Display the phone number of your device*
    • View information collected by enterprise apps and networks*
    • View the location of a lost device*
    The administrator is not able to (all management schemes):
    • View the browsing history on your device
    • View personal e-mail, documents, contacts or calendars
    • Display data from other apps
    • Access your passwords
    • View, edit or delete your photos
    Further information
    Further information about the features of the implemented management solution can be found at
    Microsoft Intune is an MDM and MAM provider for your devices
  6. Hardware protection
    UZH owned devices can be further protected by way of Apple DEP or Android Zero-Touch, which attach the devices to our UZH management system. Using this solution, the devices can be handed out to users without the need for preconfiguring them and the device management cannot be turned off by the user.

 

Further Reading

Management schemes for UZH owned devices
Use of UZH Owned Mobile Devices

Features of our management solution:
Microsoft Intune is an MDM and MAM provider for your devices

About Intune Company Portal (MDM):
https://docs.microsoft.com/en-us/mem/intune/user-help/use-managed-devices-to-get-work-done

Self Service Portal for management of privately owned devices:
https://portal.manage.microsoft.com/devices