Use of Mobile Devices

The management scenarios specified on this page are scheduled to be replaced by end of August 2021. Due to absences the activation has been postponed from July to August. For a reference of what to expect afterwards, please consider these pages:

Pilot: Use of Privately Owned Mobile Devices
Pilot: Use of UZH Owned Mobile Devices


If you would like to use Microsoft 365 (or components thereof, e.g. Teams) on your mobile device, additional security requirements must be met so that it can be used in compliance with data protection regulations. For example, every mobile device must be protected with a password or code so that the data is not freely accessible if the device is lost.


In order to make the configuration as user-friendly as possible while ensuring that all necessary settings are applied, UZH uses the "Intune Enterprise Portal". This is a so-called Mobile Device Management (MDM) system, i.e. software that checks and manages the security settings of mobile devices.

Which settings are checked on the mobile devices?

  1. Password: Each mobile device must be protected by a password.
    1. The password may not be simple (e.g. ascending numbers) and must be at least 6 characters long.
    2. After 10 incorrect password entries, the device must be wiped.
    3. In case of inactivity, the device must lock after 5 minutes (password entry required thereafter).
  2. Data:
    1. Microsoft 365 UZH data must be stored on the device in encrypted form so that other apps cannot access it.
    2. It must be possible to delete the Office 365 UZH data in the event of device loss or when leaving UZH.
  3. Device security:
    1. The device must run the manufacturer's original software (no modified version, e.g. jailbroken or rooted).
    2. Microsoft offers the Office 365 apps via the official portals of Android, iOS and Windows (Google Play Store, App Store and Windows Store). Installing the apps may not be possible on outdated hardware or software.
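To make the checked settings concrete, here is an added illustration (not UZH's or Microsoft's code) of how an MDM evaluates a device against the rules listed above. The device records are constructed, the field names are assumptions rather than Intune's real schema, and the definition of a "simple" passcode (repeated digit, or a run of consecutive ascending or descending digits) is an assumed reading of rule 1.1:

```python
"""Compliance check modelled on the MDM requirements listed above.

Added illustration, not UZH's or Microsoft's code. The device records are
constructed and the field names are assumptions, not Intune's real schema.
"""
from dataclasses import dataclass
from typing import Optional

MIN_PASSCODE_LENGTH = 6     # rule 1.1
MAX_FAILED_ATTEMPTS = 10    # rule 1.2: device wipes itself after this many wrong entries
MAX_INACTIVITY_MINUTES = 5  # rule 1.3: auto-lock timeout


def is_simple_passcode(code: str) -> bool:
    """Return True for the 'simple' patterns rule 1.1 forbids.

    Assumed definition: all digits and either a single repeated digit, or a
    strictly ascending/descending run of consecutive digits (123456, 654321).
    """
    if not code.isdigit():
        return False
    if len(set(code)) == 1:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(code, code[1:])}
    return diffs == {1} or diffs == {-1}


def passcode_acceptable(code: str) -> bool:
    """What the device should enforce when the user sets a passcode (rule 1.1)."""
    return len(code) >= MIN_PASSCODE_LENGTH and not is_simple_passcode(code)


@dataclass
class DeviceState:
    """Settings as a device would report them to the MDM (constructed schema)."""
    name: str
    passcode_set: bool
    passcode_min_length: int            # minimum length the device currently enforces
    simple_passcode_allowed: bool
    wipe_after_failures: Optional[int]  # None = feature switched off
    lock_after_minutes: Optional[int]   # None = device never auto-locks
    work_data_encrypted: bool           # rule 2.1
    rooted_or_jailbroken: bool          # rule 3.1


def evaluate(device: DeviceState) -> list:
    """Return the list of violated rules; an empty list means compliant."""
    violations = []
    if not device.passcode_set:
        violations.append("1: no passcode set")
    if device.passcode_min_length < MIN_PASSCODE_LENGTH:
        violations.append(f"1.1: minimum passcode length {device.passcode_min_length} "
                          f"< {MIN_PASSCODE_LENGTH}")
    if device.simple_passcode_allowed:
        violations.append("1.1: simple passcodes allowed")
    if device.wipe_after_failures is None or device.wipe_after_failures > MAX_FAILED_ATTEMPTS:
        violations.append(f"1.2: no wipe after {MAX_FAILED_ATTEMPTS} failed attempts")
    if device.lock_after_minutes is None or device.lock_after_minutes > MAX_INACTIVITY_MINUTES:
        violations.append(f"1.3: auto-lock later than {MAX_INACTIVITY_MINUTES} minutes")
    if not device.work_data_encrypted:
        violations.append("2.1: work data not encrypted")
    if device.rooted_or_jailbroken:
        violations.append("3.1: device is rooted or jailbroken")
    return violations


# Constructed sample devices (not real inventory data).
COMPLIANT = DeviceState("phone-ok", True, 6, False, 10, 5, True, False)
NONCOMPLIANT = DeviceState("phone-bad", True, 4, True, None, 30, True, True)

if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        problems = evaluate(dev)
        print(dev.name, "compliant" if not problems else "; ".join(problems))
```

A real MDM never sees the passcode itself; it only learns the policy the device enforces (minimum length, whether simple codes are allowed), which is why the check of a candidate passcode and the evaluation of the reported device state are kept as separate functions.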

How does MDM work?

After installing the Enterprise Portal app from the appropriate store and logging in with a Microsoft 365 UZH account, the security requirements are checked and a management profile is installed. In addition to the security settings, the profile also contains the account information and allows access to UZH data with the Office 365 applications (e.g. OneDrive, OneNote, Word, Excel, PowerPoint). If the profile is removed by the user or by the UZH administrator, all Office 365 UZH data and account information is automatically deleted from the device. Direct access to the data stored on the device or to the user's connection data is not possible.

MDM functions

  1. Selective deletion (retire):
    By deleting the management profile, all Microsoft 365 UZH data and account information can be removed from the device without changing any other data on the device. The user can do this manually in the device settings. Alternatively, the user can delete the management profile in the Microsoft 365 Portal or in the Enterprise Portal app (even from another device). In addition to this self-service, an administrator can also delete the profile, for example if the user no longer has access to the self-service options mentioned above.
  2. Reset to factory settings (wipe):
    In addition to selective deletion, a device can also be wiped completely. This makes sense especially in case of loss or theft of the device, as private data on the device is then deleted as well.
  3. Locating the device:
    Through the Microsoft 365 Portal, the location of the device can be determined by the user (self-service) or by an administrator. Besides simply locating a device, this information can also be used in security rules; for example, access from certain countries can be blocked.
  4. Security settings:
    As long as the management profile is installed on the device, the device itself ensures that the security settings described above are maintained. If the profile is removed, the Microsoft 365 UZH data is deleted and the device is no longer managed.
  5. Device data:
    The administrator is able to:
    • View model, serial number and operating system
    • Identify your device by name
    • Reset lost or stolen devices to factory settings (only on explicit instruction of the user)
    • View apps you have installed*
    • Display the phone number of your device*
    • View information collected by enterprise apps and networks*
    • View the location of a lost device*
    *) Functions currently not available. So far we use the MDM integrated in Microsoft 365; if we introduce an additional MDM solution later on, the marked functions would become possible as well. An additional MDM solution makes sense, for example, if we want to push apps, WLAN or VPN settings to the mobile devices automatically.
    The administrator is not able to:
    • View the browsing history on your device
    • View personal e-mail, documents, contacts or calendars
    • Display data from other apps
    • Access your passwords
    • View, edit or delete your photos

Further information

Further information about the capabilities of the MDM solution in use can be found under the following link:
Capabilities of Basic Mobility and Security


Use without MDM

If a device does not meet the security requirements, or if a user does not want to install MDM, Microsoft 365 UZH cannot be accessed through the Microsoft apps. In this case, restricted functionality is available via the device's browser (https://portal.office.com). However, this variant does not offer any offline options.


Use of private devices

In general, the use of private devices with Microsoft 365 UZH is permitted. However, Central IT reserves the right to block devices in case of misuse or for security reasons and to delete Microsoft 365 UZH data. Microsoft 365 UZH data is stored separately from the existing data on the device in so-called accounts. This allows different Microsoft 365 accounts to be used in parallel on a single device. However, multiple management profiles cannot be installed.


Backup of mobile devices

It is strongly recommended to make regular backups of mobile devices. Device backups do not include Microsoft 365 UZH data; that data is backed up within Microsoft 365 itself. Central IT does not offer support for the recovery of private data; please contact the respective manufacturer's support.

Store accounts (iCloud, Google Play, ...)

Please do not use a UZH e-mail address to register your store accounts, as you will otherwise lose access to purchased content such as apps and music, and to your backups, when you leave UZH.

Information about Intune Enterprise Portal (MDM): https://docs.microsoft.com/en-us/mem/intune/user-help/use-managed-devices-to-get-work-done

Self Service Portal to manage the personal devices: https://portal.manage.microsoft.com/devices