How do you handle employees who are fired but leave their email account on their phone?

thecomputerguy

I've run into this issue a few times and somehow I've gotten it to work out every time. But I know one of these times an employee will get fired, and the owner/office manager will forget to remove the O365 email off of their phone/tablet/laptop etc.

Even if I change the password, if that person leaves the email in their phone/tablet/laptop, not only do they have the old data but they will continuously lock the email account due to an incorrect password.

I've told management for multiple companies that they need to either:

1.) Make sure to remove the email account off all of the former employee's devices
2.) Do not allow employees to put business email on their personal devices they own that they will take with them when they leave/are let go and to supply employees with a company-owned phone.

1.) Most businesses will contact me and say hey we let Bob go when they should be notifying me ahead of time.
2.) A lot of businesses will not supply their employees with phones due to cost.

Is there any other way to handle this?
 
Guess I'm not sure how you manage your email....
I have full control over the email on our domain host. I would just rename it as a defunct email. The account info would change and they no longer have access. I can also suspend or forward that account to another.
Several options actually.... It basically wouldn't matter if it was still on their device, I could kill it from the server side.
 
I'm completely new to this (O365)... so please, no one bash me over the head for this. Could the company not back up their emails (like using Mailstore) in the event the former employee goes rogue and starts deleting emails? I understand that this is for one employee's account/profile, but what if the employee in question has access to more than just his/her account?

Again, I'm new to this so I may be totally missing the issue
 
this is what I do

  • Change the User's Password
  • Remotely Wipe their Mobile Device
  • Give yourself access to the User's Mailbox and Archive
  • Export the Mailbox to PST for Archiving
  • Delete the Employee’s mailbox
  • Assign the Employee’s Email Address to Another Person
  • Set up an Auto-Responder/Out-Of-Office for the Employee
  • Free up or Remove the Office 365 Licence
 
O365 recently added an MDM (depending on which level plan...I don't think all of them include it)....so part of onboarding a client with O365, if their plan has the MDM...set it up and make it SOP for the client's staff.

With local on prem Exchange servers...there's a spot to manage mobile devices...can simply break the partnership with that particular mailbox...remove the device. Depending on what options were selected when the phone was originally paired...it can wipe the entire phone. If it was a BYOD you likely don't want that.

Of course changing the password will halt the smart phone from any further syncing...or removing the phone from the mailbox...but it won't remove the existing e-mails/data on the phone which may bring some compliance issues.
 
For ex-employees on Office 365 I convert the user to a shared mailbox and then remove the license. This then allows you to give another employee access to the email, and as it's shared it can't be added to a mobile device and can't be accessed via webmail.
I also change the password as part of my checklist.
Don't forget that Office 365 users also have access to OneDrive and SharePoint, so it's important they don't have access to this, which is where MDM comes into play.

As YeOldestonecat mentioned, Office 365 recently introduced MDM, which I think has 2 new DNS entries when you migrate.
The MDM allows you to control email access, Office and OneDrive access.
I think it enrolls the user's device upon first login and the device has to be compliant with the policies set on Office 365, e.g. prevent installing on a jailbroken phone.

It allows you to remotely wipe the device only for Office 365 and mail... not wiping everything.
 
this is what I do

  • Change the User's Password
  • Remotely Wipe their Mobile Device
  • Give yourself access to the User's Mailbox and Archive
  • Export the Mailbox to PST for Archiving
  • Delete the Employee’s mailbox
  • Assign the Employee’s Email Address to Another Person
  • Set up an Auto-Responder/Out-Of-Office for the Employee
  • Free up or Remove the Office 365 Licence
1. yes
2. usually don't wipe (but if they're under compliance of any sort you'd want to do this and have signed documents in place with HR)
3. yes
4. yes
5. don't usually delete employee mailbox for some time because company usually wants you to forward email. I just leave it for some time so everyone knows about changeover. Keep billing them. Eventually ask them if they'd like mailbox closed then delete mailbox. You could also create "Shared" mailbox and forward email for free from there. I do this sometimes.
6. yes (forwarding)
7. don't usually do Autoresponder but if the customer wanted it you could. Good idea.
8. yes after all is said and done
 
O365 recently added an MDM (depending on which level plan...I don't think all of them include it)....so part of onboarding a client with O365, if their plan has the MDM...set it up and make it SOP for the client's staff.

With local on prem Exchange servers...there's a spot to manage mobile devices...can simply break the partnership with that particular mailbox...remove the device. Depending on what options were selected when the phone was originally paired...it can wipe the entire phone. If it was a BYOD you likely don't want that.

Of course changing the password will halt the smart phone from any further syncing...or removing the phone from the mailbox...but it won't remove the existing e-mails/data on the phone which may bring some compliance issues.
This. O365 gives you full control of the devices. You can set it up to kill the app or the whole phone. It doesn't help you in the situation the OP described, as you need to set this up in advance. But you should do that on any phone they bring in. Or they shouldn't be allowed to use their own phone. Many RMM products also have mobile device management that also allows you to remote lock or remote nuke a phone. Which is also a consideration: what happens if they get their phone stolen with company data on it?
 
This. O365 gives you full control of the devices. You can set it up to kill the app or the whole phone. It doesn't help you in the situation the OP described, as you need to set this up in advance. But you should do that on any phone they bring in.

key words... "But you should do that on any phone they bring in"

Thinking about this AFTER the fact...is like wanting to restore a server, but you never set up backup. Or....preventing a virus on your computer after you get one, but you never installed antivirus.

If phones are to be of a concern, such as granular wipe, or full wipe, HIPAA reasons, etc...install an MDM!!!!
Since we're supposed to be consultants for business clients, proposing MDMs should be something we talk about with them. The OP mentioned this happening a few times with O365. Time to learn about the MDM that O365 has (not the cheap plans). (Here's yet another reason, out of many many reasons, to push the E3 plans.) Or if on the anti-Microsoft bandwagon, one of the 3rd party MDMs out there.

But, also learn how to go into Exchange, and manage the phone partnerships there. Exchange (even older versions) has a basic ActiveSync partnership under each mailbox, where you can remove the phone's pairing to the mailbox. You can see what/how many devices that person had set up on their mailbox, and remove the pairing. Of course before this you've already changed the user's account password...so no further e-mail updates should get to the devices. But you can remove the pairings here. And on newer versions of Exchange you can perform a full wipe of the device from here (good for lost devices). You don't need an MDM for that. But the MDM on the higher plans allows granular wipe.
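
The server-side steps discussed in this thread (list the device partnerships, wipe or remove them, stop further sync, convert to a shared mailbox), collected as an added example that is not from any poster here. It assumes the ExchangeOnlineManagement module and an Exchange admin session; the parameter names `-UserPrincipalName` and `-WipeAccountData` are this script's own, and the password change and licence removal are done separately.

```powershell
# Added example: offboard one departed user's mailbox in Exchange Online.
# Password reset and licence removal are handled outside this script.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. bob@contoso.example (placeholder)
    [switch] $WipeAccountData  # opt in: account-only wipe instead of removing partnerships
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. List every device partnership on the mailbox so nothing is missed.
$devices = @(Get-MobileDevice -Mailbox $UserPrincipalName)
$devices | Select-Object FriendlyName, DeviceType, DeviceId, FirstSyncTime |
    Format-Table -AutoSize

if ($WipeAccountData) {
    # 2a. Account-only wipe: clears the synced mailbox data, not the whole
    #     phone (the BYOD concern raised in the thread). The wipe is picked
    #     up when the device next syncs, so sync stays enabled in this
    #     branch; rerun without -WipeAccountData once it has been acknowledged.
    foreach ($d in $devices) {
        Clear-MobileDevice -Identity $d.Identity -AccountOnly -Confirm:$false
    }
    foreach ($d in $devices) {
        Get-MobileDeviceStatistics -Identity $d.Identity |
            Select-Object DeviceId, DeviceWipeSentTime, DeviceWipeAckTime
    }
    return
}

# 2b. Block the known device IDs and remove their partnerships.
if ($devices.Count -gt 0) {
    Set-CASMailbox -Identity $UserPrincipalName `
        -ActiveSyncBlockedDeviceIDs $devices.DeviceId
    foreach ($d in $devices) {
        Remove-MobileDevice -Identity $d.Identity -Confirm:$false
    }
}

# 3. Turn off the client protocols for this mailbox.
Set-CASMailbox -Identity $UserPrincipalName `
    -ActiveSyncEnabled $false -OWAEnabled $false `
    -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false

# 4. Convert to a shared mailbox so the licence can be freed later and
#    another employee can be granted access to the mail.
Set-Mailbox -Identity $UserPrincipalName -Type Shared
```

Neither branch removes mail that has already synced to a device that never reconnects, which is the compliance gap the MDM replies above are pointing at.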
 