“Allow My Organization To Manage My Device”: What It Means

With more businesses than ever embracing BYOD — Bring Your Own Device — there are plenty of Microsoft 365 users using their own devices for work. With that in mind, when you get the prompt Allow my organization to manage my device, you might be worried about what it means — is your organization able to control and access your personal data?

Accepting the “Allow my organization to manage my device” prompt lets your organization enforce specific settings on your device, see the hardware you are using, and remotely wipe sensitive work files from your device. Your organization cannot see all your files; only the files associated with your work account. They may enforce policies that affect your experience using your device.

We’ve also created a video talking you through what the “Allow my organization to manage my device” prompt means. You can watch it here:

If you allowed your organization to manage your device via any of the Microsoft 365 applications, your device will become linked to your business account and registered in your organization’s Azure AD. That allows your organization to manage your device using Microsoft Intune.

For more on Microsoft Intune, read What Is Microsoft Intune and How Does It Work?

In this blog post, I’ll explain a bit more about what your organization can do if they “manage” your device, what information your organization can see when you enroll your device, and how you can disable your organization’s ability to manage your device.

What does “Allow My Organization To Manage My Device” mean?

In basic terms, it means Microsoft detected your account’s association with Azure Active Directory. By accepting the prompt, you’re enrolling your device in the company’s directory, giving your organization certain capabilities, such as the ability to perform a factory reset on your device.

If you’ve accidentally clicked “Allow my organization to manage my device” — which, undoubtedly, a lot of people have without reading it properly — you’re probably panicking about how much control it gives your organization. That’s especially true if you are using your personal device at work.

The capabilities your organization has when you accept the prompt above depend on whether they’re using Basic Mobility and Security or Microsoft Intune.

Basic Mobility and Security offers some basic capabilities, such as:

  • Setting and managing security policies.
  • Limiting access to Exchange Online, SharePoint Online, and Outlook.
  • Configuring device settings, such as disabling the device camera.

Microsoft Intune is a much more advanced solution, giving your organization much greater control over the devices enrolled. From the organization’s perspective, this allows them to protect their data. However, from your perspective, it could impinge upon your own privacy.

In the table below, we can look at and compare the capabilities of Basic Mobility and Security and Microsoft Intune/Endpoint Manager. Basic Mobility and Security is included with all Microsoft 365 plans, while Intune is only included in the more expensive subscriptions (Microsoft 365 Business Premium, Microsoft 365 Education, and Microsoft 365 Enterprise Mobility & Security).

Basic Mobility and Security & Microsoft Intune Feature Comparison

| Feature | Basic Mobility and Security | Microsoft Intune |
|---|---|---|
| Managing different OS platforms | 4 OSs: Windows, iOS, Android, & Samsung KNOX | 6 OSs: Windows, iOS, Android, Samsung KNOX, macOS, & iPadOS |
| Set and manage security policies | Yes, with limitations on Android 9 and later | Yes |
| Prevent noncompliant devices accessing email and data from the cloud | Limited to controlling access to Exchange Online, SharePoint Online, & Outlook | Yes |
| Device configuration | Yes, with limited settings to choose from | Yes: comprehensive set of configuration settings to choose from |
| Email profile provisioning | ✔️ | ✔️ |
| WiFi profile provisioning | | ✔️ |
| VPN profile provisioning | | ✔️ |
| Mobile application management (MAM) | | ✔️ |
| Mobile application protection | | ✔️ |
| Remote actions (retire, wipe, & full wipe) | ✔️ | ✔️ |
| Remote actions (full scan, remote lock, rename device, reset passcode, synchronize device, etc.) | | ✔️ |

As you can see in the feature comparison above, Microsoft Intune is significantly more comprehensive than Basic Mobility and Security. Reading down the feature list should give you a good idea of what your organization can do with your device, whether they’re using Basic Mobility and Security or Microsoft Intune.

The features the two services have in common are listed below, with an explanation of what each feature means.

| Feature | What the feature means |
|---|---|
| Set and manage security policies | Your organization can set and enforce security policies that, for example, force you to change your password regularly or to choose a password of a certain strength. |
| Prevent non-compliant devices accessing email/data | If your device doesn’t comply with company policies, your organization can prevent you from accessing your email and company data. |
| Device configuration | Your organization can configure device settings, for example disabling the camera or enforcing automatic software updates. |
| Email provisioning | Email provisioning enables your organization to provide a native email profile on your device. |
| Remote actions (retire, wipe, & full wipe) | There are three remote actions included with both Basic Mobility and Security and Intune: retire, wipe, and full wipe. Retire removes Office data from a device, leaving personal data. Wipe removes Office apps from a device, while full wipe resets a device to its factory settings. |

If you’ve accidentally enrolled your personal device, you can follow the step-by-step process for unenrolling your device. You can then reinstall the Microsoft 365 software you need while selecting “This app only” next time round.

If you’re wondering what information your organization can see about the devices enrolled, I’ll explain that next.

What information can my organization see when I allow them to manage my device?

Basic Mobility and Security and Microsoft Intune are Microsoft services designed to let businesses control and manage their data and network. Therefore, your organization can see a lot of information about your device when you enroll it.

As part of researching this blog post, I reached out to Microsoft asking the question of what information organizations can see when you enroll your device. A member of their tech support team, Austin, said:

“Information that is available to your organization will be device-specific details like identifying information (serial, IMEI, make, model).

Things that your organization will never be able to see (phone records, text messages, personal data, pictures, browsing history).

Things to keep in mind:

• If the device is fully enrolled into Intune, then your company will be able to wipe it/factory reset it. (This is to protect organizational data in the event that your device becomes lost or stolen).

• In the event you leave the company, I would make sure you make your phone ready to be factory wiped. You do not have to wipe the phone, and can simply retire it and remove company data only, but a lot of Intune administrators don’t know this, or don’t care.”

Microsoft tech support

Disclaimer: Opinions and information provided by any Microsoft staff are of a voluntary nature and there is no warranty implied or explicit with any assistance granted by self-identified Microsoft personnel on any social media outlet, including Reddit.

After receiving the response above, I logged into my organization’s admin center to have a look around at exactly what information can be seen by your organization when you enroll your device.

This is the information your organization can see about your device when you allow your organization to manage your device:

  • Device name
  • Management name
  • Ownership
  • Serial number
  • Primary user
  • Enrolled by
  • Compliance
  • Operating system
  • Device model
  • Device manufacturer
  • Last check-in time
  • Operating system version
  • Storage space
  • Discovered apps

The screenshot below shows the overview dashboard in the Microsoft Endpoint Manager admin center. If your organization is using Intune — as ours does — much more information is available when compared with Microsoft’s Basic Mobility and Security.

Here we’re just looking at the overview, without digging deeper into any of the information available. As you can see, by enrolling your device, you make a lot of information available to your organization.

At the end of the day, you don’t really have anything to worry about. The main concern, in my opinion, is your organization having the ability to remotely wipe your device back to factory default if you’re using your personal device for work purposes.

With that in mind, you might want to unenroll your device and stop your organization from managing it. Next, I’m going to explain how you can do that while retaining the capability of using the Microsoft applications you need to complete your work.

How to Stop Allowing your Organization to Manage your Device

There are numerous methods for revoking your organization’s ability to manage your device. However, this is by far the easiest:

  1. Go to “Settings” on your device.
  2. Click “Accounts.”
  3. Click “Access work or school.”
  4. Select the account you connected your device with.
  5. Click “Disconnect.”

Following the process above should disconnect your device from your work account, preventing your organization from managing your personal device going forward.

After following the process above, you might notice that you’ve been signed out of all your Office applications. When you sign into them again, you’ll be prompted to Allow your organization to manage your device. Instead of allowing this again — and restoring your organization’s control over your personal device — select “This app only.” That means your organization can only control what you do within that particular application.
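To confirm that the disconnect actually took effect, here is an added PowerShell example (not from the original post) that parses the output of the built-in `dsregcmd /status` command and reports whether the device is still Azure AD joined or registered and whether an MDM enrollment URL is present. It assumes the field names dsregcmd prints on current Windows 10/11 builds (AzureAdJoined, WorkplaceJoined, MdmUrl, TenantName, DeviceId); the WorkplaceMdmUrl and WorkplaceTenantName fields used for the registered-but-not-joined case are my assumption.

```powershell
# Added example (not from the original post): report whether this Windows
# device is still registered with an organization after clicking "Disconnect".
# Field names are those printed by `dsregcmd /status` on current Windows
# builds; WorkplaceMdmUrl / WorkplaceTenantName are assumed for the
# registered (BYOD) case. A missing field is treated as unset.
function Get-DeviceManagementState {
    $fields = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        # Status lines look like "     AzureAdJoined : YES". Section headers
        # and "+----+" separators do not match and are skipped. The lazy value
        # group still captures URL values, which contain a colon themselves.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # AzureAdJoined: the device itself is joined to the tenant (company PCs).
    # WorkplaceJoined: a work account registered the device, which is what
    # accepting "Allow my organization to manage my device" does on a BYOD PC.
    $joined     = $fields['AzureAdJoined']   -eq 'YES'
    $registered = $fields['WorkplaceJoined'] -eq 'YES'

    # An MDM URL is only present when the device is enrolled in Intune or
    # Basic Mobility and Security, not when you chose "This app only".
    $mdmUrl = @($fields['MdmUrl'], $fields['WorkplaceMdmUrl']) |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        Select-Object -First 1

    $tenant = if ($fields['TenantName']) { $fields['TenantName'] } else { $fields['WorkplaceTenantName'] }

    $summary = if ($joined -or $registered) {
        'Still registered with an organization; Disconnect has not taken effect or another work account is linked'
    } else {
        'No organization registration found on this device'
    }

    [pscustomobject]@{
        AzureAdJoined   = $joined
        WorkplaceJoined = $registered
        MdmEnrolled     = [bool]$mdmUrl
        MdmUrl          = $mdmUrl
        Tenant          = $tenant
        DeviceId        = $fields['DeviceId']
        Summary         = $summary
    }
}

Get-DeviceManagementState | Format-List
```

Run it before and after the Disconnect steps: the expected change is WorkplaceJoined and MdmEnrolled flipping from True to False, with the tenant name and MDM URL disappearing.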

Here’s a step-by-step demonstration of the process outlined above with screenshots.

Disconnect your organization device (Windows)

  • Click or right-click the “Start” button and select “Settings” from the popup menu.
  • Alternatively, press the Windows and “I” keys on your keyboard (Windows + I).
  • You can also type “settings” into your Windows search bar and “Open” the app.
  • Click “Accounts.”
  • Click “Access work or school” on the left menu.
  • Select the account your device is connected with.
  • Then click the “Disconnect” button.

Disable your organization device (Windows & Mobile)

Another method for removing your device is to disable it in the devices section of your Microsoft account page. Please note that once disabled, you will need an admin to re-enable your device. You will need to send them your “Device object ID.”

  • Go to your Microsoft account page.
  • Click on “Devices” in the left menu.
  • Click the down arrow next to the device you want to disable.
  • Then click the “Disable lost device” button.
  • In the mobile layout, click on “Manage Devices” instead.
  • Click the down arrow next to the device you want to disable.
  • Then click the “Disable lost device” button.

Sign out of your organization account (Windows & Mobile)

You can prevent your organization from managing your device by signing out in the Office Web Portal. Please follow the steps below to do that.

  • Go to your Office Web Portal.
  • Click on “Apps & devices” in the left menu.
  • Click on the down arrow next to “DEVICES.”
  • Then click “Sign out” next to the device you want to sign out of.

When you sign out of Office, you won’t be able to save files to OneDrive. However, the Office software will remain installed on your device and your subscription will continue.

Conclusion

When you allow your organization to manage your device, your company will have access to certain information, which we have specified in this article. The extent of information to which they have access will depend on whether they use Microsoft Intune or Basic Mobility and Security.

Thanks for reading this blog post! If you’ve any questions, please leave a comment below and we’d be happy to help.

Jack Mitchell

Jack Mitchell has been the Operations manager at telecoms and MSP Optionbox for more than 4 years. He has played a crucial role in the company, from marketing to helpdesk, and ensures that the IT requirements of over 300 clients are continuously met. With his innate passion for technology and troubleshooting and a particular interest in Apple products, Jack now delivers the most comprehensive tech guides to make your life easier. You can connect with Jack on LinkedIn.