Microsoft 365 Protection FAQ
Below are frequently asked questions about Microsoft 365 Protection.
- 1 Why do we need this? What is the point of the Microsoft 365 Protection Program?
- 2 What qualifies as “organizational data” that needs to be protected?
- 3 What if I don’t want WVU to be able to manage my personal phone or tablet?
- 4 But this feels intrusive. Isn’t there a better way?
- 5 I used to be able to merge my personal calendar and email with my work calendar and email. Why doesn’t that functionality work anymore?
- 6 If I’m already using these Microsoft apps on my mobile device, do I need to reinstall them?
- 7 Does this mean I have to use two different authentication methods to get into WVU systems?
- 8 How often will I need to enter my PIN to access these apps?
- 9 Does this mean all my other apps are behind that PIN or biometric identifier?
- 10 What if I don’t want to participate in this?
- 11 Why can’t I copy and paste information from a Teams message into a text message?
- 12 What do I do if I can’t open a file on my phone?
- 13 How soon after an employee separates from WVU will their access to Microsoft services be blocked and the WVU data wiped from their personal device?
- 14 Who should I contact if there are any issues?
Why do we need this? What is the point of the Microsoft 365 Protection Program?
The University is obligated to protect organizational data to comply with various laws and regulations, and to maintain cybersecurity insurance coverage.
A security audit recommended that WVU create a process to secure personally owned mobile devices that access sensitive data and, if necessary, erase that data or block access. This protects the University in many scenarios, including employee separation and when a device is lost or stolen.
Currently, you can save email attachments, OneDrive files, or files from Teams/SharePoint to your personal device. This practice does not protect WVU’s data.
What qualifies as “organizational data” that needs to be protected?
“Organizational data” is anything that is saved in or opened from a WVU Microsoft 365 cloud service such as Outlook email, Calendar, OneDrive or SharePoint. Outlook is the primary email account for all WVU employees, regardless of whether they are faculty or staff, and this is the account that should be used for conducting University business. Any document or content that is shared via a WVU email account makes that document “organizational data,” regardless of its purpose or origin.
If content is created on your personal device and saved only on your personal device, it is not organizational data. However, if you receive personal content from someone else in your WVU email and open it, that content also becomes organizational data and cannot be printed, etc.
All employees should be using personal accounts for personal business. The Acceptable Use of Technology Resources Policy allows only de minimis personal use of University technology resources. You also should have no expectation of privacy if you are using a WVU account for personal matters. Employees should be using Outlook to conduct WVU business.
What if I don’t want WVU to be able to manage my personal phone or tablet?
WVU won’t be managing your mobile device. This program only manages your access to WVU’s Microsoft applications including email, Teams, Calendar, OneDrive, and SharePoint.
But this feels intrusive. Isn’t there a better way?
This is the least intrusive option to maintain the required security protections. There are two approaches to securing organizational data: Mobile Application Management, which is the path WVU has chosen, or Mobile Device Management.
Mobile App Management requires you to use WVU-managed Microsoft apps for access to work-related data, putting it into a separate electronic “bucket” from your personal content. If/when you separate from WVU, or your personal device is lost or stolen, we can securely wipe WVU content only. This approach also prevents the need to apply other WVU security settings to your personal device.
Mobile Device Management lets you continue using native mail and calendar apps such as iOS Mail, with no separation between WVU data and your personal data. WVU would have to wipe your entire device upon separation to remove WVU data. That would be more disruptive to you and more intrusive than we need to be. Our concern is our data, not your device.
I used to be able to merge my personal calendar and email with my work calendar and email. Why doesn’t that functionality work anymore?
The purpose of the Microsoft Protection Program is to create a separation between WVU data and an employee’s personal data. If you can save WVU data to your personal device, the organizational data is not protected. This includes calendars and email messages. Creating two separate containers for work and personal items makes it easier for WVU to remove its data from your personal device without managing or altering your personal data.
You can, however, add a Gmail account or another kind of personal email to your Outlook mobile app. This keeps your content in different electronic containers but lets you view all your calendar appointments in one location if you like.
If I’m already using these Microsoft apps on my mobile device, do I need to reinstall them?
No, you don’t have to reinstall them. The first time you use an app after you’re enrolled, you may see a message reading, “Your organization has applied protection to this app and needs to restart it.” That’s it. If you are already using the Outlook app, it will create a separate container between your personal Outlook email account and your WVU Outlook email account.
Does this mean I have to use two different authentication methods to get into WVU systems?
No. As you go through your day and need access to Microsoft services, you will unlock them with either the PIN you’ve created or a biometric identifier such as a fingerprint or facial recognition scan. The authenticator app is a one-time part of the setup process.
How often will I need to enter my PIN to access these apps?
Your overall activity within WVU-managed Microsoft apps will be tracked. Any time you are idle for 15 minutes, you will be asked to reauthenticate. If you access Teams and then immediately switch to Outlook Mobile to read email, you won’t be asked to reauthenticate.
Does this mean all my other apps are behind that PIN or biometric identifier?
No, the PIN or identifier just keeps the WVU-managed Microsoft apps separate and secure. It doesn’t affect your other apps. However, to protect yourself in cases of loss or theft, Information Technology Services recommends you secure overall access to your device with a PIN or biometric identifier.
What if I don’t want to participate in this?
If you are an employee of a unit that has been enrolled in the Microsoft Protection Program and you want to access these WVU-managed apps on your personal phone, you must participate. You won’t be able to access WVU data on your personal devices without installing these apps. If you don’t want to access WVU data on your personal phone or tablet, that issue should be discussed with your supervisor.
WVU is obligated to protect University data and address audit findings. If the nature of your work does not require you to check email or Teams, or otherwise use Microsoft services on your personal phone, this change won’t affect you.
Why can’t I copy and paste information from a Teams message into a text message?
WVU data can only be copied and pasted from one WVU-managed app into another. So, data can be copied from Teams and pasted into Outlook email or vice versa. But data cannot be copied from Teams and pasted into a text message. However, you can copy data from a text message and paste it into a Teams message. Email attachments can be saved to SharePoint or OneDrive, but cannot be saved to your personal device.
What do I do if I can’t open a file on my phone?
If you can’t open a protected file on your phone, try installing Microsoft’s Azure Information Protection (AIP) app.
Install the AIP app on Android: After installing, select AIP Viewer when a file prompts you to select an app before opening.
Install the AIP app on iOS: After installing, tap Share when prompted to select an app to open a file. Select Share file via, then Copy to AIP Viewer.
How soon after an employee separates from WVU will their access to Microsoft services be blocked and the WVU data wiped from their personal device?
Access to the Microsoft 365 mailbox and organizational data ends when the employee’s account is disabled. Former employees who can’t log in with WVU credentials and Duo two-factor authentication cannot access WVU data. After 90 days, WVU data is wiped from the device.
Who should I contact if there are any issues?
If your college or department has its own IT support team, contact them first for help. If they cannot assist, or your unit is supported by Information Technology Services, call the Service Desk at 304-293-4444.