How do you handle Traveler Wipe when users leave the company?
BT (Before Traveler) - when we get informed of a user leaving the company, we run an agent that, among other things, deletes the user’s account, adds their name to a ‘no access’ group, etc. If there was a ‘delay’ before deleting the user, we would at least change their web password, add their name to a ‘no access’ group, and process the delete later.
However, in order for Traveler Wipe to work, the user has to still be in the address book (not deleted), and able to log onto the server (not listed in ‘no access’ group, webmail password unchanged).
So, from a security standpoint, once a user ‘leaves’, and you’ve submitted a Traveler Wipe for a unit, and while you’re frantically hitting ‘F9’ waiting for the wipe to occur, how do you keep the user from logging into webmail, or from logging into a Notes client?
I agree the procedure and removal sequence isn’t clear cut.
If the user has one of our phones I lock them out with the Deny Access group. I’m not as worried about what they might have cached on the phone in Traveler as I am about locking them out NOW. When I get the phone back I do a hard reset. I’ll re-enable the user account for a couple of minutes a few days later and do the “traveler delete” and “traveler security delete” commands to remove them permanently from the Traveler db. Then, either Deny Access the user again or purge them completely.
If it is a BYOD, then I simply lock them out. If given the opportunity I tell them how to uninstall Traveler. If not, I’m done. Users have ample opportunity to have saved offline whatever they had access to prior to “leaving”. There is no way to ensure they don’t have copies of things even if you wipe the phone immediately.
The uncertainty as to how long it will take to wipe, and the difficulty of getting firm confirmation as to when it happens has led me to Deny Access first, deal with the phone later.
The only time I’ve remote wiped a device was when the phone was lost and the user was still with the company.
The ability to remote wipe phones after being locked out is on my wish list. Heck, I wish we had the simple ability to remove users and devices from Traveler AFTER the user has been deleted from the company address book. That has caused me headaches before, too.
You can remove the IBM® Lotus Notes® Traveler application and data from the device and, depending on the device, restore the device to the factory default settings.
In the document below there is additional information:
Thanks, Bradley, but won’t adding the user to the Deny Access group also keep the Traveler client from connecting, and subsequently processing the ‘wipe’ command?
If you want to keep the user from logging into webmail, you can place the user into a Deny Access Group on the Domino Mail server. This will stop him from accessing the server from either a Notes client or from Web Mail.