How much access does Microsoft exchange give to my admins?

I believe Lawrence was referring to me above. I manage Exchange and a bunch of mobile devices (among other things) for may organization.

Adding the account to your device does not give them access to any data on your phone. They have access to the contents of your Exchange account, but that's because it's their Exchange server.

What it does is lets the administrators enforce policies on the device.

They can set minimum passcode length requirements, passcode complexity requirements, alphanumeric password requirements, maximum inactivity time to device lock, and enforced password history (so that you can't re-use passcodes).

They can also require device encryption (not an issue on iOS as all devices with a passcode are encrypted), and force encrypted backups if backing up to iTunes. This has tripped some people up as they were unaware this happened and their Exchange password was used to encrypt the backups. Problem is the encryption password for iTunes backups doesn't change when the Exchange password does...

They can also forcibly disable the camera on the device.

Lastly, the admins can forcibly erase the device. They have a choice between only erasing the EAS synced data or wiping the entire device.

This is all true whether it's a personal or company owned device.

It is also true if you install an app like Microsoft Outlook and set the account up in that instead of in the native accounts on the device itself.

Exchange ActiveSync was designed specifically to give companies control over their data to ensure that it's secure.

I happen to be in IT in a healthcare setting. Without these safeguards, we could never allow staff to access email whether it was a company or personal device. HIPAA laws require encryption, passcodes, ability to remotely erase Protected Health Information when the recipient no longer has a legitimate medical need for the information, etc.

As I said, they have no information to any data on your device. They can't actually access the mail that's on your phone... but because they own the mail server, they can access it there if they want.

I've only had to issue a remote wipe of someone's phone a handful of times, and all but one of those was because the device was damaged, lost, or stolen. There has only been one case of a termination that got ugly that necessitated remotely wiping a live phone that someone was still using.

You should still never store any personal information on a company owned device. Anything you put on it belongs to the company, not you. Same goes for company owned computers.

They would have access to any data in your MS Exchange account. They would not have access to other data on your phone, but they could still manage pretty much all settings that would affect security, such as a password length and type (numeric or alphanumeric), screen lock time, forced backup encryption, disable the voice recorder, camera settings, copy & paste from the Exchange account to anywhere else, and a lot more. But it is settings that they control, not access to content other than the Exchange data.

This would be a question to ask Microsoft. It is not an Apple product

An iPhone with an ActiveSync account can be managed remotely. It is primarily security settings, including forcing passcode rules, limiting the camera, and remotely erasing the phone. They can’t view your data, other than the contents of your Exchange account (email, contacts and calendars) It’s not a good idea to put any personal information on a company phone; for one thing, if it’s a company phone they own all of the content you add to it. There is another level 10 user in the forum who is actually an ActiveSync manager; perhaps he will see this thread and provide more detail.

Thanks Tim, great and more coherent answer than mine. I was thinking of you or Mr H.