Apple Mail and Microsoft Exchange, can we restrict admin phone wiping powers?

Just subscribing to basic Office 365 will not grant an Exchange administrator any power to erase or in any other way control an iPhone. All they can do is erase the data in the relevant Office 365 account. However, if the client's plan includes Mobile Device Management, then the administrator has a lot more power. For details I'd suggest starting here:

https://learn.microsoft.com/en-us/microsoft-365/admin/basic-mobility-security/overview?view=o365-worldwide

and if you have more questions, contact Microsoft Support.

Regards.

The last time I tried an account only wipe from our 365 tenant to an iPhone was about a year ago and it wiped the entire device.

Even if that worked, there is no way to restrict the administrator from being able to only do a device only wipe in 365.

We have a policy document that explains this and we require anyone who wants to get email in the mail app or outlook on their personal device to sign that they understand they will be required to physically present the device to US at the time of their termination to remove the app or we will issue a remote wipe of the device.

We are a healthcare facility to the HIPAA rules are pretty strict about the need to do this.

If they don’t want to do that, they can access their email on the web. It’s less convenient, but it gives them an alternative at least.

Whether it’s set up in the Outlook app or the native mail app, the administrators have the ability to remotely wipe the device.

There is no way around that unless the organization wants to enable SMTP access to their 365 tenant, which would be monumentally stupid from a management and security point of view.

Good luck with that. I guarantee it’s not going to change.

I’m assuming you’re new to the industry as this is the way Exchange has worked for many years. The value is placed on the security of corporate data and assets.

As I said, we’ve had people balk at the possibility of their device being wiped if they fail to abide by the rules. The answer is simple… use web mail. Then you don’t have to worry about it.

We’ve also had people balk at the requirement to use an Authenticator application for 2 factor authentication to access their accounts. The answer to that is a little bit harsher. If you refuse to do it, you can’t access your account, which means you don’t have a job. Have a nice day. For those very few staff who do not have a smart phone of any kind capable of running an Authenticator application, we will offer them a hardware security key. The key must be returned when they leave or they will be charged for it. Believe it or not, people have actually refused, believing we can use it to track them somehow… Like we can’t see everything they do when they’re logged into an computer anyway.

In theory, if they are using Outlook and their account is not set up in mail, calendar, contacts, reminders, or notes, it will only wipe company data.

According to Microsoft, if the device supports EAS 16.1, it is possible to do an account only remote wipe.

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/exchange-activesync/remote-wipe-on-mobile-phone

EAS has always been a little bit twitchy, and MS's implementation of it has varied in quality between versions of Exchange and Exchange Online. Since migrating from a standalone Exchange environment about 2 years ago to Microsoft 365 / Exchange online, I have only had one occasion to issue a forced remote erase to a user's device following a very hostile termination and that was a complete device erase.

That document is somewhat misleading. Issuing an erase can wipe the entire device, even if there is no MDM involved.

Source: I learned that the hard way as an administrator.

I dug further into this, and you're right, Tim, if the iPhone users are set up with the native Mail app is connected to Exchange, then the Exchange administrator can indeed wipe all the data from the device using an Exchange Active Sync command. Not something I was aware of since my experience with Exchange predates such capabilities. I'm not at all clear on whether an account-only wipe is supported with iOS or if so whether there's a way to restrict an administrator to only using that command.

Again, this is probably something Mr/Ms Hodgson should take up with Microsoft Support get get full details.

Regards.