Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Question:

Question: About Exchange and remote wiping

My employer provides an Exchange account which I can access on my iPhone.

I've been using this for a while, and just recently I noticed the remote wipe feature on the Exchange web app.

I decided to backup my iPhone and try out the feature; my iPhone was completely erased. Not just the Exchange account, but everything.


Now, since my iPhone is owned by me and not my employer, I was a bit astonished that this was possible. Obviously an administrator of my employer would be able to do the same; remotely wipe my iPhone without my consent.

The thing that I'm confused about, is that I have never seen any warning or notice about this. My employer hasn't told me, and the iPhone does not show any warnings when configuring the account.


Are there any other features provided for Exchange administrators which I should be aware of? Are they able to, for example, monitor messages or data transmitted outside the Exchange account (since they're also able to wipe everything outside the Exchange account)? Can they control anything else?


My point is, I'd like to fully understand what I'm implicitly agreeing to when configuring an Exchange account, and it would be great if the device would notify me about all this. Perhaps someone can provide the details on this matter?

Posted on

Reply
Question marked as Solved
Answer:
Answer:

I've done some searching myself and I found the MDM spec and the iPhone configuration utility. Question answered.


I've also stumbled upon an interesting read on the matter: http://code.technically.us/post/1109586140/exchange-remote-wipe-is-a-terrible-te rrible-bug

Posted on

Question marked as Helpful

Jun 1, 2011 6:41 AM in response to rvanmil In response to rvanmil

http://technet.microsoft.com/en-us/library/bb232129.aspx


I wrote a long reply, explaining that by connecting your device to a network, you are peforming a handshake of control, between yourself and the domain.


Activesync is a microsoft protocol for connecting devices to an exchange, it's gotten more and more granular control with each Exchange release, above are some of the things you're agreeing to


It's also available in Gmail & AppleSo it's not a new thing.


Hope this helps.

There’s more to the conversation

Read all replies
Question marked as Solved

Jun 1, 2011 1:26 AM in response to rvanmil In response to rvanmil

I've done some searching myself and I found the MDM spec and the iPhone configuration utility. Question answered.


I've also stumbled upon an interesting read on the matter: http://code.technically.us/post/1109586140/exchange-remote-wipe-is-a-terrible-te rrible-bug

Jun 1, 2011 1:26 AM

Reply Helpful

Jun 1, 2011 5:56 AM in response to rvanmil In response to rvanmil

If your iPhone has been given to you by your employer, why are you bothered about losing any data?

If you want to put data you own on a device, do it with your own Phone.


I'm an exchange admin/ and i own an iPhone btw - so i can all sides of this argument, as pointed out in the link, its there as a safeguard for drunken salesmen who leave the phone in


1.coffee shop

2.lapdancers bar

3.back of a taxi



You can choose any of the above.


Assume you're using Exchange 2010, since you mentioned 'web apps', this feature works all devices connected to the Exchange by the way, not limited to the iPhone.


Few companies allow iPhones because of the threat they post.


1. You need to usually, activate it by utilising iTunes ( not a corporate application )

2. Exchange Admins/ IT Department are usually tasked with keeping the device(s) updated. which can ONLY be done via iTunes - again, not a corporate application - iTunes which itself requires ports opened on a corporate firewall ( 80 & 443 i think ) installs a lot of services ( mDNSResponder, Bonjour, ) etc, and whilst these are not entirely threat worthy points, they do increase the surface area of attack.


Once this area gets great enough, you are losing track of who owns what device, and give up caring because as long as it looks good you get no irate phone calls saying it ' DOESNT drop calls, it ' DOESNT have a terrible battery life'


You know, all the things us Exchange admins have to put up with all other devices( including iPhones )


My argument here, is that you want to connect your own device to a network you have NO control over, and moan when caution is exercise.


This is similair to borrowing a freinds car, and using all their petrol and then filling it up with your own and giving them the bill.

Jun 1, 2011 5:56 AM

Reply Helpful

Jun 1, 2011 6:32 AM in response to BryC In response to BryC

BryC, I'm not at all interested in the reasons why administrators think they need this kind of control.


What I wanted to know is what kind of remote control features an Exchange admin gets when I configure an Exchange account on my iPhone, since my employer doesn't tell me and the iPhone doesn't tell me either.

Jun 1, 2011 6:32 AM

Reply Helpful
Question marked as Helpful

Jun 1, 2011 6:41 AM in response to rvanmil In response to rvanmil

http://technet.microsoft.com/en-us/library/bb232129.aspx


I wrote a long reply, explaining that by connecting your device to a network, you are peforming a handshake of control, between yourself and the domain.


Activesync is a microsoft protocol for connecting devices to an exchange, it's gotten more and more granular control with each Exchange release, above are some of the things you're agreeing to


It's also available in Gmail & AppleSo it's not a new thing.


Hope this helps.

Jun 1, 2011 6:41 AM

Reply Helpful (1)

Jun 6, 2014 8:30 AM in response to BryC In response to BryC

"If your iPhone has been given to you by your employer, why are you bothered about losing any data?"


Because you find you're in the same jeopardy if you use your personal phone to access your employer's Exchange server. Fair enough in some sense, but the loaned car is at least potentially reversed here -- Your work data is going for a free ride on your device.


I understand there are edge cases ("But wait, you had access to work email, so you may have saved precious docs to your phone! They have every right to erase those!"), but the OP's shock makes sense. I'd expect some sort of middle ground where you could erase the Exchange account automatically, but not, say, my personal pictures, reminders, etc. Heck, just sandbox files in Exchange accounts (don't allow their being saved outside of the Apple ecosystem) for that middle ground. etc etc

Jun 6, 2014 8:30 AM

Reply Helpful

Jun 24, 2015 11:39 AM in response to rvanmil In response to rvanmil

I was asked by my company to monitor my company email from my personal iPhone. After becoming aware of the remote wipe feature on the Exchange server, I informed my company that I was unwilling to continue using my personal phone. I deleted the email account from my phone, but one of the IT people told me that the policy is still resident on my phone and it could still be wiped remotely. Is it possible to sever that connection? Back up my phone and then do a factory reset? If I restore the backup, am I not restoring the policy too?

Jun 24, 2015 11:39 AM

Reply Helpful
User profile for user: rvanmil

Question: About Exchange and remote wiping