The mobile device mailbox policies for Exchange Server and Exchange Online can be configured to automatically issue a remote wipe request for devices that exceed the specified number of sign-in failures.


The option to automatically wipe devices is not enabled by default, and with good reason. Remote wipe is a destructive process that will wipe all of the data from the mobile device or application that is connected to Exchange via ActiveSync.

For native email clients, such as the Mail app on iOS, this means the entire device is wiped (including all personal data on the device). For apps such as Outlook for iOS and Android, the remote wipe will remove all data from within the application only, and not the entire device.

If your organization has a security requirement to automatically wipe mobile devices after a series of sign-in failures, then you need to consider the serious implications of wiping personal data from employee-owned devices (BYOD). Yes, someone trying to brute force their way into a device with corporate data on it is a concern. But it’s also quite likely that a device will be accidentally wiped due to that policy option, for example if a child is mashing buttons on their parent’s mobile device lock screen. Furthermore, wiping the device doesn’t wipe any backups of that device that the user may have already made.

If you do choose to enable automatic remote wipe, consider:

  • Making it very clear through written policies and user-acceptance forms that remote wipe is a possible outcome
  • Enforcing the use of applications, such as Outlook for iOS and Android, that will allow a wipe of the application data only and not the entire device
  • Implementing a more robust mobile device management (MDM) solution than what Exchange can provide with ActiveSync alone, that will allow “containerization” of data so that selective wipe of corporate data can be performed without wiping personal data
  • Preparing a standard response, supported by high-level stakeholders in the organization, for the inevitable case of a user complaining about losing personal data
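
Before enabling the option, it helps to know which policies already carry a sign-in failure limit and which connected devices would be affected. The following is an added example, not part of the original article; it assumes Exchange 2013 or later (or Exchange Online PowerShell), that `MaxPasswordFailedAttempts` is the shell counterpart of the sign-in failure setting, and that `DevicePolicyApplied` renders as the policy name.

```powershell
# Added example; assumes Exchange 2013 or later, or Exchange Online PowerShell.

# Device model reported by Outlook for iOS and Android, the client the
# article says receives an app-only wipe.
$outlookModel = 'Outlook for iOS and Android'

# 1. Policies with a sign-in failure limit (anything other than Unlimited).
#    Compared as text so it also works on deserialized remote-session objects.
$wipePolicies = @(Get-MobileDeviceMailboxPolicy |
    Where-Object { "$($_.MaxPasswordFailedAttempts)" -ne 'Unlimited' })

$wipePolicies |
    Format-Table Name, IsDefault, PasswordEnabled, MaxPasswordFailedAttempts -AutoSize

# 2. Devices that have one of those policies applied, labelled by what a wipe
#    would destroy according to the article.
#    Assumption: DevicePolicyApplied renders as the policy name.
$policyNames = @($wipePolicies | ForEach-Object { $_.Name })

Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $policyNames -contains "$($_.DevicePolicyApplied)" } |
    Select-Object UserDisplayName, DeviceModel, DeviceOS, DevicePolicyApplied,
        @{ Name = 'WipeScope'; Expression = {
            if ($_.DeviceModel -eq $outlookModel) { 'Outlook app data only' }
            else { 'Other client: possibly entire device' }
        } } |
    Sort-Object WipeScope, UserDisplayName |
    Format-Table -AutoSize

# 3. Preview of enforcing Outlook for iOS and Android: quarantine unknown
#    devices by default and allow the Outlook app through a device access rule.
#    -WhatIf reports what would happen without changing anything.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -WhatIf
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString $outlookModel -AccessLevel Allow -WhatIf
```

Devices listed with a scope other than "Outlook app data only" are the ones to review with their owners before any policy with a failure limit is assigned more widely.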

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Russ A

    Hey Paul,

    There have been some security concerns exposed by Rene Winkelmeyer on the Outlook App. Do you know how Microsoft responds to those concerns and how we should respond to our users when they want to install and use that app? We really don’t want to wipe a user’s phone, but we really don’t want to expose our corp to the security risk, if there is one.

    Thanks for the help,
    Russ

    1. Most of those concerns were addressed early in the life of Outlook, and some of them were subjective. I’ve been using the app since day 1. Whether the current app meets your org’s security requirements is up to you, but it’s fine for me and pretty much every customer I deal with.

      Some reading:
      https://www.practical365.com/exchange-server/outlook-for-ios-and-android/
      https://blogs.office.com/2016/09/26/outlook-for-ios-and-android-is-now-fully-powered-by-the-microsoft-cloud/
      https://technet.microsoft.com/en-us/library/mt684947(v=exchg.160).aspx

  2. Joe Elter

    Enforcing the use of applications, such as Outlook for iOS and Android, that will allow a wipe of the application data only and not the entire device

    How is this enforced? I don’t see a GUI means of doing so in Exchange 2010.

    1. You would need to set an org-level of quarantine or block:

      https://www.practical365.com/preventing-new-activesync-device-types-from-connecting-to-exchange-server-2010/

      Then if you want Outlook for iOS and Android to be allowed to connect without being quarantined and manually approved, a device access rule can be used to allow it:

      https://www.practical365.com/creating-activesync-device-access-rules-exchange-server-2010/
