
Performing Account-Only Remote Wipes of Mobile Devices in Exchange

In June of 2016 Microsoft announced an update to the Exchange ActiveSync protocol which they called EAS 16.1. Among the improvements in EAS 16.1 was the addition of account-only remote wipes, which allow an administrator to issue a remote wipe for only the Exchange mailbox data on a mobile device. Previously, a remote wipe of an ActiveSync device would wipe the entire device if the user was connecting with the device's native mail application. Some mobile email clients, like Outlook for iOS and Android, appear to the server as a “device” in their own right, so a wipe of that “device” only removes the application's data. But the full-device wipe behavior of ActiveSync was still an issue for people using native mail apps, in particular on BYOD devices.

The EAS 16.1 roll-out across Exchange Online has been progressing since June. I’ve seen it arrive for mailboxes in one of my tenants, but not for others. Microsoft has indicated it will also be included in a future cumulative update for Exchange Server 2016, but no specific timeline has been announced.

You can test the EAS capabilities of a mailbox by using the Remote Connectivity Analyzer to perform an Exchange ActiveSync test. In the results, there’s a line called “MS-ASProtocolVersions” which lists the EAS versions a mailbox is capable of.

For a mailbox where EAS 16.1 has not yet been enabled, the output looks like this.

For a mailbox where EAS 16.1 has been enabled, the output looks like this.

You can also determine the EAS version in use by querying the mobile devices for a mailbox with the Get-MobileDevice cmdlet.

In the example above, the iPad is connecting using the native mail app for iOS, and is running iOS 10 which is the minimum requirement for EAS 16.1 compatibility.

To issue an account-only remote wipe, we can use the Clear-MobileDevice cmdlet with the -AccountOnly parameter. The parameter is not available in the older Clear-ActiveSyncDevice cmdlet.

If you try to perform an account-only wipe for a device or mailbox that is not EAS 16.1 capable, it will fail with an error message of “EAS Version 16.1 or greator is required and the EAS version of client is 16.0” as shown below.
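The check-then-wipe procedure above, as an added example (not code from the original post): it reads the negotiated EAS version from Get-MobileDevice and issues Clear-MobileDevice -AccountOnly only for devices at 16.1 or later, reporting the rest instead of letting the wipe fail or falling back to a full device wipe. It assumes a connected Exchange Online PowerShell session, that the ClientVersion property carries the EAS protocol version, and uses placeholder mailbox and notification addresses.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# PowerShell session and that Get-MobileDevice's ClientVersion property holds
# the negotiated EAS protocol version (e.g. "16.0" or "16.1").
function Invoke-AccountOnlyWipe {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        # Optional: restrict to one DeviceId; default is every device on the mailbox
        [string] $DeviceId,
        # Optional: address(es) that receive the wipe-result notification email
        [string[]] $NotifyAddress
    )

    $minimum = [version] '16.1'
    $devices = Get-MobileDevice -Mailbox $Mailbox
    if ($DeviceId) { $devices = $devices | Where-Object DeviceId -eq $DeviceId }

    foreach ($d in $devices) {
        # Compare as a version, not a string, and tolerate a missing ClientVersion
        $eas = $null
        $parsed = [version]::TryParse([string] $d.ClientVersion, [ref] $eas)
        if (-not $parsed -or $eas -lt $minimum) {
            # Clear-MobileDevice -AccountOnly would fail on this device with
            # "EAS Version 16.1 or greator is required ...", so report and skip
            # rather than silently downgrading to a full device wipe
            Write-Warning ("{0} ({1}, {2}) reports EAS '{3}'; account-only wipe not supported" -f
                $d.DeviceId, $d.DeviceModel, $d.DeviceOS, $d.ClientVersion)
            continue
        }

        $wipe = @{ Identity = $d.Identity; AccountOnly = $true; Confirm = $false }
        if ($NotifyAddress) { $wipe['NotificationEmailAddresses'] = $NotifyAddress }

        if ($PSCmdlet.ShouldProcess("$($d.DeviceModel) $($d.DeviceId)", 'Account-only remote wipe')) {
            Clear-MobileDevice @wipe
        }
    }
}

# Dry run first, then the real wipe (mailbox and address are placeholders)
Invoke-AccountOnlyWipe -Mailbox 'user@example.com' -WhatIf
Invoke-AccountOnlyWipe -Mailbox 'user@example.com' -NotifyAddress 'admin@example.com'
```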

Note that regardless of whether an account-only or full device wipe is being performed, the same warning message appears in the confirmation prompt.

All the data on the mobile device will be permanently deleted.

If the device wipe is successful, an email notification is sent to confirm the result.

[Screenshot: exchange-activesync-wipe-result]

Account-only wipes can also be issued from the Exchange admin center from the list of mobile devices associated with a mailbox.

[Screenshot: exchange-activesync-account-only-wipe]

When you use the Exchange admin center to issue an account-only wipe, the message in the confirmation prompt is more accurate.

[Screenshot: exchange-activesync-account-only-wipe-prompt]

At this stage the account-only wipe appears to be an administrator-only capability. For user-initiated wipes from OWA, only full device wipes are available as an option.

Although it’s only available in Exchange Online right now, and not yet rolled out across all mailboxes, the addition of account-only wipes is certainly a welcome feature.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.