Exchange Best Practices: Automatically Remote Wiping Mobile Devices

The mobile device mailbox policies for Exchange Server and Exchange Online can be configured to automatically issue a remote wipe request for devices that exceed the specified number of sign-in failures.

The option to automatically wipe devices is not enabled by default, and with good reason. Remote wipe is a destructive process that will wipe all of the data from the mobile device or application that is connected to Exchange via ActiveSync.

For native email clients, such as the Mail app on iOS, this means the entire device is wiped (including all personal data on the device). For apps such as Outlook for iOS and Android, the remote wipe will remove all data from within the application only, and not the entire device.

If your organization has a security requirement to automatically wipe mobile devices after a series of sign-in failures, then you need to consider the serious implications of wiping personal data from employee-owned devices (BYOD). Yes, someone trying to brute force their way into a device with corporate data on it is a concern. But it’s also quite likely that a device will be accidentally wiped due to that policy option, for example if a child is mashing buttons on their parent’s mobile device lock screen. Furthermore, wiping the device doesn’t wipe any backups of that device that the user may have already made.

If you do choose to enable automatic remote wipe, consider:

  • Making it very clear through written policies and user-acceptance forms that remote wipe is a possible outcome
  • Enforcing the use of applications, such as Outlook for iOS and Android, that will allow a wipe of the application data only and not the entire device
  • Implementing a more robust mobile device management (MDM) solution than what Exchange can provide with ActiveSync alone, that will allow “containerization” of data so that selective wipe of corporate data can be performed without wiping personal data
  • Preparing a standard response, supported by high level stakeholders in the organization, for the inevitable case of a user complaining about losing personal data
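
As an added example (not from the original post), the following Exchange Management Shell snippet audits which mobile device mailbox policies have the automatic-wipe threshold set, shows the cmdlet that turns it off or sets an explicit threshold, and lists devices so you can see which ones are native clients (full device wipe) versus Outlook for iOS and Android (app data only). It assumes Exchange 2013 or later or Exchange Online; Exchange 2010 uses Set-ActiveSyncMailboxPolicy with MaxDevicePasswordFailedAttempts instead. The policy name "Default" and the DeviceModel string reported by the Outlook app are assumptions to verify against your own environment.

```powershell
# Added example: audit the "wipe after N sign-in failures" setting on every
# mobile device mailbox policy. The EAC checkbox maps to the
# MaxPasswordFailedAttempts property: "Unlimited" means automatic wipe is
# off; a number (4-16) means the device is wiped after that many failures.
Get-MobileDeviceMailboxPolicy |
    Select-Object Name, IsDefault, PasswordEnabled, MaxPasswordFailedAttempts,
        @{ Name = 'AutoWipeEnabled'
           Expression = { $_.MaxPasswordFailedAttempts.ToString() -ne 'Unlimited' } } |
    Format-Table -AutoSize

# Keep automatic wipe disabled on the Default policy (the out-of-the-box state).
# Policy name 'Default' is an assumption; substitute your own policy names.
Set-MobileDeviceMailboxPolicy -Identity 'Default' -MaxPasswordFailedAttempts Unlimited

# If a security requirement forces it on, set an explicit threshold. A low
# value raises the accidental-wipe risk described in the post; a device
# password must be required for the threshold to have any effect.
# Set-MobileDeviceMailboxPolicy -Identity 'Default' -PasswordEnabled $true -MaxPasswordFailedAttempts 10

# Inventory partnered devices so the blast radius of a wipe is understood:
# native mail clients report the handset model, while the Outlook app is
# assumed here to report 'Outlook for iOS and Android' as DeviceModel
# (verify against your own output before relying on it).
Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceModel, DeviceOS, DeviceType |
    Sort-Object DeviceModel |
    Format-Table -AutoSize
```

Run the audit before and after any policy change so that a non-default threshold on a policy you did not intend to touch is caught immediately.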

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

4 comments

  1. Joe Elter says:

    Enforcing the use of applications, such as Outlook for iOS and Android, that will allow a wipe of the application data only and not the entire device

    How is this enforced? I don't see a GUI means of doing so in Exchange 2010.

  2. Russ A says:

    Hey Paul,

    There have been some security concerns exposed by Rene Winkelmeyer on the Outlook App. Do you know how Microsoft responds to those concerns and how we should respond to our users when they want to install and use that app? We really don’t want to wipe a user’s phone, but we really don’t want to expose our corp to the security risk, if there is one.

    Thanks for the help,
    Russ
