
Performing Account-Only Remote Wipes of Mobile Devices in Exchange

November 29, 2016 by Paul Cunningham

In June of 2016 Microsoft announced an update to the Exchange ActiveSync protocol which they called EAS 16.1. Among the improvements in EAS 16.1 was the addition of account-only remote wipes, which allow an administrator to issue a remote wipe for only the Exchange mailbox data on a mobile device. Previously, a remote wipe for an ActiveSync device would wipe the entire device if the user was using a native mail application to connect from the device. Some mobile email clients, like Outlook for iOS and Android, appear to the server as a “device” and therefore only the application data would be wiped. But the full wipe behavior of ActiveSync was still an issue for people using native mail apps, in particular for BYOD devices.

The EAS 16.1 roll-out across Exchange Online has been progressing since June. I've seen it arrive for mailboxes in one of my tenants, but not for others. Microsoft has indicated it will also be included in a future cumulative update for Exchange Server 2016, but no specific timeline has been announced.

You can test the EAS capabilities of a mailbox by using the Remote Connectivity Analyzer to perform an Exchange ActiveSync test. In the results, there's a line called “MS-ASProtocolVersions” which lists the EAS versions a mailbox is capable of.

For a mailbox where EAS 16.1 has not yet been enabled, the output looks like this.

MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0

For a mailbox where EAS 16.1 has been enabled, the output looks like this.

MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0,16.1

You can also determine the EAS version in use by querying the mobile devices for a mailbox with the Get-MobileDevice cmdlet.

PS C:\> Get-MobileDevice -Mailbox demo@practical365.com | Select FriendlyName,DeviceType,ClientVersion,ClientType
 
FriendlyName                DeviceType                 ClientVersion ClientType
------------                ----------                 ------------- ----------
Outlook for iOS and Android Outlook                    14.1          EAS
Outlook for iOS             Outlook                    161           REST
Outlook for Android         Outlook                    161           REST
                            TestActiveSyncConnectivity 12.0          EAS
iPhone 6s                   iPhone                     16.1          EAS
Outlook for iOS             Outlook                    161           REST
iPad mini 2                 iPad                       16.1          EAS

In the example above, the iPad is connecting using the native mail app for iOS, and is running iOS 10 which is the minimum requirement for EAS 16.1 compatibility.

To issue an account-only remote wipe, we can use the Clear-MobileDevice cmdlet with the -AccountOnly parameter. The parameter is not available in the older Clear-ActiveSyncDevice cmdlet.

If you try to perform an account-only wipe for a device or mailbox that is not EAS 16.1 capable, it will fail with an error message of “EAS Version 16.1 or greator is required and the EAS version of client is 16.0” as shown below.

PS C:\> Get-MobileDevice -Mailbox mike.ryan@exchangeserverpro.net | Where {$_.DeviceID -eq "3FJBAEQ5G525N9C86RJ801B8GO"} | Clear-MobileDevice -AccountOnly
 
Confirm
Are you sure you want to perform this action?
Clearing mobile device "Mike Ryan\ExchangeActiveSyncDevices\iPad§3FJBAEQ5G525N9C86RJ801B8GO". All the data on the
mobile device will be permanently deleted.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
EAS Version 16.1 or greator is required and the EAS version of client is 16.0
    + CategoryInfo          : InvalidArgument: (Mike Ryan\Excha...5N9C86RJ801B8GO:MobileDevice) [Clear-MobileDevice],
   InvalidClientEASVersionException
    + FullyQualifiedErrorId : [Server=DB3PR05MB0889,RequestId=86370352-bbb3-4880-9b91-662b4ab4cda8,TimeStamp=29/11/201
   6 2:14:25 AM] [FailureCategory=Cmdlet-InvalidClientEASVersionException] 3D6CA96F,Microsoft.Exchange.Management.Tas
  ks.ClearMobileDevice
    + PSComputerName        : outlook.office365.com

Note that regardless of whether an account-only or full device wipe is being performed, the same warning message appears in the confirmation prompt.

All the data on the mobile device will be permanently deleted.
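One way to avoid the InvalidClientEASVersionException shown above is to filter on ClientType and ClientVersion before calling Clear-MobileDevice. The following is an added example, not code from the original article; the helper name Get-AccountOnlyWipeCandidate and the two example.com addresses are hypothetical, and it assumes the ClientVersion reported by Get-MobileDevice is the value the server checks.

```powershell
# Added example, not from the original article. Get-AccountOnlyWipeCandidate is a
# hypothetical helper; the mailbox and notification addresses are placeholders.
function Get-AccountOnlyWipeCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device
    )
    process {
        # REST clients (Outlook reporting "161") are not ActiveSync partnerships.
        if ("$($Device.ClientType)" -ne 'EAS') { return }
        # ClientVersion is text such as "14.1" or "16.0"; compare it as [version]
        # so that the check is numeric per component rather than a string compare.
        $parsed = $null
        if (-not [version]::TryParse("$($Device.ClientVersion)", [ref]$parsed)) { return }
        if ($parsed -ge [version]'16.1') { $Device }
    }
}

# Constructed sample rows modelled on the Get-MobileDevice output shown earlier.
$sample = @(
    [pscustomobject]@{ FriendlyName = 'Outlook for iOS and Android'; ClientVersion = '14.1'; ClientType = 'EAS' }
    [pscustomobject]@{ FriendlyName = 'Outlook for iOS'; ClientVersion = '161'; ClientType = 'REST' }
    [pscustomobject]@{ FriendlyName = 'Old tablet (constructed)'; ClientVersion = '16.0'; ClientType = 'EAS' }
    [pscustomobject]@{ FriendlyName = 'iPhone 6s'; ClientVersion = '16.1'; ClientType = 'EAS' }
    [pscustomobject]@{ FriendlyName = 'iPad mini 2'; ClientVersion = '16.1'; ClientType = 'EAS' }
)
# Offline check of the filter against the sample rows.
$sample | Get-AccountOnlyWipeCandidate | Select-Object FriendlyName, ClientVersion

# Live use, only when the Exchange cmdlets are loaded in the session.
# -WhatIf previews the action; remove it to actually send the account-only wipe.
if (Get-Command Clear-MobileDevice -ErrorAction SilentlyContinue) {
    Get-MobileDevice -Mailbox 'user@example.com' |
        Get-AccountOnlyWipeCandidate |
        ForEach-Object {
            Clear-MobileDevice -Identity $_.Identity -AccountOnly `
                -NotificationEmailAddresses 'admin@example.com' -WhatIf
        }
}
```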

If the device wipe is successful, an email notification is sent to confirm the result.

[Image: exchange-activesync-wipe-result]

Account-only wipes can also be issued from the Exchange admin center from the list of mobile devices associated with a mailbox.

[Image: exchange-activesync-account-only-wipe]

When you use the Exchange admin center to issue an account-only wipe, the message in the confirmation prompt is more accurate.

[Image: exchange-activesync-account-only-wipe-prompt]

At this stage the account-only wipe appears to be an administrator-only capability. For user-initiated wipes from OWA, only full device wipes are available as an option.

Although it's only available in Exchange Online right now, and not yet rolled out across all mailboxes, the addition of account-only wipes is certainly a welcome feature.


Comments

  1. Anil says

    November 15, 2019 at 11:06 pm

    Hi Paul.

    If I want to perform an Account Only Remote Wipe Device (where only the data related to Exchange gets wiped), may I know which command I should use to do so?

    Clear-MobilDevice -Accountonly “UserEmail”

  2. bharath says

    September 8, 2019 at 7:34 pm

    Hi
    Can anyone help us with how to recover all files from a mobile device on which a data wipe was done (Office 365 mobile devices) by mistake?

    Mohammed

  3. DM says

    May 24, 2019 at 6:29 pm

    What is the difference between Account Only Remote Wipe Device and Wipe Data and what would be the impact for each option?

  4. Jeff says

    April 27, 2019 at 2:48 am

    Since we can’t change the user’s password until after a successful wipe, it seems we have to disable some of the other methods of connecting – Outlook on the Web, IMAP, POP3. Can we disable OWA for devices? Is ExchangeActiveSync the only service that needs to remain enabled? Thanks!

  5. Rob P says

    December 18, 2018 at 6:34 am

    Paul, do you know of any Android apps that support 16.1? It doesn't seem that Microsoft's own Outlook for Android app supports EAS 16.1.

  6. Todd Cooper says

    August 31, 2017 at 9:10 am

    On termination of an employee our client went into the 365 portal, changed the mailbox password and turned off all remote access / Email app settings (i.e. OWA, Desktop MAPI, Exchange Web Services, ActiveSync, IMAP and POP).
    1 – Since these changes have already been made on the account, will this command still work?
    2 – Can it work if we turn these settings back on and still have the updated PW in place?
    3 – If we turn all the settings back on and are able to change the PW back to the original, the phone should fully sync, correct? Then can we issue this wipe command?

    Thanks for any advice you can give.

    • Paul Cunningham says

      August 31, 2017 at 10:15 am

      The answer to all your questions is – If the device can’t authenticate and connect, the wipe will never succeed.

  7. Steve Berglund says

    July 19, 2017 at 6:17 am

    If the user’s password is changed before the phone’s activesync communication kicks in, is there a possibility that the phone will not be wiped? If so, is there an option to send the notification to an alternate email address that the phone has been wiped so that after I receive this notification, I can proceed to change their password?

    • Paul Cunningham says

      July 19, 2017 at 12:34 pm

      Yes, a password change will stop the remote wipe from succeeding.

      Clear-MobileDevice has a parameter for specifying a notification email address.

      https://technet.microsoft.com/en-us/library/jj218658(v=exchg.160).aspx

  8. Pam Walsh says

    December 2, 2016 at 8:01 am

    I am still running Exchange 2013. Any idea if there are plans to include this in a future 2013 CU?

    • Paul Cunningham says

      December 2, 2016 at 11:03 am

      I would not expect this feature to come to Exchange 2013 at all.

