In June of 2016 Microsoft announced an update to the Exchange ActiveSync protocol which they called EAS 16.1. Among the improvements in EAS 16.1 was the addition of account-only remote wipes, which allows an administrator to issue a remote wipe for only the Exchange mailbox data on a mobile device. Previously, a remote wipe for an ActiveSync device would wipe the entire device if the user was using a native mail application to connect from the device. Some mobile email clients, like Outlook for iOS and Android, appear to the server as a “device” and therefore only the application data would be wiped. But the full wipe behavior of ActiveSync was still an issue for people using native mail apps, in particular for BYOD devices.
The EAS 16.1 roll-out across Exchange Online has been progressing since June. I've seen it arrive for mailboxes in one of my tenants, but not for others. Microsoft has indicated it will also be included in a future cumulative update for Exchange Server 2016, but no specific timeline has been announced.
You can test the EAS capabilities of a mailbox by using the Remote Connectivity Analyzer to perform an Exchange ActiveSync test. In the results, there's a line called “MS-ASProtocolVersions” which lists the EAS versions a mailbox is capable of.
For a mailbox where EAS 16.1 has not yet been enabled, the output looks like this.
|
1 |
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0 |
For a mailbox where EAS 16.1 has been enabled, the output looks like this.
|
1 |
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0,16.1 |
You can also determine the EAS version in use by querying the mobile devices for a mailbox with the Get-MobileDevice cmdlet.
|
1 2 3 4 5 6 7 8 9 10 11 |
PS C:\> Get-MobileDevice -Mailbox demo@practical365.com | Select FriendlyName,DeviceType,ClientVersion,ClientType FriendlyName DeviceType ClientVersion ClientType ------------ ---------- ------------- ---------- Outlook for iOS and Android Outlook 14.1 EAS Outlook for iOS Outlook 161 REST Outlook for Android Outlook 161 REST TestActiveSyncConnectivity 12.0 EAS iPhone 6s iPhone 16.1 EAS Outlook for iOS Outlook 161 REST iPad mini 2 iPad 16.1 EAS |
In the example above, the iPad is connecting using the native mail app for iOS, and is running iOS 10 which is the minimum requirement for EAS 16.1 compatibility.
To issue an account-only remote wipe, we can use the Clear-MobileDevice cmdlet with the -AccountOnly parameter. The parameter is not available in the older Clear-ActiveSyncDevice cmdlet.
If you try to perform an account-only wipe for a device or mailbox that is not EAS 16.1 capable, it will fail with an error message of “EAS Version 16.1 or greator is required and the EAS version of client is 16.0” as shown below.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
PS C:\> Get-MobileDevice -Mailbox mike.ryan@exchangeserverpro.net | Where {$_.DeviceID -eq "3FJBAEQ5G525N9C86RJ801B8GO"} | Clear-MobileDevice -AccountOnly Confirm Are you sure you want to perform this action? Clearing mobile device "Mike Ryan\ExchangeActiveSyncDevices\iPad§3FJBAEQ5G525N9C86RJ801B8GO". All the data on the mobile device will be permanently deleted. [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y EAS Version 16.1 or greator is required and the EAS version of client is 16.0 + CategoryInfo : InvalidArgument: (Mike Ryan\Excha...5N9C86RJ801B8GO:MobileDevice) [Clear-MobileDevice], InvalidClientEASVersionException + FullyQualifiedErrorId : [Server=DB3PR05MB0889,RequestId=86370352-bbb3-4880-9b91-662b4ab4cda8,TimeStamp=29/11/201 6 2:14:25 AM] [FailureCategory=Cmdlet-InvalidClientEASVersionException] 3D6CA96F,Microsoft.Exchange.Management.Tas ks.ClearMobileDevice + PSComputerName : outlook.office365.com |
Note that regardless of whether an account-only or full device wipe is being performed, the same warning message appears in the confirmation prompt.
All the data on the mobile device will be permanently deleted.
If the device wipe is successful, an email notification is sent to confirm the result.
Account-only wipes can also be issued from the Exchange admin center from the list of mobile devices associated with a mailbox.
When you use the Exchange admin center to issue an account-only wipe, the message in the confirmation prompt is more accurate.
At this stage the account-only wipe appears to be an administrator-only capability. For user-initiated wipes from OWA, only full device wipes are available as an option.
Although it's only available in Exchange Online right now, and not yet rolled out across all mailboxes, the addition of account-only wipes is certainly a welcome feature.
Paul is a Microsoft MVP for Office Apps and Services and a Pluralsight author. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server.
I am still running exchange 2013. Any idea if there are plans to include this is a future 2013 CU
I would not expect this feature to come to Exchange 2013 at all.
If the user’s password is changed before the phone’s activesync communication kicks in, is there a possibility that the phone will not be wiped? If so, is there an option to send the notification to an alternate email address that the phone has been wiped so that after I receive this notification, I can proceed to change their password?
Yes, a password change will stop the remote wipe for succeeding.
Clear-MobileDevice has a parameter for specifying a notification email address.
https://technet.microsoft.com/en-us/library/jj218658(v=exchg.160).aspx
On termination of and employee our client went into the 365 portal, changed the mailbox password and turned off all remote access / Email app settings (ie OWA, Desktop MAPI, Exchange Web Services, ActiveSync, IMAP and POP).
1 – Since these changes have been has already been made on the account will this command still work?
2 – Can it work if we turn these settings back on and still have the updated PW in place?
3 – If we turn all the settings back on and able to change the PW back to the original the phone should fully sync, correct? Then can we issue this wipe command?
Thanks for any advice you can give.
The answer to all your questions is – If the device can’t authenticate and connect, the wipe will never succeed.
Paul do you know of any Android apps that support 16.1? It doesnt seem that Microsofts own Outlook for Android app supports eas 16.1.
Since we can’t change the user’s password until after a successful wipe, it seems we have to disable some of the other methods of connecting – Outlook on the Web, IMAP, POP3. Can we disable OWA for devices? Is ExchangeActiveSync the only service that needs to remain enabled? Thanks!