The mobile device mailbox policies for Exchange Server and Exchange Online can be configured to automatically issue a remote wipe request for devices that exceed the specified number of sign-in failures.
The option to automatically wipe devices is not enabled by default, and with good reason. Remote wipe is a destructive process that will wipe all of the data from the mobile device or application that is connected to Exchange via ActiveSync.
For native email clients, such as the Mail app on iOS, this means the entire device is wiped (including all personal data on the device). For apps such as Outlook for iOS and Android, the remote wipe will remove all data from within the application only, and not the entire device.
If your organization has a security requirement to automatically wipe mobile devices after a series of sign-in failures, then you need to consider the serious implications of wiping personal data from employee-owned devices (BYOD). Yes, someone trying to brute force their way into a device with corporate data on it is a concern. But it's also quite likely that a device will be accidentally wiped due to that policy option, for example if a child is mashing buttons on their parent's mobile device lock screen. Furthermore, wiping the device doesn't wipe any backups of that device that the user may have already made.
If you do choose to enable automatic remote wipe, consider:
- Making it very clear through written policies and user-acceptance forms that remote wipe is a possible outcome
- Enforcing the use of applications, such as Outlook for iOS and Android, that will allow a wipe of the application data only and not the entire device
- Implementing a more robust mobile device management (MDM) solution than what Exchange can provide with ActiveSync alone, that will allow “containerization” of data so that selective wipe of corporate data can be performed without wiping personal data
- Preparing a standard response, supported by high level stakeholders in the organization, for the inevitable case of a user complaining about losing personal data