In June of 2016 Microsoft announced an update to the Exchange ActiveSync protocol which they called EAS 16.1. Among the improvements in EAS 16.1 was the addition of account-only remote wipes, which allows an administrator to issue a remote wipe for only the Exchange mailbox data on a mobile device. Previously, a remote wipe for an ActiveSync device would wipe the entire device if the user was using a native mail application to connect from the device. Some mobile email clients, like Outlook for iOS and Android, appear to the server as a “device” and therefore only the application data would be wiped. But the full wipe behavior of ActiveSync was still an issue for people using native mail apps, in particular for BYOD devices.

The EAS 16.1 roll-out across Exchange Online has been progressing since June. I’ve seen it arrive for mailboxes in one of my tenants, but not for others. Microsoft has indicated it will also be included in a future cumulative update for Exchange Server 2016, but no specific timeline has been announced.

You can test the EAS capabilities of a mailbox by using the Remote Connectivity Analyzer to perform an Exchange ActiveSync test. In the results, there’s a line called “MS-ASProtocolVersions” which lists the EAS versions a mailbox is capable of.

For a mailbox where EAS 16.1 has not yet been enabled, the output looks like this.

MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0

For a mailbox where EAS 16.1 has been enabled, the output looks like this.

MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0,16.1

You can also determine the EAS version in use by querying the mobile devices for a mailbox with the Get-MobileDevice cmdlet.

PS C:\> Get-MobileDevice -Mailbox demo@practical365.com | Select FriendlyName,DeviceType,ClientVersion,ClientType

FriendlyName                DeviceType                 ClientVersion ClientType
------------                ----------                 ------------- ----------
Outlook for iOS and Android Outlook                    14.1          EAS
Outlook for iOS             Outlook                    161           REST
Outlook for Android         Outlook                    161           REST
                            TestActiveSyncConnectivity 12.0          EAS
iPhone 6s                   iPhone                     16.1          EAS
Outlook for iOS             Outlook                    161           REST
iPad mini 2                 iPad                       16.1          EAS

In the example above, the iPad is connecting using the native mail app for iOS, and is running iOS 10, which is the minimum requirement for EAS 16.1 compatibility.

To issue an account-only remote wipe, we can use the Clear-MobileDevice cmdlet with the -AccountOnly parameter. The parameter is not available in the older Clear-ActiveSyncDevice cmdlet.

If you try to perform an account-only wipe for a device or mailbox that is not EAS 16.1 capable, it will fail with an error message of “EAS Version 16.1 or greator is required and the EAS version of client is 16.0” as shown below.

PS C:\> Get-MobileDevice -Mailbox mike.ryan@exchangeserverpro.net | Where {$_.DeviceID -eq "3FJBAEQ5G525N9C86RJ801B8GO"} | Clear-MobileDevice -AccountOnly

Confirm
Are you sure you want to perform this action?
Clearing mobile device "Mike Ryan\ExchangeActiveSyncDevices\iPad§3FJBAEQ5G525N9C86RJ801B8GO". All the data on the
mobile device will be permanently deleted.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
EAS Version 16.1 or greator is required and the EAS version of client is 16.0
    + CategoryInfo          : InvalidArgument: (Mike Ryan\Excha...5N9C86RJ801B8GO:MobileDevice) [Clear-MobileDevice],
   InvalidClientEASVersionException
    + FullyQualifiedErrorId : [Server=DB3PR05MB0889,RequestId=86370352-bbb3-4880-9b91-662b4ab4cda8,TimeStamp=29/11/201
   6 2:14:25 AM] [FailureCategory=Cmdlet-InvalidClientEASVersionException] 3D6CA96F,Microsoft.Exchange.Management.Tas
  ks.ClearMobileDevice
    + PSComputerName        : outlook.office365.com

Note that regardless of whether an account-only or full device wipe is being performed, the same warning message appears in the confirmation prompt.

All the data on the mobile device will be permanently deleted.
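
One way to avoid the InvalidClientEASVersionException shown above is to check each device's ClientType and ClientVersion before piping it to Clear-MobileDevice -AccountOnly. The following is an added example, not code from the original article; the function name Test-AccountOnlyWipeCapable and the sample rows are hypothetical, and it assumes the server's version check corresponds to the ClientVersion value that Get-MobileDevice reports.

```powershell
# Added example (not from the original article). Function name and sample
# rows are hypothetical; property names follow the Get-MobileDevice output above.
function Test-AccountOnlyWipeCapable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device
    )
    process {
        $parsed = $null
        # REST clients report ClientVersion "161", which is not an EAS protocol
        # version, so only ClientType EAS is evaluated.
        $capable = ("$($Device.ClientType)" -eq 'EAS') -and
            [version]::TryParse("$($Device.ClientVersion)", [ref]$parsed) -and
            ($parsed -ge [version]'16.1')
        [pscustomobject]@{
            FriendlyName  = $Device.FriendlyName
            ClientType    = "$($Device.ClientType)"
            ClientVersion = "$($Device.ClientVersion)"
            AccountOnlyOk = [bool]$capable
        }
    }
}

# Constructed sample rows, modelled on the table earlier in the article.
$sample = @(
    [pscustomobject]@{ FriendlyName = 'Outlook for iOS and Android'; ClientVersion = '14.1'; ClientType = 'EAS' }
    [pscustomobject]@{ FriendlyName = 'Outlook for iOS';             ClientVersion = '161';  ClientType = 'REST' }
    [pscustomobject]@{ FriendlyName = 'iPhone 6s';                   ClientVersion = '16.1'; ClientType = 'EAS' }
    [pscustomobject]@{ FriendlyName = 'iPad (constructed)';          ClientVersion = '16.0'; ClientType = 'EAS' }
)
$sample | Test-AccountOnlyWipeCapable | Format-Table -AutoSize

# Against a live mailbox: dry run first, then remove -WhatIf to issue the wipe.
# Get-MobileDevice -Mailbox demo@practical365.com |
#     Where-Object { ($_ | Test-AccountOnlyWipeCapable).AccountOnlyOk } |
#     Clear-MobileDevice -AccountOnly -WhatIf
```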

If the device wipe is successful, an email notification is sent to confirm the result.

Account-only wipes can also be issued from the Exchange admin center from the list of mobile devices associated with a mailbox.

When you use the Exchange admin center to issue an account-only wipe, the message in the confirmation prompt is more accurate.

At this stage the account-only wipe appears to be an administrator-only capability. For user-initiated wipes from OWA, only full device wipes are available as an option.

Although it’s only available in Exchange Online right now, and not yet rolled out across all mailboxes, the addition of account-only wipes is certainly a welcome feature.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Nick B

    Wipe Data will wipe out all data on the mobile device. This has affected me and I lost photos/videos of my son from birth to 1.5yrs old. Were not backed up anywhere so those memories are gone. Do not trust any Outlook apps on your personal devices!

  2. Willie

    I don’t mean to necro an old post, but any idea how an AccountOnly wipe works when the user is using the Windows 10 Mail app? Would it erase the entire device?

    PowerShell shows:
    DeviceType = UniversalOutlook
    ClientType = Outlook
    ClientVersion = 1.0

  3. Saipriya

    Hi
    Please help me to recover mail in mobile device which wipe data done (office 365- mobile devices) by mistakenly

    Thanks

  4. Anil

    Hi Paul.

    If I want to perform an Account only remote wipe Device (where only the data related to Exchange gets wiped), may I know which command I should use to do so?

    Clear-MobileDevice -AccountOnly "UserEmail"

  5. bharath

    Hi
    Anyone can help us that how to recover all files from mobile device which wipe data done (office 365- mobile devices) by mistakenly

    Mohammed

  6. DM

    What is the difference between Account Only Remote Wipe Device and Wipe Data and what would be the impact for each option?

  7. Jeff

    Since we can’t change the user’s password until after a successful wipe, it seems we have to disable some of the other methods of connecting – Outlook on the Web, IMAP, POP3. Can we disable OWA for devices? Is ExchangeActiveSync the only service that needs to remain enabled? Thanks!

  8. Rob P

    Paul, do you know of any Android apps that support 16.1? It doesn't seem that Microsoft's own Outlook for Android app supports EAS 16.1.

  9. Todd Cooper

    On termination of an employee our client went into the 365 portal, changed the mailbox password and turned off all remote access / Email app settings (i.e. OWA, Desktop MAPI, Exchange Web Services, ActiveSync, IMAP and POP).
    1 – Since these changes have already been made on the account, will this command still work?
    2 – Can it work if we turn these settings back on and still have the updated PW in place?
    3 – If we turn all the settings back on and are able to change the PW back to the original, the phone should fully sync, correct? Then can we issue this wipe command?

    Thanks for any advice you can give.

  10. Steve Berglund

    If the user’s password is changed before the phone’s activesync communication kicks in, is there a possibility that the phone will not be wiped? If so, is there an option to send the notification to an alternate email address that the phone has been wiped so that after I receive this notification, I can proceed to change their password?

  11. Pam Walsh

    I am still running Exchange 2013. Any idea if there are plans to include this in a future 2013 CU?
