There are occasions, in fact quite rare, where users lose organisation-owned mobile phones containing sensitive personal and/or confidential business information.
In such a case, all data on the phone must be wiped immediately to ensure that the mailbox isn't accessed by anyone other than its owner.
Connect Exchange 2010 Mailbox to Mobile Phone
We are using a Samsung phone running Android 4.1.2 in this example.
When setting up an Exchange 2010 mailbox for the first time, the following pop-up message appears on the phone's screen:
The server <exchange.example.com> must be able to remotely control some security features on your device.
Activating this administrator will allow the app Email to perform the following operations:
Erase all data
Erase the phone’s data without warning by performing a factory data reset.
Set password rules
Control the length and the characters allowed in a screen-unlock passwords.
Monitor screen-unlock attempts
Monitor the number of incorrect passwords typed when unlocking the screen and lock the phone or erase all the phone’s data if too many incorrect passwords are typed.
Lock the screen
Control how and when the screen locks.
Set lock-screen password expiration
Control how frequently the lock-screen password must be changed.
Set storage encryption
Require that stored app data be encrypted.
Disable cameras
Prevent use of all device cameras.
Set SD card encryption
Require application on SD card be encrypted.
Password recovery
Allow password needed to unlock device to be restored.
Disable POP and IMAP emails
Prevent use of all POP and IMAP email on device.
Disable SD card
Prevent use of SD card.
Disable SMS/MMS messaging
Prevent use of SMS/MMS messaging.
Disable Internet
Prevent use of Internet.
Disable Internet Sharing
Prevent use of Internet sharing.
Disable Bluetooth
Prevent use of Bluetooth.
Disable desktop Sync
Prevent use of desktop sync.
Disable IrDA
Prevent use of IrDA.
Configure email account
Create, modify or delete IMAP/POP accounts and configure related account settings.
As we can see, Exchange ActiveSync requires a large amount of control over the phone.
Perform a Remote Wipe on a Mobile Phone
A remote wipe can be performed using the Exchange Control Panel (ECP), which by default should be accessible at:
https://exchange.example.com/ecp
Connect as an Admin user, then:
- Navigate to “Users & Groups” -> “Mailboxes”.
- Select the user, and under “Phone & Voice Features”, make sure “Exchange ActiveSync” is enabled.
- Double click on “Exchange ActiveSync”, select the mobile device, and then select “Wipe device”.
- Select “Save”.
Now, if we switch the internet on on the phone and try to sync the mailbox with the server, the phone automatically resets to factory defaults and we see “Remote Device Wipe Successful” on the ECP screen.
We should also receive a confirmation email from the server.
The last thing to do is to remove the mobile phone from the Exchange server, or cancel the device wipe; otherwise the wipe command stays pending and the phone will be wiped again every time it reconnects, for security purposes.
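The same procedure can be scripted from the Exchange Management Shell, which is useful when the ECP is unavailable or when the wipe status needs to be checked after the fact. This is an added example and not part of the original post; the mailbox alias, device friendly name and notification address are assumed placeholders.

```powershell
# Added example: PowerShell equivalent of the ECP steps above, run from the
# Exchange 2010 Management Shell. Mailbox alias, device name and notification
# address are assumed placeholders; the device identity is read from the
# existing partnership rather than typed by hand.
$mailbox = 'jdoe'
$notify  = 'security@example.com'

# 1. List every ActiveSync partnership for the mailbox and identify the lost device.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Select-Object DeviceFriendlyName, DeviceModel, DeviceId, LastSuccessSync, Status |
    Format-Table -AutoSize

# Pick the device by the friendly name reported in the partnership (assumed value).
$lost = $devices | Where-Object { $_.DeviceFriendlyName -eq 'SAMSUNG-GT-I9300' }
if (-not $lost) { throw 'No ActiveSync partnership matched; refusing to guess a device.' }

# 2. Queue the remote wipe. The server mails a confirmation to $notify once the
#    device acknowledges the command (the same email the ECP procedure produces).
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses $notify -Confirm:$false

# 3. Check progress: DeviceWipeRequestTime is set immediately, DeviceWipeSentTime
#    once the phone next syncs, and DeviceWipeAckTime once the phone confirms
#    that the factory reset was performed.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq $lost.DeviceId } |
    Select-Object DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 4. Once acknowledged, remove the partnership so the wipe is not re-issued on
#    every later connection. If the phone is found before it has synced, cancel
#    the pending wipe instead:
#    Clear-ActiveSyncDevice -Identity $lost.Identity -Cancel
Remove-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

Step 4 should only run after DeviceWipeAckTime is populated; removing the partnership earlier discards the pending wipe just like the cancel switch does.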