Remotely Wipe a Mobile Phone Connected to Exchange 2010

There are occasions, in fact quite rare, where users lose organisation-owned mobile phones containing sensitive personal and/or confidential business information.

In such a case, all data on the phone has to be wiped immediately to ensure that the mailbox isn’t accessed by anyone other than its owner.

Connect Exchange 2010 Mailbox to Mobile Phone

We are using a Samsung phone running Android 4.1.2 in this example.

When setting up an Exchange 2010 mailbox for the first time, the following pop-up message appears on a phone screen:

The server <exchange.example.com> must be able to remotely control some security features on your device.

Activating this administrator will allow the app Email to perform the following operations:

  - Erase all data: Erase the phone’s data without warning by performing a factory data reset.
  - Set password rules: Control the length and the characters allowed in screen-unlock passwords.
  - Monitor screen-unlock attempts: Monitor the number of incorrect passwords typed when unlocking the screen and lock the phone or erase all the phone’s data if too many incorrect passwords are typed.
  - Lock the screen: Control how and when the screen locks.
  - Set lock-screen password expiration: Control how frequently the lock-screen password must be changed.
  - Set storage encryption: Require that stored app data be encrypted.
  - Disable cameras: Prevent use of all device cameras.
  - Set SD card encryption: Require that applications on the SD card be encrypted.
  - Password recovery: Allow the password needed to unlock the device to be restored.
  - Disable POP and IMAP emails: Prevent use of all POP and IMAP email on the device.
  - Disable SD card: Prevent use of the SD card.
  - Disable SMS/MMS messaging: Prevent use of SMS/MMS messaging.
  - Disable Internet: Prevent use of the Internet.
  - Disable Internet Sharing: Prevent use of Internet sharing.
  - Disable Bluetooth: Prevent use of Bluetooth.
  - Disable desktop Sync: Prevent use of desktop sync.
  - Disable IrDA: Prevent use of IrDA.
  - Configure email account: Create, modify or delete IMAP/POP accounts and configure related account settings.

As we can see, Exchange ActiveSync requires a large amount of control over the phone: the Email app becomes a device administrator so that the server’s policies (and a remote wipe) can be enforced locally.

Perform a Remote Wipe on a Mobile Phone

A remote wipe can be performed from the Exchange Control Panel (ECP), which by default is accessible at:

https://exchange.example.com/ecp

Log in with an administrator account, then:

  1. Navigate to “Users & Groups” -> “Mailboxes”.
  2. Select the user, and under “Phone & Voice Features”, make sure “Exchange ActiveSync” is enabled.
  3. Double click on “Exchange ActiveSync”, select the mobile device, and then select “Wipe device”.
  4. Select “Save”.

Now, if we turn the internet connection on on the phone and try to sync the mailbox with the server, the phone automatically resets to factory defaults and the status “Remote Device Wipe Successful” appears on the ECP screen.

We should also receive a confirmation email from the server.

The last thing to do is to remove the mobile phone from the Exchange server, or cancel the device wipe; otherwise the wipe request stays pending and the phone will continue wiping its data for security purposes whenever it reconnects.
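The same workflow can be driven from the Exchange Management Shell instead of the ECP, which is useful when several devices are paired with the mailbox or when the wipe has to be scripted. The following is an added example written for this page, not code from the original post; it uses the Exchange 2010 cmdlets Get-ActiveSyncDeviceStatistics, Clear-ActiveSyncDevice and Remove-ActiveSyncDevice. The mailbox alias, the notification address, the choice of the most recently synced device and the 30-minute polling window are assumptions for illustration.

```powershell
# Added example (not from the original post): remote wipe via the Exchange
# Management Shell on Exchange 2010. Mailbox alias, notification address and
# device selection below are assumptions; substitute your own values.
param(
    [string]$Mailbox       = 'jdoe',              # assumed mailbox alias
    [string]$NotifyAddress = 'admin@example.com', # assumed admin address
    [switch]$Cancel                               # withdraw a pending wipe instead
)

# 1. List every ActiveSync partnership for the mailbox, so the right device is
#    wiped (a user may have several phones or tablets paired).
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox
$devices | Format-Table DeviceFriendlyName, DeviceType, DeviceId, LastSuccessSync,
                        DeviceWipeRequestTime, DeviceWipeAckTime -AutoSize

# 2. Pick the device to act on. Assumption: the most recently synced one.
$target = $devices | Sort-Object LastSuccessSync -Descending | Select-Object -First 1
if (-not $target) { throw "No ActiveSync devices found for mailbox $Mailbox" }

if ($Cancel) {
    # 3a. Cancel a queued wipe so the device is not reset on its next sync.
    Clear-ActiveSyncDevice -Identity $target.Identity -Cancel -Confirm:$false
    return
}

# 3b. Queue the wipe. It is delivered the next time the phone connects, so a
#     lost phone that is offline is only wiped once it comes back online.
Clear-ActiveSyncDevice -Identity $target.Identity `
    -NotificationEmailAddresses $NotifyAddress -Confirm:$false

# 4. Poll until the device acknowledges the wipe (DeviceWipeAckTime is set),
#    then remove the partnership so the wipe is not re-issued on reconnect.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $stats = Get-ActiveSyncDeviceStatistics -Identity $target.Identity
} until ($stats.DeviceWipeAckTime -or (Get-Date) -gt $deadline)

if ($stats.DeviceWipeAckTime) {
    Write-Host "Wipe acknowledged at $($stats.DeviceWipeAckTime); removing partnership."
    Remove-ActiveSyncDevice -Identity $target.Identity -Confirm:$false
} else {
    Write-Warning "Wipe still pending after 30 minutes; leave it queued, or re-run with -Cancel to withdraw it."
}
```

Run it from the Exchange Management Shell as a user holding the recipient management role. Removing the partnership only after DeviceWipeAckTime is populated matters: removing it earlier discards the pending wipe, while leaving it in place indefinitely has the effect described above, where the phone is wiped again each time it reconnects.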