Exchange account on smartphone: what is wiped, what power does admin have?

I have been unable to find answers to 2 questions on TechNet, hoping one of you in the forums can help. I am an Exchange administrator.

Environment: Microsoft Exchange Server 2013 hosted on premises

Question 1:
When you as administrator in Exchange Admin Center perform a wipe of someone's device, does it wipe only the Exchange account or everything on the device? Microsoft says it wipes "their phone clean of all corporate and user information" (source: technet.microsoft.com/en-us/library/aa998614(v=exchg.150).aspx) but doesn't clarify if that user information is the Exchange information only or all personal stuff, too.

Question 2:
A user wants to add Exchange email to her Samsung Galaxy phone. When she goes to add it, she's presented with a screen of about 20 security policies that she must accept before she can finish adding the account. My question is: what power does the Exchange Admin Center give an administrator? Our default OWA for Devices policy is "Password required, 4 characters, lock device after 15 minutes" and "wipe data after 8 attempts to enter password." As far as I know, this is all the power I have. However, her phone's list included things like muting/unmuting and changing ringtones, which as far as I know I can't possibly do in Exchange Admin Center. Or can I?

Thank you!


May 27th, 2015 5:08pm

1) Depends on what you use. The 'regular' ActiveSync functionality is full device wipe. The new MDM/Intune based wipe is selective, so only company stuff is removed.

2) Again, depends on what you use. What's possible via ActiveSync you can configure via the EAC/PowerShell. Additional control can be offered via MDM/Intune, though I haven't seen anything specific to ringtones (might be from another MDM solution). Here's a link to the TechNet documentation around MDM/Intune: https://technet.microsoft.com/en-us/library/mt143180.aspx

May 27th, 2015 8:44pm

Hi,

Great advice from Vasil.
For question 1:
If a mobile device is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange Server computer or from any Web browser by using Outlook Web App.
Remote device wipe tells your account to send an instruction to your phone to delete all data the next time the phone connects to your account.

For question 2:
We can use ActiveSync mailbox policy to configure a variety of security options for users. For your reference: https://technet.microsoft.com/en-us/library/bb123994(v=exchg.141).aspx
In Exchange 2010 we added a feature called the Allow/Block/Quarantine list. With this feature, organizations can choose which devices (or families of devices) can connect using Exchange ActiveSync (and conversely, which are blocked or quarantined).
For more details about it, please refer to: http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx

Meanwhile, this issue is related to Exchange ActiveSync. We recommend the Exchange Mobility and ActiveSync Team so that you can get more professional suggestions; for your convenience:
https://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrmobilitylegacy

Thanks

May 31st, 2015 4:45am
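
An added example, not part of any post in this thread: one way to list, from the Exchange Management Shell on Exchange 2013, every setting a mobile device mailbox policy carries beyond the four named in the question, which policy a given user receives, and whether a remote wipe is pending for her devices. The mailbox address is a placeholder, and the account running it is assumed to have the usual recipient/organization management rights.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2013).
# 'user@example.com' is a placeholder mailbox, not a value from the thread.
$Mailbox = 'user@example.com'

# 1. The settings named in the question, for every policy in the organization.
Get-MobileDeviceMailboxPolicy |
    Select-Object Name, IsDefault, PasswordEnabled, MinPasswordLength,
                  MaxInactivityTimeLock, MaxPasswordFailedAttempts |
    Format-Table -AutoSize

# 2. Every other device-level control the default policy can push
#    (camera, Bluetooth, storage card, encryption, and so on).
#    Wildcards avoid hard-coding the full property list.
Get-MobileDeviceMailboxPolicy |
    Where-Object { $_.IsDefault } |
    Format-List Name, Allow*, Require*, *Password*

# 3. Which policy this user's mailbox is actually assigned.
#    An empty ActiveSyncMailboxPolicy means the default policy applies.
Get-CASMailbox -Identity $Mailbox |
    Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 4. Devices partnered with the mailbox, the policy each one reports,
#    and the remote-wipe timestamps (request, sent, acknowledged).
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceFriendlyName, DeviceModel, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, Status,
                  DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime |
    Format-List
```

All four steps are read-only; nothing here changes a policy or issues a wipe.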

This topic is archived. No further replies will be accepted.
