Exchange Server 2010 ActiveSync: How to Perform User-Initiated Remote Wipe of a Mobile Device

When a user in the organization has a mobile device configured for ActiveSync, Exchange Server 2010 gives them the capability to perform their own remote device wipes.

This is useful in scenarios such as a lost of stolen mobile phone, because the user can often perform the remote wipe faster than if they had to contact their IT support.

Learn even more in the Beginner's Guide to Exchange Server 2010 ActiveSync. Grab your copy here.

There are a few caveats of course.

The user needs to be aware that the capability exists, and either be trained or be able to access help documentation for the process. This means your user education needs to be performed in advance, or alternatively your help documentation needs to already exist and be available somewhere that you can direct the user if they contact you for support.

The mobile device also needs to make a connection to the Exchange server for the remote wipe to occur. There are a number of ways that a lost or stolen device may never contact the server again, such as:

  • the device isn’t configured for push email, so doesn’t automatically connect to the server
  • the thief disables 3G/wireless to prevent connections being made
  • the mobile carrier disables the SIM card
  • the user changes their password in Active Directory
  • the device is blocked by a device access rule

So with all of that in mind, lets take a look at the process for a user-initiated remote wipe.

Exchange makes this functionality available to the end user via the Exchange Control Panel. Users can access the Exchange Control Panel by first logging in to Outlook Web App, clicking Options in the upper-right corner, and then choosing See All Options.

Clicking on Phone on the left-hand side displays the list of mobile devices associated with the user.

Select the device you wish to wipe and click on Wipe Device.

A warning box appears to confirm that the user wishes to wipe their device. Click Yes to confirm.

The device status changes to Wipe Pending. The user has the opportunity to cancel the device wipe before it completes, otherwise they can continue to monitor the status here.

The next time the device connects to Exchange (if it ever does), the remote wipe is initiated.

To the person in possession of the device there are no warnings or other messages before the remote wipe begins. In the case of the iPhone I’m using to demonstrate this, the device reverts to factory defaults and goes through the initial configuration steps when it starts up again.

The user receives a confirmation email letting them know that the remote device wipe has completed.

They can also check the status of the wipe request in the Exchange Control Panel.

Finally, they can remove the device from their list of associated mobile devices by highlighting it and clicking the Delete button.

As you’ve seen in this article, Exchange Server 2010 puts some very useful and powerful mobile device management capabilities in the hands of end users, allowing organizations to give more control to their staff and relieve some of the burden from IT staff.

If this is something you’d like to see first-hand, but you don’t have spare mobile devices available, you can use virtual Android devices instead.

Comments

  1. Jonathan says

    Hi Paul,

    I love this feature of Exchange we have used it on several occassions… primarily for reissuing company owned phones in that they can get a fresh start. I was quite surprised Apple would allow Microsoft to use ActiveSync with the iphones to wipe it back to factory defaults.

    I even love that even in the ActiveSync device password policy you can set a number of failed attempts before it wipes the device. A very nice security feature… although caution is advised. This option has a double edge sword, if you can’t remember your pin to unlock your phone, and you yourself exceed that number, bye bye phone data.

    I do want to ask to see if you’ve come across this unusual situation. I posted a technet article a while back regarding the mobile wipe option. We have an issue where if a user syncs their mobile device with Exchange, and after the sync is made, we move that user to another OU. If it comes to where we need to wipe the phone, the mobile wipe fails (this is from the EMC). The error log says it can’t find the object because it’s looking for the original location where the sync occurred.

    We can easily move the user back to the original OU and the remote wipe works.. or someone posted on my technet question that you can use EMS to point to the user with the full OU path and it will work (have not tested this yet).

    Upon further investigation i ran a Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics on a persons mailbox. The IDENTITIES came up different from each command. 1 pointed to the correct location of the user object, the other pointed to the original location of the user when the sync was first made. I’ve looked all through ADSI and could not find the original location anywhere on the the Device object itself or the ocntainer it resides in under the user.

    It’s a very strange situation, I was wondering if you’ve encountered this and get your thoughts on it.

    JB

    • says

      I seem to remember reading that on TechNet recently.

      My thoughts are that it sucks. But I’d say you’ve found part of the solution (or workaround) with the different result that each of those cmdlets gives you. I’ll dig into it a bit more, maybe there is a scripting solution to this or at the very lease a scripted report that can flag the ones that have been moved.

      • Jonathan says

        Hi Paul,

        Thanks for taking the time to look into this. I will do some testing with the scripts on this link and see what comes up.

        Jonathan

      • Jonathan says

        My apologies for this being so long ago. Just FYI, The best solution is to script it in powershell as you stated in your link. I’ve had a lot of PowerShell to learn from the time I had this issue come up.

        But just as your article states if you can pull the information of the actual location.. the full path, stick that in a variable, then run Clear-ActiveSyncDevice $devicePath. I had to set it up where a device had to be selected from a list and then give the user the option to either Wipe it or remove the partnership. Works like a charm.

        PowerShell scripting has been a life saver on many tasks that i do.

        Thanks again Paul!

        JB

  2. John says

    Hi Paul,

    Thanks for this very helpful article. I’m just wondering if you were able to perform this device wipe on the ECP page instead of OWA? In my organization, this OWA seems to work as long as you have mailbox rights to the user receiving the wipe command.

    But on the ECP Page > My Organization….managing a device of a user doesn’t seem to work. We get ‘Access is denied’ when saving after a Wipe Device is initiated. Please note that we already have the appropriate Role Group created for this as well.

    Can you advise on the resolution of this issue? Thanks so much.

    John

      • John says

        Yes, just ‘Access Denied’ error. should I be seeing more details of the error in checking IIS logs? I’ve explored that before already but it doesn’t give me any helpful information on this. I’m just thinking that there might be a missing role that we should assign to the role group we have created.

        The role group we created is almost similar to this: http://blogs.technet.com/b/exchange/archive/2012/09/12/rbac-walkthrough-of-creating-a-role-that-can-wipe-activesync-devices.aspx

        Basically our goal here is to have the security team of our organization be able to remotely wipe any user’s activesync device without having to log in to individual’s mailboxes through OWA (either a password reset or mailbox full access) so we have the best option of assigning them to this role group then perform the wipe through ECP managing the entire organization’s ActiveSync users but it’s not working. If you have a good solution or probably a better workaround on this, I would greatly appreciate it. Thanks Paul!

  3. N. Palmer says

    Is there any technical difference between an ActiveSync device wipe performed by a user via their web console versus an Exchange/ActiveSync admin device wipe? Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *