Work Exchange Servers On Your Phone Enable Remote Wiping

You had IT set up Microsoft Exchange Server on your personal phone so you could get corporate email and stay in touch. You also, likely unbeknownst to you, gave them the power to remotely control and wipe your phone.

Photo by Gonzalo Baeza Hernández.

If you've linked your personal smartphone to your company's network via their Microsoft Exchange Server, you need to be extra diligent about backing up your data to your personal computer or syncing it to the cloud. In doing so, you gave them the power to control your phone from afar, turn functions on and off and nuke it from space. NPR reports:

The phone doesn't need to download any new software. All that's necessary is for the phone's user to configure it to receive e-mail from a Microsoft Exchange Server - the kind most big companies use.

Once that's been set up, an IT department has the capability to wipe the phone and turn off functions like Bluetooth, the Web browser and even the phone's camera.

"The reason why you see such a long list of various policies and controls is because different organizations want those controls," says Adam Glick, senior technical product manager for Microsoft Exchange.

He points to the peace of mind the system offers to people whose phones have been stolen, and who can rest assured that all the personal information contained inside can be erased from afar.

Glick says employers sometimes need remote control of other functions, like the camera, to prevent leaks. "If you're having an important meeting about the future finances of the organisation and people put that up on a slide, and someone might take out their camera phone and take a picture. And then they might go and, say, post that to the Internet," Glick says.

If you're thinking that sounds like a far-fetched scenario that wouldn't affect most people, consider how a simple toggle in the upgrade of a Lifehacker reader's corporate email server altered his phone. Reader Juan Smith shares his experience:

If your company has an up-to-date Exchange server, merely adding your Exchange-based work email to your iPhone also enables a remote wipe option.

I first discovered this when my boss (the network admin) upgraded Exchange and accidentally disabled all of our phones' camera features (since "disable camera" was the default for some reason). Exchange can also enforce passcode complexity and change frequency requirements, and/or force you to enable the feature that wipes your phone if someone repeatedly enters the wrong code.

There's also an option to remotely wipe all data from the phone at any time. If your company has the Outlook Web App configured, you can view which devices have access to your email and wipe any of them remotely yourself.

While these features exist for a reason (such as wiping a phone with sensitive corporate data when it is reported missing), that doesn't change the fact that an accidental activation could wipe your personal data. Back up your contacts, photos and other personal data on a regular basis to ensure such accidents don't deep six your data. Visit the link below to read the full article at NPR.
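The policy settings the reader describes (passcode rules, wipe after repeated wrong codes, the camera toggle) are carried by the mobile device mailbox policy assigned to each mailbox, and every ActiveSync partnership is a device that receives it and can be wiped. The following is an added example, not code from the article or from Microsoft: a hypothetical `Get-EasExposure` function for the Exchange Management Shell (Exchange 2013 or later; the mailbox name is a placeholder) that reports which policy settings reach a given user's phone and which devices are enrolled, so an admin can review them before touching a policy or a wipe.

```powershell
# Added example, not from the article or from Microsoft. Runs in the Exchange
# Management Shell on Exchange 2013 or later (Exchange 2010 uses the
# *-ActiveSyncMailboxPolicy / Get-ActiveSyncDeviceStatistics cmdlet names).
# For one mailbox: show the effective mobile device mailbox policy, the
# settings in it that affect a personally owned phone, and every device
# that currently holds an ActiveSync partnership (and so can be wiped).
function Get-EasExposure {
    param([Parameter(Mandatory)][string]$Mailbox)   # placeholder, e.g. 'jsmith'

    $cas = Get-CASMailbox -Identity $Mailbox
    if (-not $cas.ActiveSyncEnabled) {
        Write-Output "ActiveSync is disabled for $Mailbox; no device policy is pushed."
        return
    }

    # No explicit assignment means the organisation's default policy applies.
    $policyName = $cas.ActiveSyncMailboxPolicy
    $policy = if ($policyName) { Get-MobileDeviceMailboxPolicy -Identity $policyName }
              else { Get-MobileDeviceMailboxPolicy | Where-Object { $_.IsDefault } }

    # The settings most likely to surprise a user on a personal phone.
    [pscustomobject]@{
        Mailbox                 = $Mailbox
        Policy                  = $policy.Name
        PasscodeRequired        = $policy.PasswordEnabled
        WipeAfterFailedAttempts = $policy.MaxPasswordFailedAttempts  # 'Unlimited' = never
        CameraAllowed           = $policy.AllowCamera                # the accidental toggle
        BluetoothAllowed        = $policy.AllowBluetooth
        BrowserAllowed          = $policy.AllowBrowser
    }

    # Each partnership is a device that received the policy; the wipe
    # timestamps show whether a wipe has already been requested or delivered.
    Get-MobileDeviceStatistics -Mailbox $Mailbox |
        Select-Object DeviceFriendlyName, DeviceType, DeviceOS, LastSuccessSync,
                      DevicePolicyApplied, DeviceWipeRequestTime, DeviceWipeSentTime, Status
}

Get-EasExposure -Mailbox 'jsmith'   # placeholder mailbox
```

Users can see the same device list for themselves under Options in Outlook Web App, as the article notes; this view is the administrator's side of it.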

Wipeout: When Your Company Kills Your iPhone [NPR]


Comments

    Cool, another GOOD reason to avoid iPhone!

    Jason Fitzpatrick, please alter your article to indicate iPhone instead of Phone. Not all phones behave this way!

    No, it shouldn't be updated to say 'iPhone'. The article should be updated to indicate that this affects only phones (ANY phone) that access Exchange as an Exchange client AND support Exchange remote administration. Phones set up to access mail via POP or IMAP should not be affected. Also, it is sometimes possible to set a device to ignore these policies in the client settings.

    This works for ANY SMART PHONE that connects to an exchange server.
    Also, if webmail is set up, you can initiate the remote wipe yourself from within the webmail application.
    Handy if you lose your phone.

    This is one of the core reasons I upgraded from Exchange 2003. So far, we've only used it to enforce PIN lock on personal phones. In the event of one going missing with a slim chance of return, I've made it clear to all users we're going to wipe it clean. They all seem to be fine with the idea, as long as we actually let them know first.

    Why do people complain about this? Are they completely ignorant of the reality of information security?

    Work email is owned by your employer - accessing your work email on your own personal device is a privilege, as well as being a potential security liability for the employer.

    In my workplace (I'm the SysAdmin), as a matter of policy, if staff wish to access work email on their own device, they must agree to certain conditions, including remote wiping.

    Don't like this? Don't use your work email on your personal device. Tough bickies folks.
