11

When connecting Android mobile devices to Exchange ActiveSync, some require granting device administrator privileges, which permit an Exchange administrator to remotely wipe the phone. The warning messages are scaring some mobile users and turning them away from using Exchange ActiveSync altogether.

How can I disable this functionality on Exchange Server 2010? [security breaches are not an issue here]

Rory

3 Answers

9

UPDATED (again)

The short answer to your question is NO.


Outlook/Exchange clients either are capable or aren't capable of remote wipe. The Exchange policy simply expects that they support that feature. If the phone supports remote wipe and you've accepted the policy (by being a so-called "Provisional Device"), then Exchange may send a request to wipe the phone (on behalf of the admin, or the user may request it from their web/PC logged-in account).

If your users want to be sure their email won't get wiped then they need to find an Exchange client that doesn't support remote wipe and convince you to drop that as a requirement from your policy (by turning on AllowNonProvisionableDevices). Period. There is no other way to "turn it off".

Features of the client can't be disabled by the server; they can just be required by it. And in this case it seems the requirement is part of Exchange Sync in general. :-( I don't see any way out of it.


The policy on Exchange says "if you don't agree with these settings, you don't get email" and then has a list of settings. You can also set "AllowNonProvisionableDevices" to ON, which will allow devices that reject the policy to still get email.

As others have said, the message from the client to the user on the phone isn't configurable, so you never know if it will STILL scare them even though you've turned that request off.

http://technet.microsoft.com/en-us/library/bb123484.aspx

and here is the link to how to create a new policy and apply it to users: http://technet.microsoft.com/en-us/library/bb124120.aspx

Mark
  • Thanks Mark. I don't see anywhere to "turn off remote wipe as one of the features of the mailbox policy". I want to know how I can disable this functionality. Also, AllowNonProvisionableDevices is for "older phones that may not support application of all policy settings are allowed to connect to Exchange 2010 by using Exchange ActiveSync." The problem arises with provisionable devices. – Rory Nov 15 '11 at 11:34
  • I wasn't clear. All you can do in a policy is not demand that the devices offer and allow Remote-Wipe to the server -- as a condition of connecting. I'll update the body of the post. – Mark Nov 15 '11 at 16:45
  • Ok Mark, but the problem is that it is impossible (for me, for now) to create an ActiveSync policy that does not include Remote Wipe. How can I create such a policy? If I could create such a policy without Remote Wipe then great but leaving it out simply doesn't appear to be an option available within ActiveSync policies. – Rory Nov 15 '11 at 17:02
  • You are correct. I misread a document. It appears that Remote-wipe is a required element of "Provisional Device". I'll update again. – Mark Nov 16 '11 at 19:32
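The two settings Mark's answer refers to, AllowNonProvisionableDevices and a new mailbox policy applied to users, are set from the Exchange 2010 Management Shell. The following is an added example, not code from the thread or from Microsoft's documentation. The policy name "EAS-NoProvisioningRequired", the mailbox "rory.test" and the group "Android Users" are hypothetical names chosen for illustration; the cmdlets and parameters are the standard Exchange 2010 ones.

```powershell
# Added example (not part of the original thread). Exchange 2010 Management Shell.
# Assumed names: policy "EAS-NoProvisioningRequired", mailbox "rory.test",
# distribution group "Android Users".

# 1. Create a policy that does not refuse devices which decline (or cannot apply)
#    the policy settings. This does NOT remove remote wipe from the protocol;
#    it only stops the server from requiring policy enforcement as a condition
#    of syncing, which is the most a policy can do here.
New-ActiveSyncMailboxPolicy -Name "EAS-NoProvisioningRequired" `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $false

# 2. Check the policy came out as intended before assigning it to anyone.
Get-ActiveSyncMailboxPolicy -Identity "EAS-NoProvisioningRequired" |
    Format-List Name, AllowNonProvisionableDevices, DevicePasswordEnabled, IsDefaultPolicy

# 3. Assign it to a single test mailbox first.
Set-CASMailbox -Identity "rory.test" -ActiveSyncMailboxPolicy "EAS-NoProvisioningRequired"

# 4. Once verified, assign it to every member of a distribution group.
Get-DistributionGroupMember -Identity "Android Users" |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "EAS-NoProvisioningRequired"
    }

# 5. Confirm which policy each of those mailboxes now has.
Get-DistributionGroupMember -Identity "Android Users" |
    ForEach-Object { Get-CASMailbox -Identity $_.Identity } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 6. For reference, this is what an admin-initiated wipe actually calls. The device
#    identity comes from Get-ActiveSyncDeviceStatistics. -WhatIf is left on so that
#    running this script as-is wipes nothing.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox "rory.test"
$devices | Select-Object DeviceType, DeviceModel, LastSuccessSync, Identity
foreach ($d in $devices) {
    Clear-ActiveSyncDevice -Identity $d.Identity -WhatIf
}
```

Two caveats worth checking after the change: Set-ActiveSyncMailboxPolicy -IsDefaultPolicy $true is needed only if you want new mailboxes to pick this policy up automatically, and, as Driftpeasant's answer notes, none of this alters the device-administrator prompt the Android mail client shows, since that prompt is generated client-side regardless of what the server policy demands.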
1

I think your biggest issue is not going to be disabling your ability to remotely wipe from the server, but the permissions the ActiveSync app requests on Android. From my understanding, many of the apps request that permission whether the policy is enabled on the server or not, because the policy can be changed after the sync is established.

So I think you're running into a political/PR issue more than a technical one.

Driftpeasant
  • That's interesting DriftPeasant but I think it is a moot point unless remote wipe functionality can actually be disabled within a policy. – Rory Nov 11 '11 at 12:55
  • The way you phrased your question suggested that your users were freaked out that they had to grant permission to ActiveSync to wipe their device. My contention is that you can disable your ability to do that remote wipe, but the app will still request that permission. So regardless of your technical ability to wipe, your users will still have the concern that you can wipe. So I don't think it's a technical issue so much as a PR one. – Driftpeasant Nov 11 '11 at 13:27
  • Sure Driftpeasant, I understand. And my users are getting freaked out. But my question is how can you "disable your ability to do that remote wipe"? – Rory Nov 11 '11 at 15:33
0

You can create a policy that disables "Initiate a remote device wipe" for users and then assign that policy to the organization, a group, or whatever is appropriate.

http://technet.microsoft.com/en-us/library/ff459605.aspx

SBWorks
  • How can you create a policy that disables "Initiate a remote device wipe"? The TechNet article has no information on this, though there is mention of additional security options for Windows® Phone users. – Rory Nov 08 '11 at 15:15