Actually, this has existed since exchange integration was first added to PocketPC (a long time ago). It allows companies to control the security of their data.
Joining your personal phone to exchange is much like joining your personal computer to the corporate domain. You don't do it unless you want corporate IT to administer it and corporate policy allows it.
Edit: I sympathize with people who lost data, and do agree that the phone should warn you before completing the join. That said, as a business owner, I only allow exchange (and not POP or IMAP) for exactly this reason. I need to be able to wipe the company data if a phone is lost, or someone is fired (and not cooperative), etc. The real world isn't always nice.
Also, the full device wipe is by design, and the feature is called "Remote Device Wipe." The details can be found here:
Correct. Don't blame the feature. It's designed to protect from lost phones. Not only can IT wipe your phone (presumably at your request), but you can actually wipe your own phone from Outlook Web Access.
What's interesting is this: the ability to hook up a phone via ActiveSync (the protocol in question) can be configured per account. If IT did not want him to hook up his phone, they should have not given him those rights. Wiping devices like this is a bad idea.
You don't do it unless you want corporate IT to administer it
The problem is, there is no way a user will expect that they are giving away that privilege merely by adding an Exchange account to their personal phone. This is a gaping security hole in the mobile client software and it's entirely the fault of the phone developers. Just giving the server the name of my device without telling me is a breach, as far as I'm concerned.
It's not about data ownership, it's about access. Your data being on a device does not authorize you to access that device.
Wiping your company's email, sure. But you don't seem to have a problem with wiping the entire contents of someone's personal device and (if I read the article correctly) rendering that device unusable thereafter (after a restore it remote wipes again)
Would you be happy with just an email wipe, if that option were available?
After the remote device wipe completes the device is usable again unless they try to link to exchange again. In the cases I talked about they shouldn't be joining again.
In most cases there is more than just email, and the line between exchange and personal blurs. How do you remove the exchange data from a contact originating from exchange but updated with Facebook data? What about company restricted WiFi passwords? Attachments saved outside of the mail program?
It's complicated, and when properly used: a last resort.
Edit since I can't reply below:
Linking with activesync is optional. The policies are part of the bargain. Your examples either weren't optional (RIAA) or were things you'd choose not to do (EA).
There seems to be two quite distinct scenarios where this could be used; when a phone is stolen, or when an employee is no longer trusted with company data (they're fired or leave)
For the first scenario, I see no problem at all with remote wipe, but I do have a problem with the assumption that deliberate destruction of personal data is acceptable, for any reason. What if an employee had some paperwork at home? Would you condone burning their house to destroy it? Is a car bomb appropriate to destroy a briefcase left in a car?
What right does anyone have to destroy other people's property in the course of protecting their own? Would you support game manufacturers like EA being able to remote wipe your computer if they suspected you of running a pirate copy of a game? The RIAA if they suspect you of torrenting?
You're hyperventilating. Nobody has ever suggested that the RIAA or EA be able to wipe your phone. But plenty of companies have a policy that says that if you want to sync your phone with their corporate mail system, they need to be able to nuke your phone from orbit if something goes wrong.
When you find the example of the company that requires you to purchase a personal phone and sync it with their corporate mail server, you be sure and let us know. Until then, by all means, scream from the rooftops that this feature exists... but don't pretend there's no valid reason for it.
If my house has been broken into before, there's a "valid reason" for me to install a tripwire that automatically fires a shotgun blast at the intruder. That won't go over well in court, and neither should this.
hyperboling might be a better verb :) Looks like cross-cultural communication via a text only medium has meant you've completely missed both the tone and the content I was trying to present. Sorry about that
Do folks here not work in a regulated industry? We went through a yearly course on How To Not End Up On Front Page of The Paper For Leaking Customer Information. One core part of that is putting up with a little hassle with regards to managing one's cell phone, such as a) not using it for work if at all possible and b) very carefully regulating what got saved on it if it was used for work.
(Nobody at my office should have more than "P. McKenzie" and my phone number saved on their phone. Including full name, email address, a photo, my address, and the like would give me a cause of action against the company if the phone was ever lost or if that information were misused.)
A smart device capable of downloading an email attachment could cause a multi-million dollar incident if it was lost. All it would take is a bug tracking system report with an attached file showing e.g. the wrong number of lines printed per page of radioactively sensitive customer data.
> (Nobody at my office should have more than "P. McKenzie" and my phone number saved on their phone. Including full name, email address, a photo, my address, and the like would give me a cause of action against the company if the phone was ever lost or if that information were misused.)
That really can give you cause of action against a company?
In a similar matter what if I had all of that information on my personal phone, am I correct in assuming that it shouldn't give you the right to sue if that information were released. (As it assumes you either gave me that information, or it was obtained through you in some way)
And in the case of the email attachment, if you are sending radioactively sensitive customer data in any way through email isn't that the real problem and not that the phone could get out.
No, that's not the real problem. The transmission of sensitive information through corporate email is commonplace. Formally-classified protected information like HIPAA PI or payment card data shouldn't, of course, be emailed, but information that can be traced back to PI is sent routinely.
Regardless of whether it should or shouldn't happen, IT controls people have to assume it will. The contract for syncing with a corporate Exchange server, in many places, simply requires you to allow your phone to be wiped.
If you don't like it, don't sync with your company's Exchange server. What's so hard about that?
> The contract for syncing with a corporate Exchange server, in many places, simply requires you to allow your phone to be wiped.
> If you don't like it, don't sync with your company's Exchange server. What's so hard about that?
The problem that the posts points out is that there's no warning about this "contract" whatsoever. No matter what mobile device I've ever used, I have never, ever had a dialog tell me that by syncing my phone with an Exchange server I'm letting my company's IT department hold my personal information by the balls.
Additionally, we're talking about a lack of separation between two entities' data (personal & company-owned data).
If I had a user access clause for my website, "by accessing content on this website I am granted full access to indiscriminately wipe any and all data on your device, belonging to me or not" and was given the capability to do it - that would be ludicrous. The only difference I see is that I'm not in an employer relationship with my users. Even still, an employer-employee relationship with a company does not grant them the right to delete any and all data on any device of mine.
Also, since we're in HN (startup city, what?) who has ever worked for a startup that DISCOURAGED working from home on a personal laptop or having access to email 24x7? I've certainly never worked for one.
We simply disallow people working on company projects with personal equipment.
If I drank enough rye to kill the requisite number of brain cells required for me to allow people to sync their personal gear with our IT, I'd definitely tell people "we will be nuking your gear from orbit periodically as a precautionary measure".
> The problem that the posts points out is that there's no warning about this "contract" whatsoever.
But the post wrongly blames Microsoft and Exchange, when it's the person's workplace he should be blaming for supposedly not having clear enough policies.
Also, since we're in HN (startup city, what?) who has ever worked for a startup that DISCOURAGED working from home on a personal laptop or having access to email 24x7?
The policy where I work is: linux laptop (I imagine BSD might also be ok), access to code is via sshfs (or TRAMP) only. I don't think this is that unusual.
This is one of the reasons I use a third-party app (NitroDesk TouchDown) for reading Exchange mail on my Android phone. If someone hits "remote wipe" it'll only delete your Exchange data, the rest of your phone remains untouched.
If it's a major security risk, don't sync it to someone's pocket. By syncing it to someone's pocket... it's out. Especially if it's on their personal phone, you can't control what they (or an attacker) will do.
Either that's an acceptable convenience / risk tradeoff, or it's not. If it's not, you need to focus your efforts on tagging confidential data and keeping it inside the "walls" of your organization... but that's not a technology problem, it's a people problem.
But you can't guarantee that you can wipe it. What if it's not connected to the 3G network? What if the data has already been pulled off? What if it's been copied to a memory card on the phone? What if the phone doesn't properly implement this feature?
If you're using a Blackberry then you encrypt the entire device. The entire memory is encrypted with the device password and a wipe is triggered from too many incorrect passwords.
I don't know if the Exchange devices do the same thing - our company requires this kind of security, so we still only allow Blackberry.
This isn't an evil feature. It isn't a pointless feature. In fact it's a critical feature in the running of an organisation.
Email. Calendar. Address Book. A gold mine of absurdly sensitive data.
If you want corporate email on your phone, expect to have the possibility of a remote wipe.
It isnt Microsofts fault that people use it maliciously.
If you ask the user "do you wish to allow administrators to remote wipe your phone allow/deny?" what do you think they'll click ???
People don't care about data loss. Educate someone on how to not lose data, then a week later give them a laptop with a password protected screen saver/login - first thing they'll try to do is remove password.
The amount of company phones I see with no passcode lock is astounding - I can pick your phone up, forward emails to myself and have all your information. Bang.
Don't think data loss is a big deal? If you google "PA Consulting" a top link is how they lost a USB drive.
"Solved" unless they don't read it or don't remember it.
All you've solved is the ability for IT to say "told you so". You haven't solved the careless didn't-read-it end user from losing their data and thinking their phone is faulty.
That solves nothing. You'd then have to buy company blackberries (probably for the best) as no one would be able to use corporate email on their home phones.
I'm confused by all the arguments that this feature should exist. Of course it should exist. Re-read the OP: The bug isn't the remote wipe ability, the bug is leaving it up to the administrators of the server to decide whether to inform users that the feature exists.
Google decided to do an end run around Apple's lack of support for push notifications by making Gmail an Exchange server. Until now, I had no idea that by going along with this I was granting Google remote wipe privileges on my phone.
Sure, Google do not appear at this time to want to wipe my phone for any reason, but how is it that I've been unknowingly trusting them with this power? This privilege is decidedly non-obvious. When I connect to an email server I kind of expect that I'm giving someone, somewhere the ability to read my mail. That's "obvious," and I don't need a warning dialog.
But what is obvious about granting Google the right to erase the pictures I've taken of my father-son Lego Jawa Sand Crawler project? Or my voice memos? Or the extensive notes I've been making of design ideas for my Javascript framework?
Let's stay on topic, folks. The question to be debated isn't whether companies should have remote wipe privileges, it's whether a device should allow a user to grant such privileges without putting up a simple warning dialog.
If an IT department did this to me without warning, I'd quit that day, CC'ing my manager and the IT guy's manager telling them exactly why they'll now have to spend months finding and training my replacement.
I parked my personal car in the company fleet car garage and they clamped it. I didn't understand what was happening and called the rescue company telling them it had broken down and wasted lots of time.
This was so unfair I quit that day, causing a dramatic fuss pointing out exactly how much they'll suffer. That'll show them.
Not a true story, an attempt to frame the parent post I was replying to in a different light to show how much of a prima Donna overreaction it would be, and as you say, directed at the wrong people too.
Your analogy would be more apt if you once parked your car in the company lot, and then years later some IT guy sneaks into your house at night and clamps your car.
Not sure about other Android versions, but my 2.2 warned me about this when I set up my Exchange account. It also warns me about this every time it first connects to Exchange after a reboot.
Not much I can do about it. I more or less trust my IT guys not to be dicks so I don't lose any sleep over it. But short of carrying two phones, there's no way for me to separate personal and work devices. I do keep a nandroid backup on my personal netbook though.
In defense of this feature, it's very important for when a phone is lost. However, I agree, deleting peoples' data for reasons other than the device was compromised is just a sadistic thing to do.
Well, if people are using un-approved personal devices on the corporate network, it seems there is some fault on both sides. Assuming there is policy addressing this issue.
Sure, but you send out an Email warning people first. There's no reason to wipe people's devices unless they are willfully defying policy, and even then, you've got a list of the people doing it - just go to their office and talk to them in person (involve their manager if needed).
Wiping a personal device to "send a message" is passive-aggressive and totally destructive to morale.
They typed "AGREE" to the policy on day one when they were hired. IT is 2000 miles away. No one from IT is going to visit their office. They are going to wipe the device per corporate policy.
They have the right to do that, perhaps, but it's still not very nice.
People don't do good work when their employer is mean to them, regardless of what they signed. What is your "destroying potentially confidential data" is their "leaving to improve your competitor's product while you spend nine months trying to find a replacement".
Then it has no business being borged into the corporate IT system of a company which demands rigorous enough control of data to use remote device wipe.
Their "approval" is insufficient. If they want me to carry a device with data which they have the power to destroy, it's not really mine, so they are going to have to buy one for me. Remote wipe is the kind of thing you could be prosecuted for … if you weren't doing it to a private citizen.
No, not really. If using an un-approved device on the company exchange compromises corporate security, you need to either lecture me, take "disciplinary action", or both. Nuking my iPhone from orbit is neither.
You leave your phone in a bar. You tell your IT team about it the next day. You're holding out hope that it'll get turned in. Meanwhile, god only knows what's on it and who's got it. Sure, you're fired and all, but meanwhile: you handed a bunch of sensitive data out to the world, and firing you doesn't solve that problem.
Should you be told that this is the policy? Of course. But what's the rest of the complaint here?
I don't have a problem with them wiping my phone if I leave it in a bar, that's what the feature is for.
I have a problem with them, having on their screen a message saying "User X connected an unapproved device to Exchange", choosing to clicking "wipe", knowing they might destroy my personal stuff, instead of writing an e-mail telling me to get off the Exchange within 24 hours, and don't ever do it again, or face a remote wipe.
There could be important data still on the device itself, I imagine the argument would be.
Seems to me how it should work is that the device's user defines a PIN number for his device. Should the device be lost, the user could provide the IT guys with that PIN number, which would be required for the "remote nuke" feature to be used.
That assumes the user is a willing participant in that matter and will give over the PIN.
Suppose the user is a remote employee who's just been sacked -- the boss and IT are hundreds of miles away and can't just take the phone from him. That phone has some product-related emails on it that, if they were to get out, would tank the company's stock price. They have to be able to wipe that data without waiting for the user to hand over the key.
Look I have a degree in Computer Science, I wrote software to send the strings necessary to use IPOP, heck I even memorized the RFC number (1939).
And in all this time, never did I once see anything on that protocol that could do anything more than download mail and delete the mail you had in your account.
So I hear about Exchange and figure "oh just another protocol MS came up with, properly has extensions for calendars and stuff".
Now if I don't know this is going on, how can anybody know?
It would be one thing if the device said "by connecting to this system, you allow it to removely wipe this device allow/deny?" but it doesn't.
No, it is not criminal, it is an essential component of ensuring security in lost devices. It would be completely useless if it asked if it was ok to wipe the device.
If you are unable to understand that Microsoft added a lot of stuff to the exchange protocol, and this is one of them, perhaps you are in the wrong field. This is not top secret information, it has been around since Windows CE, and is requested by all big businesses.
It's my phone, my property. Nobody gets to access it without my permission, period. If someone sneaks a back door onto my phone, that is criminal.
If experienced developers don't know about this feature, there is no earthly way that the average user can be considered to have consented to access.
My boss can't kick down my door and ransack my house to find secret documents he gave me. If I violate my NDA, he can seek to remedy that in civil court.
It's my phone, my property. Nobody gets to access it without my permission, period.
And by connecting to ActiveSync you are telling your phone to "do ActiveSync things" and that includes letting it push policies such as "require a PIN/Password" and "be erased when needed". That you didn't know it meant that is not really grounds for saying it's criminal or whatever.
Hey, you know one earthly way you could know about this feature? Asked. "Hey IT people, can I connect my home phone to my work email? What should I know?".
"No, it is not criminal, it is an essential component of ensuring security in lost devices."
You say that as if that is some sort of an argument. But there is no actual law or force in the universe that says that necessary steps to do something that you consider "securing your network" will therefore automatically not be "criminal". In fact once you start trying to think of what criminal activities someone might take in the name of "securing their network" it isn't that hard to come up with a very long list.
Something does not become legal merely because you have an excuse!
(Note I'm not saying this is illegal or not. That would take careful analysis of the law and probably a detailed specification of what jurisdiction we're talking about and the precise details of a specific hypothetical since it almost certainly goes both ways, depending. I'm just claiming the argument doesn't make much sense.)
In twenty years I have never seen any message in any publicly documented protocol that means "nuke yourself utterly", much less ever expect to see anyone knowingly implement such a thing. So I was also unaware of this appalling misfeature, as was the author of the article. I believe this has not been widely disclosed outside the sadistic IT control freak set, and that they are not getting informed consent that this is possible before devices are reconfigured to permit it.
Exactly. Everyone defending this feature seems to miss that point entirely. If I set up my work email on my iPhone and was offered the following options:
POP3
IMAP
Exchange
What would I choose? With those options, one has more "features" and push email, but also allows my company to wipe my phone without asking me. This is not communicated to me through the UI.
I think it would significantly affect my decision over which to use if that information was presented to me.
Yeah, and girls who walk home alone at night had it coming if they're raped.
Of course, we know it's a bad idea to mix work-devices and private devices, and we probably also have little trouble procuring a work-smartphone if we need that. But for a non-IT person with his new iPhone, exited that pointing the Exchange app to mail.work.com just works, it's unacceptable.
So to connect to an Exchange server in iOS, Android or WebOS you have to give the server root on your phone? What sort of crazy security policy is that?
So you connect and store a bunch of confidential and important information on a device that you can leave at a bar?! What sort of security policy is that?
I had no idea there were so many people unfamiliar with secure networks. Anyone who is anywhere near U.S. govt classified networks knows that if they hook up their device up to one of them, they will be lucky to get their equipment sans storage media--and quite likely delivered with a pink slip.
Corporations may not have national security in mind when they protect their data but to them their data is every bit as important.
What I want to know is, can Google wipe my iPhone if I have Exchange synching? Looks like that's a "yes". How about an option to wipe my device, myself? Wouldn't mind getting that without paying for Mobile Me.
He's blames the remote wipes on the local IT guys. Calls them sadists. But I bet they are just doing what their corporate policies require them to do. The policies are written by the suits in management, not the local IT guys. If you want to bitch, bitch at them.
As far as they new, someone was hacking their servers, downloading unauthorized emails. This is completely what you would expect them to do.
The fact you can't see this, and change your world view to understand what is really going on, suggests that you are very young and being unreasonable.
Is the "remote wipe" command really supposed to delete all the data on the device? It sounds to me like it's meant to erase just the data associated with the Exchange account, but that the implementors misinterpreted it to mean "erase the whole volume".
Maybe it's because I've had a reasonable amount of exposure to the security measures taken by large companies (and the associated unpleasant legal measures that can be taken) but I follow these rules:
- No corporate data on personal devices (not even email)
- I expect to be given a work smartphone
- I use my own phone and iPad for personal stuff
- Assume that anything you do through a device attached in any way (even a VPN) to a corporate network may have everything you do monitored
Of course, these rules apply mostly when you are working for a large company, but even when you are in a startup you occasionally may have to work at a client site - and often these are large corporates.
As has been said elsewhere in the comments, it overreaches because once that data hits your phone it can leak in to other applications, the phone can store attachments on it's flash storage or the SD card, etc.
This is a feature, not a bug. If you don't want your personal device to fall under your organization's security policy, don't connect it to your organization's Exchange (or any other) servers.
It's saved our bacon in regards to stolen devices a few times.
The problem is that right now there aren't granular enough controls of remote devices to allow people to adequately differentiate between approved ones and illicit ones. The fault lies on both the side of the client device software and the server side software.
The same goes for Gmail (Google Apps Premium Edition only) and Android (or anything else using Google Sync). You can enable/disable IMAP & POP for the domain and if you enable it you open the floodgates. You can selectively enable/disable users via API but they can toggle it back on their own. If you setup Google Sync instead of IMAP/POP you can remotely wipe devices but you can't do anything except wipe everything and there is no inbuilt method to notify the user first.
Exchange, as described in the blog post, is equally bad. I'm confident things will improve in 2011 but it's unpleasant right now. The best thing companies can do is to set a clear policy on what's allowed and what isn't based on their data security needs, and never violate the users' trust.
One point not being made here is that nearly every wireless carrier requires you to add an Enterprise Data Plan to your service in order to use an Exchange connector. AT&T requires this with the iPhone. Verizon, T-Mobile, etc. all require it for the Blackberry. I haven't heard of a single device/provider that doesn't require an elevated service level to allow for enterprise mail access.
So there's a security by obscurity to start with: the average user doesn't know to ask for the Enterprise plan, let alone what Enterprise even means in context. So the scenario here requires that a) the salesman talked them into it, b) they bought into that service for the extra $15 on top of the data plan, or c) they consulted with the company's IT department or policies and knew they had to get that service. If they didn't, they simply cannot connect to the Exchange account. There's very little "oops, I didn't know what I was doing" here. I hope that most companies have a clear policy against checking your work e-mail from personal devices, and on your own time. There are legal implications for overtime pay. We may look the other way in startups, but this can't always be done.
Most law firms require this, unilaterally. It's part of the deal-- we'll pay your enterprise data plan in exchange for knowing that we may wipe the device, control which apps you can install [this is another can of worms], so on and so forth, per the requirements of malpractice insurance and data security.
In a perfect world this wouldn't be required, but I think we all know this can't possibly be the case in many industries.
Can someone confirm that the remote wipe actually works as described on each mobile OS? And that it can be done through a Google domain just by using their sync feature with a company account?
This is remote wipe as used by Microsoft Activesync and mobile OS's which support Activesync (Windows Mobile, iOS and Nokia with third party extensions). What do Google domains have to do with it?
just had some fun with the phone of a coworker of mine (of course after warning him and making sure that he won't lose data).
His iPhone was connected to our Google Apps account and with one click I managed to wipe his phone (it rebooted and came up with the "connect me to iTunes to activate me" screen).
Seems like we need something like vmware on phones. Then I can run the company's phone on my device. They can wipe, er, administer it any way they must. And I can still have one phone.
Amazed your question doesn't have upmods, it's very original.
Can my personal laptop be remotely wiped if I connect my email client to an exchange server? If not, why not? It seems to me that a laptop is even more likely to leak sensitive information out of email, like spread sheets and word documents.
I'm a sysadmin at a place that wants this sort of protection, and historically we've only used Blackberries.
Now that lots of people have iPhones, I'm explaining the "remote wipe" situation pretty often.
The best compromise I have at the moment is an iPhone optimised web interface. This lets you get your emails on the device without (much) danger of them ending up saved there.
So our company will not let iPhones connect to the Exchange servers from outside the corp firewall. Solution: Set up a separate mailbox on an external web host and use an exchange rule through Outlook to redirect emails to that address, all the while filtering for things like confidential or classified documents, and check the mail from my phone.
What is the offending module or piece of software on, for example, Android that does this? If it's an Exchange specific thing and works on many phones, why does it come preinstalled with root access and can I just disable or enable Exchange support to be sure nobody ever nukes my phone?
I work in IT and my boss is precisely like this. We don't manage mobiles but wireless. He's talked about scanning the multi-campus network to find unauthorized microwaves that he can have removed.
Because of course, it might cause _some_ interference for 30 seconds at a time right? Yeah.
If you are in the US, it's likely illegal for your boss to try to regulate microwave ovens based on causing wifi interference - that's solely the job of the FCC.
The regulations that allow the use of 2.4Ghz ISM band require you to accept that interference....
<grumble>I think it's an intelligent idea if you're providing blanket coverage and idiots are setting up their own linksys's that can't even dhcp on due to mac filtering. </grumble>
Joining your personal phone to exchange is much like joining your personal computer to the corporate domain. You don't do it unless you want corporate IT to administer it and corporate policy allows it.
Edit: I sympathize with people who lost data, and do agree that the phone should warn you before completing the join. That said, as a business owner, I only allow exchange (and not POP or IMAP) for exactly this reason. I need to be able to wipe the company data if a phone is lost, or someone is fired (and not cooperative), etc. The real world isn't always nice.
Also, the full device wipe is by design, and the feature is called "Remote Device Wipe." The details can be found here:
http://technet.microsoft.com/en-us/library/bb124591.aspx
Note that the storage card is also wiped (where attachments and other sensitive data may be saved).