Exchange ActiveSync remote wipe and firing people

Darn it, Dr. J beat me to the punch:

Remote wipe in Exchange ActiveSync is only useful when a user loses his or her device, and even then, it is lacking since you cannot reach out to the device and wipe it. Remote wipe in Exchange ActiveSync is utterly useless when people are terminated from their employer.

In the case where you fire an employee and want to remove your organization’s confidential data from their device, there’s a big ol’ hole that Jesper describes quite well. There are various mitigations that might seem to apply, but most of them revolve around preventing someone from connecting in the first place, or blocking their ability to connect after you fire them. For example, you could require client certificates so that only devices holding a certificate can connect, but that only works as long as the client cert remains valid. It doesn’t solve the wipe problem, though.

A related problem: the current device wipe implementation on most phones resets everything and completely erases the phone back to its factory state. Users lose all their apps, personal data, and so on: not a great experience for them (though one school of thought says that you just fired them, so who cares?).

It seems like it would be reasonable to do two things. First, allow sending the EAS wipe message to a device even if it fails to authenticate. If the device has an existing sync relationship, and it tries (but fails) to authenticate, just send the pending wipe message to it anyway. Second, give admins the choice of whether the wipe message requires a complete wipe or only deleting data that came from the organization originating the wipe message in the first place.
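To make the two proposals concrete, here is an added example (my own constructed model, not Exchange or any vendor's code) of a server deciding what to return to a Sync request: a known device with a pending wipe is told to wipe even when its credentials no longer authenticate, and the wipe carries a scope of either full or account-only. The class and field names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class WipeScope(Enum):
    FULL = "full"                  # factory reset, as phones do today
    ACCOUNT_ONLY = "account-only"  # only data that came from this organization


@dataclass
class Partnership:
    """Constructed record of an existing sync relationship for one device."""
    user: str
    device_id: str
    pending_wipe: Optional[WipeScope] = None


@dataclass
class EasServer:
    # Constructed credential store: user -> password. A terminated user is
    # simply removed, so their device can no longer authenticate.
    credentials: dict
    partnerships: dict = field(default_factory=dict)

    def register(self, user: str, device_id: str) -> None:
        self.partnerships[device_id] = Partnership(user, device_id)

    def request_wipe(self, device_id: str, scope: WipeScope) -> None:
        """Admin queues a wipe of the chosen scope for a known device."""
        self.partnerships[device_id].pending_wipe = scope

    def authenticates(self, user: str, password: str) -> bool:
        return self.credentials.get(user) == password

    def handle_sync(self, user: str, password: str, device_id: str) -> dict:
        """Return the response the server would send to a Sync request."""
        partnership = self.partnerships.get(device_id)
        # Proposal 1: if this device has an existing partnership for this user
        # and a wipe is pending, send the wipe regardless of the auth result.
        if partnership and partnership.user == user and partnership.pending_wipe:
            return {"status": 200, "command": "Wipe",
                    "scope": partnership.pending_wipe.value}
        # Otherwise the normal rule applies: no valid credentials, no access.
        if not self.authenticates(user, password):
            return {"status": 401}
        return {"status": 200, "command": "Sync"}
```

Note that an unknown device, or a known device with no pending wipe, still gets a plain 401 after the account is disabled; the only thing an unauthenticated caller can learn is that a wipe was already queued for that partnership.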

Filed under UC&C

2 responses to “Exchange ActiveSync remote wipe and firing people”

  1. The other day I had a co-worker ask me why I thought BlackBerrys and BES servers are so popular in businesses. I told him that it’s a matter of control. You can do so much more to lock, control, wipe and manage a BlackBerry than you can with an Exchange ActiveSync phone. He tried to rally to the Microsoft battle flag, but sadly, this is an area where our tools just are lacking. We started a good push with System Center: Mobile Device Manager, but it died somewhere along the way.
    I don’t like supporting BlackBerry devices. I don’t like my mail going through a non-transparent service. I don’t like the access to my mail server that I have to give the BES service accounts. Even though I don’t like these things, sadly, BlackBerry Enterprise Server has better control for situations like this.