Phones not wiping

  • Question

  • Hello

    I am running Exchange 2013 on premise and we recently let an employee with two phones go.  I have one phone with me and he still has the other.  

    I used ECP to initiate a remote device wipe for both phones and neither are wiping.  Both have the status of Wipe Pending.  The phone that I have with me is on and attempting to sync.  I can see the "Sign-in failed" notification on the lock screen.  It could be that the other phone is powered off and sitting in a drawer somewhere.

    I realize that I can enter a bad password five times and the phone will reset itself but I'm not looking for a workaround.  I need to be able to reliably erase phones remotely.  

    The phones are both Android, Samsung Galaxy S4 and S6 Edge.  Can anyone enlighten me as to why these phones won't wipe?


    Hutch


    Thursday, November 5, 2015 5:29 PM

All replies

  • Hi,

    The phone that you have will wipe itself, so that's one down. As for the other phone that the ex-employee kept, you cannot do much except go into ECP -> phone and remove the device ID from his account. Disable his account in AD.

    Friday, November 6, 2015 12:15 AM
  • The phone that I have has not wiped itself.  That's what I'm trying to do.  It appears that Microsoft Exchange cannot wipe phones.

    I cannot remove the device ID from his account because then I will never know if the phone was wiped.  I need to be able to see the status.  

    His account is already disabled and his password has been changed.  I'm not worried about him logging into his account or still receiving email.  I want to remove the existing email from his phones and it appears MS Exchange is not capable of doing that.  Am I wrong?



    Hutch


    Friday, November 6, 2015 2:30 PM
  • Is it possible that the phone needs to be unlocked?

    Hutch

    Friday, November 6, 2015 4:35 PM
  • For the wipe command to be sent to the device, the device needs to synchronize data with ActiveSync. There are several reasons this might not be happening:

    • The phone is off
    • The account has been removed from the device
    • The account is unable to authenticate

    I think the phone you have is unable to authenticate because the user account has been disabled and the password changed. This will prevent it from getting the wipe command.

    As for the phone retained by the employee, if that employee has removed the account then it will never get the wipe command.


    Byron Wright (http://fieldnotes.conexion.ca)

    Friday, November 6, 2015 6:28 PM
  • For the wipe command to be sent to the device, the device needs to synchronize data with ActiveSync. There are several reasons this might not be happening:

    • The phone is off
    • The account has been removed from the device
    • The account is unable to authenticate

    I think the phone you have is unable to authenticate because the user account has been disabled and the password changed. This will prevent it from getting the wipe command.

    As for the phone retained by the employee, if that employee has removed the account then it will never get the wipe command.


    Byron Wright (http://fieldnotes.conexion.ca)

    Spot on.

    The phone cannot get the wipe command.

    Rule number one with ActiveSync - do not touch the account until the wipe command has been sent and acknowledged. In most cases that will not take long.

    If you want something that will work with a dead account, then you will need a third party MDM - Blackberry BES, Airwatch, MobileIron etc.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Friday, November 6, 2015 7:06 PM
  • The phone is on and the account has not been removed.

    I did change the password for the user's account so it is unable to authenticate.  I don't see why that should matter though.  It is still contacting the server trying to authenticate and that should be enough to trigger the wipe.  

    What if this were a lost or stolen phone?  I would have to change the password immediately but if Exchange can't wipe the phone after that the thief has all the old mail.


    Hutch

    Friday, November 6, 2015 7:18 PM
  • Contacting the server and attempting to authenticate is not enough. It needs to authenticate to download the wipe command. The wipe command is inside the ActiveSync process, not out of band.

    If it were lost or stolen, you wipe before changing the password. The assumption is that the PIN you've enforced on the device prevents access to the device. So, changing the password is not required.


    Byron Wright (http://fieldnotes.conexion.ca)

    Friday, November 6, 2015 7:20 PM
  • The phone is on and the account has not been removed.

    I did change the password for the user's account so it is unable to authenticate.  I don't see why that should matter though.  It is still contacting the server trying to authenticate and that should be enough to trigger the wipe.  

    What if this were a lost or stolen phone?  I would have to change the password immediately but if Exchange can't wipe the phone after that the thief has all the old mail.


    Hutch

    The wipe command is set on the account. How is it going to see that option is set on the account if it cannot authenticate? It cannot.

    Same if the device is stolen. You need to wait to change the password until the wipe command is sent. However it would have to be a very stupid thief to leave the phone on. The first thing they do is remove the SIM from the phone so it cannot be tracked.

    That is how it works; your processes need to take that into account. For a successful wipe the device needs to make a successful connection. If that isn't acceptable, then you need to look at a third-party tool.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Friday, November 6, 2015 7:21 PM
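The replies above describe a fixed order for offboarding with Exchange ActiveSync: issue the wipe while the device can still authenticate, wait until the device has synced and acknowledged it, and only then disable the account or change the password. The script below is an added example that puts that order into an Exchange 2013 Management Shell procedure; it is not code from the thread or from any of the posters. It assumes the standard Exchange 2013 cmdlets (Get-MobileDevice, Get-MobileDeviceStatistics, Clear-MobileDevice, Set-CASMailbox, Get-Mailbox), that the ActiveDirectory module is available for Disable-ADAccount, and that the mailbox alias is a placeholder you replace.

```powershell
# Added example (not from the thread): sequence the wipe and the account
# disable the way the replies describe. Assumes the Exchange 2013 Management
# Shell with rights to manage mobile devices, plus the ActiveDirectory module.
param(
    [string]$Mailbox        = 'departing.user',   # placeholder alias, not from the thread
    [int]   $TimeoutMinutes = 120,
    [int]   $PollSeconds    = 60
)

# 1. Request the remote wipe while the account can still authenticate.
#    The wipe is delivered inside the ActiveSync sync, so the device must be
#    able to log on to receive it.
$devices = Get-MobileDevice -Mailbox $Mailbox
if (-not $devices) {
    Write-Warning "No ActiveSync partnerships found for $Mailbox"
    return
}
foreach ($dev in $devices) {
    Write-Host ("Requesting wipe: {0} ({1} / {2})" -f $dev.DeviceModel, $dev.DeviceType, $dev.DeviceId)
    Clear-MobileDevice -Identity $dev.Identity -Confirm:$false
}

# 2. Wait for every device to acknowledge. A device that is powered off, has
#    had the account removed, or can no longer authenticate never syncs, so
#    DeviceWipeAckTime stays empty; the loop times out rather than reporting
#    a wipe that never happened.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $stats   = Get-MobileDevice -Mailbox $Mailbox | Get-MobileDeviceStatistics
    $pending = @($stats | Where-Object { -not $_.DeviceWipeAckTime })

    foreach ($s in $stats) {
        Write-Host ("{0,-20} Status={1,-12} WipeSent={2} WipeAck={3} LastSync={4}" -f `
            $s.DeviceModel, $s.Status, $s.DeviceWipeSentTime, $s.DeviceWipeAckTime, $s.LastSuccessSync)
    }
    if ($pending.Count -eq 0) { break }
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

if ($pending.Count -gt 0) {
    # Do not touch the account yet: a disabled account or changed password
    # would leave the device unable to authenticate and so unable to pick up
    # the pending wipe. Re-run later, or escalate to an MDM for a dead account.
    Write-Warning ("{0} device(s) still show the wipe as pending; leaving the account untouched." -f $pending.Count)
    return
}

# 3. Every device has confirmed the wipe, so the account can now be cut off
#    without losing the command.
Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
Disable-ADAccount -Identity (Get-Mailbox -Identity $Mailbox).SamAccountName
Write-Host "All devices acknowledged the wipe; account disabled."
```

The status table printed on each poll is the check the thread asks for: DeviceWipeSentTime only appears once the device has connected and been handed the command, and DeviceWipeAckTime once it has confirmed. While both stay empty the device has not synced, and disabling the account at that point locks the wipe out permanently, which is the situation described in the question.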