My employer can wipe my iPhone?

[Top1Dog525]

Here is a link to most of the commands/restrictions that can be implemented via ActiveSync, but there are more...

http://technet.microsoft.com/en-us/library/bb123484(v=exchg.141).aspx

 

[Beelzbub]

This is why I don't have my phone connected to my work email/calendar. I log in via the web client. I also read an interesting article too that if your company ever gets sued that your device can be confiscated and considered evidence. I often wonder why would I want to use my personal device, and data plan that I pay for, for work? I will read my emails when I get to the office.

Some places reimburse the employee for their phone use, we do here. If the employee is approved to have email on their phone, number 1 they are notified of everything up front and they sign a form, and number 2 they are reimbursed for their phone usage, which is different between different managers, some get their whole phone bill paid for others half and others 3/4 of their bill is paid for.

 

[sulliweb]

Another IT Admin checking in, this has been a feature of Exchange for a decade, at least. They can wipe your phone with no credentials. Most companies don't have any policies regarding it because, in all honesty, we never intend to use it. Company phones, sure, but there will be policies. However, when it comes to your personal cell... Yeah, I have no need or intention of doing it, and if our users thought we could, they'd treat that as a fail safe if they lost their phone. That isn't something we want either.

The feature is there, but unless you give your employer a reason to use it or there is a policy in place, you can rest assured that most IT folks have no intention of using it.

There are a lot of features included in a lot of network stuff. Just because they're there doesn't mean that they will be used. Check your company policies, and when all else fails, bake your IT folks cookies. We love cookies.

 

[Liquidtrance]

I would say you had to agree to something whether it be a general use I.T. policy or if its was buried in a EULA when you set it up originally, overall if you have work data on your personal phone it can be subject to work policies without your consent.

My general thought process: don't use your personal hardware for work purposes - </thread>

 

[Top1Dog525]

Another IT Admin checking in, this has been a feature of Exchange for a decade, at least. They can wipe your phone with no credentials. Most companies don't have any policies regarding it because, in all honesty, we never intend to use it. Company phones, sure, but there will be policies. However, when it comes to your personal cell... Yeah, I have no need or intention of doing it, and if our users thought we could, they'd treat that as a fail safe if they lost their phone. That isn't something we want either.

The feature is there, but unless you give your employer a reason to use it or there is a policy in place, you can rest assured that most IT folks have no intention of using it.

There are a lot of features included in a lot of network stuff. Just because they're there doesn't mean that they will be used. Check your company policies, and when all else fails, bake your IT folks cookies. We love cookies.

Perfectly said... especially about the cookies

 

[Menel]

I'm not so sure about "well known". I've been an Apple nerd for ages seeking out every bit of knowledge I can find and I had never heard of this before today.

I'm not sure how I was supposed to know this before adding the account. It's a freaking email address! The ability for that to affect anything beyond emails on my phone seemed crazy to me.

Source, for those asking: https://discussions.apple.com/thread/3090996?start=0&tstart=0

http://technet.microsoft.com/en-us/library/aa998614(v=exchg.141).aspx

You quoted an anonymous user tech support message board as a reference source? ROFLMAO That's a new low point far below wiki.

http://help.apple.com/iosdeployment-exchange/mac/1.1/#exchange2e5bed3

It has added Exchange support, support for remote wipe, security and configuration policies (either through Exchange or with configuration profiles that can be loaded onto each device), VPN options and encryption -- both whole-device encryption on the iPhone 3GS and targeted app data encryption in iOS 4.

http://www.computerworld.com/s/article/9180268/Managing_and_securing_iOS_4_devices_at_work

And if the device falls into the wrong hands,
users and IT administrators can initiate a remote wipe command to help ensure that
private information is erased.

http://www.wired.com/images_blogs/gadgetlab/2009/07/iphone_security_overview.pdf

and remotely wipe or lock managed devices.

http://www.apple.com/iphone/business/it-center/deployment-mdm.html

Added summer of 2010 with iOS 4.0 alongside multitasking, gamecenter, and iAds.

this apparently gives my IT Department the ability to completely wipe my iPhone remotely.
Correct, well known, publicized and documented.

I reiterate, old news, well known, well documented.

 

[GoCubsGo]

Why wouldn't you want someone to be able to wipe your phone in the event it is lost or stolen? I wouldn't care if they did because I care more about the data than the hardware. I would care if they could access all phone contents, but they cannot just by me setting up work e-mail via Exchange on my phone.

 

[VulchR]

Y...Shouldn't iOS notify me that this is a possibility? I'm in a little bit of shock that such a simple thing could lead to big problems without me knowing....

Seems to me this wouldn't hurt.

Anybody know what EU law is in this regard?

 

[Menel]

Seems to me this wouldn't hurt.

Anybody know what EU law is in this regard?

What would be even remotely illegal? That you didn't bother to educate yourself by studying your company's security policy? Good luck

 

[0309385]

Just jailbreak your iPhone, then remove the active sync hooks in the root file system.

 

[Corrode]

I reiterate, old news, well known, well documented.

Yo, I was on my lunch break, on my phone, had read 10+ articles on the thing and just posted the top two search results on google. Stop trying to prove that you have nothing better to do than post alllllll the links on the topic.

Also, "widely documented" does not mean widely known. How many people have read this thread today and learned something new?

 

[Feed Me]

wooooahh I never knew anything about this. I use Exchange to get my email at University here - so theoretically they can just remotely wipe my phone by clicking one button? That's a bit worrying.

 

[Corrode]

What would be even remotely illegal? That you didn't bother to educate yourself by studying your company's security policy? Good luck

Do you have anything actually helpful to add?

 

[0309385]

wooooahh I never knew anything about this. I use Exchange to get my email at University here - so theoretically they can just remotely wipe my phone by clicking one button? That's a bit worrying.

You know, that would most likely be Illegal and I believe that no one but an employer has the right to do that.

 

[aristobrat]

I can't seem to find any concrete answers on google.

FWIW, in addition to remote wiping your device, here are the other ways Microsoft's ActiveSync can be used by your [school, employer, etc] to manage your iOS device (emphasis mine):

The following Exchange Server policies are supported:

Enforce passcode on device

Minimum passcode length

Maximum failed passcode attempts
... The device is wiped once the specified value is exceeded.

Passcode requires both numbers and letters
... The user must enter a device passcode that contains at least one letter and one number.

Inactivity time in minutes
...The value specified by the inactivity time policy determines the maximum value that users can select both in Settings > General > Auto-Lock and in Settings > General > Passcode Lock > Require Passcode.

The following Exchange Server 2007 and 2010 policies are also supported:

Prohibit simple passcode
Passcode expiration in days
Passcode history
Minimum number of complex characters in passcode
Require manual syncing while roaming
Allow camera
Allow web browser
Maximum age of email messages synced
Require device encryption

iPhone 3G and iPod touch models prior to Fall 2009 don’t support device encryption and won’t connect to an Exchange Server that requires it.

http://help.apple.com/iosdeployment-exchange/mac/1.1/#exchange2e5930c

 

[charlituna]

Apparently I was very wrong. I use my personal phone to access my work email and calendar through our Exchange Server as it allows me to keep on top of things outside of work. I pretty much do it so I can be a better employee. After doing some research, this apparently gives my IT Department the ability to completely wipe my iPhone remotely.

Yep. If the Exchange server is set up with remote wiping it sure can. And most companies have it set up that way since they are concerned with keeping their business data out of the wrong hands.

How was I not notified of this when I added the account to my iPhone. Shouldn't iOS notify me that this is a possibility?

Because it's not their job to tell you. If you look in the T&C you'll likely find some kind of clause regarding the rules of outside systems like email servers etc. And then there's the issue of your companies rules about using personal devices. I bet if you had bothered to read company policy there's something about this ability

----------

totally agree, but you can't do it remotely without the proper credentials.

Which means having admin access to the exchange server, NOT the personal account credentials as you tried to state before.

 

[Mr Kram]

Wtf? I already stand corrected. Please read the entire thread. Thanks.

 

[charlituna]

I guess the responsibility is on the IT department to inform employees of this, which they obviously failed to do so. I will encourage my employer to develop some policies around this.

Now you are getting the picture.

As for informing you, does your employer actually allow you to put your work email on personal devices. Most actually don't. So you might want to check that before you go to raise a flag and inform them you are violating access policies. And don't assume that a lack of statement saying you can not is the same as a statement saying you can. You may find that your boss very much disagrees

 

[Corrode]

Now you are getting the picture.

As for informing you, does your employer actually allow you to put your work email on personal devices. Most actually don't. So you might want to check that before you go to raise a flag and inform them you are violating access policies. And don't assume that a lack of statement saying you can not is the same as a statement saying you can. You may find that your boss very much disagrees

Can people please stop accusing me of failing to read my company policies? I've read them many times. There is nothing on this protocol. There is, however, a step by step guide on how to access my work mail on an iPhone (and my company only provides Blackberrys for work so this obviously isn't for company phones).

This thread isn't about whether or not it's their right. It's about the mere ability to do so.

 

[VulchR]

What would be even remotely illegal? That you didn't bother to educate yourself by studying your company's security policy? Good luck

The Data Protection Act comes to mind, as do court rulings stating that an employer cannot intrude routinely into your private e-mails etc. even if you access them from a work machine (they have to have some justification). Also, with respect to my company's security policy, it says nothing about blanking private phones, so it would be nice if iOS alerted the user if creating a profile allows this.

Finally, I must say the tone of your post rang of the bad old days of IT support when the attitude was RTFM... That is hardly how Apple has managed to position itself so strongly.

 

[Menel]

The Data Protection Act comes to mind, as do court rulings stating that an employer cannot intrude routinely into your private e-mails etc. even if you access them from a work machine (they have to have some justification). Also, with respect to my company's security policy, it says nothing about blanking private phones, so it would be nice if iOS alerted the user if creating a profile allows this.

Finally, I must say the tone of your post rang of the bad old days of IT support when the attitude was RTFM... That is hardly how Apple has managed to position itself so strongly.

Follow the thread, they can't intrude on your personal email. They can only wipe it when they feel there is a threat of security to their data that you have voluntarily stores on your handset. There is their justification.

 

[aristobrat]

exactly, i havent even heard this type of issue before!

It's a feature of Microsoft Exchange ActiveSync, not Apple or iOS.

Microsoft Exchange ActiveSync can wipe virtually any remote device that is capable of using ActiveSync. This includes Androids, all of the Windows Phone variants, Palm, iOS, etc.

This capability has been around since Exchange 2003.

 

[SkippyThorson]

One of the many reasons why everything we do here is Google, and all my work data is in the separate Google apps, all in their own separate folder, on a separate page from my personal home screen. Separately, of course.

 

[aristobrat]

One of the many reasons why everything we do here is Google, and all my work data is in the separate Google apps, all in their own separate folder, on a separate page from my personal home screen. Separately, of course.

I guess if you have to login separately to those Google apps, that lessens the chance that if you lose your phone, someone can easily gain access to your work data.

My company tried something like that, using a product called Good (for iOS and Android). It puts all of your work data (email, calendar, address book) into a separate app. If you lose your phone/leave the company/whatever, they can just remotely disable that app, and all of the work data is gone.

The problem with that was that users hated it. On iOS, that app couldn't run in the background, which meant that every time you opened it, you had to wait for it to pull down new data. Also, their email and calendar apps weren't the same as iOS's email and calendar apps, which confused new people, and irritated experienced people when they'd find differences in capabilities between the two.

Ultimately, the company ditched Good, and now uses Exchange ActiveSync. Before they'll set your account up to use that, you have to sign a document that acknowledges that they have the right to wipe your device if you lose it, as well as that they enforce a passcode on the device.

 

[TheAppleFairy]

Incorrect, if the phone is syncing with the built-in Exchange Mail app the phone can be remotely wiped.

You can also wipe it yourself using the Outlook Web Access Portal.

Here is what it looks like to an Exchange Admin

Image

Yup, I have done it myself. With an Android phone on Verizon (was just testing the wipe feature), I even had to reactivate the phone by calling *228.

I also did this with my iPhone on AT&T, right back to factory settings.

Pretty cool feature if you ask me, oh and when I added my work email account to my phones it made me put a security lock on my phone.