When Your Company Remote-Wipes Your Personal Phone

Xenographic writes "NPR has a story about someone whose personal iPhone got remotely wiped by their employer. It was actually a mistake, but it was something of a surprise because they didn't believe they had given their employer any kind of access to do that. This may already be very familiar to Microsoft Exchange admins, but the problem was her iPhone's integration with MS Exchange automatically gives the server admin access to do remote wipes. All you have to do is configure the phone to receive email from an MS Exchange server and the server admin can wipe your phone at will. The phone wasn't bricked, even though absolutely all of its data was wiped, because the data could be restored from backup, assuming that someone had remembered to make one. But this also works on other devices like iPads, Blackberry phones, and other smartphones that integrate with MS Exchange. So if you read your work email on your personal phone or tablet, you might want to make sure that you keep backups, just in case."

we have the same policy at work

[queen of everything]

We have the same policy and will only allow smart phones to connect to exchange when they have the remote wipe capability. It's to protect the company's interests should a phone be lost or stolen. When the users sign up for ActiveSync they have to "read" the terms and conditions where it states that it may be remotely wiped. I don't think most people read it but when you think about the type of proprietary (and often confidential) data your email inbox has, you have to understand why the company does it.

Bad photoshop?

[bigredradio]

Is it just me or does the iphone in the picture of the article look really small? Or the person has really large hands?

Re:we have the same policy at work

[geekoid]

sure,all those emails about yet ANOTHER birthday, whose turn it is to clean the fridge, who burnt the pop corn, meetings to discuss the next meeting. Jokes, bus passes.

Yeah, losing it would just ruin a company~

If you don't want this happening...

[rennerik]

... use IMAP. Connecting to Exchange via IMAP doesn't enable remote wipe, but still allows you to access your mail and get access to the GAL.

But honestly, if you're needing access to a company's Exchange server, there's no reason why the company can't enforce a security policy, like a PIN or password on your phone, or remote wipe capabilities. There may be sensitive data in your emails or in your contact list, that should not be accessed on a device which has no protection (or even weak protection like a PIN). It's in the best interest of the organization to be able to remotely-wipe a device connected to their Exchange server.

That being said, if you don't want to give the company access to do that to your phone, then don't connect to Exchange. If IMAP isn't enabled, then you have to take the tradeoff.

Re: Going to post as top level comment... but...

[colinnwn]

Unless your company specifically forbids it, I'd use TouchDown for Android. I've set it up for my mom and it seemed to work ok. I couldn't get her tasks to sync, but I'm sure I could have figured it out with some more effort. The email came down fine. It isn't quite as chic as having everything integrated into the native apps on your phone, but the interface seemed serviceable enough, and it keeps more of a firewall between your work and personal life.

Many companies don't specifically check the client string. If they do, and you really want to, you can masquerade as an iPhone. It supports Exchange remote wipe (but only for the TouchDown data store), all your personal data on the phone will be unaffected. I have Prey on my phone to wipe my personal data in case it gets stolen.

Re:we have the same policy at work

[Monkeedude1212]

We're actually dealing with a bit of backlash from having this policy - on both sides of the issue at the same time!

I'll try to be as vague as possible to cover my butt - but basically someone who deals with Clients for their job was going to be let go. We wiped their phone, as standard policy. Not sure if they copied the data prior to leaving or if another employee helped them out, but they basically took contact information, pricing/quotes, certain client rates, etc etc and took that to help land another job with a competitor.

Being in IT I know that it's going on as basically our "employee lifecycle" has come under review - but I'm not exactly on the legal team so I don't know how exactly it's progressing. But I know basically we pressed charges for selling trade secrets, and they are counter-suing for something along the lines of destruction of personal property for wiping EVERYTHING off of their phone.

I am not aware of any actual "Agreement" to phone wipes besides possibly verbal ones between managers and their employees and/or IT - there isn't a lot of documentation on the subject matter anywhere - however since starting any time anyone has asked "Can you get my email sync'd on my phone?" My common response is "Yes, but you will be handing over control of ALL The phones data to the company so we can wipe it should you be terminated or leave the company, which includes all your personal phone numbers and appointments". I say it not only to actually warn people of the danger - but its actually a great deterrent and a lot of people reconsider and don't want it anymore, less work for me!