When Your Company Remote-Wipes Your Personal Phone

Xenographic writes "NPR has a story about someone whose personal iPhone got remotely wiped by their employer. It was actually a mistake, but it was something of a surprise because they didn't believe they had given their employer any kind of access to do that. This may already be very familiar to Microsoft Exchange admins, but the problem was her iPhone's integration with MS Exchange automatically gives the server admin access to do remote wipes. All you have to do is configure the phone to receive email from an MS Exchange server and the server admin can wipe your phone at will. The phone wasn't bricked, even though absolutely all of its data was wiped, because the data could be restored from backup, assuming that someone had remembered to make one. But this also works on other devices like iPads, Blackberry phones, and other smartphones that integrate with MS Exchange. So if you read your work email on your personal phone or tablet, you might want to make sure that you keep backups, just in case."

Nonsense

[Anonymous Coward]

Wiping someones personal data is a felony. I think it likely that the employer prosecute if the tables were turned. Hacking tools are illegal in some jusridictions, I think anything providing this level of unauthorised access would be illegal under German law. Guess they don't use exchange there?

Re:Hmmmmmm

[Anonymous Coward]

The solution is a simple one. If a company requires you to use a phone for business purposes that will be sending/receiving business e-mails and subject to remote wiping by that company, then that company needs to issue phones to their employees that may not be used for non-business purposes. Then there wouldn't be any problems with a company wiping a phone that is actually company property.

That was probably their policy and they gave everyone a free Black Berry. Then a few Apple "Fanatics" started whining they wanted to user their UBER sweet iPhones and the company is being racist against their phones if they don't let them use it.

The company gives in after all the whining but the policy regarding a phone being used with their exchange server never changes. And so the policy stands that they can wipe any phone that was had connected to their server.

Keep

[Anonymous Coward]

Keep personal items and work items separate. CRAZY I KNOW.

Our university is even worse...

[Rhywden]

... they're using an Exchange-Server for all the students' email. Fun parts include: You're only able to install a Forwarding rule if you use the Internet Explorer (otherwise the button for rules is simply not there - something their FAQ omits.) SMTP does not work at all for some strange reason. I finally tried to configure my Android phone to use the Exchange account as an additional email account. That worked. However, whenever the screen went black to conserve power, I had to reenter my Exchange password to unlock the phone! With a nontrivial password containing special characters, numbers, small and big letters at a length of 10 characters, this became a serious pain in the ass. Normally, to unlock the phone I just have to swipe the on-screen button from right to left. Needless to say, I quickly removed the Exchange account. And it was only a month later that I actually got an answer from them regarding my problems. So, if our university of incompetent morons Exchange server means that they could erase my data, I won't touch their offering with a ten-feet pole. Fun fact: They're "offering" a user administration tool for all the dorms' routers based on PHP. This little "tool" does an include of remote PHP files based on the unsanitized GET request data. As a plus, this tool has to be run as root. Which means that any disgruntled dorm administrator could do a pretty powerful attack on nearly the whole dorm network infrastructure.

Re:we have the same policy at work

[steppin_razor_LA]

My $.02 on policy:

Employees should backup their own data. If they are uncomfortable with the possibility of Employer wiping their personal phone, then they should not connect their personal phone to work email.

  If an Employer *wants* its Employees to be reading their email from cell phones and the Employee doesn't feel like using their own personal property to do so, then the Employer needs to buy the Employee a work owned device or "STFU". If the Employee doesn't want to carry around two devices then they either need to submit to their phone being wiped or "STFU" and carry around both devices.

Re:we have the same policy at work

[Hatta]

We have the same policy and will only allow smart phones to connect to exchange when they have the remote wipe capability. It's to protect the company's interests should a phone be lost or stolen.

Do you have the same policy for PCs?

Re:we have the same policy at work

[nitehawk214]

Then don't connect your personal phone to the company network.

This.

Furthermore, there is no way in hell I am going to spend my own money on a phone for work purposes. If they want me to pretend to have email access anywhere, they can very well buy me a phone that I can leave locked up in my desk at work, then pretend the network wasn't available when they tried to get in touch with me.

Wait, what were we talking about again?

What about laptops?

[lullabud]

What's so special about a phone that they get extra special wipe privileges? Can an Exchange admin remote-wipe my laptop if I have it hooked up to my corporate account?

No.

Why my phone then?