Performing a Remote Device Wipe with Exchange

The ability to securely and remotely wipe a mobile device, be it phone or tablet, iOS, Android, or Windows device is absolutely critical to the success of any enterprise mobility initiative. With data out walking around, IT pros must have the confidence they can reach out and erase that data at a moment’s notice.

Remote device wipe capability is a core tenet of mobile security. As such, the tools available for performing a wipe are practically as numerous as the reasons for doing one. All major mobile device management solutions support the capability. Many devices have the functionality baked into their OS, as is the case with iCloud-integrated iPhones and iPads. There are even self-help methods allowing users to perform their own remote wipes. I described how a user can take this initiative using Outlook Web Access in a previous Petri IT Knowledgebase article, How to Wipe Mobile Devices Through Outlook Web Access (OWA).

Yet another option for Exchange-integrated mobile devices is the ability for IT admins to complete a remote device wipe. Today is a buy one get one free day: I’ll show you not one, but two methods for completing this task using Exchange 2010’s administration tools — the Exchange Management Console and the Exchange Management Shell.

How to Remotely Wipe a Device with Exchange Management Console

  • Open the Exchange Management Console (EMC).
  • Expand Microsoft Exchange On-Premises.
  • Expand Recipient Configuration.
  • Click Mailbox.
  • Scroll through the list of mailboxes until you find the user mailbox for the device to be wiped.
  • Click once on the user name.
  • Under Actions on the right side of the EMC, click Manage Mobile Phone. Or, if you prefer, right-click the user and select Manage Mobile Phone from the context-sensitive menu that appears.

EMC Manage Mobile Phone

  • In the Manage Mobile Phone Wizard, verify the device to be wiped is highlighted. If it isn’t, single-click to highlight.
  • Under Action, click the radio button next to Perform a remote wipe to clear mobile phone data.
  • Click the Clear button.

Manage Mobile Phone Wizard

  • Click Yes when prompted to confirm “Are you sure you want to clear the device for {device name}.”

EMC Confirm clear

The wizard will proceed to the completion screen, where you should be presented with a message indicating that the remote wipe command has been queued successfully. Look closely and you’ll also notice the actual PowerShell cmdlet that’s executed by the GUI. Recall that Exchange 2010 is built to leverage the “power” of PowerShell; the GUI really just acts as a point-and-click front-end for the shell. Remote wipes are no exception, as they can be handled quite succinctly via two Exchange cmdlets: Get-ActiveSyncDevice and Clear-ActiveSyncDevice. Let’s jump right into that now.

How to Remotely Wipe a Device with Exchange Management Shell

  • Open the Exchange Management Shell (EMS).
  • Type Get-ActiveSyncDevice -Mailbox {mailbox name} | Format-List Name and press Enter. Your output will be similar to the image below.

Get-ActiveSyncDevice


Notice that I’m piping to Format-List, fl for short, and displaying only the Name property. In this case, less is more; the name property is all that’s required for us to successfully execute the Clear-ActiveSyncDevice cmdlet.

  • Type Clear-ActiveSyncDevice -Identity {name returned from Get-ActiveSyncDevice} -NotificationEmailAddresses {desired email address to send notice of wipe to}
  • Press Enter.

The -NotificationEmailAddresses parameter is completely optional, but it allows you to receive a confirmation when the wipe is complete. Not a bad idea in most cases.

  • You will be asked to confirm the wipe. Type Y and press Enter.

PowerShell is all about efficiency, so why should we do this in two steps when we can easily do everything we need in a concise one-liner? Disclaimer: the example below is designed for a scenario where only one mobile device is attached to the mailbox; if the mailbox has several device partnerships, every one of them will be wiped.

  • Type Get-ActiveSyncDevice -Mailbox {mailbox name} | Clear-ActiveSyncDevice -NotificationEmailAddresses '[email protected]' and press Enter. Confirm the wipe when prompted.
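The one-liner above is convenient, but it wipes every device partnership on the mailbox. The following function is an added example written for this article (it is not from the original post or from Microsoft) that keeps the same two cmdlets while guarding against that case: it enumerates the mailbox's devices first, refuses to proceed when more than one device exists unless a DeviceId is supplied, and routes the wipe through ShouldProcess so that -WhatIf gives a dry run. The function name, parameter names, and the mailbox value in the usage line are assumptions; the cmdlets, their parameters, and the DeviceId, DeviceType, DeviceModel, FirstSyncTime, and Identity properties are those of Exchange 2010. The syntax stays within PowerShell 2.0, which is what the Exchange 2010 EMS runs on.

```powershell
# Added example, not from the original article: wipe one ActiveSync device
# on a mailbox without guessing when the mailbox has several partnerships.
function Invoke-GuardedActiveSyncWipe {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Mailbox identity (alias, UPN, display name) - assumed input
        [Parameter(Mandatory = $true)]
        [string]$Mailbox,

        # DeviceId as shown by Get-ActiveSyncDevice; required only when the
        # mailbox has more than one device partnership
        [string]$DeviceId,

        # Optional address that receives Exchange's "wipe complete" notice
        [string]$NotificationEmailAddress
    )

    # Enumerate every partnership before touching anything.
    $devices = @(Get-ActiveSyncDevice -Mailbox $Mailbox)

    if ($devices.Count -eq 0) {
        throw "No ActiveSync device partnerships found for mailbox '$Mailbox'."
    }

    if ($devices.Count -gt 1 -and -not $DeviceId) {
        # Refuse to pick a device on the caller's behalf; list the candidates
        # and stop so the caller can rerun with an explicit -DeviceId.
        $listing = $devices |
            Format-Table DeviceId, DeviceType, DeviceModel, FirstSyncTime -AutoSize |
            Out-String
        Write-Warning $listing
        throw "Mailbox '$Mailbox' has $($devices.Count) devices; rerun with -DeviceId."
    }

    if ($DeviceId) {
        $target = $devices | Where-Object { $_.DeviceId -eq $DeviceId }
    } else {
        $target = $devices[0]
    }

    if (-not $target) {
        throw "DeviceId '$DeviceId' is not attached to mailbox '$Mailbox'."
    }

    $description = "$($target.DeviceType) $($target.DeviceModel) (DeviceId $($target.DeviceId))"

    # ConfirmImpact = 'High' makes ShouldProcess prompt by default; -WhatIf
    # prints the intended action and returns $false without wiping.
    if ($PSCmdlet.ShouldProcess($description, 'Remote wipe')) {
        # The outer prompt already confirmed, so suppress the cmdlet's own.
        $clearParams = @{ Identity = $target.Identity; Confirm = $false }
        if ($NotificationEmailAddress) {
            $clearParams['NotificationEmailAddresses'] = $NotificationEmailAddress
        }
        Clear-ActiveSyncDevice @clearParams
        Write-Verbose "Wipe queued for $description; it runs the next time the device syncs."
    }
}

# Usage (assumed mailbox alias): dry run first, then the real wipe.
# Invoke-GuardedActiveSyncWipe -Mailbox 'jdoe' -WhatIf
# Invoke-GuardedActiveSyncWipe -Mailbox 'jdoe' -DeviceId 'ApplXXXXXXXXXXXX' -NotificationEmailAddress '[email protected]'
```

Passing -Confirm:$false to Clear-ActiveSyncDevice only after ShouldProcess has returned $true avoids a double prompt while keeping a single, explicit confirmation on an action that cannot be undone once the device syncs.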

MS Clear-ActiveSyncDevice Complete

Of course, the remote device wipe isn’t actually executed on the device until it connects via Exchange ActiveSync and receives the command. When that happens, one of the last things the device will do before performing the wipe is confirm to the server the command has been accepted. If you’re interested in keeping track of your wipe, the Manage Mobile Devices wizard will show you information such as the remote wipe request time and when the device acknowledged receiving the command.

Keeping track of progress in the EMS is as simple as running the Get-ActiveSyncDeviceStatistics cmdlet and paying attention to the DeviceWipeSentTime, DeviceWipeAckTime, and Status properties. Here’s a handy one-liner for your toolbox: Get-ActiveSyncDevice -Mailbox {mailbox name} | Get-ActiveSyncDeviceStatistics.
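The one-liner returns the raw statistics objects; the function below is an added example (not from the original article or from Microsoft) that turns them into a short per-device report, deriving a wipe phase from the three timestamps rather than from the Status text. A wipe is only complete once DeviceWipeAckTime is set, since DeviceWipeSentTime alone means the command left the server but the device has not yet synced and acknowledged it. The function name and the mailbox value in the usage line are assumptions; the property names (DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime, Status, DeviceFriendlyName, DeviceType, DeviceId, LastSyncAttemptTime) are those returned by Get-ActiveSyncDeviceStatistics in Exchange 2010. New-Object PSObject is used instead of [PSCustomObject] so the code runs under the PowerShell 2.0 host of the Exchange 2010 EMS.

```powershell
# Added example, not from the original article: report remote-wipe progress
# for every ActiveSync device partnered with a mailbox.
function Get-ActiveSyncWipeReport {
    param(
        # Mailbox identity (alias, UPN, display name) - assumed input
        [Parameter(Mandatory = $true)]
        [string]$Mailbox
    )

    Get-ActiveSyncDevice -Mailbox $Mailbox |
        Get-ActiveSyncDeviceStatistics |
        ForEach-Object {
            # Derive the phase from the timestamps so the logic does not
            # depend on the exact wording of the Status value.
            if ($_.DeviceWipeAckTime) {
                $phase = 'Acknowledged by device (wipe executed)'
            } elseif ($_.DeviceWipeSentTime) {
                $phase = 'Sent; waiting for the device to sync and acknowledge'
            } elseif ($_.DeviceWipeRequestTime) {
                $phase = 'Requested; not yet sent to the device'
            } else {
                $phase = 'No wipe pending'
            }

            New-Object PSObject -Property @{
                Device           = $_.DeviceFriendlyName
                DeviceType       = $_.DeviceType
                DeviceId         = $_.DeviceId
                Status           = $_.Status
                WipeRequested    = $_.DeviceWipeRequestTime
                WipeSent         = $_.DeviceWipeSentTime
                WipeAcknowledged = $_.DeviceWipeAckTime
                LastSyncAttempt  = $_.LastSyncAttemptTime
                Phase            = $phase
            }
        }
}

# Usage (assumed mailbox alias): one row per device, most useful columns first.
# Get-ActiveSyncWipeReport -Mailbox 'jdoe' |
#     Format-Table Phase, DeviceType, DeviceId, WipeSent, WipeAcknowledged, LastSyncAttempt -AutoSize
```

Because the report is built from objects rather than formatted text, the same function can be piped to Export-Csv to keep a record of when each wipe was requested, sent, and acknowledged.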

Mobility is all about security. The ability for administrators to quickly, efficiently, and securely initiate remote wipes is part of the foundation upon which mobile security is built. Knowing how to leverage the above Exchange 2010 tools will empower Exchange administrators to be ready at a moment’s notice to complete this critical mobile device management task.