Exchange server permissions

preusstang

Ok, first off I searched for this in the Tapatalk app and found nothing useful. I found an old discussion in a Google help thread here, but it proved un-useful:
http://www.google.com/support/forum/p/android/thread?tid=74dfa2a2ba23dc49&hl=en

I've never been able to actually test the Exchange client on Android until the other day (usually the IT department allowed IMAP, but not at my new workplace). The network dude set up something and gave me the domain and whatnot, so I typed it in. I was greeted by a security permissions dialog that stated that the server REQUIRED the ability to remotely wipe my entire phone data without warning, along with requiring a password unlock and an automatic wipe if too many incorrect passwords were entered.

Obviously I did not accept this. This is my phone - not the Exchange server's. I researched this and some people reported not getting this message in other ROMs. Even so, is this "feature" still silently active? Can I get rid of it?
I'm sure the network guy will be glad to address my concerns, but I know he's a security nut...

Anyone have any info on this?

EDIT: sorry, I'm on LGB v0.6
 

Ivory Bill

The wipe policy is a function of the IT department, not of your phone's software. Your employer allows you to download their data (some or all of which may be proprietary) and you are allowing them to delete the data if they feel like it (say, once you no longer work there, or if the phone is reported lost or stolen). Because once it has been downloaded, the data can be stored anywhere on your phone, the company needs the ability to wipe all of the user storage on the device. We make a virtually identical deal with our users.

I will emphasize that your email and anything else kept on the company's servers continues to belong to the company once it is downloaded to your phone. Since those emails may contain trade secrets or confidential client/customer data, IT is nowhere near out of line in making that request.

Your choice -- Get your work email on your phone or do not allow your employer to wipe your phone.

I made nearly the same deal with my employer to get my email on my phone. I backed up all my .apk's before I agreed to the conditions and connected to the mail server.
 
preusstang

Thank you for the quick response. Does that mean there's no way to block that feature on my end? Like, are there any workarounds known? Like a patch?
 

Ivory Bill

This policy is controlled by IT. Any patch would be a violation of policy and a breach of your contract with your employer. I have seen people fired for less. Your employer is imposing a reasonable policy to protect company and customer data. Most companies with knowledgeable IT departments have similar policies.

Once again (and I feel like Jiminy Cricket here), remember that company email belongs to the company. The ability to receive company email on your phone is a privilege which your employer extends to you. They can impose whatever conditions they want to impose. Just be glad that they allow Android phones at all. Many companies are BlackBerry only.
 

bkendrick

Should termination seem imminent just put your phone in airplane mode and delete the account. Remote wipe is a function of MS Exchange 2010 and is primarily reserved for stolen phones or issuing used phones to a new employee. However, if your boss is an a-hole then I would take precautions.

DX. CFU. LIB GB.7
 
preusstang

> Should termination seem imminent just put your phone in airplane mode and delete the account. Remote wipe is a function of MS Exchange 2010 and is primarily reserved for stolen phones or issuing used phones to a new employee. However, if your boss is an a-hole then I would take precautions.
>
> DX. CFU. LIB GB.7

So they can't still wipe me after I remove the account? 'Cause I've seen some pretty shady stuff go on at this place; they locked one lady out of her VPN account and then fired her.

Also, the "wipe" is just like a factory reset, correct? So, my SD card - with all of my subsequent backups - will remain unscathed?
 

bkendrick

By removing the account you are deleting client/host credentials so there's no way a remote wipe can occur. I don't know what a remote entails.

DX. CFU. LIB GB.7
 
preusstang

Just to let everyone know, I worked everything out with the networking guy, but it's official: in Exchange Server 2007 and later, admins have the ability to not only wipe ALL data on the device but also ALL data on external storage. Yeah, they can wipe your SD.
 

mikejad

> The ability to receive company email on your phone is a privilege which your employer extends to you.

That must be in the same privilege group of taking work home in the evening and working all weekend. ;)

Sorry to bump an old thread, but I just ran into this as well. Despite years of connecting iPhones, Androids, and even a co-worker's WM7 phone to Exchange, I just recently, after upgrading my phone, got the prompt that says I agree to give the Exchange admins these rights over my phone.

So my question is, while I got prompted and had to accept or reject the terms, what about all the people who didn't have to accept those terms when syncing the phone? Do the Exchange admins have that right over their phones as well and they just don't know it?

And secondary, what policy options are available for Exchange admins when setting this up? Is there anything less strict that they could use (such as giving them permission to wipe all Exchange data, not the entire phone)?

IT department says nothing has changed recently, especially not overnight the night I upgraded my phone, so it has me wondering if they're really concerned about this or if it was just something that was set up but not really enforced. I'm preparing to go make the case for looser restrictions (or a company provided phone) but I'd like to know what solutions I can provide rather than just saying "remove these restrictions, please"...

Thanks in advance.
 

Quotas47

Permissions on Exchange

The permissions are what they are. It's one policy and in my opinion, all of them are required for data integrity.
By the way, simply removing the account in "airplane mode" might screw you over a bit.

It doesn't just let them delete your data, but you agree to encrypt it. That means that the entire phone becomes essentially passworded. If you take the phone's memory card out and put it in another device, it would be unreadable.

I enforce these policies at my place of employment. We offer options.
We issue cell phones for people whose job requires it/supervisor requests it.
We also offer to subsidize a small amount of an employee's cell phone bill every month, allowing them to use their personal phone.

We stopped issuing BlackBerries, though they still comprise 30% of our phone population. We largely issue iPhones, with the occasional Android if requested.
As you may or may not know, iPhones can't even be connected to a computer as easily as an Android, nor do they have a removable memory card. When that data gets lost, it's LOST.

Lots of our people have begun to use their personal phones with the subsidy, and I don't think they understand what they're doing when they accept the permissions on the phone.
They just don't want to carry two phones around, but want to keep their personal phone.
These people will be very disappointed when their personal phone is wiped when they lose it or leave the company.
Tough ****.


The best thing you can do is backups. Keep your phone synced with your Google account, and don't keep anything on your phone you can't afford to lose.
You should be practicing these steps anyway, or you're just asking for trouble.
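
For the administrator-side questions raised in this thread (what the ActiveSync policy actually requires, and whether a given device has had it applied), a read-only audit in the Exchange Management Shell. This is an added example, not part of the thread; it uses the Exchange 2010 cmdlet names, and `user@example.com` is a placeholder mailbox.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
# Nothing here changes a policy or issues a wipe.

# 1. What each ActiveSync mailbox policy demands of a device:
#    password, wipe after N failed unlocks, device and SD-card encryption.
$policies = Get-ActiveSyncMailboxPolicy
$policies | Sort-Object Name | Format-Table -AutoSize -Property Name,
    IsDefaultPolicy, AllowNonProvisionableDevices, DevicePasswordEnabled,
    MaxDevicePasswordFailedAttempts, RequireDeviceEncryption,
    RequireStorageCardEncryption

# 2. Policies that still let a device sync when the device cannot
#    enforce every setting listed above.
$policies | Where-Object { $_.AllowNonProvisionableDevices } |
    ForEach-Object {
        Write-Warning "Policy '$($_.Name)' admits devices that cannot enforce it fully."
    }

# 3. Per-device view for one mailbox: which policy is assigned, whether
#    each device applied it, and any recorded remote-wipe request.
$mailbox = 'user@example.com'   # placeholder, replace with a real mailbox
(Get-CASMailbox -Identity $mailbox).ActiveSyncMailboxPolicy
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied,
        DevicePolicyApplicationStatus, LastSuccessSync,
        DeviceWipeRequestTime, DeviceWipeAckTime |
    Format-List
```

The `DevicePolicyApplicationStatus` column is the one to read when a user reports never having seen the permissions prompt: it records whether the device reported the policy as applied.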
 