Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

boulderuser

macrumors newbie
Original poster
Apr 14, 2016
4
0
Our company has MS Office 365. Many of us have set up email exchange with this service to access company email. Recently I learned that the company has the ability to remotely wipe my personal iPhone. This seems like a pretty big backdoor in my iPhone. Other than my companies access of the phone, are there other security concerns using this service?

Thanks
 
The only way they could remotely wipe your personal phone is if you let them manage it using MDM software, outside of that the only thing that it would do is just wipe the emails from the device and prevent it from reconnecting until a valid username and password were entered back into the device.
 

dave006

macrumors 68040
Jul 3, 2008
3,921
1,120
Just West of East
Sounds like your company has a BYOD program that allows you to access company resources from your personal iPhone. Do they have a published policy?

You should review any policy to insure that you fully understand your responsibilities while employed and what happens when you leave the company or lose your device.

A BYOD program allows users to set up and configure their own devices. To gain access to corporate resources, users can configure settings manually, install a configuration profile, or more commonly, enroll their devices with an MDM solution.

An advantage of using MDM to enroll personal devices is that it allows corporate resources and data to be managed in a way that is secure, yet also respectful of the user’s personal privacy, data, and apps. IT can enforce settings, monitor corporate compliance, and remove corporate data and apps, while leaving personal data and apps on each user’s device intact.

Dave
 

boulderuser

macrumors newbie
Original poster
Apr 14, 2016
4
0
Thank you for the replies. We are a small group, who unfortunately use our personal phone for work. Some of our members have microsoft exchange setup for email. I do not currently have this set up on my phone. Our office manager and our president have told me that they have the ability to lock the phones and do a complete wipe of all data in case they are stolen or lost. If they are able to do this with the phone, I am concerned that this could be exploited. We currently do not have a policy in place. I know very little about security but MS has a history of exploitable problems with their software.
 

dave006

macrumors 68040
Jul 3, 2008
3,921
1,120
Just West of East
It really has very little to do with Microsoft and more to do with Apple in this case. MS Office 365 is just mail and other MS apps. The ability to lock a device and remotely erase a device are controlled by Apple Enterprise software or a third party MDM system. A full MDM system can control many key features of your iPhone. I will post a list if you are interested.

You really should ask a few questions, so that you are an informed employee.

Dave
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,461
Our company has MS Office 365. Many of us have set up email exchange with this service to access company email. Recently I learned that the company has the ability to remotely wipe my personal iPhone. This seems like a pretty big backdoor in my iPhone. Other than my companies access of the phone, are there other security concerns using this service?

Thanks
Simply adding an Exchange account can affect some other things, like being required to have a passcode (sometimes even a longer one), or having to use shorter auto-lock options, etc.
 

noanker

macrumors regular
Sep 30, 2015
133
101
Good for Enterprise is one such app that can allow controlled access to your company's Exchange server. From the Good Management Console you can then remotely wipe the app and any contacts associated with your company's Global Address List.

If anyone is ever offered the choice between using a company's app on your iPhone or being given a company-provided (and paid for) phone, choose the latter. I always believe in keeping personal and work a minimum of a universe apart.
 

boulderuser

macrumors newbie
Original poster
Apr 14, 2016
4
0
I really appreciate the quick replies. We are a small group, I would not be surprised if we end up going the company phone route, I have never liked have both personal information and personal information on the same device.
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
Our company has MS Office 365. Many of us have set up email exchange with this service to access company email. Recently I learned that the company has the ability to remotely wipe my personal iPhone. This seems like a pretty big backdoor in my iPhone.
This is not a backdoor. What you see are so-called Exchange policies that an Exchange server can communicate to the device via the EAS protocol. The policies are actually enforced by Apple's Mail client. Besides remote wiping, an Exchange server can also instruct the device to enforce a few other policies such as a minimum length of the device passcode.
Other than my companies access of the phone, are there other security concerns using this service
Exchange policies are not a security concern. They don't give your company or Microsoft access to any other data on your device. They are just a means to protect data that belongs to the company. If you don't like it, don't access corporate mail on your device.

Now, if the company requires you to install a proprietary app on your device, that's a different story ...
 

dave006

macrumors 68040
Jul 3, 2008
3,921
1,120
Just West of East
There is much more than just remote wiping and a few other policies such as a minimum length of the device passcode and as a means to protect data that belongs to the company. Here are a few other capabilities:

Enable / Disable - SMS Txt messaging / iMessaging
Enable / Disable - Camera
Enable / Disable - Bluetooth / IrDA, WiFi
Enable / Disable - Non-Exchange mail accounts
Enable / Disable - Web browser access
Remote Wipe - mentioned by OP
Remote Lock
Remote Passcode Change
Enable / Disable - Siri

There are many more that also don't "need" a proprietary company app to be installed.

You really need to know your company's policy covering use of Personal Devices that access company resources / data and what you privacy / security you give away by just trying to be a good productive employee.

Now, a good Mobile Device Management (MDM) system would allow the company to protect their data while also securing your privacy. Using a good MDM system they can only wipe their data from your device, leaving all of your data save and secure.

Dave
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,461
There is much more than just remote wiping and a few other policies such as a minimum length of the device passcode and as a means to protect data that belongs to the company. Here are a few other capabilities:

Enable / Disable - SMS Txt messaging / iMessaging
Enable / Disable - Camera
Enable / Disable - Bluetooth / IrDA, WiFi
Enable / Disable - Non-Exchange mail accounts
Enable / Disable - Web browser access
Remote Wipe - mentioned by OP
Remote Lock
Remote Passcode Change
Enable / Disable - Siri

There are many more that also don't "need" a proprietary company app to be installed.

You really need to know your company's policy covering use of Personal Devices that access company resources / data and what you privacy / security you give away by just trying to be a good productive employee.

Now, a good Mobile Device Management (MDM) system would allow the company to protect their data while also securing your privacy. Using a good MDM system they can only wipe their data from your device, leaving all of your data save and secure.

Dave
You are saying any/all of those things can be affected/changed simply by connecting to an Exchange account on the device (and nothing more)?
 

Beelzbub

macrumors 6502
Feb 6, 2012
425
187
These are features of the exchange server.

They are there to keep company data safe. I have the same features on my server at work. I would suggest using the Outlook App, it is free, then the company cannot wipe your phone as the data is only contained in the app. This is what I advise my users to do when they are using their personal phones.

Company phones are a different matter. They are setup like you normally would setup email, and the policy's on the server are sent to the phone.

Wiping of the phone allows admins to wipe the phone if it is lost or stolen, or the employee refuses to turn the device back in when they leave the company. I actually had that happen to me, an employee left, took the phone with them to a competitor and thought we would not notice. I sent the wipe command and got a reply back that it was successful and then called AT&T and had them suspend the number. Rumor had it this employee was giving a Best Buy employee an earful wanting them to pull the pictures off their SIM card a day later. I also had a high level person in the office lose their iPhone. So the wipe command was sent. That is why that command exists. And any good admin would have two factor authentication setup on the administrator account to prevent malicious access, I do.

There are other features like the ability to shut off the camera, Bluetooth and so on, even only allow certain wireless access points to be used. Again, these features are there to keep things safe. One office I worked in would not allow camera phones, so with this you can give someone an iPhone to use for their email and such and disable the camera. Might sound mean, but if the company has high level proprietary designs, they do not want someone snapping pictures of them. There are lots of things you can do, enforce password policy's and so on.

I would use the Outlook app like I mentioned earlier on. It is free and will work with Office 365, so will Word and Excel. You can also use your Touch ID with the Outlook app. So if you are letting your kid play with your phone, they cannot get into your email. An Admin cannot wipe your phone when you are using that or disable anything, Exchange policies do not apply when to the phone when using the Outlook app.
 

dave006

macrumors 68040
Jul 3, 2008
3,921
1,120
Just West of East
You are saying any/all of those things can be affected/changed simply by connecting to an Exchange account on the device (and nothing more)?
Yes. If you are using Exchange, ActiveSync ( mail, calendar, contacts ), it is that easy. It has taken Apple a while to implement the bulk of the Exchange protocol features but use caution and understand what the impact might be to you.

Dave
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
There is much more than just remote wiping and a few other policies such as a minimum length of the device passcode and as a means to protect data that belongs to the company. Here are a few other capabilities:

Enable / Disable - SMS Txt messaging / iMessaging
Enable / Disable - Camera
Enable / Disable - Bluetooth / IrDA, WiFi
Enable / Disable - Non-Exchange mail accounts
Enable / Disable - Web browser access
Remote Wipe - mentioned by OP
Remote Lock
Remote Passcode Change
Enable / Disable - Siri
This list is not correct. For example, disabling texting/messaging or Bluetooth/Wifi via Activesync is not supported by iOS. Here's the actual list according to Apple:

Supported Exchange ActiveSync
security policies
• Remote wipe
• Enforce password on device
• Minimum password length
• Maximum failed password attempts
(before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)

Additional Exchange ActiveSync policies
(for Exchange 2007 and 2010 only)
• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters
in password
• Require manual syncing while roaming
• Allow camera
• Allow web browsing

Source: https://www.apple.com/cn/ipad/business/docs/iOS_6_EAS_Sep12.pdf
Now, a good Mobile Device Management (MDM) system would allow the company to protect their data while also securing your privacy. Using a good MDM system they can only wipe their data from your device, leaving all of your data save and secure.
MDM policies are far more powerful (and thus intrusive) than Activesync policies. I would never allow my employer to manage my personal phone using MDM.
[doublepost=1460775216][/doublepost]
These are features of the exchange server.

They are there to keep company data safe. I have the same features on my server at work. I would suggest using the Outlook App, it is free, then the company cannot wipe your phone as the data is only contained in the app. This is what I advise my users to do when they are using their personal phones.
I'd strongly advise to check with the IT department first. Many companies prohibit the use of this app because it exposes your access credentials and all emails to Microsoft.
 

dave006

macrumors 68040
Jul 3, 2008
3,921
1,120
Just West of East
This list is not correct. For example, disabling texting/messaging or Bluetooth/Wifi via Activesync is not supported by iOS. Here's the actual list according to Apple:....
Actually your list is obsolete. You referenced iOS 6 EAS information. You need to spend a little more time in your research and see the magic that has happened since your version. We are now as iOS 9 with ActiveSync V16. Keep researching and you will find the "correct" information. :rolleyes::eek::D

Let me know if you need the latest list... look for the allowChat key - Value: Optional. When false, disables the use of the Messages app with supervised devices. Availability: Available in iOS 6.0 and later.

Dave
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
Actually your list is obsolete. You referenced iOS 6 EAS information. You need to spend a little more time in your research and see the magic that has happened since your version. We are now as iOS 9 with ActiveSync V16. Keep researching and you will find the "correct" information. :rolleyes::eek::D
Let me know if you need the latest list...
If you have a newer source, be so kind and share it with us.
 

IHelpId10t5

macrumors 6502
Nov 28, 2014
486
348
All posts so far have missed the important distinction between accepting the ActiveSync policy when using the built-in iOS Mail app and using the Microsoft Outlook app instead. Once an iOS user has added an Exchange account to the iOS native apps then remote policy an wipe is certainly possible.

However, if the user instead uses the Microsoft Outlook app instead, then the scope of the wipe is the app itself and not the iOS device. This is a very important difference to those users that are doing BYOD and value their own iPhone control and security over their employer's policy.
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
All posts so far have missed the important distinction between accepting the ActiveSync policy when using the built-in iOS Mail app and using the Microsoft Outlook app instead.
This was actually mentioned above. But the Outlook app is a big security risk for enterprises. It stores your corporate mail password on Microsoft servers (oauth is not supported for corporate Exchange servers), and routes all your emails through Microsoft as well. This violates the security policies of many companies. Do not use this app for work email unless you have cleared it with your employer first. Many companies block the app in their Exchange servers anyway.

Of course this is less a concern if your employer uses Office 365 (as opposed to their own Exchange servers), since then the data is already in the Microsoft cloud anyway.

Besides, no administrator will just wipe your phone for fun. In reality this will only happen if you report the phone lost or stolen.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.