
YanniDepp

macrumors 6502a
Dec 10, 2008
555
132
It's not just Microsoft Exchange that does this: Apple has enterprise features in iOS that let an IT manager remotely manage your device. You install a 'management certificate' on the devices that lets an IT team remotely change settings on your device.

I work for a very big organisation that has many iPads. We use a service called Meraki to manage them. It has helped us stop these devices from "going missing".

It isn't just wiping devices: if an iOS device is set up using a management certificate, the IT team can:

  • Remotely install apps on your device and set up 'web shortcuts' on the homescreen that you can't remove yourself. (We put links to our web site and intranet on all devices).
  • Force users to have a security code on the device. You can also force an alphanumeric passcode, rather than just a 4 digit number.
  • Remotely wipe the device.
  • Get serial numbers of all devices, for asset management.
  • Configure network settings, such as wifi hotspots. So you can set up devices to connect to wifi without giving users the password. This is how we get users on-board. Want to use our wifi? You'll need to sign the device up for our management service.
  • Set up geofencing, so you get alerts if a device is taken outside a certain area. I live outside the city I work in, so the IT guys were getting emails every night when I went home with the iPad Air my work gave me :D

I'm not sure how it works with Microsoft Exchange, but with third party management services like this, you can remove them from iOS devices at any time from the Settings app.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
It's not just Microsoft Exchange that does this: Apple has enterprise features in iOS that let an IT manager remotely manage your device. You install a 'management certificate' on the devices that lets an IT team remotely change settings on your device.

I work for a very big organisation that has many iPads. We use a service called Meraki to manage them. It has helped us stop these devices from "going missing".

It isn't just wiping devices: if an iOS device is set up using a management certificate, the IT team can:

  • Remotely install apps on your device and set up 'web shortcuts' on the homescreen that you can't remove yourself. (We put links to our web site and intranet on all devices).
  • Force users to have a security code on the device. You can also force an alphanumeric passcode, rather than just a 4 digit number.
  • Remotely wipe the device.
  • Get serial numbers of all devices, for asset management.
  • Configure network settings, such as wifi hotspots. So you can set up devices to connect to wifi without giving users the password. This is how we get users on-board. Want to use our wifi? You'll need to sign the device up for our management service.
  • Set up geofencing, so you get alerts if a device is taken outside a certain area. I live outside the city I work in, so the IT guys were getting emails every night when I went home with the iPad Air my work gave me :D

I'm not sure how it works with Microsoft Exchange, but with third party management services like this, you can remove them from iOS devices at any time from the Settings app.
Yeah, this is a bit different as it's done through a profile/configuration specifically for that. With Exchange, just by adding a mail account you essentially automatically get all those other things (like ability to wipe the phone or set passcode restrictions, etc.) basically without any notification to the user.
 

Alpinedude

macrumors newbie
Mar 26, 2015
1
0
Does the wipe potential survive removal of the Exchange link that caused it?

I have an iPad1 (yes, they still exist and still work!) which has been connected to my company's Exchange server for all of 3 days, until I received a company-owned iPhone, whereupon I deleted the Exchange from my personal iPad and went on with my life (as desdinova70 says, the password enforcement requirement went away, so I thought I was now free from any Exchange security mandate).

This was 6 months ago. Just this morning I was playing with my own Exchange OWA account, and discovered a menu where I can perform wipes myself. To my shock, that personal iPad1, the one that had Exchange on it for 3 days and then not at all for more than half a year since then, is still on the list -- I could wipe it myself if I wanted! How is that possible? Since that device no longer has any connection to my employer, surely I should be able to remove the permission I'd implicitly given them back when I did?
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
I have an iPad1 (yes, they still exist and still work!) which has been connected to my company's Exchange server for all of 3 days, until I received a company-owned iPhone, whereupon I deleted the Exchange from my personal iPad and went on with my life (as desdinova70 says, the password enforcement requirement went away, so I thought I was now free from any Exchange security mandate).

This was 6 months ago. Just this morning I was playing with my own Exchange OWA account, and discovered a menu where I can perform wipes myself. To my shock, that personal iPad1, the one that had Exchange on it for 3 days and then not at all for more than half a year since then, is still on the list -- I could wipe it myself if I wanted! How is that possible? Since that device no longer has any connection to my employer, surely I should be able to remove the permission I'd implicitly given them back when I did?
Just because it was still on the list, I'm not really sure you could do anything with it, even if you saw the options to wipe or do something else (if you actually tried using them it's likely they wouldn't result in anything and probably give you an error or prompt you to remove the no longer connected device from the list of devices that have been associated with that account at any point basically).
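
For administrators on the server side, the device list described in the posts above corresponds to the mailbox's Exchange ActiveSync device partnerships. The following is an added example, not part of any post in this thread, that lists partnerships with no recent successful sync so they can be reviewed and removed; it assumes an Exchange Management Shell or Exchange Online PowerShell session, and the mailbox address and 180-day threshold are placeholders.

```powershell
# Added example: audit stale Exchange ActiveSync device partnerships for one mailbox.
# Assumes the Exchange cmdlets are already loaded in the session.
# 'user@example.com' and the 180-day threshold are placeholders.

function Get-StaleMobileDevice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Mailbox,

        [int] $StaleAfterDays = 180
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    # Get-MobileDevice lists every partnership recorded for the mailbox;
    # Get-MobileDeviceStatistics adds sync and wipe timestamps for each one.
    Get-MobileDevice -Mailbox $Mailbox |
        ForEach-Object { Get-MobileDeviceStatistics -Identity $_.Identity } |
        Where-Object {
            # Never synced successfully, or last successful sync is older than the cutoff.
            -not $_.LastSuccessSync -or $_.LastSuccessSync -lt $cutoff
        } |
        Select-Object Identity, DeviceFriendlyName, DeviceModel, DeviceOS,
                      LastSuccessSync, DeviceWipeSentTime, DeviceWipeAckTime
}

# Review the stale partnerships first.
$stale = Get-StaleMobileDevice -Mailbox 'user@example.com' -StaleAfterDays 180
$stale | Format-Table DeviceFriendlyName, DeviceModel, LastSuccessSync, DeviceWipeSentTime -AutoSize

# Then remove them. -WhatIf only reports what would be removed;
# drop it once the list has been checked.
foreach ($device in $stale) {
    Remove-MobileDevice -Identity $device.Identity -WhatIf
}
```

Removing a partnership deletes the server-side record for that device, so it no longer appears in the list of devices that can be selected for a wipe.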
 

CDWIII

macrumors newbie
Feb 26, 2016
2
0
how exactly are they able to accomplish this?

Through an app called "Air Watch"

At a previous employer I had a company iPhone connected to the company server. In order to use some of the iPhone services, I made the mistake of using my personal iCloud account to access App Store etc from the work phone.

My iCloud account was synced to my personal iPhone as well as an iPad via iCloud.

When I left the employer, they wiped my WORK phone which wiped out ALL my emails and contacts from iCloud across ALL my devices. So it CAN be done ....
 

locoboi187

macrumors 6502a
Oct 3, 2012
711
375
Sorry to bring up an old thread. I know iPhones can be controlled by employers with exchange accounts but if I set up exchange on my Mac is there anything they could do to my computer?
 

Cineplex

macrumors 6502a
Jan 1, 2016
741
2,012
Sorry to bring up an old thread. I know iPhones can be controlled by employers with exchange accounts but if I set up exchange on my Mac is there anything they could do to my computer?
No. If you just setup exchange email with Microsoft Exchange or the mail client....nobody there can access anything. It is just email. They can turn email off...but that is all. It does not grant access to your Mac.
 

CDWIII

macrumors newbie
Feb 26, 2016
2
0
No. If you just setup exchange email with Microsoft Exchange or the mail client....nobody there can access anything. It is just email. They can turn email off...but that is all. It does not grant access to your Mac.

There is a commonly used software program called Air Watch. If you have this installed on ANY of your Apple devices (such as your work phone) and you sync with iCloud to other Apple devices that you own personally, an administrator can wipe your data (emails and contacts) remotely on any and all devices that are connected to the cloud.
 

Cineplex

macrumors 6502a
Jan 1, 2016
741
2,012
There is a commonly used software program called Air Watch. If you have this installed on ANY of your Apple devices (such as your work phone) and you sync with iCloud to other Apple devices that you own personally, an administrator can wipe your data (emails and contacts) remotely on any and all devices that are connected to the cloud.
That's right, but he asked if "he" installed exchange, not if my company installed exchange.
 

locoboi187

macrumors 6502a
Oct 3, 2012
711
375
No. If you just setup exchange email with Microsoft Exchange or the mail client....nobody there can access anything. It is just email. They can turn email off...but that is all. It does not grant access to your Mac.

Thanks for the reply! Also my IT department doesn't require any certificates to be installed on our end and we can use most third party apps for our Exchange mail. However, if I decide to use the Exchange system that was built into iOS what can they do or access without the certificate? Also if I set up Exchange but uncheck mail and only have calendar enabled does this change anything with what IT can do even though the account itself is still logged in but just for calendar?
 

Cineplex

macrumors 6502a
Jan 1, 2016
741
2,012
Thanks for the reply! Also my IT department doesn't require any certificates to be installed on our end and we can use most third party apps for our Exchange mail. However, if I decide to use the Exchange system that was built into iOS what can they do or access without the certificate? Also if I set up Exchange but uncheck mail and only have calendar enabled does this change anything with what IT can do even though the account itself is still logged in but just for calendar?
Certificates have nothing to do with controlling your device. It is a security tool for the data. Simply setting up email or calendar functions will not give them any control of the device. They would have to install specific tools on it for that. So if you are just setting up exchange on things....you have nothing to worry about. Exchange is not a tool used for controlling or managing devices..... only email, calendar, messaging, and cloud files.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
Certificates have nothing to do with controlling your device. It is a security tool for the data. Simply setting up email or calendar functions will not give them any control of the device. They would have to install specific tools on it for that. So if you are just setting up exchange on things....you have nothing to worry about. Exchange is not a tool used for controlling or managing devices..... only email, calendar, messaging, and cloud files.
As has been pointed out in the thread, adding an Exchange account in iOS, depending on how things are configured on the server side of things, can give the Exchange administrators permission to do something like wipe the device.
 

locoboi187

macrumors 6502a
Oct 3, 2012
711
375
As has been pointed out in the thread, adding an Exchange account in iOS, depending on how things are configured on the server side of things, can give the Exchange administrators permission to do something like wipe the device.
What else can they do from the server side of things?
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
What else can they do from the server side of things?
I don't really recall all the details (and probably might not even be aware of all of them specifically), but I believe this thread goes into various aspects of it all, so there's probably something about at least some of it in the previous replies in this thread.
 

Cineplex

macrumors 6502a
Jan 1, 2016
741
2,012
As has been pointed out in the thread, adding an Exchange account in iOS, depending on how things are configured on the server side of things, can give the Exchange administrators permission to do something like wipe the device.

I stand corrected. Don't know how I've missed this over the years. But yes, they can remote wipe.
 

Shirasaki

macrumors P6
May 16, 2015
15,612
10,909
I stand corrected. Don't know how I've missed this over the years. But yes, they can remote wipe.
I have an enterprise e3 office 365 subscription and curious about how this can be done.
I could not find any settings related to remote device management. Is this a feature for even higher end of office 365?
 

Cineplex

macrumors 6502a
Jan 1, 2016
741
2,012
I have an enterprise e3 office 365 subscription and curious about how this can be done.
I could not find any settings related to remote device management. Is this a feature for even higher end of office 365?
https://support.microsoft.com/en-us/kb/2791863
Most things I've seen say any device that has been synced with ActiveSync only. So IMAP or POP are not affected. I have been doing this for years and never noticed (or conceived of) such a thing. Seems odd Apple would allow an email app so much control.
 

Shirasaki

macrumors P6
May 16, 2015
15,612
10,909
https://support.microsoft.com/en-us/kb/2791863
Most things I've seen say any device that has been synced with ActiveSync only. So IMAP or POP are not affected. I have been doing this for years and never noticed (or conceived of) such a thing. Seems odd Apple would allow an email app so much control.
Ok found ya. Thank you for your link.
I don't know if this actually wipes the entire device, or just data used for Microsoft exchange though.
 

Cineplex

macrumors 6502a
Jan 1, 2016
741
2,012
Ok found ya. Thank you for your link.
I don't know if this actually wipes the entire device, or just data used for Microsoft exchange though.
Ya, I couldn't find conclusive evidence either way. I saw enough to say okay sure and moved on. I'd be interested to see more documents or proof. With Apple's enterprise push with iOS I could see them allowing MS to do it, but I still don't 100% believe it.
 

762999

Cancelled
Nov 9, 2012
891
509
It's not only Exchange. My employer has a Wi-Fi system that pushes policies (like Exchange). On Android, it even requires an app to enforce the policy. If you don't have the policy, you can't use the Wi-Fi. Well I don't use it and put an Outlook web access instead of using Exchange directly.

:)
 

Cineplex

macrumors 6502a
Jan 1, 2016
741
2,012
Despite all this. Perhaps Americans should not be putting work email on their personal phones. Are you being paid to check mail after hours? Are you getting a portion of your phone bill paid to be on demand 24/7? Are you getting an on call stipend? If the answer is no...to hell with them. Americans should stop letting work run their lives and actually live. Slavery by phone. ...but I digress.
 

762999

Cancelled
Nov 9, 2012
891
509
Despite all this. Perhaps Americans should not be putting work email on their personal phones. Are you being paid to check mail after hours? Are you getting a portion of your phone bill paid to be on demand 24/7? Are you getting an on call stipend? If the answer is no...to hell with them. Americans should stop letting work run their lives and actually live. Slavery by phone. ...but I digress.

Here, an iPhone 6s Plus (64GB) is 459$ (with a 2-year term); that phone also requires a 75$ monthly bill (for 3GB data), plus 15% taxes on every number you see here.

my employer supplies us with whatever phone that we like but is it logical to buy another pay all this for the 5-10 min I check my personal emails?
 

Shirasaki

macrumors P6
May 16, 2015
15,612
10,909
Despite all this. Perhaps Americans should not be putting work email on their personal phones. Are you being paid to check mail after hours? Are you getting a portion of your phone bill paid to be on demand 24/7? Are you getting an on call stipend? If the answer is no...to hell with them. Americans should stop letting work run their lives and actually live. Slavery by phone. ...but I digress.
Well. People living in Japan would need to work about 16hrs per day if body condition allow. But maybe Those companies should change policies to let employees happy.
 

Cineplex

macrumors 6502a
Jan 1, 2016
741
2,012
here, an iPhone 6s plus (64gb) is 459$ (with a 2 years term), that phone also requires a 75$/monthly bill (for 3gb data).

my employer supplies us with whatever phone that we like but is it logical to buy another pay all this for the 5-10 min I check my personal emails?

To not be obligated to my employer on MY time.....yes. When I was younger I would use my personal phone for business....then I realized it became expected for me to respond to people on my days off. That was the end of that. In my view, life is too short to be worrying and attached to work on my days off. Work can wait until I am on their clock, on mine....screw that. Employers just want more and more of your personal time to benefit them. When you are at the end of your life....are those employer emails going to matter to you, or would you have rather had that 5 minutes more with your family or friends every day? After 25 years that is 758 hours, or 1.3 months of your life dedicated to email for your employer. Is it really worth it to trade time of your life to some money making machine that will spit you out at a moment's notice? I don't think so.
Well. People living in Japan would need to work about 16hrs per day if body condition allow. But maybe Those companies should change policies to let employees happy.
They should. People around the world should stand up against this new form of slavery.
 