Important Note: The Remote Wipe functionality of the Exchange ActiveSync Web Admin Tool will NOT wipe a storage card.

URL: https://<servername>/mobileadmin/

The Microsoft Exchange Server ActiveSync Web Administration Tool enables administrators to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. By using the Exchange Server ActiveSync Web Administration Tool, administrators can perform the following actions:

• View a list of all devices that are being used by any enterprise user
• Select/de-select devices to be remotely erased
• View the status of pending remote erase requests for each device
• View a transaction log that indicates which administrators have issued remote erase commands, and the devices those commands pertained to

The Microsoft Exchange Server ActiveSync Web Administration Tool is designed for use with Exchange Server 2003 Service Pack 2 and compatible mobile devices.

Remote Wipe Details

Remote Wipe is a new feature in E2K3 SP2 that enables Exchange admins to force a device to delete its contents remotely. This comes in very handy when an end user loses their device, or when the device is stolen and there is a risk that someone could access personal or confidential data.

There are a number of other policy/security related features in E2K3 SP2 that help mitigate this risk. For example, an Exchange admin can also require the user to use a PIN, enforce a minimum PIN length, enforce whether the PIN is numeric or alphanumeric, and enforce a specific PIN timeout. Coupled with the local wipe capability, which removes all data from the device after an incorrect PIN has been entered a configured number of times, this provides good risk mitigation when a device is lost or stolen. Remote wipe is intended to provide an additional layer of security on top of all this; note that neither local nor remote wipe touches a storage card, so data that must not leave the device should not be stored on removable media.
Once setup is run, a vdir with the name "MobileAdmin" is created, and only Network Service/ASP.NET and Administrators have access to it. A directory called "Microsoft Exchange ActiveSync Administration" is also created under Program Files.

Remote Wipe UI

SSL is required to view the website. This might require a certificate to be issued; if so, it is issued automatically. To view the webpage, type: https://<ServerName>/MobileAdmin

To give a user permission to access this page, you can either go to IIS Manager, right-click the MobileAdmin vdir, click Permissions, and add the user you want to grant access to; or go to <installDrive>\Program Files, right-click "Microsoft Exchange ActiveSync Administration", select Sharing and Security, go to the Security tab, and add the user there. Because anyone with access to this page can erase any user's device, grant it to as few accounts as possible and review the transaction log for wipes you did not expect.

Internal Process of a Remote Wipe Initiation

A remote wipe is requested by setting the "wipeinitiated" property on the mailbox of the user to a non-zero time value. By "the mailbox", I really mean the folder where we store sync-related state. For a user "salman", a device type of "smartphone", and a device id of "testdevice", that folder would be:

    /exchange/salman/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/smartphone/testdevice

We can issue a WebDAV PROPPATCH to set this property:

    PROPPATCH /exchange/<mailbox>/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/<DeviceType>/<DeviceID> HTTP/1.1
    Host: <Server>
    Brief: t
    Accept-Language: en
    Content-Type: text/xml
    Content-Length: 406
    Connection: Keep-Alive

    <?xml version="1.0" encoding="utf-8"?>
    <propertyupdate xmlns="DAV:" xmlns:A="AirSyncCustom:">
      <set>
        <prop>
          <A:wipeinitiated>2005-03-22T00:00:30.078Z</A:wipeinitiated>
        </prop>
      </set>
    </propertyupdate>

The Content-Length must match the byte length of the body actually sent. The specific time isn't important; the only thing that matters is that it is non-zero when mapped to a FILETIME, where zero means January 1, 1601. In other words, the property is a flag, not a schedule: any past or future timestamp arms the wipe.
What Happens at the Protocol Layer

At the protocol level, the server determines that the admin has scheduled the device for remote wipe and sends back HTTP 449 (Retry With) in response to whatever command the device issued. The device then provisions, acknowledges receipt of the remote wipe, and subsequently executes the Remote Wipe command.

When the admin has scheduled the device for remote wipe and the device issues a Provision command, the server sends down a RemoteWipe element indicating that the recipient is to initiate the remote wipe sequence. In the second phase, or acknowledgement part, of the Provision command, the device acknowledges that the RemoteWipe directive has been received. Upon receiving the RemoteWipe from the server in the Provision response, the client issues an acknowledgement indicating its success or failure in processing it. The status of the remote wipe should only indicate success if the device processed the command correctly and intends to execute a wipe of local contents. Until the server has seen that acknowledgement, the request remains pending and the device continues to receive 449 on every command; a device that never connects again is never wiped, which is why PIN enforcement and local wipe still matter.

Download Microsoft Exchange Server ActiveSync Web Administration Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453
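The exchange described under "What Happens at the Protocol Layer", as an added example that is not part of the original article or of Exchange itself. Both sides are modelled in one file: the server answers any command with 449 while a wipe is pending, puts a RemoteWipe element in the Provision response, and records the device's acknowledgement; the device provisions on 449 and wipes only after it has acknowledged success. Element names follow the ActiveSync Provision command; the real traffic is WBXML-encoded over HTTPS and carries a policy document, both omitted here, and the device ids and FILETIME values are constructed.

```python
"""Simulated Exchange 2003 SP2 ActiveSync remote-wipe exchange (added example, not Microsoft's code).

Models the control flow only: WBXML encoding, HTTPS transport and the policy document
that a real Provision response carries are left out. Device ids and FILETIMEs are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

HTTP_OK = 200
HTTP_RETRY_WITH = 449       # "Retry With": provision first, then retry the command
WIPE_ACK_SUCCESS = "1"      # device processed RemoteWipe and will erase local contents
WIPE_ACK_FAILURE = "2"      # device received it but could not honour it


@dataclass
class DeviceRecord:
    wipe_initiated: int = 0      # FILETIME from the wipeinitiated property; 0 = no wipe pending
    wipe_acknowledged: bool = False


class Server:
    """Server side: decides per command whether to force provisioning."""

    def __init__(self) -> None:
        self.devices: dict[str, DeviceRecord] = {}
        self.transaction_log: list[tuple[str, str]] = []   # (device_id, acknowledgement status)

    def schedule_wipe(self, device_id: str, filetime: int) -> None:
        """Equivalent of the admin's PROPPATCH: any non-zero FILETIME arms the wipe."""
        if filetime == 0:
            raise ValueError("a zero FILETIME (1601-01-01) means 'no wipe'")
        self.devices.setdefault(device_id, DeviceRecord()).wipe_initiated = filetime

    def wipe_pending(self, device_id: str) -> bool:
        rec = self.devices.setdefault(device_id, DeviceRecord())
        return rec.wipe_initiated != 0 and not rec.wipe_acknowledged

    def handle(self, device_id: str, command: str, body: str = "") -> tuple[int, str]:
        """Returns (HTTP status, response body) for one ActiveSync command."""
        if command != "Provision":
            if self.wipe_pending(device_id):
                return HTTP_RETRY_WITH, ""                    # do not serve data to a doomed device
            return HTTP_OK, f"<{command}><Status>1</Status></{command}>"
        ack = ET.fromstring(body).find("./RemoteWipe/Status") if body else None
        if ack is not None:                                   # phase 2: acknowledgement
            rec = self.devices.setdefault(device_id, DeviceRecord())
            rec.wipe_acknowledged = ack.text == WIPE_ACK_SUCCESS
            self.transaction_log.append((device_id, ack.text))
            return HTTP_OK, "<Provision><Status>1</Status></Provision>"
        if self.wipe_pending(device_id):                      # phase 1: send the directive
            return HTTP_OK, "<Provision><Status>1</Status><RemoteWipe/></Provision>"
        return HTTP_OK, "<Provision><Status>1</Status></Provision>"


class Device:
    """Client side: provisions on 449 and wipes only after acknowledging success."""

    def __init__(self, device_id: str, can_wipe: bool = True) -> None:
        self.device_id = device_id
        self.can_wipe = can_wipe     # False simulates a device that cannot honour the directive
        self.wiped = False

    def run_command(self, server: Server, command: str) -> str:
        status, _ = server.handle(self.device_id, command)
        if status == HTTP_RETRY_WITH:
            return self.provision(server)
        return "ok"

    def provision(self, server: Server) -> str:
        _, reply = server.handle(self.device_id, "Provision", "<Provision/>")
        if ET.fromstring(reply).find("RemoteWipe") is None:
            return "provisioned"
        ack = WIPE_ACK_SUCCESS if self.can_wipe else WIPE_ACK_FAILURE
        server.handle(self.device_id, "Provision",
                      f"<Provision><RemoteWipe><Status>{ack}</Status></RemoteWipe></Provision>")
        if ack == WIPE_ACK_SUCCESS:
            self.wiped = True        # stand-in for erasing local contents (not the storage card)
            return "wiped"
        return "wipe-failed"
```

Two points the simulation makes visible: the server never returns mailbox data to a device with a pending wipe, and a failed acknowledgement leaves the request pending, so the device keeps getting 449 and the admin still sees it as outstanding in the transaction log.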