Exchange 2003 Service Pack 2 (SP2) Remote Wipe functionality


Remote Wipe is a new feature in E2K3 SP2 that will enable Exchange admins to force a device to delete its contents remotely. This can come in very handy when an end user loses their device or the device is stolen — and there is a risk that someone could access personal or confidential data. I should point out that there are a number of other policy/security related features in E2K3 SP2 to help mitigate this risk. For example, an Exchange admin can also require the user to use a PIN, enforce a length for the PIN, enforce whether the PIN is numeric or alphanumeric, and enforce a specific PIN timeout. This, coupled with the local wipe capability — which removes all data from the device when someone enters an incorrect PIN x number of times — provides good risk mitigation when a device is lost or stolen. Remote wipe is intended to provide an additional layer of security on top of all this.


Remote Wipe UI


There is an ASP.NET administration web page which allows the admin to view the list of devices for a particular user. From there the admin can send wipe commands for a given user, delete old or unused partnerships between devices and users, or cancel a wipe command already issued for a particular device of that user.


The web page has a transaction log which can be viewed by any admin that accesses that webpage and it shows a list of all actions taken on a particular user and device partnership containing the Date and Time when the activity took place, the user name, the SMTP address, Device ID, Device Type and the action that was taken (e.g. Cancel Wipe, Delete).


The setup will only work for administrators. IIS 6 is required for the install; with IIS 5 the tool has an authentication issue. We designed it so that admins can give other users permission to access the page if needed. To meet that requirement we use the System account that the app pool runs under to do an admin logon to the back end (BE). This works in IIS 6 because the app pool runs as Local System. In IIS 5, however, the ASP.NET worker process runs as IWAM_machinename, which is a restricted account.


What gets installed when we run the setup


Once the setup is run, a vdir with the name “MobileAdmin” is created and only Network Service/ASP.NET or administrator have access to it. A directory called “Microsoft Exchange ActiveSync Administration” is also created under Program Files.


Using the MobileAdmin webpage


To view the website we require SSL. This might require a cert to be issued. If that is the case, it will be issued automatically. To view the webpage type


            https://<ServerName>/MobileAdmin


Note: since we require SSL you have to use HTTPS. If you use HTTP, you will get the following error message: “The page must be viewed over a secure channel”.


Once you enter the URL using https you might get the following security alert asking you if you want to install the cert if you don’t have one already.


Note: You might or might not see this depending on if you need the cert to be installed or not.


At this time, either the admin or those users who have permission to view this page will be able to view the main page. The admin will be required to enter their credentials before proceeding.


To give a user permission to access this page, you can go to IIS Manager, right click on the MobileAdmin vdir, click on Permissions and add the user you want to give permissions to.


Alternatively, you can go to <installDrive>\Program Files. Right click on “Microsoft Exchange ActiveSync Administration”. Select Sharing and Security and go to Security Tab and add the user here.


Click on Remote Wipe on main page to view partnerships for a particular user and to issue wipe, Cancel wipe and delete partnerships as shown:



The snapshot above shows all the partnerships for user Sync1. The admin issued a RemoteWipe for DeviceID=Device1 and DeviceType=PocketPC which was acknowledged by the device. The data shows when the Wipe was initiated, when it was sent to the device, when the device acknowledged it and the status of the wipe command which in this case is the wipe operation completed successfully.


Also note that DeviceID=NSFJITNAA has not yet sent an acknowledgement.


If a user does not exist or does not have any partnerships, an error message will be displayed specifying whether the user does not exist, the mailbox is not enabled, or no devices were found for that mailbox.



What Happens at Protocol layer


At protocol level, the server determines the admin has scheduled the device for remote wipe and sends back HTTP 449 in response. The device then provisions and acknowledges receipt of the remote wipe and subsequently executes the Remote Wipe command.


When the admin has scheduled the device for remote wipe and the device issues a Provision command, the server sends down a Remote Wipe element indicating that the recipient is to initiate the remote wipe sequence.


In the 2nd phase, or Acknowledgement part, of the Provision command, the client acknowledges that the Remote Wipe directive has been received. Upon receiving the Remote Wipe from the server in the Provision response, the client issues an acknowledgement indicating its success or failure in receiving it. The status of the remote wipe should only indicate success if the device processed the command correctly and intends to execute a wipe of local contents.


When we process a PROVISION command for a device that is to be remote wiped, we consider the following:

Timestamp Value | Remote Wipe bit True? | State Description | Action
--------------- | --------------------- | ----------------- | ------
Sent:<time> | Yes | Client didn’t ack last time and is re-sending PROVISION (i.e. if PROVISION response from server was lost last time) | Issue PROVISION response with remoteWipe element
Default | Yes | Expected case. Device is connecting for the first time after admin specified remote wipe | Issue PROVISION response with remoteWipe element
Ack:<time> | Yes | Error – implies that device ack’d but did not carry out remote wipe command. | Issue PROVISION command with remoteWipe element


This shows up on the webpage as:
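As an added illustration (not the Exchange team's code), the following Python sketch models the protocol flow and state table above: the HTTP 449 answer to a device scheduled for wipe, the PROVISION response carrying the RemoteWipe element in the Default, Sent and Ack states, the device's phase-2 acknowledgement, and the transaction log the MobileAdmin page displays. The function names, dictionary shapes and log tuple layout are this sketch's own assumptions.

```python
# Added example modelling the remote-wipe flow; function names, the response
# dict shapes and the log tuple layout are assumptions, not the real server's.
from dataclasses import dataclass, field
from datetime import datetime, timezone

HTTP_OK, HTTP_RETRY_AFTER_PROVISION = 200, 449

@dataclass
class Partnership:
    user: str
    device_id: str
    device_type: str
    wipe_requested: bool = False      # the "Remote Wipe bit" in the table
    timestamp: str = "Default"        # "Default", "Sent:<time>" or "Ack:<time>"
    log: list = field(default_factory=list)   # MobileAdmin transaction log

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def _record(p, action):
    # one row of the transaction log: date/time, user, device id, type, action
    p.log.append((_now(), p.user, p.device_id, p.device_type, action))

def admin_action(p, action):
    """'Wipe' or 'Cancel Wipe' as issued from the MobileAdmin page."""
    if action == "Wipe":
        p.wipe_requested, p.timestamp = True, "Default"
    elif action == "Cancel Wipe":
        p.wipe_requested = False
    _record(p, action)

def handle_request(p, command):
    """Server side. Returns (http_status, response body)."""
    if not p.wipe_requested:
        return HTTP_OK, {"command": command, "RemoteWipe": False}
    if command != "PROVISION":
        return HTTP_RETRY_AFTER_PROVISION, {}   # force the device to provision
    state = p.timestamp.split(":")[0]
    if state == "Ack":
        # table row 3: device ack'd earlier but evidently did not wipe
        _record(p, "Error: wipe acknowledged but not executed")
    p.timestamp = "Sent:" + _now()   # rows 1-3 all (re)send the element
    return HTTP_OK, {"command": "PROVISION", "RemoteWipe": True}

def device_ack(p, succeeded):
    """Phase 2 of PROVISION: only a successful ack moves the state to Ack."""
    if succeeded and p.timestamp.startswith("Sent:"):
        p.timestamp = "Ack:" + _now()
        _record(p, "Wipe acknowledged by device")
    return p.timestamp.split(":")[0]
```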



Salman Zafar

Comments (13)
  1. Nino Benvenuti says:

    There has been a bit of discussion concerning the fact that the Remote Wipe functionality will _not_ wipe a storage card. I would love to hear the team’s thoughts on this issue.

    I can understand the folks in both the pro- and anti- storage card wipe camps, and I wonder about a compromise approach – making storage card wipes administrator selectable. How feasible is that?

    In lieu of that, what are some thoughts about an additional <something> that administrators can implement to remotely wipe the storage card ?

    Thanks!

  2. Anonymous says:

    Looky there, Daniel Moth has taken the orange pill – he’ll be coming aboard in early September. My…

  5. Exchange says:

    Nino,

    What you mention is something that is being looked into, but at this time there is nothing else we have to say about it and – no promises made!

  6. Matt says:

    I am using the SP2 beta and am wondering how I can get my hands on this "setup" to use the remote wipe functionality. Is there a link to download another installer on the Beta site? Did I miss an install option for the full SP2 package?

    The features so far sound (and look) great!

    Thanks,

    Matt

  7. Exchange says:

    Matt,

    Please ping your Beta support contacts on this – at this time, we should not discuss this in the open blog such as this one.

  8. Anonymous says:

    In a word: Keyloggers. The Client Menace.

    A particularly sharp chap at Tech.Ed asked me what I worried…

  9. Randy says:

    I’ve downloaded SP2 as well, and don’t see the MobileAdmin VirDir. What am I missing???

    BTW–I like the Sharepoint looking interface :-)

  10. Randy says:

    Hello? Anyone monitoring this Blog?

  11. Salman Zafar says:

    The remote wipe tool will ship as part of WebRelease which should be available in October/November time frame.

  12. Randy says:

    Any hints as to which PDA OS platforms will be supported?

  13. Anonymous says:

    I was just on Microsoft BetaPlace downloading the Microsoft Device Emulator 1.0 Community Preview to test Windows Mobile 5.0 with Exchange ActiveSync and the download timed-out at 98%. 2% remaining? Such a tease… I then tried accessing http://beta.microsoft.com
