MobileIron on BYOD

Old Jul 7, 2016, 8:28 pm
  #1  
Original Poster
 
Join Date: Mar 2004
Location: Baltimore MD
Posts: 3,457
MobileIron on BYOD

My company provides devices (iPhone 5s) and supports a BYOD policy (as well as own cellular provider). For years the company provided devices have been delivered with MobileIron installed. Those of us that BYOD have had access to the exchange service via the built in email client. Now, however, they would like the BYOD users to install MobileIron on our personal devices to access the exchange service and will be suspending access to non-MobileIron users... here's my questions...
1) Does anyone have any experience with MobileIron on a BYOD device? My company is telling me that it will enable the auto lock function and passcode function as well as allow them to delete corporate emails. I fear/think that it will allow them to do more.
2) Does anyone know any iOS mail clients that spoof a desktop connection or client? We will still have access via desktop clients.

thanks
FDW
FlyingDoctorwu is offline  
Old Jul 8, 2016, 5:05 am
  #2  
FlyerTalk Evangelist
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Yes they can wipe your entire phone with an MDM (like MobileIron) installed. And I think some snooping, but I haven't followed the latest developments with the current iOS.

But as the old saying goes, if you aren't doing anything wrong, you shouldn't care if they are watching.
stimpy is offline  
Old Jul 8, 2016, 7:00 am
  #3  
FlyerTalk Evangelist
 
Join Date: May 2002
Location: Pittsburgh
Programs: MR/SPG LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus
Posts: 31,007
And if you don't like their terms to use your own device, it sounds like you have a company-provided alternative.
CPRich is offline  
Old Jul 8, 2016, 7:07 am
  #4  
 
Join Date: Oct 2014
Location: London, UK
Programs: BA Exec Club Gold
Posts: 335
Yes.

It's all about policy enforcement. Once you accept the "device template", the MDM client can implement ANY controls on the device that the admin sees fit - including as mentioned above total wipe without notice, the restriction of application types, forcing browsing through a proxy server managed by the company and other nasty such things.

Bottom line - I would NEVER accept an MDM client on a personal device. If a company put this restriction on BYOD, I would stop and force them to supply a device that met my needs.

Assuming your company use O365, the Outlook web client works very well on an iPhone without needing MDM.
FastTrak2Elite is offline  
Old Jul 8, 2016, 7:37 am
  #5  
 
Join Date: Jan 2012
Location: Mid Atlantic US
Programs: Hilton: Diamond/Everything else: Kettle...
Posts: 107
If you're connecting to a Microsoft Exchange Server at all (at least with Exchange 2010), the server admin can send a remote wipe (it's a built-in function...). For my company, it's part of the statement of user responsibility, letting the user know that, if necessary, we can send a remote wipe to the phone...

J
compubit is offline  
Old Jul 8, 2016, 7:49 am
  #6  
Original Poster
 
Join Date: Mar 2004
Location: Baltimore MD
Posts: 3,457
Originally Posted by stimpy
Yes they can wipe your entire phone with an MDM (like MobileIron) installed. And I think some snooping, but I haven't followed the latest developments with the current iOS.

But as the old saying goes, if you aren't doing anything wrong, you shouldn't care if they are watching.
Well that's unfortunate.. I do plenty wrong on my phone.. such as spend waaay too much time on Flyertalk....

I guess my work is just going to have to adjust to me being less available and responsive via email. Immediate access will move to every couple hours at best; not at all on the weekend.. I'm not installing anything that'll give my work access to my personal device...

Originally Posted by CPRich
And if you don't like their terms to use your own device, it sounds like you have a company-provided alternative.
I'm going to be like Hillary and not carry two devices...

Originally Posted by FastTrak2Elite
Yes.

It's all about policy enforcement. Once you accept the "device template", the MDM client can implement ANY controls on the device that the admin sees fit - including as mentioned above total wipe without notice, the restriction of application types, forcing browsing through a proxy server managed by the company and other nasty such things.

Bottom line - I would NEVER accept an MDM client on a personal device. If a company put this restriction on BYOD, I would stop and force them to supply a device that met my needs.

Assuming your company use O365, the Outlook web client works very well on an iPhone without needing MDM.
The web client does work fine on my phone.. just didn't know if there was an app that would spoof the web client or a desktop client. I'm not going to accept the client on my device for sure..

Originally Posted by compubit
If you're connecting to a Microsoft Exchange Server at all (at least with Exchange 2010), the server admin can send a remote wipe (it's a built-in function...). For my company, it's part of the statement of user responsibility, letting the user know that, if necessary, we can send a remote wipe to the phone...

J
Does Exchange 2010 remotely wipe the entire phone or just the Exchange email/data?

thanks!
FDW

Last edited by FlyingDoctorwu; Jul 8, 2016 at 7:59 am
FlyingDoctorwu is offline  
Old Jul 8, 2016, 8:18 am
  #7  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Originally Posted by FastTrak2Elite

Does Exchange 2010 remotely wipe the entire phone or just the Exchange email/data?

thanks!
FDW
If you use the built in iOS mail and account, Exchange can wipe the whole phone.

If you use MS's Outlook app, it will only wipe the account info off the app.

In any case, seeing as how your company has always been able to wipe your phone and hasn't, why are you worried? It's a baseline condition of having an Exchange account configured that is managed by someone else. Why would your company's IT go around arbitrarily wiping people's devices?
gfunkdave is offline  
Old Jul 8, 2016, 8:26 am
  #8  
Original Poster
 
Join Date: Mar 2004
Location: Baltimore MD
Posts: 3,457
Originally Posted by gfunkdave
If you use the built in iOS mail and account, Exchange can wipe the whole phone.

If you use MS's Outlook app, it will only wipe the account info off the app.

In any case, seeing as how your company has always been able to wipe your phone and hasn't, why are you worried? It's a baseline condition of having an Exchange account configured that is managed by someone else. Why would your company's IT go around arbitrarily wiping people's devices?
So it is news to me that they have always had the ability to wipe my device... that baseline condition was never disclosed to me.. I only figured that I was configuring an email account/calendar/directory... basically like configuring my gmail account..

But from what I understand by installing an MDM they will have potentially many many more capabilities and control over my device, which they haven't really fully disclosed either...

Sounds like the simplest route to go is to delete the exchange account and access only via the web client

FDW
FlyingDoctorwu is offline  
Old Jul 8, 2016, 9:00 am
  #9  
 
Join Date: Dec 2002
Location: Oregon
Programs: AA EXP, AS 75K, UA 1MM Gold, HH Diamond, Hyatt Explorist, IHG Plat, National EE, Hertz PC
Posts: 4,001
Originally Posted by FlyingDoctorwu
So it is news to me that they have always had the ability to wipe my device... that baseline condition was never disclosed to me.. I only figured that I was configuring an email account/calendar/directory... basically like configuring my gmail account..

But from what I understand by installing an MDM they will have potentially many many more capabilities and control over my device, which they haven't really fully disclosed either...

Sounds like the simplest route to go is to delete the exchange account and access only via the web client

FDW
I'm not sure what the notification looks like on an iOS device, but on an Android device when adding an Exchange account you get a notification that you must grant the Exchange account access as a device admin which can, among other things, initialize a total device wipe, reset your passcode, set passcode complexity requirements, and more. You must click accept to complete the configuration. I seem to recall a similar notification when an iOS user attaches to our Exchange server. We don't use any additional MDM package.

I remember having the ability to remote wipe Exchange ActiveSync connected devices all the way back in Exchange 2003. My first smartphone was a Windows Mobile device circa 2005 and Exchange already supported that functionality at the time I hooked up that device.

Edited to add: Looks like it was Exchange Server 2003 SP2 that added this functionality. In any case, a LONG LONG time ago.

https://en.wikipedia.org/wiki/Exchange_ActiveSync

As for some of the things your Exchange 2010 server can do to your device, here is a small list:

Originally Posted by Wikipedia
  • Minimum password length
  • Timeout without user input
  • Require password
  • Require alphanumeric password
  • Number of failed attempts
  • Allow attachment download
  • Maximum attachment size
  • Enable password recovery
  • Allow simple password
  • Password expiration (Days)
  • Enforce password history
  • Encrypt storage card
  • Disable removable storage
  • Disable camera
  • Disable SMS text messaging
  • Disable Wi-Fi
  • Disable Bluetooth
  • Disable IrDA
  • Allow internet sharing from device
  • Allow desktop sharing from device
  • Disable POP3/IMAP4 email
  • Allow consumer email
  • Allow web browser
  • Allow unsigned applications
  • Allow unsigned CABs
  • Application allow list
  • Application block list
  • Require signed S/MIME messages
  • Require encrypted S/MIME messages
  • Require signed S/MIME algorithm
  • Require encrypted S/MIME algorithm
  • Device encryption
  • Minimum number of complex characters

Last edited by elCheapoDeluxe; Jul 8, 2016 at 9:13 am
elCheapoDeluxe is offline  
Old Jul 8, 2016, 9:10 am
  #10  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Originally Posted by FlyingDoctorwu
So it is news to me that they have always had the ability to wipe my device... that baseline condition was never disclosed to me.. I only figured that I was configuring an email account/calendar/directory... basically like configuring my gmail account..

But from what I understand by installing an MDM they will have potentially many many more capabilities and control over my device, which they haven't really fully disclosed either...

Sounds like the simplest route to go is to delete the exchange account and access only via the web client

FDW
You should ask your IT department for their official policy as regards device management. At my previous employer, which had a BYOD option, a condition of having them reimburse your cell phone bill was signing a form that detailed that adding your account to your phone allowed them to wipe the device, and specifying that when you left the company you should have them remove the account from your device, because they always issue a wipe command to employees' phones after leaving the company.

In any case, as I mentioned, you can also install the Outlook app on your phone, which sandboxes your work stuff. If Outlook receives a remote wipe command, it will just wipe the app, not the phone. Be sure to remove the Exchange account from your main phone settings, though.

But it doesn't really matter that much in the first place if you back up your phone to iCloud. You can always just restore everything from back up in the worst case.

This seems to me an instance of making a mountain out of a mole hill.
gfunkdave is offline  
Old Jul 8, 2016, 9:19 am
  #11  
FlyerTalk Evangelist
 
Join Date: May 2002
Location: Pittsburgh
Programs: MR/SPG LT Titanium, AA LT PLT, UA SLV, Avis PreferredPlus
Posts: 31,007
Originally Posted by gfunkdave
This seems to me an instance of making a mountain out of a mole hill.
I'm not going to carry two devices, even though it's offered.
I'm not going to let anyone access my device, even though they always have been able to.
I'm going to significantly impact my ability to communicate and execute my job.
I'll show them....

Odd to me. YMMV, I suppose.
CPRich is offline  
Old Jul 8, 2016, 9:43 am
  #12  
 
Join Date: Sep 2015
Location: Chicago
Posts: 244
Our company did this for a while and when they decided to rescind the BYOD policy, they required everyone to bring in their devices for "imaging" and then have their devices wiped by information security. I suppose you could object, but at the risk of losing your job and being sued or something, and the documents they signed when opting in for BYOD basically allowed the company to do anything. Fortunately, I always kept my personal and work phones separate.
manda99 is offline  
Old Jul 8, 2016, 9:44 am
  #13  
FlyerTalk Evangelist
 
Join Date: Feb 1999
Location: Seat 1A, Juice pretty much everywhere, Mucci des Coins Exotiques
Posts: 34,339
Originally Posted by FlyingDoctorwu
Sounds like the simplest route to go is to delete the exchange account and access only via the web client
What might be better is to set up forwarding from your Exchange account to your personal email, or create a new Gmail account just for your work emails. Then you can easily access your email on your personal device. Of course you won't be able to send email from your work domain, but maybe you can work around that.
stimpy is offline  
Old Jul 8, 2016, 9:57 am
  #14  
 
Join Date: Jun 2007
Location: gggrrrovvveee (ORD)
Programs: UA Pt, Marriott Ti, Hertz PC
Posts: 6,091
Originally Posted by stimpy
What might be better is to set up forwarding from your Exchange account to your personal email, or create a new Gmail account just for your work emails. Then you can easily access your email on your personal device. Of course you won't be able to send email from your work domain, but maybe you can work around that.
And that would be in violation of just about any corporate IT/data and email management policies I've ever seen.
gobluetwo is offline  
Old Jul 8, 2016, 10:02 am
  #15  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Originally Posted by gobluetwo
And that would be in violation of just about any corporate IT/data and email management policies I've ever seen.
Agreed. Don't do that.
gfunkdave is offline  

