How to Wipe Mobile Devices Through Outlook Web Access (OWA)

Mobility is a fact of modern IT life. Devices are mobile, users are mobile — and, most importantly, so is their data. That data mobility can create sleepless nights for diligent IT admins, and remote wiping of mobile devices is a critical feature of mobile device management for precisely this reason. Unfortunately there is often a delay between when a remote wipe becomes necessary and when IT is notified by the user of this fact. During this time the data stored on the device is exposed and vulnerable.

Empowering users to wipe their devices themselves is a great way to eliminate, or at least reduce, the “vulnerability gap” between when a remote wipe is needed and when it is performed. In an Exchange 2007/2010 or Office365 environment where Outlook Web Access and Exchange ActiveSync are enabled, the process is quick, easy, and safe. Train users to follow the instructions I’ve provided below, and they will have the knowledge needed to remove sensitive data from lost or stolen devices.

First, open an Internet browser such as Internet Explorer, navigate to the Outlook Web Access (OWA) URL, and log in.

Fig 1 - Outlook Web Access Sign-In Screen

Once logged in, the OWA Inbox will display. Click Options in the upper right, then click See All Options.

Fig 2 - OWA See All Options

The account options screen will display.

Fig 3 - OWA Options Account

On the left side of the screen, click Phone. The Phone options screen will display. Click Mobile Phones at the top. A list will appear of all mobile devices that have used Exchange ActiveSync to connect to this mailbox.
Fig 4 - OWA Options Phone

Find the device in the list, click once to highlight, and then click Wipe Device.

Fig 5 - OWA Options Phone Wipe Device

When prompted, click Yes to confirm you want to wipe the device. Note: Clicking Yes will initiate a remote wipe erasing all data on the device and returning it to an out of box state. Be sure this is your goal!

Fig 6 - OWA Options Phone Wipe Device Prompt

The screen will return to the Phone options, but the device will be listed with a status of Wipe Pending.

Fig 7 - OWA Options Phone Wipe Pending

Wait a minute or two and then click the Refresh button, which looks like two arrows chasing each other in a circle. The status should change to Remote Device Wipe — if that’s what you see, then congratulations! However, if Wipe Pending is still displayed, wait a few minutes and click the refresh button again. Repeat this process as necessary until Remote Device Wipe Successful appears.

Fig 8 - OWA Options Phone Wipe Successful

We’ve completed the most important step, and the device is wiped. However, to keep everything nice and neat it’s important to remove the device association from the mailbox. Simply click the Delete button, which looks like an X.

Fig 9 - OWA Options Phone Delete Device

Click Yes to confirm deleting this mobile phone profile.

Fig 10 - OWA Options Phone Delete Device Prompt

That’s it! The mobile device no longer appears in the list of associated devices for the account.

Fig 11 - OWA Options Phone Device Deleted

The next time the user checks e-mail, he or she will notice a confirmation message that the mobile device was wiped. It will also remind him or her to delete the device association if it hasn’t already been done.
Fig 12 - OWA Remote Wipe Confirmation email

In the mobile era, it’s often just a matter of time that someone’s device is lost or stolen. Teach users how to erase data from their own devices and the risk of compromised data diminishes. The above method is just one of many. Watch for more Petri articles in the future to learn other techniques.