Amazing 'bug' in Outlook web application

Name
Barry
Spent some time attempting to get my colleague's new phone connected to Microsoft Active-Sync mail account through Microsoft Exchange Server. It just wouldn't work so I tried my account on his phone. That worked so it has to be a Server side problem. In doing that I exceeded my Mobile device count in Exchange, suggesting I should remove devices.

Unbelievable - who'd have thought you could completely 'wipe' (which is an option within the portal) a mobile phone from an Outlook Web Application (OWA) which is linked to that e-mail address?

Yep! It does it - Utterly and completely - right back to Factory Default. No warning or anything else - just obliterate!

I really did assume 'wipe' meant remove device from Exchange Server - Wrong :eek:
 
I think that function has been there for a while to perform a remote wipe.
I think it is designed so if your phone gets lost/stolen you can get to an internet connection and fritz it.
 
I hate to defend M$, but wouldn't that be a phone OS bug? Surely a remote email service shouldn't have the authority to delete anything other than email. Or is that an old fashioned view?
 
I hate to defend M$, but wouldn't that be a phone OS bug? Surely a remote email service shouldn't have the authority to delete anything other than email. Or is that an old fashioned view?

It's quite common now. BlackBerry introduced it and many email services have an option where an admin can make it a retirement of connecting to the server. If your company has a BYOD policy, don't annoy them if you quit.
 
I think that function has been there for a while to perform a remote wipe.
I think it is designed so if your phone gets lost/stolen you can get to an internet connection and fritz it.

I realise now it's not a bug, it's a feature! Sheesh :(

I hate to defend M$, but wouldn't that be a phone OS bug? Surely a remote email service shouldn't have the authority to delete anything other than email. Or is that an old fashioned view?

Falls entirely within my remit - Old Fashioned - I like old fashioned

It's quite common now. BlackBerry introduced it and many email services have an option where an admin can make it a retirement of connecting to the server. If your company has a BYOD policy, don't annoy them if you quit.

I know - quite an interesting philosophy

Are they Windows Phones? :)

They were :naughty:
 
It's quite common now. BlackBerry introduced it and many email services have an option where an admin can make it a retirement of connecting to the server. If your company has a BYOD policy, don't annoy them if you quit.

That really is crazy. I remember when sandboxes were all the rage.......
 
Unbelievable - who'd have thought you could completely 'wipe' (which is an option within the portal) a mobile phone from an Outlook Web Application
Remember that if you deal with a big, fat, lazy company with poor mobile and web heritage, you will pay the cost at some stage. They don't usually lose customers because of it, as many will claim they don't have a choice, so sit there and take it.
 
just to play devil's advocate.. it's usually Remove Device to remove a device...

i'll have to check my settings on OWA as i have a few devices on mine which would not be very cool to reset, though windows phones do sync up and reacquire the info backed up from them very easily.
 
This was initiated by me as a User - it wasn't particularly clear that you could delete or wipe..... in fact, "Delete" was as vague as a vague thing - "Wipe" was far easier!
 
actually incredibly useful when inevitably a user loses their phone with confidential emails on.

That makes total sense. Since the company kind of "own" the emails.

But I still can't get my head round an email app running with sufficient level of privilege to nuke everything. Presumably apart from the U2 album that Apple gifted everybody, right?
 
That makes total sense. Since the company kind of "own" the emails.

But I still can't get my head round an email app running with sufficient level of privilege to nuke everything. Presumably apart from the U2 album that Apple gifted everybody, right?
but then OWA is mostly operated by business.

i think it's just an underlying protocol on the device that can be accessed. i mean look at the likes of cerberus on android for tracking and wiping lost phones.
 
but then OWA is mostly operated by business.

i think it's just an underlying protocol on the device that can be accessed. i mean look at the likes of cerberus on android for tracking and wiping lost phones.

Yes....but.......the phone shouldn't allow it. Isn't it a principle of good security that apps only have the privileges they actually need to run? If there's a flappy bit of code on a phone that allows some random junk written by another firm to wipe it then it's like golden arches for any hackers who are bored.

Cerberus* is different in that I'd have to install a piece of software on my phone that specifically allows it to destroy all the data. iOS and Android also have this functionality fairly natively. But the idea that an app whose job is to do something entirely different could do this just seems fundamentally wrong.

* honestly, I'm surprised Cerberus is allowed in the app store. If you know enough to willingly install it, you could get it from a 3rd party install.
 
i think you're being a little paranoid. i can't see anyone using it maliciously, it doesn't make anyone any money.

Then you really need to think outside the cubicle ;)

"Pay me £x or I nuke your phone" seems a decent sort of ransom-ware.
 
I really don't see what the problem is? Standard protocols part of any solid enterprise mdm solution. Blackberry has done that for years. I'd be concerned if wipe didn't wipe.
 
I really don't see what the problem is? Standard protocols part of any solid enterprise mdm solution. Blackberry has done that for years. I'd be concerned if wipe didn't wipe.

Wipe is a wipe. No dispute, but an E-mail application completely trashing a device back to Factory Default? Come on. Wipe the email account and mails but not the complete device! As EdinDevon said - what about if it's your own phone and you're, say, contracting for a company?
 
Wipe is a wipe. No dispute, but an E-mail application completely trashing a device back to Factory Default? Come on. Wipe the email account and mails but not the complete device! As EdinDevon said - what about if it's your own phone and you're, say, contracting for a company?
Then you wouldn't use that function obviously. You would not integrate the device to such a degree but perhaps use IMAP instead. It really is quite common across various solutions. Get the password wrong a few times where I work and bingo an automatic remote wipe will kick in. However it is also quite quickly reinstated following proper authentication and reactivation.

When I was in charge of closing down a quango I used it on a lot of devices where users didn't return them despite several requests. I love that big red button :)
 
I'm thinking this is basically a PC vs Mac thing (isn't everything when it comes down to it....?)

PC-style - make everything easy for sysadmins. BRB lets you nuke all data from afar to impose security. Also exposes you to hack attacks because where a door exists somebody will try to use it.
Mac-style - box stuff off so nothing can do any harm to things it shouldn't. Nightmare to administrate because users can lock stuff off but (more) secure against hack attacks - if there's no way an external process can nuke it then hackers can't do that either.

Data architects would like the Mac way. Possibly users would as well. Sysadmins like the PC way. And guess who gets to choose :D
 
Meh. All my stuff is saved elsewhere. There is no money in wiping someone's phone.

You know you can remote wipe iOS too don't you? ;)

But it's not a feature of email software, it's part of all mobile os.
Indeed, cue the next thread where someone will get upset that Google, Apple, Microsoft etc also have kill switches and can uninstall apps without your intervention etc.
 
This whole thread sounds like a lack of understanding of mobile device management terms. Wipe = wipe device, retire = remove the policies and active sync configurations.

It's the same in every platform.

And "Delete" ??? ---- I still maintain context is everything. Wiping from a mail application (even Web based) should relate to the mail account on the phone. Not wipe back to Default state of the phone itself.



delete_OWA.jpg
 
Looks like someone let programmers design the user interface.

And yes, context is hugely important.

When you wipe most phones you get a clear warning. This will remove all of your data on the phone. Do you wish to continue?
 
And "Delete" ??? ---- I still maintain context is everything. Wiping from a mail application (even Web based) should relate to the mail account on the phone. Not wipe back to Default state of the phone itself.



delete_OWA.jpg
Delete in that context with what you provided I would take as remove from that list, not wipe the whole device.

However if that is a list of managed devices then I would expect a delete to remove all management facilities from that device and restore it to factory default. As you say context is everything and that screen shot doesn't provide it.
 