When implementing Exchange ActiveSync (EAS) on Android devices, the Device Administrator permission requirement often triggers security warnings about remote wipe capabilities. This creates user resistance despite organizational security policies allowing relaxed controls.

For Exchange 2010 SP3 environments, we have two primary approaches to disable this functionality:

Method 1: PowerShell Configuration

# Connect to Exchange Management Shell
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ExchangeServer/PowerShell/ -Authentication Kerberos
Import-PSSession $Session

# Disable remote wipe for entire organization
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Allow 
-DeviceWipeThreshold $null 
-DeviceWipeEnabled $false

# Verify settings
Get-ActiveSyncOrganizationSettings | fl DeviceWipeEnabled,DeviceWipeThreshold

Method 2: Registry Modification

For standalone servers without PowerShell access:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSync\Parameters]
"DeviceWipeThreshold"=dword:00000000
"DeviceWipeEnabled"=dword:00000000

Even after server-side changes, Android may still display warnings due to:

• Existing device policies cached on mobile devices
• Outlook app-specific implementations
• Device manufacturer EAS client variations

Test the configuration with:

# Check effective mobile device policies
Get-ActiveSyncDeviceStatistics -Mailbox user@domain.com | 
Select-Object DeviceType,DeviceWipeStatus,DeviceWipeRequestTime

Monitor the Application event log for Event ID 1050 from source MSExchange ActiveSync to confirm policy application.

For targeted device management without global changes:

# Create exception policy for Android devices
New-ActiveSyncMailboxPolicy -Name "AndroidNoWipe" -DeviceWipeEnabled $false
Set-CASMailbox -Identity user@domain.com -ActiveSyncMailboxPolicy "AndroidNoWipe"

# Apply to multiple users
Get-Mailbox -Filter "RecipientTypeDetails -eq 'UserMailbox'" | 
Where {$_.ActiveSyncEnabled -eq $true} | 
Set-CASMailbox -ActiveSyncMailboxPolicy "AndroidNoWipe"

In Exchange 2010 ActiveSync implementations, Android devices often require Device Administrator privileges to establish synchronization. This automatically enables the remote wipe capability, which triggers alarming permission prompts during setup. Many organizations find this security feature excessive for their use cases, particularly when:

• BYOD policies already mandate basic security compliance
• The corporate environment has alternative security layers
• User adoption suffers due to perceived invasiveness

The most effective method involves modifying ActiveSync mailbox policies. Here's the PowerShell approach:

Set-ActiveSyncMailboxPolicy -Identity "Default" -AllowNonProvisionableDevices $true -DevicePolicyRefreshInterval "Unlimited" -AllowSimplePassword $false -PasswordEnabled $false -AlphanumericPasswordRequired $false -RequireStorageCardEncryption $false -RequireDeviceEncryption $false -AllowStorageCard $true -AllowCamera $true -AllowWiFi $true -AllowBluetooth $true -AllowIrDA $true -RequireManualSyncWhenRoaming $false -RequireManualSyncWhenRoaming $false -MaxAttachmentSize "Unlimited" -MaxCalendarAgeFilter "Unlimited" -MaxEmailAgeFilter "Unlimited" -MaxEmailBodyTruncationSize "Unlimited" -MaxEmailHTMLBodyTruncationSize "Unlimited" -MaxInactivityTimeDeviceLock "Unlimited" -MinDevicePasswordLength 0 -PasswordRecoveryEnabled $false -DevicePasswordEnabled $false

For environments where PowerShell changes don't propagate effectively, modify the registry on the Exchange server:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange ActiveSync\Parameters]
"RemoteWipeThreshold"=dword:00000000
"DisableRemoteWipe"=dword:00000001

When server-side changes aren't possible, consider these mobile client configurations:

<!-- AndroidManifest.xml excerpt for custom EAS client -->
<uses-permission android:name="android.permission.BIND_DEVICE_ADMIN" tools:node="remove" />
<receiver android:name=".security.DeviceAdminSample"
    android:permission="android.permission.BIND_DEVICE_ADMIN"
    tools:node="remove">
    <meta-data android:name="android.app.device_admin"
        android:resource="@xml/device_admin_sample" tools:node="remove" />
    <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" tools:node="remove"/>
    </intent-filter>
</receiver>

After implementation, verify the changes using:

Get-ActiveSyncDeviceStatistics -Mailbox user@domain.com | Select-Object DeviceType, DeviceModel, DeviceID, DeviceAccessState, DeviceAccessStateReason

Test with various Android clients (Samsung Mail, Nine, Outlook for Android) to confirm the wipe capability remains disabled.

For organizations needing granular control:

New-ActiveSyncMailboxPolicy -Name "NoRemoteWipePolicy" -DevicePasswordEnabled $false
Set-CASMailbox -Identity user@domain.com -ActiveSyncMailboxPolicy "NoRemoteWipePolicy"