Solved

Kill Active sync for ex-employee

Posted on 2011-02-28
Last Modified: 2012-05-11
I am at a client's site with Exchange 2007 and ActiveSync.  An employee using an iPhone just resigned and left.  I have been running tests and have been unable to find a solid answer.  I essentially want to remove all company data from his phone.

I have installed MobileAdmin and have tested the wipe feature, but it completely wipes out the entire phone.  Great for a lost phone, but in this case I don't want to destroy any personal data he may have.  In reading the delete option it's unclear if it will stop him from any further syncs or actually remove all mail, contacts, and calendar items currently on his phone.

Can anyone help clear up how the delete feature in MobileAdmin will be received on his phone?  If not MobileAdmin, is there another tool to accomplish what I am trying to do?

I have already changed his password but not disabled his account or mailbox yet.  Your help is appreciated.
Question by:tw525
13 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Please read the following article for how to remote wipe a device on Exchange 2007:

http://technet.microsoft.com/en-us/library/aa998614(EXCHG.80).aspx
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
A remote wipe will factory reset the phone and is the only way to erase company data on a phone you don't have access to.
0
 
LVL 12

Expert Comment

by:Kent W
0
 
LVL 1

Author Comment

by:tw525
Alan,

That is what I have found so far.  Thank you for your prompt response.  I wonder if it was an MS decision to config it this way or were there perhaps technical hurdles to giving admins the ability to wipe out just their company's vital info without annihilating the entire handheld.  Wipe is useful if a device is lost, but not so much so when an employee leaves with their personal data.

By the way, a suggestion from two of my fellow techs was, if I knew the user's password, to back up his mail data and delete everything while leaving the password the same.  This would sync the loss of data and clean out his account without needing any interaction from him.  While I'm not fond of the approach, it's the only option I have.  Obviously I've had to restrict his remote access.  But for anyone else looking, it is an option before you reset the user's password.

Thanks for the help.
0
 
LVL 1

Author Closing Comment

by:tw525
While there was no "direct solution" to my question, Alan confirmed what I suspected, that it's not currently an option.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
If the user has personal data - the data should be backed up on their personal computer via iTunes, so they should be able to recover it.

Assuming the iPhone was synced to a work computer, then they would need to connect to the work computer - which is not an option here by the sounds of things.

As an alternative - you could export their mailbox to a .PST file - delete ALL their mail / contacts / calendar etc - then their phone would replicate the changes essentially wiping the data from their phone.  You can then change the password to their account, import the mail back in again and then you have erased their data whilst leaving their personal info intact.

Slightly roundabout way to resolve your issue - but it should work like a charm.
0
 
LVL 12

Expert Comment

by:Kent W
With MobileAdmin, you can just delete the sync partnership, or wipe only active sync data.  Not wipe the whole device :)
0
 
LVL 1

Author Comment

by:tw525
Actually I tested it on my own iPhone and can confirm MobileAdmin's "Wipe" wipes the entire device back to factory settings.  All personal data lost.  Of course I hooked it back up to iTunes at home and was able to recover most everything (minus things added since last backup).  But for the time being the phone had lost complete functionality, just like you pulled it out of the box.  The only option you have is emergency calls.  But I couldn't receive or place calls and could not get into my iPhone at all.
0
 
LVL 1

Author Comment

by:tw525
Alan,

I did use a method like that.  Unfortunately there is no way to confirm when sync occurs.  So I used autoforward in Exchange to forward any new incoming mail to another user and not leave a copy in his mailbox.  I disabled his ability to log in remotely.  The one area I was exposed on is he could still send messages from his handheld.

Is there a way to disable his ability to send messages from the handheld while still allowing him to sync?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
You can use a PowerShell command to see the last sync time for the user to see if they have synced since you emptied their mailbox - that would let you know that they now have an empty Exchange Inbox etc.

Alan
0
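The last-sync check mentioned above, as an added example that is not part of the original thread: it lists each ActiveSync partnership for a mailbox and flags whether the device has completed a sync since the mailbox was emptied. The mailbox name and timestamp are constructed placeholders, the function name is hypothetical, and treating the reported timestamps as UTC is an assumption to verify on your server.

```powershell
# Added example; run in the Exchange Management Shell on Exchange 2007.
# Get-SyncStateSince is a hypothetical helper name, not a built-in cmdlet.
function Get-SyncStateSince {
    param([string]$Mailbox, [datetime]$EmptiedAt)

    # Assumption: Get-ActiveSyncDeviceStatistics reports times in UTC.
    # Remove ToUniversalTime() if your server shows local time instead.
    $cutoff = $EmptiedAt.ToUniversalTime()

    # @() forces an array so zero or one partnership is handled the same way.
    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
    if ($devices.Count -eq 0) {
        Write-Warning "No ActiveSync partnerships found for $Mailbox"
        return
    }

    # A device that has never synced successfully has an empty LastSuccessSync,
    # so it is reported as not yet synced rather than raising an error.
    $devices | Select-Object Identity, DeviceType, DeviceID,
        LastSyncAttemptTime, LastSuccessSync,
        @{ Name = 'SyncedSinceEmptied'; Expression = {
            $_.LastSuccessSync -and ($_.LastSuccessSync -ge $cutoff) } }
}

# Constructed placeholders: replace with the real mailbox and the local time
# at which the mailbox contents were exported and deleted.
$mailbox = 'departed.user'
$emptied = Get-Date '2011-02-28 14:00'

$state = Get-SyncStateSince -Mailbox $mailbox -EmptiedAt $emptied
$state | Format-Table DeviceType, DeviceID, LastSuccessSync, SyncedSinceEmptied -AutoSize

# Once a device shows SyncedSinceEmptied = True, its partnership can be removed.
# -WhatIf only previews the action; drop it to actually delete the partnership.
$state | Where-Object { $_.SyncedSinceEmptied } |
    ForEach-Object { Remove-ActiveSyncDevice -Identity $_.Identity -WhatIf }
```

A device that stays at `SyncedSinceEmptied = False` has not yet received the emptied mailbox state, so its local copy of mail, contacts and calendar items should be assumed still present.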
 
LVL 12

Expert Comment

by:Kent W
I'll have to try that again, I've tested with everything from the PalmOS up, and it has just wiped out active sync data.
Killing the sync partnership along with changing the user's pass (or deleting the account) should also block them from all Exchange data, even the mail they have already viewed, as they no longer have perms to display it.
Maybe wiping the whole device is what you want, if you are going to re-assign to another user, or, if the individual is allowed to keep the device?  Seems like a clean slate would be a not-so-bad starting point, and a definite acknowledgment that all company data is purged.  On our corp phones, individuals sign a form that says any personal data on the phone needs to be backed up elsewhere, especially if they are parting ways. IMHO, wiping it completely is preferred.
Also, and this may be your "catch", we don't allow non-company phones to be synced or on the network for this very reason.  
Even just changing the password, sometimes the iPhone will not "catch up" with that AD change for hours or days...I do believe disabling locks them out immediately, but killing the sync partnership stops it immediately, and (I believe) also disallows any old mail, contacts, or synced data to display...other than like attachments they may have manually saved.
Hope that helps.  Sounds like you have a mini-lab setup to test? :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
@mugojava - the device is the personal property of the user who has resigned - hence the need to only wipe the Exchange info.
0
 
LVL 12

Expert Comment

by:Kent W
That does cause another layer of difficulty.  Have you tried, through MobileAdmin, just killing the sync partnership?  That has, in my experience, killed the ActiveSync immediately.  I have not tried on the iPhone specifically yet, everyone just switched to them recently, so I'm only sure it works on Palm and Windows phone devices.
0
