Solved

Kill Active sync for ex-employee

Posted on 2011-02-28
Last Modified: 2012-05-11
I am at a client's site with Exchange 2007 and ActiveSync.  An employee using an iPhone just resigned and left.  I have been running tests and have been unable to find a solid answer.  I essentially want to remove all company data from his phone.

I have installed MobileAdmin and have tested the wipe feature, but it completely wipes out the entire phone.  Great for a lost phone, but in this case I don't want to destroy any personal data he may have.  In reading the delete option it's unclear if it will stop him from any further syncs or actually remove all mail, contacts, and calendar items currently on his phone.

Can anyone help clear up how the delete feature in MobileAdmin will be received on his phone?  If not MobileAdmin, is there another tool to accomplish what I am trying to do?

I have already changed his password but not disabled his account or mailbox yet.  Your help is appreciated.
Question by:tw525
13 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35001559
Please read the following article for how to remote wipe a device on Exchange 2007:

http://technet.microsoft.com/en-us/library/aa998614(EXCHG.80).aspx
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35001571
A remote wipe will factory reset the phone and is the only way to erase company data on a phone you don't have access to.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35001593
0
 
LVL 1

Author Comment

by:tw525
ID: 35002256
Alan,

That is what I have found so far.  Thank you for your prompt response.  I wonder if it was an MS decision to config it this way or were there perhaps technical hurdles to giving admins the ability to wipe out just their company's vital info without annihilating the entire handheld.  Wipe is useful if a device is lost, but not so much so when an employee leaves with their personal data.

By the way, a suggestion from two of my fellow techs was, if I knew the user's password, to back up his mail data and delete everything while leaving the password the same.  This would sync the loss of data and clean out his account without needing any interaction from him.  While I'm not fond of the approach, it's the only option I have.  Obviously I've had to restrict his remote access.  But for anyone else looking, it is an option before you reset the user's password.

Thanks for the help.
0
 
LVL 1

Author Closing Comment

by:tw525
ID: 35002266
While there was no "direct solution" to my question, Alan confirmed what I suspected, that it's not currently an option.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35002298
If the user has personal data - the data should be backed up on their personal computer via iTunes, so they should be able to recover it.

Assuming the iPhone was synced to a work computer, then they would need to connect to the work computer - which is not an option here by the sounds of things.

As an alternative - you could export their mailbox to a .PST file - delete ALL their mail / contacts / calendar etc - then their phone would replicate the changes essentially wiping the data from their phone.  You can then change the password to their account, import the mail back in again and then you have erased their data whilst leaving their personal info intact.

Slightly roundabout way to resolve your issue - but it should work like a charm.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35002554
With MobileAdmin, you can just delete the sync partnership, or wipe only active sync data.  Not wipe the whole device :)
0
 
LVL 1

Author Comment

by:tw525
ID: 35017456
Actually I tested it on my own iPhone and can confirm MobileAdmin's "Wipe" wipes the entire device back to factory settings.  All personal data lost.  Of course I hooked it back up to iTunes at home and was able to recover most everything (minus things added since last backup).  But for the time being the phone had lost complete functionality, just like you pulled it out of the box.  The only option you have is emergency calls.  But I couldn't receive or place calls and could not get into my iPhone at all.
0
 
LVL 1

Author Comment

by:tw525
ID: 35018615
Alan,

I did use a method like that.  Unfortunately there is no way to confirm when sync occurs.  So I used autoforward in Exchange to forward any new incoming mail to another user and not leave a copy in his mailbox.  I disabled his ability to log in remotely.  The one area I was exposed on is he could still send messages from his handheld.

Is there a way to disable his ability to send messages from the handheld while still allowing him to sync?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35019587
You can use a PowerShell command to see the last sync time for the user to see if they have synced since you emptied their mailbox - that would let you know that they now have an empty Exchange Inbox etc.

Alan
0
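The check described in the reply above, written out as an added example (not code posted by anyone in this thread). It assumes the Exchange Management Shell on the Exchange 2007 server; the script name, `$Mailbox`, `$EmptiedAt` and the `-CutOff` switch are illustrative names chosen here.

```powershell
# Check-EasSync.ps1 (hypothetical name). Added example, run in the Exchange Management Shell.
# Usage:  .\Check-EasSync.ps1 -Mailbox jdoe -EmptiedAt "2011-03-01 09:00" [-CutOff]
# "jdoe" and the timestamp are constructed sample values.
param(
    [string]$Mailbox     = $(throw "Specify -Mailbox"),
    [datetime]$EmptiedAt = $(throw "Specify -EmptiedAt (when the mailbox was emptied)"),
    [switch]$CutOff      # also disable ActiveSync for the mailbox afterwards
)

# One statistics object is returned per device partnership on the mailbox.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
if ($devices.Count -eq 0) {
    Write-Warning "No ActiveSync partnerships found for $Mailbox."
    return
}

# Flag each device according to whether it completed a sync after the cleanup.
# Check whether your server reports these times in UTC or local time and
# pass -EmptiedAt in the same zone.
$report = $devices | Select-Object DeviceType, DeviceID, LastSyncAttemptTime, LastSuccessSync,
    @{ Name = 'SyncedSinceEmptied'
       Expression = { [bool]($_.LastSuccessSync -and ($_.LastSuccessSync -gt $EmptiedAt)) } }

$report | Format-Table -AutoSize | Out-Host

$pending = @($report | Where-Object { -not $_.SyncedSinceEmptied })
if ($pending.Count -gt 0) {
    Write-Warning ("{0} device(s) have not synced since {1}; they may still hold the old mailbox contents." -f $pending.Count, $EmptiedAt)
}

if ($CutOff) {
    if ($pending.Count -gt 0) {
        Write-Warning "Cutting off anyway: devices listed above will keep whatever they last synced."
    }
    # Blocks all further ActiveSync access for this mailbox, sending included.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
    Get-CASMailbox -Identity $Mailbox | Format-List Name, ActiveSyncEnabled | Out-Host
}
```

Run it without `-CutOff` until every device shows `SyncedSinceEmptied` as True, then run it again with the switch.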
 
LVL 12

Expert Comment

by:Kent W
ID: 35021086
I'll have to try that again, I've tested with everything from the PalmOS up, and it has just wiped out active sync data.
Killing the sync partnership along with changing the user's pass (or deleting account) should also block them from all Exchange data, even the mail they have already viewed, as they no longer have perms to display it.
Maybe wiping the whole device is what you want, if you are going to re-assign to another user, or, if the individual is allowed to keep the device?  Seems like a clean slate would be a not-so-bad starting point, and a definite acknowledgment that all company data is purged.  On our corp phones, individuals sign a form that says any personal data on the phone needs to be backed up elsewhere, especially if they are parting ways. IMHO, wiping it completely is preferred.
Also, and this may be your "catch", we don't allow non-company phones to be synced or on the network for this very reason.
Even just changing the password, sometimes the iPhone will not "catch up" with that AD change for hours or days...I do believe disabling locks them out immediately, but killing the sync partnership stops it immediately, and (I believe) also disallows any old mail, contacts, or synced data to display...other than like attachments they may have manually saved.
Hope that helps.  Sounds like you have a mini-lab set up to test? :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35022458
@mugojava - the device is the personal property of the user who has resigned - hence the need to only wipe the Exchange info.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35022802
That does cause another layer of difficulty.  Have you tried, through MobileAdmin, just killing the sync partnership?  That has, in my experience, killed the ActiveSync immediately.  I have not tried on the iPhone specifically yet, everyone just switched to them recently, so I'm only sure it works on Palm and Windows phone devices.
0
