Solved

Kill Active sync for ex-employee

Posted on 2011-02-28
Last Modified: 2012-05-11
I am at a client's site with Exchange 2007 and ActiveSync.  An employee using an iPhone just resigned and left.  I have been running tests and have been unable to find a solid answer.  I want to essentially remove all company data from his phone.

I have installed MobileAdmin and have tested the wipe feature, but it completely wipes out the entire phone.  Great for a lost phone, but in this case I don't want to destroy any personal data he may have.  In reading the delete option it's unclear if it will stop him from any further syncs or actually remove all mail, contacts, and calendar items currently on his phone.

Can anyone help clear up how the delete feature in MobileAdmin will be received on his phone?  If not MobileAdmin, is there another tool to accomplish what I am trying to do?

I have already changed his password but not disabled his account or mailbox yet.  Your help is appreciated.
0
Question by:tw525
13 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35001559
Please read the following article for how to remote wipe a device on Exchange 2007:

http://technet.microsoft.com/en-us/library/aa998614(EXCHG.80).aspx
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35001571
A remote wipe will factory reset the phone and is the only way to erase company data on a phone you don't have access to.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35001593
0
 
LVL 1

Author Comment

by:tw525
ID: 35002256
Alan,

That is what I have found so far.  Thank you for your prompt response.  I wonder if it was an MS decision to config it this way or were there perhaps technical hurdles to giving admins the ability to wipe out just their company's vital info without annihilating the entire handheld.  Wipe is useful if a device is lost, but not so much so when an employee leaves with their personal data.

By the way, a suggestion from two of my fellow techs was, if I knew the user's password, to back up his mail data and delete everything while leaving the password the same.  This would sync the loss of data and clean out his account without needing any interaction from him.  While I'm not fond of the approach, it's the only option I have.  Obviously I've had to restrict his remote access.  But for anyone else looking, it is an option before you reset the user's password.

Thanks for the help.
0
 
LVL 1

Author Closing Comment

by:tw525
ID: 35002266
While there was no "direct solution" to my question, Alan confirmed what I suspected, that it's not currently an option.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35002298
If the user has personal data - the data should be backed up on their personal computer via iTunes, so they should be able to recover it.

Assuming the iPhone was synced to a work computer, then they would need to connect to the work computer - which is not an option here by the sounds of things.

As an alternative - you could export their mailbox to a .PST file - delete ALL their mail / contacts / calendar etc - then their phone would replicate the changes essentially wiping the data from their phone.  You can then change the password to their account, import the mail back in again and then you have erased their data whilst leaving their personal info intact.

Slightly roundabout way to resolve your issue - but it should work like a charm.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35002554
With MobileAdmin, you can just delete the sync partnership, or wipe only active sync data.  Not wipe the whole device :)
0
 
LVL 1

Author Comment

by:tw525
ID: 35017456
Actually I tested it on my own iPhone and can confirm MobileAdmin's "Wipe" wipes the entire device back to factory settings.  All personal data lost.  Of course I hooked it back up to iTunes at home and was able to recover most everything (minus things added since last backup).  But for the time being the phone had lost complete functionality, just like you pulled it out of the box.  The only option you have is emergency calls.  But I couldn't receive or place calls and could not get into my iPhone at all.
0
 
LVL 1

Author Comment

by:tw525
ID: 35018615
Alan,

I did use a method like that.  Unfortunately there is no way to confirm when sync occurs.  So I used autoforward in Exchange to forward any new incoming mail to another user and not leave a copy in his mailbox.  I disabled his ability to log in remotely.  The one area I was exposed on is he could still send messages from his handheld.

Is there a way to disable his ability to send messages from the handheld while still allowing him to sync?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35019587
You can use a PowerShell command to see the last sync time for the user to see if they have synced since you emptied their mailbox - that would let you know that they now have an empty Exchange Inbox etc.

Alan
0
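The last-sync check described in the comment above, as an added example that is not part of the original thread. The function name, the sample devices and the `departed.user` mailbox are placeholders, and the comparison assumes `LastSuccessSync` is reported in UTC.

```powershell
# Added example (not from the thread): classify each ActiveSync partnership by
# whether it has synced successfully since the mailbox was emptied.
function Get-SyncStateSince {
    param([datetime]$EmptiedAtUtc)   # when the mailbox was emptied (assumed UTC)
    process {
        $last = $_.LastSuccessSync
        if ($last -eq $null)             { $state = 'NeverSynced' }
        elseif ($last -gt $EmptiedAtUtc) { $state = 'SyncedAfterEmpty' }
        else                             { $state = 'NotSyncedYet' }
        # Keep the identifying columns and append the verdict.
        $_ | Select-Object DeviceID, DeviceType, LastSuccessSync,
                           @{ Name = 'State'; Expression = { $state } }
    }
}

# Constructed sample rows shaped like Get-ActiveSyncDeviceStatistics output,
# so the function can be tried without an Exchange server.
function New-SampleDevice($id, $type, $lastSync) {
    $d = '' | Select-Object DeviceID, DeviceType, LastSuccessSync
    $d.DeviceID = $id; $d.DeviceType = $type; $d.LastSuccessSync = $lastSync
    $d
}

$emptied = [datetime]'2011-03-01 14:00:00'    # constructed timestamp
$sample  = @(
    (New-SampleDevice 'CONSTRUCTED-1' 'iPhone'   ([datetime]'2011-03-01 16:20:00')),
    (New-SampleDevice 'CONSTRUCTED-2' 'iPhone'   ([datetime]'2011-02-27 08:05:00')),
    (New-SampleDevice 'CONSTRUCTED-3' 'PocketPC' $null)
)
$sample | Get-SyncStateSince -EmptiedAtUtc $emptied | Format-Table -AutoSize

# From the Exchange Management Shell, against the real mailbox
# ('departed.user' is a placeholder identity):
# Get-ActiveSyncDeviceStatistics -Mailbox 'departed.user' |
#     Get-SyncStateSince -EmptiedAtUtc $emptied
```

A `SyncedAfterEmpty` result means the device completed a sync with the server after the cutoff; items the user saved outside the mail client, such as attachments, are not covered by it.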
 
LVL 12

Expert Comment

by:Kent W
ID: 35021086
I'll have to try that again, I've tested with everything from the PalmOS up, and it has just wiped out active sync data.
Killing the sync partnership along with changing the user's pass (or deleting account) also should block them from all Exchange data, even the mail they have already viewed, as they no longer have perms to display it.
Maybe wiping the whole device is what you want, if you are going to re-assign to another user, or, if the individual is allowed to keep the device?  Seems like a clean slate would be a not-so-bad starting point, and a definite acknowledgment that all company data is purged.  On our corp phones, individuals sign a form that says any personal data on the phone needs to be backed up elsewhere, especially if they are parting ways. IMHO, wiping it completely is preferred.
Also, and this may be your "catch", we don't allow non-company phones to be synced or on the network for this very reason.  
Even just changing the password, sometimes the iPhone will not "catch up" with that AD change for hours or days...I do believe disabling locks them out immediately, but killing the sync partnership stops it immediately, and (I believe) also disallows any old mail, contacts, or synced data to display...other than like attachments they may have manually saved.
Hope that helps.  Sounds like you have a mini-lab set up to test? :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35022458
@mugojava - the device is the personal property of the user who has resigned - hence the need to only wipe the Exchange info.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35022802
That does cause another layer of difficulty.  Have you tried, through MobileAdmin, just killing the sync partnership?  That has, in my experience, killed the ActiveSync immediately.  I have not tried on the iPhone specifically yet, everyone just switched to them recently, so I'm only sure it works on Palm and Windows phone devices.
0
