Solved

Kill Active sync for ex-employee

Posted on 2011-02-28
Last Modified: 2012-05-11
I am at a client's site with Exchange 2007 and ActiveSync.  An employee using an iPhone just resigned and left.  I have been running tests and am unable to find a solid answer.  I essentially want to remove all company data from his phone.

I have installed MobileAdmin and have tested the wipe feature, but it completely wipes out the entire phone.  Great for a lost phone, but in this case I don't want to destroy any personal data he may have.  In reading the delete option it's unclear if it will stop him from any further syncs or actually remove all mail, contacts, and calendar items currently on his phone.

Can anyone help clear up how the delete feature in MobileAdmin will be received on his phone?  If not MobileAdmin, is there another tool to accomplish what I am trying to do?

I have already changed his password but not disabled his account or mailbox yet.  Your help is appreciated.
Question by:tw525
13 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35001559
Please read the following article for how to remote wipe a device on Exchange 2007:

http://technet.microsoft.com/en-us/library/aa998614(EXCHG.80).aspx
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 35001571
A remote wipe will factory reset the phone and is the only way to erase company data on a phone you don't have access to.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35001593
0
 
LVL 1

Author Comment

by:tw525
ID: 35002256
Alan,

That is what I have found so far.  Thank you for your prompt response.  I wonder if it was an MS decision to config it this way or were there perhaps technical hurdles to giving admins the ability to wipe out just their company's vital info without annihilating the entire handheld.  Wipe is useful if a device is lost, but not so much so when an employee leaves with their personal data.

By the way, a suggestion from two of my fellow techs was, if I knew the user's password, to back up his mail data and delete everything while leaving the password the same.  This would sync the loss of data and clean out his account without needing any interaction from him.  While I'm not fond of the approach, it's the only option I have.  Obviously I've had to restrict his remote access.  But for anyone else looking, it is an option before you reset the user's password.

Thanks for the help.
0
 
LVL 1

Author Closing Comment

by:tw525
ID: 35002266
While there was no "direct solution" to my question, Alan confirmed what I suspected, that it's not currently an option.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35002298
If the user has personal data - the data should be backed up on their personal computer via iTunes, so they should be able to recover it.

Assuming the iPhone was synced to a work computer, then they would need to connect to the work computer - which is not an option here by the sounds of things.

As an alternative - you could export their mailbox to a .PST file - delete ALL their mail / contacts / calendar etc - then their phone would replicate the changes essentially wiping the data from their phone.  You can then change the password to their account, import the mail back in again and then you have erased their data whilst leaving their personal info intact.

Slightly roundabout way to resolve your issue - but it should work like a charm.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35002554
With MobileAdmin, you can just delete the sync partnership, or wipe only active sync data.  Not wipe the whole device :)
0
 
LVL 1

Author Comment

by:tw525
ID: 35017456
Actually I tested it on my own iPhone and can confirm MobileAdmin's "Wipe" wipes the entire device back to factory settings.  All personal data lost.  Of course I hooked it back up to iTunes at home and was able to recover most everything (minus things added since last backup).  But for the time being the phone had lost complete functionality, just like you pulled it out of the box.  The only option you have is emergency calls.  But I couldn't receive or place calls and could not get into my iPhone at all.
0
 
LVL 1

Author Comment

by:tw525
ID: 35018615
Alan,

I did use a method like that.  Unfortunately there is no way to confirm when sync occurs.  So I used autoforward in Exchange to forward any new incoming mail to another user and not leave a copy in his mailbox.  I disabled his ability to log in remotely.  The one area I was exposed on is he could still send messages from his handheld.

Is there a way to disable his ability to send messages from the handheld while still allowing him to sync?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35019587
You can use a PowerShell command to see the last sync time for the user to see if they have synced since you emptied their mailbox - that would let you know that they now have an empty Exchange Inbox etc.

Alan
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35021086
I'll have to try that again, I've tested with everything from the PalmOS up, and it has just wiped out active sync data.
Killing the sync partnership along with changing the user's pass (or deleting the account) should also block them from all Exchange data, even the mail they have already viewed, as they no longer have perms to display it.
Maybe wiping the whole device is what you want, if you are going to re-assign to another user, or, if the individual is allowed to keep the device?  Seems like a clean slate would be a not-so-bad starting point, and a definite acknowledgment that all company data is purged.  On our corp phones, individuals sign a form that says any personal data on the phone needs to be backed up elsewhere, especially if they are parting ways. IMHO, wiping it completely is preferred.
Also, and this may be your "catch", we don't allow non-company phones to be synced or on the network for this very reason.
Even just changing the password, sometimes the iPhone will not "catch up" with that AD change for hours or days...I do believe disabling locks them out immediately, but killing the sync partnership stops it immediately, and (I believe) also disallows any old mail, contacts, or synced data to display...other than like attachments they may have manually saved.
Hope that helps.  Sounds like you have a mini-lab set up to test? :)
0
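
Added example, not part of any post in this thread: a PowerShell script for the Exchange Management Shell that compares the last sync time Alan Hardisty mentions with the time the mailbox was emptied and, once every device has synced, disables ActiveSync for the mailbox and removes the sync partnerships Kent W refers to. The mailbox alias, the cutoff time and the `-BlockWhenSynced` switch are placeholders chosen for this example.

```powershell
# Added example for the Exchange 2007 Management Shell (save as a .ps1 file).
# $Mailbox and $EmptiedAt are placeholders, not values taken from the thread.
param(
    [string]$Mailbox       = 'jdoe',               # placeholder mailbox alias
    [datetime]$EmptiedAt   = '2011-03-01 09:00',   # local time the mailbox was emptied
    [switch]$BlockWhenSynced                       # also cut off ActiveSync when done
)

# Assumption: the statistics timestamps are reported in UTC, so the cutoff is
# converted to UTC before comparing. Confirm this on your own server.
$cutoff = $EmptiedAt.ToUniversalTime()

# One entry per device partnership on the mailbox.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
if ($devices.Count -eq 0) {
    Write-Host "No ActiveSync partnerships found for $Mailbox."
    return
}

# Flag each device according to whether it has completed a sync since the cutoff.
$report = $devices | Select-Object DeviceType, DeviceID, LastSyncAttemptTime, LastSuccessSync,
    @{ Name = 'SyncedSinceEmpty'
       Expression = { ($_.LastSuccessSync -ne $null) -and ($_.LastSuccessSync -gt $cutoff) } }
$report | Format-Table -AutoSize

$pending = @($report | Where-Object { -not $_.SyncedSinceEmpty })
if ($pending.Count -gt 0) {
    # Cutting access now would leave these devices holding the old items.
    Write-Host "$($pending.Count) device(s) have not synced since $cutoff (UTC). Re-run later."
    return
}

Write-Host "All devices have synced since the mailbox was emptied."
if ($BlockWhenSynced) {
    # Refuse further ActiveSync requests for this mailbox...
    Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
    # ...and remove each device partnership from the mailbox.
    foreach ($d in $devices) {
        Remove-ActiveSyncDevice -Identity $d.Identity -Confirm:$false
    }
}
```

A successful sync after the cutoff shows that the device contacted the server, not that every folder on it was synchronised, so check the phone's folder settings if that matters.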
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35022458
@mugojava - the device is the personal property of the user who has resigned - hence the need to only wipe the Exchange info.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35022802
That does cause another layer of difficulty.  Have you tried, through MobileAdmin, just killing the sync partnership?  That has, in my experience, killed the activesync immediately.  I have not tried on the iPhone specifically yet, everyone just switched to them recently, so I'm only sure it works on Palm and Windows phone devices.
0
