Solved

Kill Active sync for ex-employee

Posted on 2011-02-28
Last Modified: 2012-05-11
I am at a client's site with Exchange 2007 and ActiveSync. An employee using an iPhone just resigned and left. I have been running tests and am unable to find a solid answer. I want to essentially remove all company data from his phone.

I have installed MobileAdmin and have tested the wipe feature, but it completely wipes out the entire phone. Great for a lost phone, but in this case I don't want to destroy any personal data he may have. In reading the delete option it's unclear if it will stop him from any further syncs or actually remove all mail, contacts, and calendar items currently on his phone.

Can anyone help clear up how the delete feature in MobileAdmin will be received on his phone? If not MobileAdmin, is there another tool to accomplish what I am trying to do?

I have already changed his password but not disabled his account or mailbox yet.  Your help is appreciated.
0
Question by:tw525
13 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35001559
Please read the following article for how to remote wipe a device on Exchange 2007:

http://technet.microsoft.com/en-us/library/aa998614(EXCHG.80).aspx
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 35001571
A remote wipe will factory reset the phone and is the only way to erase company data on a phone you don't have access to.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35001593
0

 
LVL 1

Author Comment

by:tw525
ID: 35002256
Alan,

That is what I have found so far. Thank you for your prompt response. I wonder if it was an MS decision to config it this way or were there perhaps technical hurdles to giving admins the ability to wipe out just their company's vital info without annihilating the entire handheld. Wipe is useful if a device is lost, but not so much so when an employee leaves with their personal data.

By the way, a suggestion from two of my fellow techs was, if I knew the user's password, to back up his mail data and delete everything while leaving the password the same. This would sync the loss of data and clean out his account without needing any interaction from him. While I'm not fond of the approach, it's the only option I have. Obviously I've had to restrict his remote access. But for anyone else looking, it is an option before you reset the user's password.

Thanks for the help.
0
 
LVL 1

Author Closing Comment

by:tw525
ID: 35002266
While there was no "direct solution" to my question, Alan confirmed what I suspected, that it's not currently an option.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35002298
If the user has personal data - the data should be backed up on their personal computer via iTunes, so they should be able to recover it.

Assuming the iPhone was synced to a work computer, then they would need to connect to the work computer - which is not an option here by the sounds of things.

As an alternative - you could export their mailbox to a .PST file - delete ALL their mail / contacts / calendar etc - then their phone would replicate the changes essentially wiping the data from their phone.  You can then change the password to their account, import the mail back in again and then you have erased their data whilst leaving their personal info intact.

Slightly roundabout way to resolve your issue - but it should work like a charm.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35002554
With MobileAdmin, you can just delete the sync partnership, or wipe only active sync data.  Not wipe the whole device :)
0
 
LVL 1

Author Comment

by:tw525
ID: 35017456
Actually I tested it on my own iPhone and can confirm MobileAdmin's "Wipe" wipes the entire device back to factory settings. All personal data lost. Of course I hooked it back up to iTunes at home and was able to recover most everything (minus things added since last backup). But for the time being the phone had lost complete functionality, just like you pulled it out of the box. The only option you have is emergency calls. But I couldn't receive or place calls and could not get into my iPhone at all.
0
 
LVL 1

Author Comment

by:tw525
ID: 35018615
Alan,

I did use a method like that. Unfortunately there is no way to confirm when sync occurs. So I used autoforward in Exchange to forward any new incoming mail to another user and not leave a copy in his mailbox. I disabled his ability to log in remotely. The one area I was exposed on is he could still send messages from his handheld.

Is there a way to disable his ability to send messages from the handheld while still allowing him to sync?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35019587
You can use a PowerShell command to see the last sync time for the user to see if they have synced since you emptied their mailbox - that would let you know that they now have an empty Exchange Inbox etc.

Alan
0
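The last-sync check described in the comment above, combined with the partnership removal discussed elsewhere in this thread, as an added example that is not part of the original posts. It assumes the Exchange 2007 Management Shell; the mailbox identity and the "emptied at" time are placeholders, and the timestamps Exchange returns are assumed to be UTC.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
param(
    [string]  $Mailbox      = 'jdoe@example.com',   # placeholder identity
    [datetime]$EmptiedAtUtc = '2011-02-28 15:00',   # placeholder: when the mailbox was emptied (assumed UTC)
    [switch]  $RemovePartnership                    # only act when explicitly requested
)

# One statistics object is returned per device partnership on the mailbox.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
if ($devices.Count -eq 0) {
    Write-Warning "No ActiveSync partnerships found for $Mailbox"
    return
}

# Flag each device: has it completed a sync since the mailbox was emptied?
$report = $devices | Select-Object DeviceType, DeviceID, LastSyncAttemptTime, LastSuccessSync,
    @{ Name       = 'SyncedAfterEmpty'
       Expression = { $_.LastSuccessSync -and ($_.LastSuccessSync -gt $EmptiedAtUtc) } }
$report | Format-Table -AutoSize

# A device that has not synced yet still holds its old cached copy of the mailbox,
# so stop here and check again later instead of cutting it off.
$pending = @($report | Where-Object { -not $_.SyncedAfterEmpty })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) device(s) have not synced since the mailbox was emptied."
    return
}

if ($RemovePartnership) {
    # Stop further ActiveSync access for the mailbox, then delete each partnership.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
    foreach ($d in $devices) {
        Remove-ActiveSyncDevice -Identity $d.Identity -Confirm:$false
    }
}
```

Run it without `-RemovePartnership` first to review the table; the switch only takes effect once every listed device shows a successful sync later than the placeholder time.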
 
LVL 12

Expert Comment

by:Kent W
ID: 35021086
I'll have to try that again, I've tested with everything from the PalmOS up, and it has just wiped out active sync data.
Killing the sync partnership along with changing the user's pass (or deleting account) should also block them from all Exchange data, even the mail they have already viewed, as they no longer have perms to display it.
Maybe wiping the whole device is what you want, if you are going to re-assign to another user, or, if the individual is allowed to keep the device? Seems like a clean slate would be a not-so-bad starting point, and a definite acknowledgment that all company data is purged. On our corp phones, individuals sign a form that says any personal data on the phone needs to be backed up elsewhere, especially if they are parting ways. IMHO, wiping it completely is preferred.
Also, and this may be your "catch", we don't allow non-company phones to be synced or on the network for this very reason.
Even just changing the password, sometimes the iPhone will not "catch up" with that AD change for hours or days... I do believe disabling locks them out immediately, but killing the sync partnership stops it immediately, and (I believe) also disallows any old mail, contacts, or synced data to display... other than like attachments they may have manually saved.
Hope that helps. Sounds like you have a mini-lab setup to test? :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35022458
@mugojava - the device is the personal property of the user who has resigned - hence the need to only wipe the Exchange info.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35022802
That does cause another layer of difficulty. Have you tried, through MobileAdmin, just killing the sync partnership? That has, in my experience, killed the ActiveSync immediately. I have not tried on the iPhone specifically yet, everyone just switched to them recently, so I'm only sure it works on Palm and Windows phone devices.
0
