  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 330

Inhibit mobile device access to Exchange

Hello,

We've got a problem with a device connecting to one of our mailboxes.

One of our customers recently lost his mobile phone that was configured to connect to his mailbox on Exchange, now we configured the new phone to access that same box but we want to inhibit access from the old one for security reasons.

We managed to isolate the S/N of the old one and, with the command Remove-ActiveSyncDevice -Identity *identity of the old device*, we successfully removed the old device.
After a couple of minutes, if we execute Get-ActiveSyncDeviceStatistics -mailbox *mailbox*, we discover that it's still syncing.

Is there a way to permanently disallow a device, of which we have the ID, to sync with Exchange?

Thanks
1 Solution
 
Simon Butler (Sembee), Consultant, Commented:
If the device has gone walkabout, why not send a wipe command?

The connection is still established. Running IISRESET will force the device to create a new connection and the new settings will apply.

Simon.
 
Jamie McKillop Commented:
Hello,

I agree with Simon. The first thing you should do when a phone is lost or stolen is wipe it to prevent company data from falling into the wrong hands. If you remove the partnership, like you have, the phone will just automatically re-establish the partnership. If you change the user's password and do an IISRESET, that should prevent the phone from syncing as you force the phone to re-authenticate and now the password in the phone doesn't match. The problem with that is that it can result in the account getting locked out as the phone keeps trying the wrong password.

If for some reason, you don't want to wipe it, you can set a list of allowed device IDs on the mailbox. This will prevent any devices not on that list from syncing. To do that, get the serial number of the new device and run:

Set-CasMailbox <email address> -ActiveSyncAllowedDeviceIDs <serial number>

JJ
 
r3helpdesk (Author) Commented:
Hello jjmck,

this command looks helpful
Set-CasMailbox <email address> -ActiveSyncAllowedDeviceIDs <serial number>

If for any reason I choose to go back to not having an Allowed device ID list, is there a command to undo this action?

Wouldn't it be easier to just blacklist the lost one instead of allowing all the other devices?
Is there an ActiveSync "disallowed" listed device list instead?
 
Jamie McKillop Commented:
To go back to not having an allowed list, run:

Set-CasMailbox <email address> -ActiveSyncAllowedDeviceIDs $null

There is no blacklist option.

JJ
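The allow-list approach from the two answers above, worked through end to end as an added example (editor's code, not posted by anyone in the thread). It builds the list from the DeviceID values that Get-ActiveSyncDeviceStatistics reports; `$Mailbox` and `$LostDeviceId` are placeholder assumptions.

```powershell
# Added example. Run in the Exchange Management Shell.
# Placeholder values (assumptions), not taken from the thread:
$Mailbox      = 'user@example.com'
$LostDeviceId = 'LOST-DEVICE-ID-PLACEHOLDER'

# 1. Inventory every ActiveSync partnership on the mailbox.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
$devices | Format-Table DeviceID, DeviceType, LastSuccessSync -AutoSize

# 2. Optional: queue a remote wipe for the lost device while its partnership
#    still exists (the cmdlet asks for confirmation).
$devices | Where-Object { $_.DeviceID -eq $LostDeviceId } |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity }

# 3. Build the allow list: every known DeviceID except the lost one.
#    Any device that is not on this list is refused, including a new phone
#    that has not synced yet.
$allowed = @($devices |
    Where-Object { $_.DeviceID -and $_.DeviceID -ne $LostDeviceId } |
    Select-Object -ExpandProperty DeviceID -Unique)

# Assumption: an empty list leaves the mailbox without a restriction (like
# $null), which would let the lost phone back in, so stop instead.
if ($allowed.Count -eq 0) {
    throw "No other device has synced yet. Sync the new phone once, then re-run."
}

# 4. Apply the list and read it back.
Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $allowed
Get-CASMailbox -Identity $Mailbox | Format-List Name, ActiveSyncAllowedDeviceIDs

# 5. After IISRESET on the Client Access server (as suggested in the thread),
#    check that the lost device's LastSuccessSync has stopped advancing.
Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.DeviceID -eq $LostDeviceId } |
    Format-List DeviceID, LastSyncAttemptTime, LastSuccessSync, DeviceWipeSentTime, DeviceWipeAckTime

# Undo (from the thread): remove the allow list again.
# Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $null
```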
 
r3helpdesk (Author) Commented:
Thank you very much,

We'll test this command and see if it resolves our problem