ActiveSync Remote Wipe caveat

Today I had to remotely wipe a user's phone that was set up against our Exchange 2010 server through ActiveSync. I hadn't done this yet, since we are migrating from BlackBerrys and usually just do a Remote Wipe on the BES server, so I figured I would try it out with ActiveSync and get a documented process and KB article created.

I ran the following commands in the Exchange Management Shell (the first one looks up the device's Identity, which the second one needs):

Get-ActiveSyncDeviceStatistics -Mailbox bstollfus | fl Identity

Identity: internal.domain.com/Information_Systems/SystemsAdmins/Users/Brad Stollfus/ExchangeActiveSyncDevices/SAMSUNGPHD710SAMSUNGA00000F78349FA

Clear-ActiveSyncDevice -Identity "internal.domain.com/Information_Systems/SystemsAdmins/Users/Brad Stollfus/ExchangeActiveSyncDevices/SAMSUNGPHD710SAMSUNGA00000F78349FA" -NotificationEmailAddress "bstollfus@internal.domain.com"

(The Identity contains a space, so it has to be quoted, and the notification address needs a closing quote; the cmdlet will also prompt for confirmation unless you pass -Confirm:$false.)

Initially the wipe didn't work, so I rebooted the phone, which didn't resolve the issue, so I started to look into why. It turns out that, because of the way ActiveSync delivers the remote wipe flag, the device only receives it when it next authenticates and syncs with the server. If the user is disabled in Active Directory, the phone can no longer authenticate (obviously), so the remote wipe flag can never be received by the phone. The order matters: request the wipe, confirm the device has acknowledged it, and only then disable the account.
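To turn that ordering into something repeatable, here is an added example script (not from the original post) for the Exchange 2010 Management Shell. It wipes every ActiveSync partnership on the mailbox, polls Get-ActiveSyncDeviceStatistics until each device reports a DeviceWipeAckTime, and only then disables the AD account; if the acknowledgement never arrives it leaves the account enabled and warns, so the wipe can still be delivered. The mailbox alias, notification address, timeouts, and the assumption that the alias equals the sAMAccountName are placeholders; it also assumes the ActiveDirectory module is installed on the EMS host.

```powershell
# Added example, not the original post's commands. Assumes Exchange 2010 EMS
# plus the ActiveDirectory module; parameters below are placeholders.
param(
    [string]$Mailbox        = "bstollfus",                     # assumption: alias == sAMAccountName
    [string]$NotifyAddress  = "helpdesk@internal.domain.com",  # assumption
    [int]$TimeoutMinutes    = 240,
    [int]$PollSeconds       = 60
)

Import-Module ActiveDirectory

# 1. Enumerate every device partnership on the mailbox and request a wipe for each.
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
if ($devices.Count -eq 0) { throw "No ActiveSync partnerships found for $Mailbox" }

foreach ($d in $devices) {
    Write-Host ("Requesting wipe for {0} ({1}), last sync {2}" -f $d.DeviceId, $d.DeviceType, $d.LastSuccessSync)
    Clear-ActiveSyncDevice -Identity $d.Identity -NotificationEmailAddress $NotifyAddress -Confirm:$false
}

# 2. The wipe flag is only delivered when the device authenticates and syncs,
#    so poll until every device has acknowledged it (DeviceWipeAckTime set).
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds $PollSeconds
    $pending = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { -not $_.DeviceWipeAckTime })
    foreach ($p in $pending) {
        Write-Host ("Waiting on {0}: requested {1}, sent {2}" -f `
            $p.DeviceId, $p.DeviceWipeRequestTime, $p.DeviceWipeSentTime)
    }
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($pending.Count -gt 0) {
    # Do NOT disable the account here: a disabled user cannot authenticate,
    # and an unauthenticated device never receives the wipe flag.
    Write-Warning ("{0} device(s) have not acknowledged the wipe; leaving {1} ENABLED" -f $pending.Count, $Mailbox)
    return
}

# 3. Every device acknowledged the wipe; now it is safe to cut off authentication.
Disable-ADAccount -Identity $Mailbox
Write-Host "All devices acknowledged the wipe; $Mailbox disabled."
```

Run it before HR disables the account, not after. If the script times out, keep the account enabled and re-run the polling loop later; you can also check progress by hand with Get-ActiveSyncDeviceStatistics -Mailbox and looking at the DeviceWipeRequestTime, DeviceWipeSentTime, and DeviceWipeAckTime columns.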

Here is an article that goes into the details a little more (the title says it all: wipe first, then disable):
http://msinfluentials.com/blogs/jesper/archive/2010/04/08/don-t-fire-people-until-after-you-wipe-their-phones.aspx
