Re-quarantine ActiveSync device

  • Question

  • I have set up ActiveSync for a customer. They are trying to enforce strict policies.

    This is the use case which gives me a problem:

    1. Configure iPhone with ActiveSync.
    2. Log in to ECP, allow the quarantined device.
    3. Phone synchronizes.
    4. Remote Wipe the device, the device is wiped.
    5. Configure the same phone for ActiveSync again (same Device ID).
    6. Phone synchronizes.

    The problem here is that if the phones are to be reused, the phone could be handed out to others in the organization who should not be allowed to synchronize the device with ActiveSync. The phone would then unintentionally already be authorized for ActiveSync. I know, they could remove the user from the ActiveSync group in AD etc., but what if the user should be allowed to use ActiveSync on some other device and not this one? There's no granularity... Once a device is authorized, is it authorized for life?

    How does one go about deleting a phone from the organization completely, enabling it to be "re-quarantined"?


    Tuesday, September 20, 2011 12:30 PM

All replies

  • Hi Shagma1,

    Please see this Exchange team blog:

    Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list


    Frank Wang

    Thursday, September 22, 2011 8:38 AM
  • Hi Shagma1,

    Any updates?

    Frank Wang

    Monday, September 26, 2011 1:55 AM
  • No updates, I read that link before I posted here. I know how ABQ works, generally speaking. What I don't know is written in the first post. Is there something you want me to clarify?

    Monday, September 26, 2011 8:45 AM
  • While I haven't tested it I would assume that if you remove/delete the device partnership from the user it would be re-usable for other users. Since we're talking about a controlled hand-over situation it shouldn't be a problem doing the wipe first (local or remote) and then remove it after you know the wipe has gone through. (When the device is synced for the first time entries are created in Active Directory; attached to the user object.)
    Monday, September 26, 2011 10:58 AM
  • Yeah, that's how I would prefer it to be, but it is not, as far as I can see. When it is wiped/removed/deleted, you name it, the phone, when resynced, just pops back up on the user, without going through quarantine first. This means that a previously used phone would be authorised for use by two or more users.

    I wonder if anyone has tested this before, since my testing gave me some mixed results. Out of all the times I tried wiping etc. (maybe 15 in total), a couple of times the device would show up in the ABQ. I do not know if that was because of something I did or some other randomness.

    I am certain though, that the command, "Remove-ActiveSyncDevice", does not work. The device ID is removed, which can be confirmed by doing "Get-ActiveSyncDevice -mailbox mailboxname", but when the phone synchronizes the device ID just gets added again.

    Monday, September 26, 2011 11:36 AM
  • Hi,

    Did you find a resolution to this issue?


    Tuesday, September 18, 2012 4:19 PM
  • Sort of:

    In Exchange Management Shell:

      • List all ActiveSync units:
      • List all ActiveSync units registered on a user:
        Get-ActiveSyncDevice -mailbox "user@contoso.com"
      • Delete partnership:
        Run command #2 to find the string "Identity". A user may have more than one phone registered, so be sure to select the correct unit.

        The complete command will look like this:
        Remove-ActiveSyncDevice -identity contoso.com/Users/Username/ExchangeActiveSyncDevices/iPhone§Appl7R11845XXXX
    Wednesday, September 19, 2012 7:04 PM
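    One way to script the wipe-then-remove procedure above, as an added example (not a command from the thread or from Microsoft): it assumes an Exchange 2010/2013 Management Shell session, uses placeholder mailbox and DeviceId values, and goes one step beyond the thread by also blocking the DeviceId on that mailbox with Set-CASMailbox, so the same account cannot silently re-pair the phone as described elsewhere in the thread.

```powershell
# Added example, not from the thread. Assumes an Exchange 2010/2013 Management
# Shell session; the mailbox and DeviceId below are placeholders.
param(
    [string]$Mailbox  = "user@contoso.com",   # placeholder
    [string]$DeviceId = "Appl7R11845XXXX"     # placeholder
)

# 1. Locate the partnership for this DeviceId only. A user may have several
#    phones, so never remove by mailbox alone.
$device = @(Get-ActiveSyncDevice -Mailbox $Mailbox |
            Where-Object { $_.DeviceId -eq $DeviceId })
if ($device.Count -eq 0) { throw "No partnership for DeviceId $DeviceId on $Mailbox" }
if ($device.Count -gt 1) { throw "DeviceId $DeviceId is not unique on $Mailbox; refusing to guess" }
$device = $device[0]

# 2. Only proceed once the phone has acknowledged the remote wipe; deleting the
#    record earlier would also drop the pending wipe request.
$stats = Get-ActiveSyncDeviceStatistics -Identity $device.Identity
if (-not $stats.DeviceWipeAckTime) {
    throw ("Wipe not acknowledged yet (sent: {0}); leaving the partnership in place" -f $stats.DeviceWipeSentTime)
}

# 3. Remove the partnership, as in the thread's step 3.
Remove-ActiveSyncDevice -Identity $device.Identity -Confirm:$false

# 4. Additionally block the DeviceId on this mailbox (assumption: the per-mailbox
#    ABQ list on Set-CASMailbox), so re-adding the account on the same phone is
#    refused instead of silently re-pairing.
$cas = Get-CASMailbox -Identity $Mailbox
$blocked = @($cas.ActiveSyncBlockedDeviceIDs) + $DeviceId |
           Where-Object { $_ } | Select-Object -Unique
Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs $blocked

# 5. Verify: no partnership remains for this DeviceId and the block is recorded.
$left = @(Get-ActiveSyncDevice -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId })
if ($left.Count -ne 0) { throw "Partnership for $DeviceId still present on $Mailbox" }
(Get-CASMailbox -Identity $Mailbox).ActiveSyncBlockedDeviceIDs
```

The block list is per mailbox, so a different user trying the same phone still goes through the normal ABQ quarantine path.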
  • Wow, I've been searching hard to find the answer and just ran across your post describing exactly the issue we're seeing (where formerly authorized devices re-authorize w/o going to quarantine), and it doesn't look like it's changed one bit (running Exchange 2013 SP1 w/ CU15)!

    I did find that the proposed solution isn't any different than removing it from the web "GUI": the devices still can come back, but only for that user account. If the SAME user adds their account to the device it will re-pair to the account; if a different user tries it, the device properly goes to quarantine.

    I'm sure you've either found a solution or moved on, but thought I'd add that nugget for anyone else searching for answers to the same problem.

    Thursday, May 25, 2017 8:07 PM