I have set up ActiveSync for a customer. They are trying to enforce strict policies.
This is the use case which gives me a problem:
1. Configure iPhone with ActiveSync.
2. Log in to ECP, allow the quarantined device.
3. Phone synchronizes.
4. Remote Wipe the device, the device is wiped.
5. Configure the same phone for ActiveSync again (same Device ID).
6. Phone synchronizes.
The problem here is that if the phones are to be reused, the phone could be handed out to others in the organization who should not be allowed to synchronize the device with ActiveSync. The phone would then unintentionally already be authorized for ActiveSync. I know, they could remove the user from the ActiveSync group in AD etc., but what if the user should be allowed to use ActiveSync on some other device and not this one? There's no granularity... Once a device is authorized, it is authorized for life?
How does one go about deleting a phone from the organization, completely, enabling it to be "re-quarantined"?
Please see this Exchange team blog:
Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list
While I haven't tested it, I would assume that if you remove/delete the device partnership from the user it would be re-usable for other users. Since we're talking about a controlled hand-over situation, it shouldn't be a problem doing the wipe first (local or remote) and then removing it after you know the wipe has gone through. (When the device is synced for the first time, entries are created in Active Directory, attached to the user object.)
Yeah, that's how I would prefer it to be, but it is not, as far as I can see. When it is wiped/removed/deleted, you name it, the phone, when resynced, just pops back up on the user, without going through quarantine first. This means that a previously used phone would be authorised for use by two or more users.
I wonder if anyone has tested this before, since my testing gave me some mixed results. Out of all the times I tried wiping etc. (maybe 15 in total), a couple of times the device would show up in the ABQ. I do not know if that was because of something I did or some other randomness.
I am certain though, that the command, "Remove-ActiveSyncDevice", does not work. The device ID is removed, which can be confirmed by doing "Get-ActiveSyncDevice -mailbox mailboxname", but when the phone synchronizes the device ID just gets added again.
In Exchange Management Shell:
- List all ActiveSync units:
- List all ActiveSync units registered on a user:
Get-ActiveSyncDevice -mailbox "firstname.lastname@example.org"
- Delete partnership:
Run command #2 to find the string "Identity". A user may have more than one phone registered, so be sure to select the correct unit.
The complete command will look like this:
Remove-ActiveSyncDevice -identity contoso.com/Users/Username/ExchangeActiveSyncDevices/iPhone§Appl7R11845XXXX
- Proposed as answer by oes Thursday, September 20, 2012 5:04 PM
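The following is an added example, not code from the thread or from Microsoft. It puts the hand-over procedure discussed above (remote wipe, wait for the acknowledgement, then remove the partnership) into one Exchange Management Shell function and adds the check the thread never performs: under the ABQ model described in the linked Exchange team post, allowing a quarantined device in ECP records its DeviceId in the mailbox's per-user ActiveSyncAllowedDeviceIDs list, and Remove-ActiveSyncDevice does not touch that list, so a DeviceId still on it bypasses org-wide quarantine on the next sync. That explanation is the assumption this example tests for; verify it against your own environment, since the thread reports mixed results. The function name, parameter names and the mailbox/device ID placeholders are my own; the cmdlets are the standard Exchange 2010 SP1 (and later) ones.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on
# Exchange 2010 SP1 or later, where the ABQ list and these cmdlets exist.
# Mailbox and DeviceId values are placeholders supplied by the caller.

function Reset-EasDevicePartnership {
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,   # e.g. firstname.lastname@example.org
        [Parameter(Mandatory = $true)] [string] $DeviceId,  # the part of Identity after the "§"
        [switch] $Wipe,                                     # remote-wipe first (hand-over case)
        [int] $WipeTimeoutMinutes = 30
    )

    # 1. Locate the partnership. A user may have several devices, so match on
    #    DeviceId rather than taking the first object returned.
    $dev = Get-ActiveSyncDevice -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $dev) { throw "No ActiveSync partnership for device '$DeviceId' on mailbox '$Mailbox'." }
    Write-Host ("Found {0} (access state: {1}, reason: {2})" -f `
        $dev.Identity, $dev.DeviceAccessState, $dev.DeviceAccessStateReason)

    # 2. Optional remote wipe. Wait for the device to acknowledge it before
    #    removing anything: removing the partnership first discards the pending
    #    wipe command together with the device object.
    if ($Wipe) {
        Clear-ActiveSyncDevice -Identity $dev.Identity -Confirm:$false
        $deadline = (Get-Date).AddMinutes($WipeTimeoutMinutes)
        do {
            Start-Sleep -Seconds 30
            $stats = Get-ActiveSyncDeviceStatistics -Identity $dev.Identity
        } until ($stats.DeviceWipeAckTime -or (Get-Date) -gt $deadline)
        if (-not $stats.DeviceWipeAckTime) {
            throw "Wipe not acknowledged within $WipeTimeoutMinutes minutes; partnership left in place."
        }
        Write-Host "Wipe acknowledged at $($stats.DeviceWipeAckTime)"
    }

    # 3. Remove the partnership object under the user (the thread's
    #    Remove-ActiveSyncDevice step).
    Remove-ActiveSyncDevice -Identity $dev.Identity -Confirm:$false

    # 4. The step the thread does not perform (assumption being tested): allowing
    #    a quarantined device in ECP adds its DeviceId to the mailbox's per-user
    #    allow list, which step 3 leaves in place. Clear it so the device is
    #    evaluated against the org-wide default again on its next sync.
    $cas = Get-CASMailbox -Identity $Mailbox
    if ($cas.ActiveSyncAllowedDeviceIDs -contains $DeviceId) {
        Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Remove = $DeviceId }
        Write-Host "Removed $DeviceId from ActiveSyncAllowedDeviceIDs on $Mailbox"
    }

    # 5. Verify both records are gone and report the org-wide default. If the
    #    device still reconnects as Allowed afterwards, the default is not
    #    Quarantine or another rule is matching it.
    $left = Get-ActiveSyncDevice -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    $cas  = Get-CASMailbox -Identity $Mailbox
    New-Object PSObject -Property @{
        PartnershipRemoved = ($null -eq $left)
        AllowListCleared   = ($cas.ActiveSyncAllowedDeviceIDs -notcontains $DeviceId)
        OrgDefaultAccess   = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
    }
}

# Usage (placeholders):
# Reset-EasDevicePartnership -Mailbox "firstname.lastname@example.org" -DeviceId "<DeviceId>" -Wipe
#
# After the phone is re-enrolled and has synced once, confirm it landed in quarantine:
# Get-ActiveSyncDevice -Mailbox "firstname.lastname@example.org" |
#     Where-Object { $_.DeviceId -eq "<DeviceId>" } |
#     Format-List Identity, DeviceAccessState, DeviceAccessStateReason
```

The wipe wait uses DeviceWipeAckTime from Get-ActiveSyncDeviceStatistics, which is only set once the phone has reported the wipe back; DeviceWipeSentTime alone only means the command was queued. Step 4 is the per-device granularity the original question asks for: the same user keeps ActiveSync on other devices, while this one DeviceId is no longer pre-approved for anyone.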