Disabled user account prevents ActiveSync remote wipe from succeeding

It is common security practice to disable a user account before a former employee's device is wiped. But an Exchange ActiveSync remote wipe command is only received by the device when it can still connect to and authenticate with Exchange, so a wipe issued against a disabled account stays pending.

Remote wipe command queued. Wipe pending.

The ActiveSync device attempts to connect to the Exchange server while the AD account is disabled or the password is invalid. The attempt fails with HTTP error 401 (Unauthorized):

10:10:54 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=…&cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 – 401 1 1326 437

The ActiveSync device successfully connects to the Exchange server once it can authenticate again:

10:42:17 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 – 200 0 0 15

The ActiveSync device successfully retrieves the policy update (Cmd=Provision):

10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=…&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 – 200 0 0 93

The ActiveSync device confirms that the wipe has started (second Provision exchange):

10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=..&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 – 200 0 0 62

Device wiped successfully. Wipe successful.

Now you can disable the user account in Active Directory.

(Example logs truncated for readability.)
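As an added example (not part of the original post), the following Python script reads IIS W3C log lines in the field order used by the excerpts above and reports, per user, whether an ActiveSync device is still able to authenticate and whether it has completed the Provision exchange that delivers the policy (and with it a pending wipe). The log lines, device id, client ids and timestamps are constructed for the example; the Win32 codes 1326 (logon failure, as in the 401 excerpt above) and 1331 (account disabled) are standard Windows error codes.

```python
"""Classify Exchange ActiveSync requests from IIS W3C logs to tell whether a
queued remote wipe can actually reach a device (added example, not from the post)."""
from collections import defaultdict
from urllib.parse import parse_qs

EAS_PATH = "/Microsoft-Server-ActiveSync"

# Win32 error codes IIS records in sc-win32-status on 401.1 responses.
WIN32_REASON = {
    1326: "logon failure: bad user name or password",
    1331: "account disabled",
}

# Constructed sample lines (not real captures) in the field order of the post's
# excerpts: time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken.
LOG_ACCOUNT_DISABLED = r"""
10:10:54 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=C1 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 401 1 1326 437
10:11:24 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=C2 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 401 1 1326 410
"""

LOG_ACCOUNT_ENABLED = r"""
10:10:54 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=C1 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 401 1 1326 437
10:42:17 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=C3 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 15
10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=DEV1&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=C4 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 93
10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=DEV1&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=C5 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 62
"""


def parse_w3c_line(line):
    """Parse one W3C line; returns None for comment or short lines. The query
    field is rejoined from fragments, since excerpts often wrap it across spaces."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 14:
        return None
    time, _s_ip, method, path = parts[:4]
    _port, user, c_ip, ua, _ref, status, substatus, win32, taken = parts[-9:]
    return {
        "time": time, "method": method, "path": path,
        "query": "".join(parts[4:-9]),
        "user": user, "client_ip": c_ip, "user_agent": ua,
        "status": int(status), "substatus": int(substatus), "win32": int(win32),
        "time_taken_ms": int(taken),
    }


def eas_fields(rec):
    """Return (Cmd, DeviceId) from the ActiveSync query string, if present."""
    qs = parse_qs(rec["query"].lstrip("&"), keep_blank_values=True)
    return qs.get("Cmd", [None])[0], qs.get("DeviceId", [None])[0]


def assess_wipe_delivery(log_text):
    """Per user: can the device still authenticate (and so receive a queued wipe),
    and has it completed the Provision exchange that carries the policy/wipe?"""
    users = defaultdict(lambda: {"auth_failures": 0, "last_win32": None,
                                 "last_status": None, "provision_ok": False,
                                 "device_ids": set()})
    for raw in log_text.splitlines():
        rec = parse_w3c_line(raw)
        if rec is None or not rec["path"].startswith(EAS_PATH):
            continue
        u = users[rec["user"]]
        cmd, device_id = eas_fields(rec)
        if device_id:
            u["device_ids"].add(device_id)
        u["last_status"] = rec["status"]
        if rec["status"] == 401:
            u["auth_failures"] += 1
            u["last_win32"] = rec["win32"]
        elif rec["status"] == 200 and cmd == "Provision":
            u["provision_ok"] = True
    for u in users.values():
        if u["provision_ok"]:
            u["state"] = "delivered"   # device authenticated and completed Provision
        elif u["last_status"] == 401:
            u["state"] = "blocked"     # wipe stays pending until the device can log on
        else:
            u["state"] = "waiting"     # authenticated, but no Provision exchange yet
        u["reason"] = (WIN32_REASON.get(u["last_win32"], "unknown")
                       if u["state"] == "blocked" else None)
    return dict(users)


if __name__ == "__main__":
    for label, log in (("account disabled", LOG_ACCOUNT_DISABLED),
                       ("account enabled", LOG_ACCOUNT_ENABLED)):
        for user, info in assess_wipe_delivery(log).items():
            print(f"[{label}] {user}: {info['state']}"
                  f" (401s={info['auth_failures']}, reason={info['reason']},"
                  f" devices={sorted(info['device_ids'])})")
```

Point it at the IIS logs of the server that fronts ActiveSync (the `#Fields:` header lines are skipped); a user whose state stays `blocked` after a wipe was queued is one whose account was disabled or whose password changed before the device checked in, which is exactly the situation the post describes.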
