It is a common security practice to disable user accounts before a former employee's device is wiped. But an Exchange ActiveSync remote wipe command is delivered only when the target device can still connect and authenticate to Exchange: if the account is disabled (or its password changed) first, the device's requests fail with HTTP 401 and the queued wipe is never picked up. The log excerpts below show the difference.
Remote wipe command queued.
ActiveSync device attempts to connect to the Exchange server while the AD account is disabled or the password is invalid. The attempt fails with HTTP Error 401: Unauthorized, so the queued wipe is not delivered:
10:10:54 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=…&cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 – 401 1 1326 437
ActiveSync device successfully connects to the Exchange server (account enabled, valid credentials):
10:42:17 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 – 200 0 0 15
ActiveSync device successfully retrieves the policy update (first Provision request):
10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=…&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 – 200 0 0 93
ActiveSync device confirms the device wipe has started (second Provision request, the acknowledgement):
10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=..&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 – 200 0 0 62
Device wiped successfully.
Only now, after the wipe has been acknowledged, disable the user account in Active Directory.
(example logs truncated for readability.)
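To make the check above repeatable, here is an added example (not from the original post) that parses IIS log lines of the same shape and reports whether the device only got 401s or completed the two Provision requests. The W3C field order, the IPs, user name and IDs in the sample are constructed to mirror the lines above, not taken from a real server.

```python
"""Triage Exchange ActiveSync IIS log lines: did the device authenticate and complete the
Provision exchange (wipe acknowledged), or only receive HTTP 401s because the account was disabled too early?"""
from urllib.parse import parse_qs

# W3C field order of the log lines on this page (assumed for the constructed sample below).
FIELDS = ("time", "s_ip", "method", "uri_stem", "uri_query", "port", "user",
          "c_ip", "user_agent", "referer", "status", "substatus", "win32", "time_taken")

# Constructed sample in the same shape as the page's lines (IPs, user, DeviceId and request IDs are made up).
SAMPLE_LOG = """\
10:10:54 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=C1;&cafeReqId=R1; 443 Contoso\\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 401 1 1326 437
10:42:17 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=C2;&cafeReqId=R2; 443 Contoso\\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 15
10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=ABC123&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=C3;&cafeReqId=R3; 443 Contoso\\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 93
10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=ABC123&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=C4;&cafeReqId=R4; 443 Contoso\\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 62
"""
BLOCKED_LOG = SAMPLE_LOG.splitlines()[0] + "\n"   # only the failed attempt: account already disabled

def parse_line(line):
    """Split one W3C log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    rec["query"] = {k: v[0] for k, v in parse_qs(rec["uri_query"]).items()}
    return rec

def wipe_delivery(log_text, user):
    """Classify one user's device traffic and decide whether the wipe was acknowledged."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"].split("\\")[-1].lower() != user.lower():
            continue
        if rec["status"] == 401:
            kind = "auth_failed"        # disabled account or bad password: wipe cannot be delivered
        elif rec["status"] == 200 and rec["query"].get("Cmd") == "Provision":
            kind = "provision_ok"       # 1st: device pulls the policy; 2nd: device acknowledges the wipe
        elif rec["status"] == 200:
            kind = "authenticated"
        else:
            kind = "other"
        events.append((rec["time"], kind))
    provisions = sum(1 for _, kind in events if kind == "provision_ok")
    return {
        "events": events,
        "wipe_acknowledged": provisions >= 2,   # second Provision = wipe confirmed; only now disable the AD account
        "last_event": events[-1][1] if events else None,
    }
```

Run it against the real IIS log for the mailbox's device before disabling the account; a result whose last event is `auth_failed` with no acknowledgement means the account was locked out before the wipe could be delivered.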