As mentioned in the previous posts in this series, the configuration of Exchange ActiveSync is something that is commonly overlooked by many a consultant. By default, Exchange ActiveSync allows any user to synchronise any device. If this is what your organisation wants, then you are good to go. If not, then changes must be made. The issue is that if you simply change the global ActiveSync DefaultAccessLevel to quarantine, and that global setting was the only rule allowing a device to access ActiveSync, then the device will be quarantined even if it had already successfully connected and configured itself.
What can we do to automate such issues (this post)
Please see the earlier posts in the series for more details on the default configuration, and the issues caused if the DefaultAccessLevel is changed from allow to either blocked or quarantine.
In this post we want to look at how to easily grandfather all existing devices using a script prior to changing the DefaultAccessLevel. This allows currently synchronising devices to function after the organizational ActiveSync settings are changed.
The below are some assumptions made for the provided script:
- You will take the below script and thoroughly test it in your test lab prior to executing it in production.
- The script has received minimal testing. You acknowledge this and will thoroughly test it.
- You do not have any other MDM solution in place. We are only discussing native Exchange ActiveSync management.
- This is to grandfather in *ALL* existing devices that are currently synchronising. No exceptions. The default time value specified is 30 days. This can be edited as needed.
- The intent is to run this to allow all devices currently synchronising access to Exchange after the DefaultAccessLevel has been changed.
- The script is to be executed prior to changing the DefaultAccessLevel.
- The script is executed from an existing Exchange Management Shell session.
- The script is for Exchange 2010 and 2013.
- The script is executed using an account that has the permissions to make the necessary changes.
- Minimal error handling is present. You can add it if required.
As discussed above, if we simply change the ActiveSync DefaultAccessLevel, then devices that are currently synchronising will be quarantined if there is no other rule to allow them access. To work around this we can either create rules to match all of the existing devices, or grandfather in all current devices. The approach to take will depend upon how your organisation wants to manage devices. The intent with this post is to grandfather in all of the current devices. This will not be done using access rules; rather, each device that is currently synchronising will be added as an allowed device for that specific user. This allows for flexibility when creating new device rules.
Note that the above paragraph said "currently synchronising". Users will have devices associated with their mailbox that have not synchronised in months or years, so the script has an option to ignore devices that have not synchronised for a configurable time period.
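The following is an added illustration of that approach, not the author's GitHub script: for every mailbox with an ActiveSync partnership it collects the device IDs that have had a successful sync within the window (30 days by default, matching the post) and adds them to the mailbox's ActiveSyncAllowedDeviceIDs list. It assumes an Exchange Management Shell session with rights to run Set-CASMailbox; the parameter names and the ReportOnly switch are my own choices.

```powershell
# Added example (not the blog's script): grandfather currently synchronising devices
# per user before DefaultAccessLevel is changed. Run from Exchange Management Shell.
param(
    [int]$DaysSinceLastSync = 30,   # devices with no successful sync in this window are skipped
    [switch]$ReportOnly             # list what would be allowed, change nothing
)

$cutoff = (Get-Date).AddDays(-$DaysSinceLastSync)

# Exchange 2013 renamed Get-ActiveSyncDeviceStatistics to Get-MobileDeviceStatistics;
# use whichever cmdlet this session exposes.
$statsCmd = if (Get-Command Get-MobileDeviceStatistics -ErrorAction SilentlyContinue) {
    'Get-MobileDeviceStatistics'
} else {
    'Get-ActiveSyncDeviceStatistics'
}

# Only mailboxes that have ever had an ActiveSync partnership are worth inspecting.
$mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true }

foreach ($mbx in $mailboxes) {
    $devices = & $statsCmd -Mailbox $mbx.Identity -ErrorAction SilentlyContinue

    # Keep devices with a successful sync inside the window; stale partnerships are ignored.
    $recent = @($devices | Where-Object { $_.LastSuccessSync -and $_.LastSuccessSync -ge $cutoff })
    if ($recent.Count -eq 0) { continue }

    $ids = @($recent | ForEach-Object { $_.DeviceID } | Select-Object -Unique)

    # Skip IDs already on the allow list so the script is safe to re-run.
    $new = @($ids | Where-Object { $mbx.ActiveSyncAllowedDeviceIDs -notcontains $_ })
    if ($new.Count -eq 0) { continue }

    Write-Host ("{0}: allowing {1} device(s): {2}" -f $mbx.Identity, $new.Count, ($new -join ', '))

    if (-not $ReportOnly) {
        # @{Add=...} appends to the multi-valued property without overwriting existing entries.
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs @{Add = $new}
    }
}
```

Run it once with -ReportOnly to review the list of device IDs per user before letting it write, and only then change the DefaultAccessLevel.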
Update 17-6-2020: Script has been moved from the TechNet scripting centre, and is now on GitHub.
Please leave comments and feedback as a comment to this blog post or on GitHub.