
Exchange ActiveSync Script To Grandfather Existing Devices

As mentioned in the previous posts in this series, the configuration of Exchange ActiveSync is commonly overlooked by many a consultant.  By default, Exchange ActiveSync allows any user to synchronise any device.  If this is what your organisation wants, then you are good to go.  If not, then changes must be made.  The issue is that if you simply change the global ActiveSync DefaultAccessLevel to quarantine, then any device whose only permission to use ActiveSync came from that global setting will be quarantined, even if it had already successfully connected and configured itself.

  1. This post which covers background and my personal recommendations for ActiveSync global settings.

  2. What is the impact of changing these settings when devices are already synchronising with your Exchange infrastructure.

  3. What can we do to automate such issues (this post).

Please see the earlier posts in the series for more details on the default configuration, and the issues caused if the DefaultAccessLevel is changed from allow to either blocked or quarantine.

In this post we want to look at how to easily grandfather all existing devices using a script prior to changing the DefaultAccessLevel.  This allows currently synchronising devices to function after the organizational ActiveSync settings are changed.

Assumptions

The below are some assumptions made for the provided script:

  • You will take the below script and thoroughly test it in your test lab prior to executing it in production.
  • Script has received minimal testing. You acknowledge this and will thoroughly test it.
  • You do not have any other MDM solution in place.  We are only discussing native Exchange ActiveSync management.
  • This is to grandfather in *ALL* existing devices that are currently synchronising.  No exceptions.  The default time value specified is 30 days.  This can be edited as needed.
  • The intent is to run this to allow all devices currently synchronising access to Exchange after the DefaultAccessLevel has been changed.
  • Script is to be executed prior to changing the DefaultAccessLevel.
  • Script is executed from an existing Exchange Management Shell session.
  • Script is for Exchange 2010 and 2013.
  • Script is executed using an account that has the capability to make necessary changes
  • Minimal error handling is present.  You can add it if required.

Script Logic

As discussed above, if we simply change the ActiveSync DefaultAccessLevel then devices that are currently synchronising will be quarantined if there is no other rule to allow them access.  To work around this we can either create rules to match all of the existing devices, or grandfather in all current devices.  The approach to take will depend upon how your organisation wants to manage devices.  The intent with this post is to grandfather in all of the current devices.  This will not be done using access rules; rather, each device that is currently synchronising will be added as an allowed device on that specific user's mailbox.  This leaves full flexibility when creating new device rules later.

Note that the above paragraph said “currently synchronising”.  Users will have devices associated that have not synchronised in months or years, so the script has an option to ignore devices that have not synchronised for a configurable time period.
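The following is an added illustration of the logic just described; it is not the script linked from this post's GitHub repository. It assumes an Exchange Management Shell session on Exchange 2013 or later (on Exchange 2010, substitute Get-ActiveSyncDeviceStatistics for Get-MobileDeviceStatistics), the parameter names $DaysBack and $LogPath are this example's own, and the DisplayName clause that skips the CAS_{...} health mailboxes is an assumption carried over from the filter style used in the post's script. Each device that has successfully synchronised within the window is added to its owner's ActiveSyncAllowedDeviceIDs; devices that have never synced, are stale, or are already allowed are logged and skipped. Run it with -WhatIf first to see what would be changed.

```powershell
# Added example of the grandfathering logic (not the script from the post).
# Assumes an Exchange Management Shell session; Exchange 2013+ cmdlet names.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DaysBack = 30,                      # devices not synced within this window are ignored
    [string]$LogPath = ".\EAS-Grandfather.csv" # per-device log of what was added or skipped
)

$cutoff = (Get-Date).AddDays(-$DaysBack)

# The intent is to run this BEFORE DefaultAccessLevel is changed, so warn if it already was.
$orgSettings = Get-ActiveSyncOrganizationSettings
if ($orgSettings.DefaultAccessLevel -ne 'Allow') {
    Write-Warning "DefaultAccessLevel is already '$($orgSettings.DefaultAccessLevel)'; some devices may already be quarantined or blocked."
}

# Mailboxes with at least one ActiveSync partnership. The DisplayName clause
# (an assumption) skips the CAS_{...} probe mailboxes Exchange creates for itself.
$easMailboxes = Get-CASMailbox -ResultSize Unlimited -Filter {
    HasActiveSyncDevicePartnership -eq $true -and DisplayName -notlike 'CAS_{*'
}

$results = foreach ($mbx in $easMailboxes) {
    $alreadyAllowed = @($mbx.ActiveSyncAllowedDeviceIDs)
    $toAdd = @()

    foreach ($dev in (Get-MobileDeviceStatistics -Mailbox $mbx.Identity)) {
        # Decide whether this device qualifies; $reason stays $null if it does.
        $reason = $null
        if (-not $dev.LastSuccessSync) {
            $reason = 'never synced'
        } elseif ($dev.LastSuccessSync -lt $cutoff) {
            $reason = "stale (last sync $($dev.LastSuccessSync))"
        } elseif ($alreadyAllowed -contains $dev.DeviceID) {
            $reason = 'already allowed'
        }
        $action = if ($reason) { "skip: $reason" } else { 'add' }

        # Emit one log record per device; collected into $results.
        [pscustomobject]@{
            Mailbox         = $mbx.PrimarySmtpAddress
            DeviceID        = $dev.DeviceID
            DeviceType      = $dev.DeviceType
            LastSuccessSync = $dev.LastSuccessSync
            AccessState     = $dev.DeviceAccessState
            Action          = $action
        }
        if (-not $reason) { $toAdd += $dev.DeviceID }
    }

    # One Set-CASMailbox per mailbox; @{Add=...} appends without touching existing entries.
    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Add $($toAdd.Count) device ID(s) to ActiveSyncAllowedDeviceIDs")) {
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs @{Add = $toAdd}
    }
}

# Persist the per-device log and print a summary of actions taken.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Action | Select-Object Name, Count
```

Because the allowed list is stored per mailbox, a device that is later lost or retired can be removed with the matching @{Remove=...} form of -ActiveSyncAllowedDeviceIDs, and any access rules created afterwards continue to apply to devices that were not grandfathered.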

Script Download

Update 17-6-2020: Script has been moved from the TechNet scripting centre, and is now on GitHub.

Download the sample script from GitHub.

Download ActiveSync Script To Allow All Currently Synchronising Devices

Please leave comments and feedback as a comment to this blog post or on GitHub.

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

5 Comments

  1. Is there anyone that's successfully tested the script on Exchange 2016? We need to enable quarantine and don't want to manually grandfather in existing devices...

    • Hi Mark,

      I have had colleagues use this on Exchange 2016 and also EXO with no issues.

      Cheers,
      Rhoderick

  2. Hi Rhoderick, I have read other articles you have written on this that helped me understand the "DeviceAccessStateReason : Global" vs "DeviceAccessStateReason : Individual" differences, which helped me make this change previously to an on-premise Exchange server. However, running this script only finds 75 mailboxes with ActiveSync mobile devices, when in fact there are hundreds of mailboxes in our environment with ActiveSync devices. I had to use a different script from Paul Cunningham to find all the mobile devices then iterate through each device using the Set-CASMailbox -Identity $SMTPAddress -activesyncalloweddeviceid @{Add=$Did} to change the DeviceAccessStateReason. The line "$EASMailboxes = Get-CASMailbox -Filter {hasactivesyncdevicepartnership -eq $true -and -not displayname -like "CAS_{*"} -ResultSize Unlimited;" seems to be the reason it's only finding a much smaller number of ActiveSync devices but my brain just cannot figure why. Thanks for all your articles, I have learned a lot from your blogs.
