Exch2010 - Remove ActiveSyncAllowedDeviceIDs for devices with no activesyncdevice

Question

I have users with multiple ActiveSyncAllowedDeviceIDs, who only have 1 ActiveSyncDevice partnership. Note the android-deviceid is a real phone and testdevicepleaseignore is a device that was removed in the past with the device partnership.

[PS] C:\Windows\system32>Get-ActiveSyncDevice -Mailbox username

UserDisplayName         : org.local/Sites/IT Department/Users/Firstname Lastname
DeviceAccessState       : Allowed
DeviceAccessStateReason : Individual
Name                    : Android§android-deviceid
DistinguishedName       : CN=Android§android-deviceid,CN=ExchangeActiveSyncDevices,CN=Firstname Lastname,OU=Users,OU=IT Department,OU=Sites,DC=org,DC=local
Identity                : org.local/Sites/IT Department/Users/Firstname Lastname/ExchangeActiveSyncDevices/Android§android-deviceid
ObjectCategory          : org.local/Configuration/Schema/ms-Exch-Active-Sync-Device
ObjectClass             : {top, msExchActiveSyncDevice}


[PS] C:\Windows\system32>Get-CASMailbox username | fl


EmailAddresses                     : {SIP:username@orgname.tld, smtp:username@org.local, SMTP:username@orgname.tld}
PrimarySmtpAddress                 : username@orgname.tld
SamAccountName                     : username
DisplayName                        : Firstname Lastname
ActiveSyncAllowedDeviceIDs         : {testdevicepleaseignore, android-deviceid}
ActiveSyncBlockedDeviceIDs         : {}
ActiveSyncMailboxPolicy            : Default
DistinguishedName                  : CN=Firstname Lastname,OU=Users,OU=IT Department,OU=Sites,DC=org,DC=local
Identity                           : org.local/Sites/IT Department/Users/Firstname Lastname
ObjectCategory                     : org.local/Configuration/Schema/Person
ObjectClass                        : {top, person, organizationalPerson, user}

The problem is that if I remove a pairing for a device (or wipe a device for that matter) in the console, it doesn't remove it from the ActiveSyncAllowedDeviceIDs and a user can re-add that device without it ever going into quarantine.

Just wrote a quick and dirty powershell to do this. Could use some suggestions on how to speed this up:

This is a quck and dirty way that I just came up with. It takes forever (because it iterates over every device), but it does the job.

$casmbxs = Get-CASMailbox -ResultSize unlimited
foreach ($casmbx in $casmbxs){
    foreach ($asdevid in $casmbx.ActiveSyncAllowedDeviceIDs){
        $asdev = get-activesyncdevice | where {$_.DeviceID -eq $asdevid}
        if (!$asdev) {
            write-host "Removing " $asdevid " from " $casmbx.Identity
            Set-CASMailbox -Identity $casmbx.Identity -ActiveSyncAllowedDeviceIDs @{REMOVE=$asdevid}
        }
    }
}

Are you asking why this is? You can set a $null on the allowedDeviceIDs to reset this parameter and allow them to be quarantined again if that's what you are asking. Why it doesn't remove them from the list when you wipe it, I don't know. — TheCleaner, May 30 '13 at 17:21
I'm trying to find a way to delete all ActiveSyncAllowedDeviceIDs that don't have a device partnership. — Tradiuz, May 30 '13 at 18:56
hmmm...so the $null won't work as that would force them all back into quarantine. In your example, you want testdevicepleaseignore removed from this user's AllowedDeviceIDs, so that it can't be auto-added later without going through quarantine again, correct? If that's right, I can work on a Powershell script to do this if you want. You want this for just this user or to cycle through all users? — TheCleaner, May 30 '13 at 20:28
I've updated the question with a powershell script that I came up with. It seems to work, but it's slow (since it has to search all the devices, every time). — Tradiuz, May 30 '13 at 21:04
Yeah, you could run it only on the mailbox you removed the pairing (or wipe), or you could potentially write a PS script that asked which mailbox and device to remove/wipe and then proceed to remove the deviceID from just that mailbox. Have you checked with MS on whether a wipe is supposed to remove the Allowed Device ID or not? — TheCleaner, May 30 '13 at 21:13

score 1 · Accepted Answer · edited Jun 03 '13 at 20:25

Suggestion on how to speed up your PS:

$casmbxs = Get-CASMailbox -ResultSize unlimited
foreach ($casmbx in $casmbxs){
    $username = [String]$casmbx.SamAccountName
    foreach ($asdevid in $casmbx.ActiveSyncAllowedDeviceIDs){
        $asdev = get-activesyncdevice -Mailbox $username | where {$_.DeviceID -eq $asdevid}
        if (!$asdev) {
            write-host "Removing " $asdevid " from " $casmbx.Identity
            Set-CASMailbox -Identity $casmbx.Identity -ActiveSyncAllowedDeviceIDs @{REMOVE=$asdevid}
        }
    }  
}

No need to iterate over ALL ActiveSync Devices, only the ones pertaining to the user mailbox you're currently processing.

Brilliant. Sometimes you just need a second set of eyes. – Tradiuz Jun 03 '13 at 19:49 — Tradiuz, Jun 03 '13 at 19:49

Exch2010 - Remove ActiveSyncAllowedDeviceIDs for devices with no activesyncdevice

1 Answers1