0

Thought maybe I could turn here for some help! Does anyone know of a Powershell script I could run on our Exchange server to do the following:

  1. We would initially want to clear all or current mobile devices from all the users
  2. Then re-add their specific mobile device ID that we received from them to the ALLOW list

Is there some sort of .csv and script I can create to make this process fast? We found the following scripts to remove all from ALLOW and to add to ALLOW

Clear all Allow Set-CASMailbox -Identity username -ActiveSyncAllowedDeviceIDs $null

Add to Allow Set-CASMailbox -Identity username -ActiveSyncAllowedDeviceIDs @{add='DeviceId'}

And maybe after running this script if there's also a bulk .csv quick way to show the results were made to the accounts? Using this command? Get-CASMailbox -Identity username | fl activesync*

t0ky0banana
  • 9
  • 1

1 Answers1

1

So to be thorough, If you are going to do that, there are multiple places to clear out the Mobile Devices. Partnerships get established in Active Directory.

Get-MobileDevice -Mailbox UserID | ft FriendlyName,DeviceAccessState,DeviceAccessStateReason,DeviceId

You can Pipe that to FL for much more detail but this is a good start. Note the Device State and DeviceStateReason:

  • Blocked - Individual = the device ID has been placed on the user's ActiveSyncBlockedDeviceIDs (either by PowerShell or MDM using PowerShell)
  • Allowed - Individual = the device ID has been placed on the user's ActiveSyncAllowedDeviceIDs

There are other combinations but these two are pretty common.

You should also review your global configuration.

Get-ActiveSyncOrganizationSettings

Some settings that have a bearing on this conversation are DefaultAccessLevel and DeviceFiltering.

Now, if you are going to clear the ActiveSyncAllowedDeviceIDs, it may also be useful to clear the ActiveSyncBlockedDeviceIDs. If you have device IDs in both attributes after you do the import, it will cause a conflict and could generate calls.

To clear all device IDs in your environment – and this means all – you do not need to specify the mailbox:

get-casmailbox | set-casmailbox -ActiveSyncAllowedDeviceIDs $null -ActiveSyncBlockedDeviceIDs $null

However, you may have requirements to keep some IDs on the individuals block list like stolen phone or something like that. Your call.

The next part of your question requires a source file.

Get your list of users and put their PrimarySMTPAddress and Device ID in the file. I did not test this but I assume that, if a user has multiple Devices, you need a separate line for each pairing in this logic. There may be other ways to do it.

  • File Name = Users.CSV
  • Header line = Email,Device
  • Data Format = user@domain.com,deviceID

Save that to a known location (say, C:\temp\Users.CSV) and import that into a variable in your script.

$users = Import-Csv -Path .\Users.csv

Validate the date in the variable (I do this to avoid Syntax errors all the time); you want to do 3 quick checks: one for all objects, one for just the email address and one for just the device.

$users
$users.email
$users.Device

Next, we cycle through the list to add Device IDs to the AllowedDeviceIDs attribute.

Foreach ($User in $Users) {Set-CASMailbox -Identity $User.Email -activeSyncAllowedDeviceIDs @{add=$user.Device}}

One final word of advice, test this with a small sample of pilot users first.

Adrian Mole
  • 49,934
  • 160
  • 51
  • 83
Jamie Tsottles
  • 11
  • 1