
ActiveSync Power Administrator

The latest trend in IT is bring your own device (BYOD), where employees either choose which device(s) the company provides, or are allowed to use their personal devices to connect to the corporate network and work from. The company I work for is anti-BYOD. We standardized on iPhones, which are purchased by the company and assigned to employees. I was tasked with ensuring only those company-assigned iPhones could sync with Exchange. This is fairly easy to do in Exchange 2007/2010 as there is a CASMailbox property called “ActiveSyncAllowedDeviceIDs”. This property is null by default, and when the value is null any device can form a partnership with that account. All the user needs to do is run the setup wizard on the phone and enter their credentials, and the phone starts syncing with Exchange. You can limit which devices are allowed to sync with a mailbox by setting a list of device serial numbers in the ActiveSyncAllowedDeviceIDs property. When the property is not null, only the devices listed can form a partnership with that mailbox.
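The following is an added example, not the script from this post: it manages the ActiveSyncAllowedDeviceIDs list on a mailbox with a read-modify-write so existing entries are not overwritten, and warns when the list becomes empty again (which re-opens the mailbox to any device). It assumes the Exchange 2007/2010 management shell is loaded; the mailbox address and device ID are placeholder values.

```powershell
# Added example (not from the original post). Assumes Get-CASMailbox / Set-CASMailbox
# from the Exchange 2007/2010 management shell; 'user@example.com' and the device
# ID below are placeholders.

function Get-AllowedDeviceIds {
    param([Parameter(Mandatory=$true)][string]$Mailbox)
    # An empty result means ANY device may form a partnership with this mailbox.
    $cas = Get-CASMailbox -Identity $Mailbox
    return @($cas.ActiveSyncAllowedDeviceIDs)
}

function Add-AllowedDeviceId {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string]$DeviceId
    )
    $current = Get-AllowedDeviceIds -Mailbox $Mailbox
    if ($current -contains $DeviceId) {
        Write-Host "$DeviceId is already allowed for $Mailbox"
        return
    }
    # Pass the full list back; setting only the new ID would drop the existing ones.
    $new = $current + $DeviceId
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $new
}

function Remove-AllowedDeviceId {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string]$DeviceId
    )
    $remaining = @(Get-AllowedDeviceIds -Mailbox $Mailbox | Where-Object { $_ -ne $DeviceId })
    if ($remaining.Count -eq 0) {
        # Removing the last entry returns the mailbox to "any device can connect".
        Write-Warning "Allowed list for $Mailbox is now empty: all devices will be permitted."
        Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $null
    } else {
        Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $remaining
    }
}

# Usage with placeholder values:
Add-AllowedDeviceId -Mailbox 'user@example.com' -DeviceId 'Appl1234567890AB'
Get-AllowedDeviceIds -Mailbox 'user@example.com'
```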

Microsoft has assumed that setting the value of ActiveSyncAllowedDeviceIDs isn’t something the majority of organizations would want to do, so they have left it out of the Exchange Management Console (EMC). If you want to set this value, you need to do it through PowerShell. I wanted my help desk staff to be able to modify this property but I didn’t want them to have to use PowerShell, so I decided to create a Windows Forms GUI for this function. I decided that if I was going to create a GUI for this function, I might as well create a full-blown ActiveSync administrator to take care of all admin tasks in one GUI. I also decided to add some reporting functionality to the GUI.

Overview

The script uses a Windows form to look up and set ActiveSync properties on an Exchange 2007/2010 mailbox. The first tab of the form is the user administrator. After an email address is entered, the form will retrieve the current ActiveSync settings on the mailbox. The administrator can then modify those settings. The second tab is a reporting function. There are four reports defined. I can add more on request if you have a specific report in mind. The results of the report are displayed on the form and can also be exported to a csv file.

Prerequisites

To run this script, you need to have the Exchange 2007 or Exchange 2010 management tools installed. You also need the free Quest cmdlets for Active Directory, which can be found here.

User Admin Tab

Email Address

Enter the primary email address of the mailbox you want to manage. As you type, the script will do a lookup in AD and present suggestions. Once you have entered the email address, click the Lookup button.

ActiveSync Status

This tells you whether ActiveSync is enabled for this mailbox. You can enable/disable ActiveSync with the corresponding buttons.

ActiveSync Policy

This shows which ActiveSync policy is currently assigned to the mailbox. If you have defined ActiveSync policies, you can select which policy to apply from the drop-down. If you have not defined any policies, the “Default” policy will be assigned.

Allowed Devices

The Allowed Devices list shows any device serial numbers that have been allowed for this mailbox. If the list is empty, all devices are allowed to connect. You can remove devices by clicking the checkbox next to the device serial number and clicking the “Remove Selected” button.

Serial Number

You can add serial numbers to the Allowed Devices list by entering the serial number and clicking “Add”.

Sync History

This shows the device partnerships for devices that have synced with this mailbox, as well as the last time each device synced.

Identity

You can issue a wipe command to a device, cancel a pending wipe, or remove the device partnership by selecting the device identity and clicking the corresponding button.

Reporting Tab

From the reporting tab, you can run various predefined reports on your ActiveSync users. There are currently four reports defined but I can add additional reports on request. The current reports are:

Users with ActiveSync enabled
Users with ActiveSync enabled and a null list of allowed devices
Users with ActiveSync disabled
Devices that haven’t synced in 30 days

Once the report has finished running, it will be displayed on the Reporting tab. You will then be presented with a button which allows you to take action on all the users returned in the report. For example, after you run the “Users with ActiveSync disabled” report you will be able to enable ActiveSync on all the users returned. You can also export the report to a csv file by clicking the “Export to File” button.
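As an added example (not the post’s script), here are two of the reports listed above built directly from the Exchange cmdlets: mailboxes with ActiveSync enabled but a null allowed-device list, and devices that have not synced in 30 days. It assumes the Exchange 2007/2010 management shell; the output paths are placeholders.

```powershell
# Added example (not from the original post). Assumes Get-CASMailbox and
# Get-ActiveSyncDeviceStatistics from the Exchange 2007/2010 management shell;
# the C:\Reports paths are placeholders.

function Get-UnrestrictedActiveSyncUsers {
    # ActiveSync is on but no allowed-device list is set, so any device the
    # user authenticates from can form a partnership.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncAllowedDeviceIDs } |
        Select-Object Name, PrimarySmtpAddress, ActiveSyncMailboxPolicy
}

function Get-StaleActiveSyncDevices {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.HasActiveSyncDevicePartnership } |
        ForEach-Object {
            $mbx = $_
            Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity |
                # A partnership that never completed a sync is treated as stale too.
                Where-Object { ($_.LastSuccessSync -eq $null) -or ($_.LastSuccessSync -lt $cutoff) } |
                Select-Object @{n='Mailbox'; e={ $mbx.PrimarySmtpAddress }},
                              DeviceType, DeviceID, LastSuccessSync, Identity
        }
}

# Run both reports and export them, as the GUI's "Export to File" button does.
Get-UnrestrictedActiveSyncUsers | Export-Csv -NoTypeInformation -Path 'C:\Reports\unrestricted.csv'
Get-StaleActiveSyncDevices -Days 30 | Export-Csv -NoTypeInformation -Path 'C:\Reports\stale_devices.csv'
```

The Identity column from the second report is the value you would pass to Remove-ActiveSyncDevice (or the post’s “Remove Partnership” button) to clean up old partnerships.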

To run this script, download it from the link below and save it to your hard drive. Change the extension from txt to ps1. Open a PowerShell window and navigate to the directory where you saved the script. Type .\ActiveSyncAdmin.ps1 and hit enter.

DOWNLOAD SCRIPT (Change extension from doc to ps1)

  1. Eva
    October 6, 2012 at 1:03 am

    This is fantastic!

  2. Eva
    October 6, 2012 at 1:06 am

    I’m trying to write a script which has to be used with Quest ActiveRoles system and I need to do this in powershell. I can’t figure out how to get one working that will run where it gets a list of devices assigned/allowed for the user and then does a block and then a delete.
    I am thinking of doing the block as part of this disabling process and then deleting nightly as part of a separate process for all users in the disabled ou so there are no replication issues.
    Any suggestions?

  3. October 6, 2012 at 1:38 pm

    When you say block, do you mean remove the ID from the allowed list? In Exchange, you don’t actually block devices, you allow devices and anything that isn’t on the allowed list is blocked. If the allowed list is empty, all devices are allowed. When you say delete, do you mean remove the partnership? That isn’t strictly necessary if you remove the device from the allowed list and you don’t have a null allowed list. I like to remove old partnerships for reporting purposes but it isn’t necessary to prevent the device from connecting.

  4. TL Man
    November 10, 2012 at 12:59 am

    Jamie, this is great however sync history and Identity drop down is not populating, any ideas?

    • November 12, 2012 at 2:57 pm

      Hello,

      If you are using 64bit Windows, try running the script in 32bit powershell, which can be found here – C:\Windows\SysWOW64\WindowsPowerShell\v1.0

      Jamie

  5. January 11, 2013 at 5:35 pm

    I found this today but the download link doesn’t work anymore. This looks very interesting.

    • January 11, 2013 at 11:12 pm

      Thanks Mike. I’ve updated the link and it should work now.

      Jamie

      • January 14, 2013 at 4:28 pm

        Jamie thanks I was able to download it. Have you tested this against Exchange 2010? I can’t seem to get it to work with 2010. I do not have an Exchange 2007 environment to test against.

        One thing I noticed right away is that you are adding the Microsoft.Exchange.Management.PowerShell.Admin snap-in which isn’t supported in 2010. It has been replaced with Microsoft.Exchange.Management.Powershell.Support and Microsoft.Exchange.Management.PowerShell.E2010. I tried adding each of those to the script (individually and together) but it would not run. Similar to what TL Man was seeing, I could look up a user but sync history and the Identity fields were never populated.

      • January 26, 2013 at 11:11 pm

        Hi Mike,

        At the moment, this only works with Exchange 2007. I will be updating it for Exchange 2010 soon.

        Jamie

  6. Eva
    January 31, 2013 at 2:19 am

    Hi,
    This looks great, but I also run Exchange 2010 with Sp1 and it doesn’t work.
    One note though, I’m not sure of the alloweddevice ids being null means that “any” device can connect? If your default policy does a quarantine for every device then that would stop any device that wasn’t allowed specifically. I have been reading up on this and it seems like the best solution is what is recommended here: http://blogs.technet.com/b/messaging_with_communications/archive/2012/06/26/activesync-disabled-accounts-and-devices-continuing-to-sync.aspx

    So I wonder if the alloweddevices isn’t as important as setting blocked devices when disabling accounts.

    • January 31, 2013 at 3:21 am

      Hello Eva,

      Yes, if the alloweddeviceIds field is null, any device can form a partnership under the default settings. In Exchange 2010 SP1, Allow/Block/Quarantine lists were introduced. If you choose to, you can now have Exchange 2010 SP1 or above quarantine any new device that attempts to connect. This new function allows an administrator to authorize the device to connect, which essentially does the same thing as using the alloweddeviceid field to control access.

      The method you use to control access depends on your organization’s policies. For example, if you have an environment where all devices are company provided, you may want to use the alloweddeviceid field instead of quarantine as all the device IDs are known and can be set up before the device is deployed. In this situation, using the quarantine could create a lot of noise as people will attempt to sync their personal devices and generate quarantine notices to admins. If you work in a BYOD environment, it may be easier to use the quarantine function.

      With respect to disabling accounts, the methods listed in the article you linked are good options but I recommend you follow the guidance in my article when disabling accounts – https://jamiemckillop.wordpress.com/2012/10/06/properly-terminating-user-access/

      Following my recommendation of setting the logon hours to never will not only terminate any ActiveSync connections, but will also terminate any live sessions from any other sources, such as Outlook Anywhere and OWA.

      Jamie

  7. Dennis
    February 28, 2013 at 3:03 pm

    I do not see the link to download this app. can you post it?

  8. Pravarun
    April 30, 2013 at 5:49 am

    Looks very interesting and would be a great help. However the download link doesn’t work anymore.

    • April 30, 2013 at 1:02 pm

      Thanks for pointing that out. I’ve fixed the link.

      Jamie

  9. Pravesh
    May 31, 2013 at 6:22 am

    The link no longer works. Can you post an updated link?

  10. Manish
    November 10, 2013 at 11:57 am

    Hi,

    We used to allow only a single ActiveSync configuration per device for Exchange 2007 SP3 mailboxes by using the Set-CASMailbox field “ActiveSyncAllowedDeviceIDs”. But in Exchange 2013 somehow it is not working. Even when an Exchange 2013 user account is bound to one device ID, he is able to configure multiple handsets.
    We have not created any Access or block rule yet and ActiveSyncOrganizationSettings is Allow.

    Let me know how we can achieve a single device configuration per mailbox in Exchange 2013.

    Thanks in advance,
    Manish

    • November 11, 2013 at 7:39 pm

      Hello,

      In Exchange 2010 and 2013, you need to set your ActiveSyncOrganizationSettings to Quarantine in order for the ActiveSyncAllowedDeviceIDs property to be enforced.

      Jamie

      • Manya
        November 14, 2013 at 5:41 pm

        Hi Jamie,

        Thanks for the response. We tried the same in our test lab and it’s working.

        Regards, Manish R. Patel
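The point raised in this thread, that on Exchange 2010/2013 the per-mailbox allowed list only takes effect when the organization default access level is Quarantine, is easy to miss in an audit. The following is an added example (not from the post or the comments): it lists every mailbox that has an allowed-device list and flags whether the org-wide setting means it is actually enforced, and shows the org-level change the reply recommends. It assumes the Exchange 2010 SP1+ management shell; the admin address is a placeholder.

```powershell
# Added example (not from the original post or comments). Assumes
# Get/Set-ActiveSyncOrganizationSettings and Get-CASMailbox from the
# Exchange 2010 SP1 or later management shell; 'admin@example.com' is a placeholder.

function Test-AllowedDeviceEnforcement {
    $org = Get-ActiveSyncOrganizationSettings
    $level = $org.DefaultAccessLevel
    # Mailboxes that rely on the per-mailbox allowed list.
    $restricted = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled -and $_.ActiveSyncAllowedDeviceIDs }
    foreach ($m in $restricted) {
        New-Object PSObject -Property @{
            Mailbox        = $m.PrimarySmtpAddress
            AllowedDevices = ($m.ActiveSyncAllowedDeviceIDs -join ';')
            OrgDefault     = $level
            # Per the reply above: with the org default left at Allow, an unknown
            # device is admitted regardless of the list; Quarantine makes it effective.
            Enforced       = ($level -eq 'Quarantine')
        }
    }
}

function Enable-QuarantineDefault {
    param([Parameter(Mandatory=$true)][string[]]$AdminMailRecipients)
    # Devices not on a mailbox's allowed list are held in quarantine and the
    # listed admins are notified, instead of the device syncing straight away.
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
        -AdminMailRecipients $AdminMailRecipients
}

# Show the mailboxes whose allowed list is currently NOT being enforced.
Test-AllowedDeviceEnforcement | Where-Object { -not $_.Enforced } |
    Format-Table Mailbox, AllowedDevices, OrgDefault -AutoSize

# Then, if that is the organization's decision, switch the default (placeholder address):
# Enable-QuarantineDefault -AdminMailRecipients 'admin@example.com'
```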

  11. March 13, 2014 at 10:06 pm

    Any way to assign policies to the device instead of the user? If a user has a personal iPhone and a company iPad, it would be nice to assign two different policies to them, for example.

    • March 27, 2014 at 6:55 pm

      Hello,

      Unfortunately, that isn’t possible. ActiveSync policies are assigned on a per user, not per device, basis.

      -Jamie

  12. Tiziano
    May 30, 2014 at 7:31 am

    Hello Jamie.
    Great work
    I tried (sorry for my bad English) to execute it on Exchange 2010 SP3 but I receive this message:

    File C:\service\scripts\activesyncadmin8.ps1 cannot be loaded. The file C:\service\scripts\activ
    digitally signed. The script will not execute on the system. Please see “get-help about_signing”
    At line:1 char:23
    + .\activesyncadmin8.ps1 <<<<
    + CategoryInfo : NotSpecified: (:) [], PSSecurityException
    + FullyQualifiedErrorId : RuntimeException

    could you help me ?
    regards
    Tiziano

    • June 4, 2014 at 12:07 pm

      Hello,

      You need to run the following command: “set-executionpolicy unrestricted”

      -Jamie
