Wednesday, May 21, 2014

Pre-Approve ActiveSync devices


Recently we have enabled ActiveSync quarantine rules in our organisation. This was to stop a member of staff using their own device to access corporate data.

We have only enabled AS for users with corporate devices, but some people have worked out that this allows you to use AS on your own device. This is far from ideal, especially considering that our IT department now have full wipe access on their personal device! Enabling this quarantine rule will stop people from taking advantage of this setting, unless someone from IT approves their device.

On the whole this works pretty well.  The difficulty is that it slows down the process of provisioning multiple devices, especially when you are attempting to complete workshops with users during a handover period.

I found a way to pre-approve devices using PowerShell. First of all you need to find the deviceID. On an Apple device you go to Settings > About > Serial Number. The deviceID is the serial number prefixed with appl (applserialnumber).

The difficulty is that using the following PowerShell command will replace the multivalued property "ActiveSyncAllowedDeviceIDs" rather than add to it:

set-casmailbox username -ActiveSyncAllowedDeviceIDs "deviceID"

How do you append?

I looked around the internet and found this page.

So changing the command to the following would append the value

$update=Get-Casmailbox username
$update.ActiveSyncAllowedDeviceIDs += "deviceID"
$update | Set-casmailbox -ActiveSyncAllowedDeviceIDs $update.ActiveSyncAllowedDeviceIDs

This is great, but it is not very scalable.  How do you use this to enter 50-100 deviceIDs?

Create a CSV file with user and deviceID columns (the names the script below reads) and save it as devices.csv


Then run the following script

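# Import the user/deviceID pairs (CSV columns: user, deviceID)
$users = Import-Csv c:\devices.csv
foreach ($item in $users) {
    # Read the mailbox's current allowed-device list
    $update = Get-CASMailbox $item.user
    # Append the new device ID instead of replacing the list
    $update.ActiveSyncAllowedDeviceIDs += $item.deviceID
    $update | Set-CASMailbox -ActiveSyncAllowedDeviceIDs $update.ActiveSyncAllowedDeviceIDs
    Write-Host "$($item.user) has been updated."
}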
That's it. 

Good Luck
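As an added example (not part of the original post), here is a variant of the bulk script that checks each row, skips IDs already on the mailbox, and appends with the Exchange multivalued-property syntax @{Add=...} instead of reading the list and writing it back. It assumes the Exchange Management Shell; the sample rows, the device ID format check and the helper name Get-NewDeviceIds are assumptions made for illustration, and -WhatIf keeps it a dry run.

```powershell
# Constructed sample rows; in practice use: $rows = Import-Csv c:\devices.csv
$rows = @"
user,deviceID
alice,ApplSAMPLE0001
alice,ApplSAMPLE0001
bob,Appl SAMPLE 0002
carol,
"@ | ConvertFrom-Csv

# Hypothetical helper: returns the requested IDs that are well-formed,
# de-duplicated, and not already in the mailbox's current allowed list.
function Get-NewDeviceIds {
    param([string[]]$Current, [string[]]$Requested)
    $Requested |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9]{1,32}$' } |   # assumed ID format
        Sort-Object -Unique |
        Where-Object { $Current -notcontains $_ }
}

foreach ($group in ($rows | Group-Object user)) {
    $name = $group.Name
    $requested = @($group.Group | ForEach-Object { "$($_.deviceID)".Trim() })

    # Report rows that would otherwise put junk into the allow list
    $bad = @($requested | Where-Object { $_ -notmatch '^[A-Za-z0-9]{1,32}$' })
    if ($bad.Count -gt 0) {
        Write-Warning "${name}: $($bad.Count) row(s) with a missing or malformed deviceID ignored"
    }

    $mbx = Get-CASMailbox $name -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "${name}: mailbox not found, skipped"; continue }

    $new = @(Get-NewDeviceIds -Current $mbx.ActiveSyncAllowedDeviceIDs -Requested $requested)
    if ($new.Count -eq 0) { Write-Host "${name}: nothing to add"; continue }

    # @{Add=...} appends to the multivalued property; existing entries are untouched
    Set-CASMailbox $name -ActiveSyncAllowedDeviceIDs @{Add = $new} -WhatIf
    Write-Host "${name}: would add $($new -join ', ')"
}
```

Remove -WhatIf once the reported changes look right; re-running the script is then harmless because IDs already on a mailbox are skipped.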

