Anil asks if there is a way to purge ActiveSync devices that have been in a quarantine state for longer than a given period of time.

Yes there is a way to do this quite easily with PowerShell. Let’s take a look at exactly how it can be done.

First of all, the scenario that Anil is referring to is when devices are quarantined due to the default organization policy for ActiveSync.

If we use the Get-ActiveSyncDevice cmdlet in the Exchange Management Shell to list all ActiveSync devices in the organization you can see those that are in a quarantined state.

[PS] C:\>Get-ActiveSyncDevice | select devicemodel,firstsynctime,deviceaccessstate,deviceaccessstatereason | ft -auto

DeviceModel                FirstSyncTime          DeviceAccessState DeviceAccessStateReason
-----------                -------------          ----------------- -----------------------
HTC                        9/30/2012 2:55:57 PM             Allowed              Individual
iPhone2C1                  10/1/2012 11:33:28 AM            Blocked                  Policy
TestActiveSyncConnectivity 10/4/2012 10:23:10 AM            Blocked                  Policy
iPhone                     10/4/2012 11:45:05 AM        Quarantined                  Global
iPhone                     10/4/2012 11:45:05 AM            Blocked                  Policy
HTC                        10/4/2012 11:57:45 AM        Quarantined                  Global
sdk                        10/10/2012 12:14:00 AM       Quarantined                  Global
Android                    10/10/2012 12:25:47 AM       Quarantined                  Global
sdk                        11/6/2012 12:00:46 PM            Allowed              Individual
iPad                       11/7/2012 12:02:45 PM            Allowed              Individual
iPhone2C1                  11/11/2012 1:00:23 PM            Blocked              Individual
iPad3C3                    2/10/2013 11:40:39 PM        Quarantined              DeviceRule
iPad3C3                    2/27/2013 11:56:13 AM        Quarantined                  Global
iPhone4C1                  2/27/2013 12:17:36 PM        Quarantined                  Global
TestActiveSyncConnectivity 4/11/2013 5:37:19 AM             Allowed              Individual

So let’s filter the list down to just those devices in a quarantined state.

[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined"} | Select DeviceModel,FirstSyncTime,DeviceAccessState,DeviceAccessStateReason | ft -auto

DeviceModel FirstSyncTime          DeviceAccessState DeviceAccessStateReason
----------- -------------          ----------------- -----------------------
iPhone      10/4/2012 11:45:05 AM        Quarantined                  Global
HTC         10/4/2012 11:57:45 AM        Quarantined                  Global
sdk         10/10/2012 12:14:00 AM       Quarantined                  Global
Android     10/10/2012 12:25:47 AM       Quarantined                  Global
iPad3C3     2/10/2013 11:40:39 PM        Quarantined              DeviceRule
iPad3C3     2/27/2013 11:56:13 AM        Quarantined                  Global
iPhone4C1   2/27/2013 12:17:36 PM        Quarantined                  Global

I will just point out at this stage that most of the quarantined devices in this example are due to the default organization policy. If you had a separate ActiveSync device access rule that quarantined specific device types then the “DeviceAccessStateReason” would be “DeviceRule”.

If we’re only interested in purging devices that have been sitting quarantined for a month then we can do some date math based on the “FirstSyncTime” to filter the list even further.

[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Select DeviceModel,FirstSyncTime,DeviceAccessState,DeviceAccessStateReason | ft -auto

DeviceModel FirstSyncTime          DeviceAccessState DeviceAccessStateReason
----------- -------------          ----------------- -----------------------
iPhone      10/4/2012 11:45:05 AM        Quarantined                  Global
HTC         10/4/2012 11:57:45 AM        Quarantined                  Global
sdk         10/10/2012 12:14:00 AM       Quarantined                  Global
Android     10/10/2012 12:25:47 AM       Quarantined                  Global
iPad3C3     2/10/2013 11:40:39 PM        Quarantined              DeviceRule
iPad3C3     2/27/2013 11:56:13 AM        Quarantined                  Global
iPhone4C1   2/27/2013 12:17:36 PM        Quarantined                  Global

Note, all of my quarantined devices have been like that for more than a month, but I think you get the idea.

So now that we’ve got a list of quarantined devices that have been sitting in that state for a month or longer, it is time to remove them. To do so we simply pipe the output into the Remove-ActiveSyncDevice cmdlet.

[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-ActiveSyncDevice

Confirm
Are you sure you want to perform this action?
Removing mobile phone "exchangeserverpro.net/Company/Head
Office/Users/Rebecca.Vintin/ExchangeActiveSyncDevices/WP§F04016EDD8F2DD3BD6A9DA5137583C5A". All data about the phone
will be removed. The phone must be re-synchronized.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):

If you don’t want to be bothered with the confirmation prompt just add -Confirm:$false to the end of the command.

[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-ActiveSyncDevice -Confirm:$false

Simple as that. Of course, if the device still has an Exchange account configured on it and continues to try and reconnect you may find it ends up in the quarantine list again anyway, but this process should still help you keep the list reasonably clean.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Dana White

    WARNING: The Get-ActiveSyncDevice cmdlet will be removed in a future version of Exchange. Use the
    Get-MobileDevice cmdlet instead. If you have any scripts that use the Get-ActiveSyncDevice cmdlet,
    update them to use the Get-MobileDevice cmdlet. For more information, see
    http://go.microsoft.com/fwlink/p/?LinkId=254711.

  2. Normunds

    How to remove the quarantined devices where mailboxes no longer exist actually?

    If the answer is ‘raise support call’ – how do I phrase it correctly, so that support understands it?

  3. David

    Thanks, Paul.

    All of your articles are brilliant. I’d just finished implementing a default rule of quarantine but needed to allow devices already connected (and that we approve of). So a script I ran first simply added these allowed devices to the ActiveSyncAllowedDeviceIDs attribute for each CASMailbox. My filter for this script was a particular device model and the device must have synced in the last 3 day. If the device did not meet this filter it was not added.

    This article (well, the powershell within it) allowed me to remove stale device partnerships based on if the device had been quarantined.

    Once again, many thanks.

  4. Toni

    Can you please help with telling me how to tell who either allowed or blocked a mobile device from quarantine?

  5. Ed Kummel

    This may sound weird…but for auditing purposes, is it possible to show *WHEN* a mobile device was released from Quarantine?

  6. Asharaf Ali

    Paul
    Could you help with the command for Exchange 2007 to remove old devices which are sync before 90 days.

  7. Steve

    -Confirm:$false doesn’t seem to work with remove-mobiledevice with WMF 4.0. Anybody else seeing this?

    1. Avatar photo
      Paul Cunningham

      I didn’t think PowerShell 4.0 was even supported for use with any version of Exchange at the moment.

  8. Anil

    Hi Paul,

    I have used the identity {$_.userdisplayname -match ” Domain.com/OU” which fetched the required information.

    Thanks

  9. Anil

    Hi Paul,

    Need a small favour

    Can you please let me know if we can the list of activesync users which are in Quarantine state for more than a month for a particular OU.

    Thanks in Advance 🙂

  10. itworkedinthelab

    Thanks
    always interesting

  11. Anil

    Thanks Paul for the wonderful article which explains all the required steps to accomplish the task.

Leave a Reply