Anil asks if there is a way to purge ActiveSync devices that have been in a quarantine state for longer than a given period of time.
Yes, there is a way to do this quite easily with PowerShell. Let’s take a look at exactly how it can be done.
First of all, the scenario that Anil is referring to is when devices are quarantined due to the default organization policy for ActiveSync.
If we use the Get-ActiveSyncDevice cmdlet in the Exchange Management Shell to list all ActiveSync devices in the organization, we can see those that are in a quarantined state.
[PS] C:\>Get-ActiveSyncDevice | select devicemodel,firstsynctime,deviceaccessstate,deviceaccessstatereason | ft -auto

DeviceModel                FirstSyncTime          DeviceAccessState DeviceAccessStateReason
-----------                -------------          ----------------- -----------------------
HTC                        9/30/2012 2:55:57 PM   Allowed           Individual
iPhone2C1                  10/1/2012 11:33:28 AM  Blocked           Policy
TestActiveSyncConnectivity 10/4/2012 10:23:10 AM  Blocked           Policy
iPhone                     10/4/2012 11:45:05 AM  Quarantined       Global
iPhone                     10/4/2012 11:45:05 AM  Blocked           Policy
HTC                        10/4/2012 11:57:45 AM  Quarantined       Global
sdk                        10/10/2012 12:14:00 AM Quarantined       Global
Android                    10/10/2012 12:25:47 AM Quarantined       Global
sdk                        11/6/2012 12:00:46 PM  Allowed           Individual
iPad                       11/7/2012 12:02:45 PM  Allowed           Individual
iPhone2C1                  11/11/2012 1:00:23 PM  Blocked           Individual
iPad3C3                    2/10/2013 11:40:39 PM  Quarantined       DeviceRule
iPad3C3                    2/27/2013 11:56:13 AM  Quarantined       Global
iPhone4C1                  2/27/2013 12:17:36 PM  Quarantined       Global
TestActiveSyncConnectivity 4/11/2013 5:37:19 AM   Allowed           Individual
So let’s filter the list down to just those devices in a quarantined state.
[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined"} | Select DeviceModel,FirstSyncTime,DeviceAccessState,DeviceAccessStateReason | ft -auto

DeviceModel FirstSyncTime          DeviceAccessState DeviceAccessStateReason
----------- -------------          ----------------- -----------------------
iPhone      10/4/2012 11:45:05 AM  Quarantined       Global
HTC         10/4/2012 11:57:45 AM  Quarantined       Global
sdk         10/10/2012 12:14:00 AM Quarantined       Global
Android     10/10/2012 12:25:47 AM Quarantined       Global
iPad3C3     2/10/2013 11:40:39 PM  Quarantined       DeviceRule
iPad3C3     2/27/2013 11:56:13 AM  Quarantined       Global
iPhone4C1   2/27/2013 12:17:36 PM  Quarantined       Global
I will just point out at this stage that most of the quarantined devices in this example are due to the default organization policy. If you had a separate ActiveSync device access rule that quarantined specific device types then the “DeviceAccessStateReason” would be “DeviceRule”.
If we’re only interested in purging devices that have been sitting quarantined for a month then we can do some date math based on the “FirstSyncTime” to filter the list even further.
[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Select DeviceModel,FirstSyncTime,DeviceAccessState,DeviceAccessStateReason | ft -auto

DeviceModel FirstSyncTime          DeviceAccessState DeviceAccessStateReason
----------- -------------          ----------------- -----------------------
iPhone      10/4/2012 11:45:05 AM  Quarantined       Global
HTC         10/4/2012 11:57:45 AM  Quarantined       Global
sdk         10/10/2012 12:14:00 AM Quarantined       Global
Android     10/10/2012 12:25:47 AM Quarantined       Global
iPad3C3     2/10/2013 11:40:39 PM  Quarantined       DeviceRule
iPad3C3     2/27/2013 11:56:13 AM  Quarantined       Global
iPhone4C1   2/27/2013 12:17:36 PM  Quarantined       Global
Note, all of my quarantined devices have been like that for more than a month, but I think you get the idea.
So now that we’ve got a list of quarantined devices that have been sitting in that state for a month or longer, it is time to remove them. To do so we simply pipe the output into the Remove-ActiveSyncDevice cmdlet.
[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-ActiveSyncDevice

Confirm
Are you sure you want to perform this action?
Removing mobile phone "exchangeserverpro.net/Company/Head Office/Users/Rebecca.Vintin/ExchangeActiveSyncDevices/WP§F04016EDD8F2DD3BD6A9DA5137583C5A". All data about the phone will be removed. The phone must be re-synchronized.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):

If you don’t want to be bothered with the confirmation prompt, just add -Confirm:$false to the end of the command.
[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-ActiveSyncDevice -Confirm:$false
Simple as that. Of course, if the device still has an Exchange account configured on it and continues to try and reconnect you may find it ends up in the quarantine list again anyway, but this process should still help you keep the list reasonably clean.
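Before running the removal unattended with -Confirm:$false, it helps to record exactly what will be purged and to preview the deletion. The following is an added example, not code from the original article: the function name `Select-StaleQuarantinedDevice` and the CSV file name are hypothetical, and the sample devices are constructed so the filter can be checked without an Exchange server.

```powershell
# Added example, not from the original article. The function name and the
# CSV file name are hypothetical; the sample devices below are constructed.
function Select-StaleQuarantinedDevice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Device,
        [int] $Months = 1,
        [datetime] $Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddMonths(-$Months) }
    process {
        # "$null -lt <date>" is True in PowerShell, so a device without a
        # FirstSyncTime would pass the bare one-liner; skip it explicitly.
        if ($null -eq $Device.FirstSyncTime) { return }
        if ("$($Device.DeviceAccessState)" -eq 'Quarantined' -and
            $Device.FirstSyncTime -lt $cutoff) { $Device }
    }
}

# Helper that builds a constructed device object for the offline check.
function New-SampleDevice($Model, $FirstSync, $State) {
    New-Object PSObject -Property @{
        DeviceModel = $Model; FirstSyncTime = $FirstSync; DeviceAccessState = $State
    }
}
$sample = @(
    (New-SampleDevice 'iPhone'  ([datetime]'2012-10-04T11:45:05') 'Quarantined'),
    (New-SampleDevice 'HTC'     ([datetime]'2012-09-30T14:55:57') 'Allowed'),
    (New-SampleDevice 'iPad3C3' ([datetime]'2013-02-27T11:56:13') 'Quarantined'),
    (New-SampleDevice 'Android' $null                             'Quarantined')
)
# Offline check of the filter with "now" pinned to a fixed date.
$sample | Select-StaleQuarantinedDevice -Months 1 -Now ([datetime]'2013-03-15') |
    Select-Object DeviceModel, FirstSyncTime

# In the Exchange Management Shell: keep an audit record, then preview only.
if (Get-Command Get-ActiveSyncDevice -ErrorAction SilentlyContinue) {
    $stale = @(Get-ActiveSyncDevice | Select-StaleQuarantinedDevice -Months 1)
    $stale | Select-Object Identity, DeviceModel, FirstSyncTime, DeviceAccessStateReason |
        Export-Csv .\quarantine-purge.csv -NoTypeInformation
    $stale | Remove-ActiveSyncDevice -WhatIf   # preview; no device is removed
}
```

Once the CSV and the -WhatIf output look right, the removal itself is the command shown above with -Confirm:$false. Note that FirstSyncTime is when the device first synced, which the article uses as a stand-in for how long it has been quarantined.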
WARNING: The Get-ActiveSyncDevice cmdlet will be removed in a future version of Exchange. Use the
Get-MobileDevice cmdlet instead. If you have any scripts that use the Get-ActiveSyncDevice cmdlet,
update them to use the Get-MobileDevice cmdlet. For more information, see
http://go.microsoft.com/fwlink/p/?LinkId=254711.
How to remove the quarantined devices where mailboxes no longer exist actually?
If the answer is ‘raise support call’ – how do I phrase it correctly, so that support understands it?
Thanks, Paul.
All of your articles are brilliant. I’d just finished implementing a default rule of quarantine but needed to allow devices already connected (and that we approve of). So a script I ran first simply added these allowed devices to the ActiveSyncAllowedDeviceIDs attribute for each CASMailbox. My filter for this script was a particular device model and the device must have synced in the last 3 days. If the device did not meet this filter it was not added.
This article (well, the PowerShell within it) allowed me to remove stale device partnerships based on if the device had been quarantined.
Once again, many thanks.
Can you please help with telling me how to tell who either allowed or blocked a mobile device from quarantine?
This may sound weird…but for auditing purposes, is it possible to show *WHEN* a mobile device was released from Quarantine?
Paul
Could you help with the command for Exchange 2007 to remove old devices which were synced before 90 days?
-Confirm:$false doesn’t seem to work with remove-mobiledevice with WMF 4.0. Anybody else seeing this?
I didn’t think PowerShell 4.0 was even supported for use with any version of Exchange at the moment.
Hi Paul,
I have used the identity {$_.userdisplayname -match "Domain.com/OU"} which fetched the required information.
Thanks
Hi Paul,
Need a small favour
Can you please let me know if we can get the list of ActiveSync users which are in Quarantine state for more than a month for a particular OU?
Thanks in Advance 🙂
Thanks
always interesting
Thanks Paul for the wonderful article which explains all the required steps to accomplish the task.