rhinoman
Mar 19, 2025 (Copper Contributor)
Mobile Device Access Rules
Hello - I have been trying to figure out how to permit all current Active Sync mobile devices before switching the Exchange Online Active Sync to Quarantine. I found an old script that supposedly allows the current devices to be grandfathered in, but I have not had any success with it. Could someone assist me with this issue?
You have to add them to the list of -ActiveSyncAllowedDeviceIDs for the respective user. Nothing has changed in the process in maybe a decade... perhaps share the script you are using?
- rhinoman (Copper Contributor)
Well, after troubleshooting using Copilot, I have been trying to use the following scripts. However, the import never finishes.
Retrieve mobile list first

```powershell
$mailboxes = Get-Mailbox -ResultSize Unlimited
$devices = @()
foreach ($mailbox in $mailboxes) {
    $devices += Get-MobileDeviceStatistics -Mailbox $mailbox.Alias | Select-Object DeviceID, DeviceModel, DeviceOS, LastSuccessSync
}
$devices | Export-Csv -Path "C:\AllowedDevices.csv" -NoTypeInformation
```

Import Allowed devices

```powershell
$mailboxes = Get-Mailbox -ResultSize Unlimited
$allowedDevices = Import-Csv -Path "C:\AllowedDevices.csv"
foreach ($mailbox in $mailboxes) {
    foreach ($device in $allowedDevices) {
        try {
            Set-CASMailbox -Identity $mailbox.Alias -ActiveSyncAllowedDeviceIDs $device.DeviceID
        } catch {
            Write-Error "Failed to set allowed device for mailbox $($mailbox.Alias): $_"
        }
    }
}
Write-Output "Allowed devices import is complete."
```

Verify Devices are now marked allowed

```powershell
Get-CASMailbox | Select-Object DisplayName, ActiveSyncAllowedDeviceIDs | Export-Csv -Path "C:\AllowedDevicesList.csv" -NoTypeInformation
```

Then set to Quarantine all devices after the import of allowed devices

```powershell
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
```
That script basically tries to add all deviceIDs across the company as allowed for each and every mailbox you have. Pretty sure it's not the experience you want, and it's likely striking out by reaching the limit of ActiveSyncAllowedDeviceIDs per mailbox.
You should export the mobile device details along with the corresponding mailbox ID, and then in the import part, process each mailbox and deviceID combo only once.
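The per-mailbox export and import described in the reply above, as an added example that is not part of the original thread and not any poster's own script. The CSV path and the use of PrimarySmtpAddress as the mailbox key are assumptions.

```powershell
# Added example. $csvPath is an assumed location; adjust as needed.
$csvPath = "C:\AllowedDevicesByMailbox.csv"

# Export: one row per (mailbox, device) pair, so every DeviceID stays tied to its owner.
$rows = foreach ($mailbox in Get-Mailbox -ResultSize Unlimited) {
    $owner = $mailbox.PrimarySmtpAddress
    Get-MobileDeviceStatistics -Mailbox $owner |
        Select-Object @{ Name = 'Mailbox'; Expression = { $owner } },
                      DeviceID, DeviceModel, DeviceOS, LastSuccessSync
}
$rows | Export-Csv -Path $csvPath -NoTypeInformation

# Import: group the rows by mailbox and allow only that mailbox's own devices.
Import-Csv -Path $csvPath | Group-Object -Property Mailbox | ForEach-Object {
    $owner = $_.Name
    # Drop empty values and duplicates so each mailbox/DeviceID combo is processed once.
    $ids = @($_.Group.DeviceID | Where-Object { $_ } | Sort-Object -Unique)
    if ($ids.Count -eq 0) { return }

    try {
        # @{Add=...} appends to the existing list instead of overwriting it.
        Set-CASMailbox -Identity $owner -ActiveSyncAllowedDeviceIDs @{ Add = $ids } -ErrorAction Stop
    } catch {
        Write-Error "Failed to set allowed devices for mailbox ${owner}: $_"
    }
}

# Verify: list only the mailboxes that now carry allowed device IDs.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncAllowedDeviceIDs } |
    Select-Object PrimarySmtpAddress, ActiveSyncAllowedDeviceIDs
```

Each mailbox gets a single Set-CASMailbox call with only its own device IDs, so the work scales with the number of mailboxes rather than mailboxes times devices. Adding `-WhatIf` to the Set-CASMailbox call previews the changes without applying them.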
- TeagueFrost (Iron Contributor)
1. Check Exchange ActiveSync settings: Open the Exchange Administration Console (EAC).
Navigate to Mobile Devices > Mobile Device Access Rules.
Check that Exchange ActiveSync is enabled.
2. To configure mobile device access rules: Open the Exchange Administration Console (EAC).
Navigate to Mobile Devices > Mobile Device Access Rules.
Create a new access rule and set the device types, operating systems, etc. to allow or block.
3. Configure the rule using PowerShell: Open the Exchange Management Shell (EMS).
Run the following command to create a new access rule:
```powershell
# -Characteristic accepts DeviceModel, DeviceType, DeviceOS, UserAgent or XMSWLHeader
New-ActiveSyncDeviceAccessRule -QueryString "DeviceModel" -Characteristic DeviceModel -AccessLevel Allow
```
Run the following command to view the existing rule:
```powershell
Get-ActiveSyncDeviceAccessRule
```
4. To check the device access log: Open the Exchange Administration Console (EAC).
Navigate to Mobile Devices > Mobile Device Access Log.
Check the logs to verify that the device is properly allowed or blocked.
5. Contact Microsoft Support: If none of the above methods work, it is recommended that you contact the Microsoft Support team with detailed error messages and screenshots for further assistance.