Jun 11 2018 06:42 AM
Hey Everyone --
I am trying to put together a Powershell script to approve a device that has been quarantined. By default, we quarantine everything and allow only what we want.
$MobileDevice = Get-MobileDevice -Mailbox jdoe -Filter {DeviceAccessState -eq 'Quarantined'}
# allow the device
Set-CASMailbox -Identity jdoe -ActiveSyncAlloweDeviceIDs $MobileDevice.DeviceId
By doing this - mail is now working on that mobile device, however, it still shows up in the list of quarantined devices. Furthermore - It is still returned as a quarntined device in the Get-MobileDevice cmdlet.
Using powershell - how do you get it so it is no longer in the quarantined list?
Jun 11 2018 10:44 AM
The cmdlet you are using overrides the list of allowed devices, instead you should be adding to it:
Set-CASMailbox -Identity jdoe -ActiveSyncAlloweDeviceIDs @{add=$MobileDevice.DeviceId}
Jun 11 2018 10:58 AM
Jun 16 2018 06:36 AM
Have you checked the ActiveSyncOrganizationSettings for your tenant using Get-ActiveSyncOrganizationSettings?
What's the DefaultAccessLevel?
Are there any Intune policies in use?
Jun 17 2018 11:14 AM
Default Access Level = Quarantine.
We moved to Exchange Online in 2016. From day 1, we have had this policy - all mobile devices get Quarantined until approved by administrator. All of the mobile devices that we have allowed have been allowed manually. When we approve a device manaually (from the Mobile page) - the device is approved and removed from that list.
I am just looking to do the same thing - but with Powershell. Should involve less clicks, pages, and waiting for things to load.
We don't currently have any intune policies in place.
Jun 18 2018 09:20 AM
The device state is stored in an Active Directory attribute which needs to be replicated across all domain controllers until the state is properly returned when queried by a Get-MobileDevice cmdlet.
Is the device shown in the list of quarantined devices still? Even after some hours after the device has been allowed?
Jun 18 2018 09:34 AM
Thanks for getting back. Yes - it still is showing in the list of Quarantined devices.
I am running Exchange Hybrid - 100% online. I have 1 server on prem for management. Given that, mobile device information would not be stored in my on-prem AD, correct?
Jun 18 2018 10:40 AM
That's correct. Registered mobile devices for cloud mailbox users are not stored in an on-premises AD. The device information is stored in the Office 365.
It seems to be a glitch in the UI, when mailbox access works for allowed device and the device still shows up as quarantined in the Admin Center.
- Thomas
Jun 21 2018 07:55 AM
So here is what I just found out -- here is what I was running, and the device was still in the quarantined list.
$MobileDevice = Get-MobileDevice -Mailbox jdoe -Filter {DeviceAccessState -eq 'Quarantined'}
# allow the device
Set-CASMailbox -Identity jdoe -ActiveSyncAlloweDeviceIDs $MobileDevice.DeviceId
If I then run:
$MobileDevice.DeviceAccessState = 'Allowed'
$MobileDevice.DeviceAccessStateReason = 'Individual'
The device is no longer shown in the mobile device list as quarantined.
Mar 26 2019 09:00 AM
Nearly perfect. A small typo on this line:
Set-CASMailbox -Identity jdoe -ActiveSyncAlloweDeviceIDs $MobileDevice.DeviceId
Throws an error. This should work:
Set-CASMailbox -Identity jdoe -ActiveSyncAllowedDeviceIDs $MobileDevice.DeviceId
Apr 10 2019 04:23 AM
We were rolling out Android devices and wanted a way to allow all these whilst the roll out was happening. With help from this thread I wrote this;
$BlockedDevices = @(Get-MobileDevice -Filter 'DeviceAccessState -eq "Blocked"')
Get-CASMailbox -Filter "ActiveSyncBlockedDeviceIDs -eq `'$($_.DeviceId)`'" | Set-CASMailbox -ActiveSyncAllowedDeviceIDs @{add=$($_.DeviceId)}
You would probably want to narrow down the Get-MobileDevice filter so BlockedDevices only contains the Devices you want allowing (DeviceModel for example if you are rolling out same hardware)
We ran it on a schedule during the rollout.
Hope this helps someone
Mar 09 2020 05:51 AM
Thank you very much for the script. That saved us a lot of work.
Oct 26 2022 08:48 PM