Pre-Approve ActiveSync devices
Hi
Recently we have enabled ActiveSync quaratine rules in our organisation. This was to stop a member of staff using their own device to access corporate data.
We have only enabled AS for users with corporate devices, but some people have worked out that this allows you to use AS on your own device. This is far from ideal, especially considering that our IT department now have full wipe access on their personal device! Enabling this quaratine rule will stop people from taking advantage of this setting, unless someone from IT approves their device.
On the whole this works pretty well. The difficulty is that it slows down the process of provisioning multiple devices, especially when you are attempting to complete workshops with users during a handover period.
I found a way to pre-approve devices using powershell. First of all you need to find the deviceID. On an Apple device you go to Settings > About > Serial Number. The deviceID is applserialnumber
The difficulty is that using the following powershell command will replace the multivalued property "ActiveSyncAllowedDeviceIDs"
set-casmailbox username -ActiveSyncAllowedDeviceIDs "deviceID"
How do you append?
I looked around the internet and found this page.
http://www.windowsinfo.eu/?p=105
So changing the command to the following would append the value
$update=Get-Casmailbox username
$update.ActiveSyncAllowedDeviceIDs += "deviceID"
$update | Set-casmailbox -ActiveSyncAllowedDeviceIDs $update.ActiveSyncAllowedDeviceIDs
This is great, but it is not very scalable. How do you use this to enter 50-100 deviceIDs?
Create a CSV file as following and save as devices.csv
name,deviceID
user1,111111111111
user2,222222222222
user3,333333333333
Then run the following script
Good Luck
Google +
Recently we have enabled ActiveSync quaratine rules in our organisation. This was to stop a member of staff using their own device to access corporate data.
We have only enabled AS for users with corporate devices, but some people have worked out that this allows you to use AS on your own device. This is far from ideal, especially considering that our IT department now have full wipe access on their personal device! Enabling this quaratine rule will stop people from taking advantage of this setting, unless someone from IT approves their device.
On the whole this works pretty well. The difficulty is that it slows down the process of provisioning multiple devices, especially when you are attempting to complete workshops with users during a handover period.
I found a way to pre-approve devices using powershell. First of all you need to find the deviceID. On an Apple device you go to Settings > About > Serial Number. The deviceID is applserialnumber
The difficulty is that using the following powershell command will replace the multivalued property "ActiveSyncAllowedDeviceIDs"
set-casmailbox username -ActiveSyncAllowedDeviceIDs "deviceID"
How do you append?
I looked around the internet and found this page.
http://www.windowsinfo.eu/?p=105
So changing the command to the following would append the value
$update=Get-Casmailbox username
$update.ActiveSyncAllowedDeviceIDs += "deviceID"
$update | Set-casmailbox -ActiveSyncAllowedDeviceIDs $update.ActiveSyncAllowedDeviceIDs
This is great, but it is not very scalable. How do you use this to enter 50-100 deviceIDs?
Create a CSV file as following and save as devices.csv
name,deviceID
user1,111111111111
user2,222222222222
user3,333333333333
Then run the following script
$users = import-csv c:\devices.csv<
foreach ($item in $users)
{
$update=Get-Casmailbox $item.user
$update.ActiveSyncAllowedDeviceIDs += "$item.deviceID"
$update | Set-casmailbox -ActiveSyncAllowedDeviceIDs $update.ActiveSyncAllowedDeviceIDs
write-host $item.user has been updated.
}
That's it. Good Luck
Google +
Comments
Post a Comment