PowerShell Tip: Easily Manage all of Your BYOD Devices

The “Bring Your Own Device” (BYOD) trend has been making significant contributions to the enterprise for quite a few years now. About 44% of developed markets have already adopted their own devices at work!

The biggest headache with BYOD is how to easily manage and organize all of those devices. Policies help, but the final goal is to collect information on these devices to better understand how everything is working. In this article, Arnaud will show you some useful PowerShell functions to monitor devices, and some dedicated specifically to Apple devices!

Step 1: List all of the devices including owners and the OS

Get-ActiveSyncDevice | Select-Object DeviceModel,FriendlyName,DeviceOS,UserDisplayName | Sort-Object DeviceModel | Format-Table -AutoSize -Wrap

Step 2: Control which devices are used on Exchange

I will not go into too much detail here because there are some great articles already available online. But, here are some really important steps to follow:

  • Choose a restrictive organization policy (Are you not allowed? Get out dude!)
  • Create device access rules if you already know some accepted models (Windows Phone or others)
  • Create a rule for unknown devices (to send them to quarantine)
  • Set up a quarantine notification email
  • Check the quarantine devices to see all blocked devices (in the ECP)
  • Allow devices that you have accepted and create rules for similar devices to prevent repetitive operations

If you prefer PowerShell, you can set this up by using a command like this:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients adminmotan@letsexchange.com, messaging.team@letsexchange.com -UserMailInsert "Your mobile device is temporarily blocked from synchronizing with the server while permissions are verified."

In order to set rules, you will need the device models. The best way to get them is to look in the IIS logs: since EAS uses HTTP, every request is recorded in the IIS web logs.

By default, they are saved in C:\inetpub\logs\logfiles\W3SVC1\. There, we can search for ActiveSync entries, which show the username, DeviceID and DeviceType among other information.

An easy way to get at these logs is the PowerShell command Export-ActiveSyncLog:

Export-ActiveSyncLog -Filename C:\inetpub\logs\logfiles\W3SVC1\xxxxxxxx.log -OutputPath C:\Temp\Logs

This command will give you six logs in CSV format:

  • Users.csv
  • Servers.csv
  • Hourly.csv
  • StatusCode.csv
  • PolicyCompliance.csv
  • UserAgents.csv

Device models can be found in the UserAgents.csv file.
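The manual IIS log search described earlier in this step, as an added example that is not part of the original article: a small parser that reads the #Fields: header of a W3C log and pulls User, DeviceId and DeviceType out of each ActiveSync query string. The function name Get-EasDeviceFromIisLog and every log line below are constructed for illustration.

```powershell
# Constructed sample in W3C extended log format (not real traffic). Real files live
# under C:\inetpub\logs\logfiles\W3SVC1\ and would be read with Get-Content instead.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username cs(User-Agent) sc-status
2024-01-15 08:01:12 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=APPL0000TEST01&DeviceType=iPhone CONTOSO\alice Apple-iPhone9C1/1604.39 200
2024-01-15 08:01:40 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=bob&DeviceId=SEC0000TEST02&DeviceType=SAMSUNGSMG950F CONTOSO\bob Android-SAMSUNG-SM-G950F/101.700 200
2024-01-15 08:02:03 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ - Mozilla/5.0 200
2024-01-15 08:05:12 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=alice&DeviceId=APPL0000TEST01&DeviceType=iPhone CONTOSO\alice Apple-iPhone9C1/1604.39 200
2024-01-15 08:06:30 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=carol&DeviceId=UNKN0000TEST03&DeviceType=WP8 CONTOSO\carol - 403
'@ -split "`r?`n"

function Get-EasDeviceFromIisLog {   # hypothetical helper, not an Exchange cmdlet
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order is declared per file, so never hard-code positions.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if (($l -like '#*') -or (-not $l.Trim()) -or ($fields.Count -eq 0)) { continue }
        $cols = $l -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        $q = @{}   # query-string keys; PowerShell hashtables are case-insensitive
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $k, $v = $pair -split '=', 2
            if ($k) { $q[$k] = $v }
        }
        [pscustomobject]@{
            User = $q['User']; DeviceId = $q['DeviceId']; DeviceType = $q['DeviceType']
            UserAgent = $row['cs(User-Agent)']; Status = [int]$row['sc-status']
        }
    }
}

$hits = Get-EasDeviceFromIisLog -Line $sampleLog
# Distinct devices per DeviceType: the values you would feed into device access rules.
$hits | Sort-Object DeviceId -Unique | Group-Object DeviceType |
    Sort-Object Count -Descending | Select-Object Count, Name
# Requests that did not succeed (HTTP status 400 or above).
$hits | Where-Object Status -ge 400 | Select-Object User, DeviceId, DeviceType, Status
```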

Step 3: Evaluate the population by device

To get a good overview of the fleet, the best option is to use PowerShell to list the devices and count how many of each model are deployed. This command will help you:

(Get-CASMailbox -ResultSize Unlimited -Filter {HasActiveSyncDevicePartnership -eq $True} | Get-Mailbox) | ForEach-Object {Get-ActiveSyncDeviceStatistics -Mailbox $_} | Group-Object DeviceModel | Sort-Object Count -Descending | Select-Object Count, Name

OK, now you have a good overview of the devices currently connected to ActiveSync. Next, let's look at some resources for monitoring Apple devices.

A good script from Jan Ring, which lists them and lets you see registered devices, can be found here.

This script is very flexible and permits you to export results in the CSV format.

If you have old devices in your organization and need to clean them up, use this script:

Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)}

Then remove them. To do this, pipe the previous command into this one:

foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -confirm:$false}

That’s it! Now you have the tools you need to easily manage all your devices at once. Let me know if you followed my directions and how it worked out for you. Have any questions for me? Just leave your comment below!
