Removing Old Quarantined ActiveSync Devices from Exchange Server

Anil asks if there is a way to purge ActiveSync devices that have been in a quarantine state for longer than a given period of time.


Yes, there is a way to do this quite easily with PowerShell. Let’s take a look at exactly how it can be done.

First of all, the scenario that Anil is referring to is when devices are quarantined due to the default organization policy for ActiveSync.

If we use the Get-ActiveSyncDevice cmdlet in the Exchange Management Shell to list all ActiveSync devices in the organization, we can see those that are in a quarantined state.

[PS] C:\>Get-ActiveSyncDevice | select devicemodel,firstsynctime,deviceaccessstate,deviceaccessstatereason | ft -auto

DeviceModel                FirstSyncTime          DeviceAccessState DeviceAccessStateReason
-----------                -------------          ----------------- -----------------------
HTC                        9/30/2012 2:55:57 PM             Allowed              Individual
iPhone2C1                  10/1/2012 11:33:28 AM            Blocked                  Policy
TestActiveSyncConnectivity 10/4/2012 10:23:10 AM            Blocked                  Policy
iPhone                     10/4/2012 11:45:05 AM        Quarantined                  Global
iPhone                     10/4/2012 11:45:05 AM            Blocked                  Policy
HTC                        10/4/2012 11:57:45 AM        Quarantined                  Global
sdk                        10/10/2012 12:14:00 AM       Quarantined                  Global
Android                    10/10/2012 12:25:47 AM       Quarantined                  Global
sdk                        11/6/2012 12:00:46 PM            Allowed              Individual
iPad                       11/7/2012 12:02:45 PM            Allowed              Individual
iPhone2C1                  11/11/2012 1:00:23 PM            Blocked              Individual
iPad3C3                    2/10/2013 11:40:39 PM        Quarantined              DeviceRule
iPad3C3                    2/27/2013 11:56:13 AM        Quarantined                  Global
iPhone4C1                  2/27/2013 12:17:36 PM        Quarantined                  Global
TestActiveSyncConnectivity 4/11/2013 5:37:19 AM             Allowed              Individual

So let’s filter the list down to just those devices in a quarantined state.

[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined"} | Select DeviceModel,FirstSyncTime,DeviceAccessState,DeviceAccessStateReason | ft -auto

DeviceModel FirstSyncTime          DeviceAccessState DeviceAccessStateReason
----------- -------------          ----------------- -----------------------
iPhone      10/4/2012 11:45:05 AM        Quarantined                  Global
HTC         10/4/2012 11:57:45 AM        Quarantined                  Global
sdk         10/10/2012 12:14:00 AM       Quarantined                  Global
Android     10/10/2012 12:25:47 AM       Quarantined                  Global
iPad3C3     2/10/2013 11:40:39 PM        Quarantined              DeviceRule
iPad3C3     2/27/2013 11:56:13 AM        Quarantined                  Global
iPhone4C1   2/27/2013 12:17:36 PM        Quarantined                  Global

I will just point out at this stage that most of the quarantined devices in this example are due to the default organization policy. If you had a separate ActiveSync device access rule that quarantined specific device types then the “DeviceAccessStateReason” would be “DeviceRule”.

If we’re only interested in purging devices that have been sitting quarantined for a month then we can do some date math based on the “FirstSyncTime” to filter the list even further.

[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Select DeviceModel,FirstSyncTime,DeviceAccessState,DeviceAccessStateReason | ft -auto

DeviceModel FirstSyncTime          DeviceAccessState DeviceAccessStateReason
----------- -------------          ----------------- -----------------------
iPhone      10/4/2012 11:45:05 AM        Quarantined                  Global
HTC         10/4/2012 11:57:45 AM        Quarantined                  Global
sdk         10/10/2012 12:14:00 AM       Quarantined                  Global
Android     10/10/2012 12:25:47 AM       Quarantined                  Global
iPad3C3     2/10/2013 11:40:39 PM        Quarantined              DeviceRule
iPad3C3     2/27/2013 11:56:13 AM        Quarantined                  Global
iPhone4C1   2/27/2013 12:17:36 PM        Quarantined                  Global

Note, all of my quarantined devices have been like that for more than a month, but I think you get the idea.

So now that we’ve got a list of quarantined devices that have been sitting in that state for a month or longer, it is time to remove them. To do so we simply pipe the output into the Remove-ActiveSyncDevice cmdlet.

[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-ActiveSyncDevice

Confirm
Are you sure you want to perform this action?
Removing mobile phone "exchangeserverpro.net/Company/Head
Office/Users/Rebecca.Vintin/ExchangeActiveSyncDevices/WP§F04016EDD8F2DD3BD6A9DA5137583C5A". All data about the phone
will be removed. The phone must be re-synchronized.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):

If you don’t want to be bothered with the confirmation prompt just add -Confirm:$false to the end of the command.

[PS] C:\>Get-ActiveSyncDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-ActiveSyncDevice -Confirm:$false

Simple as that. Of course, if the device still has an Exchange account configured on it and continues to try to reconnect, you may find it ends up in the quarantine list again anyway, but this process should still help you keep the list reasonably clean.
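The same filter wrapped in a more cautious workflow, as an added example that is not part of the original article: it saves the matching devices to a CSV file as a record of what was purged, then previews the removal with -WhatIf before anything is deleted. The variable names and the report path are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example, not from the original article.
# $CutoffMonths and $ReportPath are assumed values; adjust them to suit.
$CutoffMonths = 1
$ReportPath   = ".\quarantined-devices-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# Calculate the cutoff once so every device is compared to the same moment.
$cutoff = (Get-Date).AddMonths(-$CutoffMonths)

# Same filter as the article: quarantined, and first synced before the cutoff.
# -ResultSize Unlimited avoids silently truncating the list in large organizations.
$stale = @(Get-ActiveSyncDevice -ResultSize Unlimited | Where-Object {
    $_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt $cutoff
})

if ($stale.Count -eq 0) {
    Write-Host "No quarantined devices with a FirstSyncTime before $cutoff."
}
else {
    # Keep a record of exactly which devices are about to be removed.
    $stale |
        Select-Object Identity, UserDisplayName, DeviceModel, DeviceType, DeviceId,
                      FirstSyncTime, DeviceAccessState, DeviceAccessStateReason |
        Export-Csv -Path $ReportPath -NoTypeInformation

    Write-Host "$($stale.Count) device(s) written to $ReportPath"

    # Dry run: lists what would be removed without changing anything.
    $stale | Remove-ActiveSyncDevice -WhatIf

    # After reviewing the CSV and the -WhatIf output, uncomment to purge:
    # $stale | Remove-ActiveSyncDevice -Confirm:$false
}
```

Because the removal line works on the saved $stale collection, the devices deleted are the same ones written to the CSV, even if new devices are quarantined between the two steps.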

Comments

  1. Anil says

    Thanks Paul for the wonderful article which explains all the required steps to accomplish the task.

  2. Anil says

    Hi Paul,

    Need a small favour

    Can you please let me know if we can get the list of ActiveSync users which are in Quarantine state for more than a month for a particular OU?

    Thanks in Advance :)

  3. Anil says

    Hi Paul,

    I have used the identity {$_.userdisplayname -match ” Domain.com/OU” which fetched the required information.

    Thanks
