I'm going to talk about a recent experience I had at one of our clients. Allow me to build a picture to provide a bit of background of where we were and what we were trying to achieve. This particular client had allowed over 3000 mobile devices to connect to their Office 365 ActiveSync environment with no controls in place. What this meant was that anyone with a company email address and password could connect to Office 365 on any device, including personal devices. Now, the concern was that users could connect to Exchange Online via ActiveSync with their personal devices and download sensitive company data and there was nothing in place that could stop them.
The challenge for me was: how do I now enforce some control with minimal impact to the userbase?
Here are the steps I followed:
Connect PowerShell to your Office 365 tenant and run the following command to get a list of all mobile devices that have ever connected to your Office 365 ActiveSync environment
Get a list of company owned mobile devices from your Asset Register (hopefully someone will be able to provide this to you in Excel csv format).
Get an Excel wizard (like I did) to perform a comparison of the 2 spreadsheets to create a 3rd spreadsheet that has 2 columns, Identity and DeviceID.
Identity is the user's Display Name in Office 365 Exchange Online and the DeviceID is generated when a device connects to Office 365. It is unlikely that the DeviceID will be present in your Asset Register. This is why you will need an Excel expert to perform a VLOOKUP between the AssetRegister.csv and the ActiveSyncDevicesOnCloud.csv using a common identifier such as the IMEI number that will be listed in both spreadsheets. It is this part of the process that is most painful.
I named this (3rd) spreadsheet Mobile.csv and it is this file that the script will call.
Save the following text in a file called AllowActiveSync.ps1
I performed this step in the early hours of the morning when a minimal number of users would be using their mobile devices
Log into your Office 365 tenant as a Global Admin, open the Exchange Admin Console and navigate to the Mobile section. Now click on Edit on the right-hand side.
Click on Quarantine - Let me decide to block or allow later and hit Save
Warning: This will quarantine every single device currently connected to your Office 365 ActiveSync environment and send a system generated email to each and every device that was connected to Office 365. This is why it is essential you have a good communication plan and also why you should perform this piece of work out of hours.
Run the AllowActiveSync.ps1 PowerShell script you created earlier and you will be prompted to log into your Office 365 tenant
Once you have successfully logged in, a window will open prompting you to select your csv file containing a list of all mobile devices that you want to add to the ActiveSync Allowed Device list.
Once this part is done, it's just a case of sitting back and waiting for the script to finish running. You will see PowerShell scroll through each user and device and allow each one listed in the Mobile.csv file.
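The author's AllowActiveSync.ps1 and the device-export command are not reproduced on this page, so the following is an added example of my own, not the author's script, that walks the same procedure end to end: connect, export every device that has ever synced (for the asset-register comparison), pick Mobile.csv from a file dialog, add each Identity/DeviceID pair to the mailbox's ActiveSync allowed list, and finally list what is still quarantined. It assumes the ExchangeOnlineManagement module is installed, that Mobile.csv has exactly the two columns described above (Identity and DeviceID), and that the export path and admin address are placeholders you will change.

```powershell
# Added example (not the author's AllowActiveSync.ps1). Assumes the
# ExchangeOnlineManagement module is installed and that Mobile.csv has the
# two columns the post describes: Identity (display name) and DeviceID.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an Exchange admin account

# Step 1: export every device that has ever synced, so it can be matched
# against the asset register on IMEI. Path is a placeholder.
$exportPath = 'C:\Temp\ActiveSyncDevicesOnCloud.csv'
Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceId, DeviceImei, DeviceType, DeviceModel, DeviceAccessState |
    Export-Csv -Path $exportPath -NoTypeInformation
Write-Host "Exported device list to $exportPath"

# Step 2: the GUI setting "Quarantine - Let me decide to block or allow later"
# has a cmdlet equivalent. The mail recipient is a placeholder.
# Uncomment when you are ready to flip the organisation default:
# Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
#     -AdminMailRecipients 'exchange-admins@example.com'

# Step 3: prompt for the CSV of company-owned devices (Mobile.csv).
Add-Type -AssemblyName System.Windows.Forms
$dialog = New-Object System.Windows.Forms.OpenFileDialog
$dialog.Filter = 'CSV files (*.csv)|*.csv'
$dialog.Title  = 'Select Mobile.csv (Identity, DeviceID)'
if ($dialog.ShowDialog() -ne [System.Windows.Forms.DialogResult]::OK) {
    throw 'No CSV file selected; nothing was changed.'
}
$devices = Import-Csv -Path $dialog.FileName
if (-not $devices -or -not ($devices[0].PSObject.Properties.Name -contains 'DeviceID')) {
    throw 'CSV must contain Identity and DeviceID columns.'
}

# Step 4: add each DeviceID to the allowed list on the owning mailbox.
# @{Add=...} appends to the multivalued property rather than replacing it,
# so a user with several company devices keeps all of them.
# Caveat: Identity is a display name here because that is what the post's
# CSV carries; display names can be duplicated, so the UPN is safer if the
# asset register can supply it.
$failures = @()
foreach ($entry in $devices) {
    try {
        Set-CASMailbox -Identity $entry.Identity `
            -ActiveSyncAllowedDeviceIDs @{Add = $entry.DeviceID} -ErrorAction Stop
        Write-Host "Allowed device $($entry.DeviceID) for $($entry.Identity)"
    } catch {
        Write-Warning "Failed: $($entry.Identity) / $($entry.DeviceID): $($_.Exception.Message)"
        $failures += $entry
    }
}
if ($failures) {
    $failures | Export-Csv -Path 'C:\Temp\AllowActiveSync-failures.csv' -NoTypeInformation
}

# Step 5: check what is still quarantined. Anything left here is a device that
# connected but is not on the asset register, i.e. the personal devices the
# exercise was meant to catch.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel |
    Format-Table -AutoSize
```

Two points worth knowing before running it for real. First, per-mailbox allow entries take precedence over the organisation default access level, so populating the allowed lists (Step 4) before switching the default to Quarantine (Step 2) keeps company devices out of the quarantine and the system-generated emails go only to devices that are not on the asset register. Second, a failed Set-CASMailbox leaves that device quarantined rather than blocked, so the failures CSV is your worklist for the morning, not a list of locked-out users.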
And that is it!!
You may know of a better way to do this than the method I had to adopt, so please let me know if you know of a better and simpler method.
A big shout out to Robert Horsley (http://www.horsleytech.com) who played a big part in creating this script.