Not Much Changes in Exchange Mobile Device Management
It’s been a while since I wrote about how to extract details of mobile devices registered with Exchange Online mailboxes. Time marches on and it’s time to take another look at how to generate a report about mobile devices used with Exchange Online, not least because there are upgraded versions of some cmdlets to use, like Get-ExoMailbox and Get-ExoMobileDeviceStatistics that didn’t arrive until late 2019.
Device management in Exchange Online goes back to on-premises management for mobile devices connected to Exchange Server via Exchange ActiveSync. Apart from making sure that everything works, Microsoft hasn’t done much to device management in Exchange Online. Most of the development activity has focused on leveraging synchronization of Outlook mobile clients with Exchange Online using the Azure-based architecture introduced in 2018 to introduce new functionality, like support for sensitivity labels.
The way Exchange ActiveSync management works hasn’t changed much. A glance at the device access rules (which control what devices a tenant allows to connect) in the Exchange admin center (Figure 1) reveals entries like Acompli (the company Microsoft acquired to get Outlook mobile), Windows Phone, iOS 6, and so on. The advantage of this poor man’s mobile device management system is its simplicity. Even as Microsoft advanced to the final deprecation of the old Exchange admin center, not an iota of new functionality appeared in mobile device management.

The subtle hint here is that mobile device management is better done in a purpose-built device management framework like Intune. And so you should, if you feel the need.
Reporting Mobile Device Status
Getting back to reporting the set of devices registered for Exchange mobile device management, the code to do the job is straightforward:
First, find the set of user mailboxes.
[array]$Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Sort-Object DisplayName
If (!($Mbx)) { Write-Host "Unable to find any user mailboxes..." ; break }
For each mailbox, check if it has any registered mobile devices with a command like this:
[array]$Devices = Get-MobileDevice -Mailbox $M.DistinguishedName
If some registered devices exist (the devices might be very old), use Get-ExoMobileDeviceStatistics to fetch information about the synchronization status of each device.
You see here that I use the distinguished name of a device to fetch its statistics. According to the cmdlet documentation, the identity parameter accepts the device Guid or identifier. I think this is a documentation error because:
- Guid works, but it’s slow.
- DeviceId returns a “cannot be found” error.
- DistinguishedName is fastest (up to ten times faster than Guid).
Which means that we do this:
$DeviceStats = Get-ExoMobileDeviceStatistics -Identity $Device.DistinguishedName
Parse the information returned by Exchange mobile device management to extract whatever seems interesting. For example:
- Operating system installed on the device.
- First date of synchronization.
- Last successful synchronization.
- Device policy applied to device.
- Last time Exchange applied a policy to the device.
An example script to generate the report about devices synchronizing with Exchange Online is available from GitHub. The script creates an HTML report (Figure 2) and a CSV file containing its output. Feel free to modify the script as you wish!
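The steps above combined into one loop, as an added example rather than the script published on GitHub. It assumes a session opened with Connect-ExchangeOnline; the DeviceDN and DaysSinceLastSync column names follow the removal snippet later in this article, while the other column names and the CSV path are illustrative.

```powershell
# Added example; assumes a session already opened with Connect-ExchangeOnline.
# DeviceDN and DaysSinceLastSync match the names used in this article's removal
# snippet; the other output column names and the CSV path are illustrative.
[array]$Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Sort-Object DisplayName
If (!($Mbx)) { Write-Host "Unable to find any user mailboxes..." ; return }

$Now = Get-Date
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($M in $Mbx) {
    [array]$Devices = Get-MobileDevice -Mailbox $M.DistinguishedName
    ForEach ($Device in $Devices) {
        Try {
            $DeviceStats = Get-ExoMobileDeviceStatistics -Identity $Device.DistinguishedName -ErrorAction Stop
        } Catch {
            # Keep going if one partnership cannot be read; note it for follow-up
            Write-Warning "No statistics for $($Device.DistinguishedName): $($_.Exception.Message)"
            Continue
        }
        # A device that never completed a synchronization has no LastSuccessSync
        $DaysSinceLastSync = $null
        If ($DeviceStats.LastSuccessSync) {
            $DaysSinceLastSync = (New-TimeSpan -Start $DeviceStats.LastSuccessSync -End $Now).Days
        }
        $Report.Add([PSCustomObject]@{
            Mailbox           = $M.DisplayName
            UPN               = $M.UserPrincipalName
            DeviceOS          = $DeviceStats.DeviceOS
            FirstSync         = $DeviceStats.FirstSyncTime
            LastSuccessSync   = $DeviceStats.LastSuccessSync
            DaysSinceLastSync = $DaysSinceLastSync
            PolicyApplied     = $DeviceStats.DevicePolicyApplied
            LastPolicyUpdate  = $DeviceStats.LastPolicyUpdateTime
            DeviceDN          = $Device.DistinguishedName
        })
    }
}
$Report | Sort-Object DaysSinceLastSync -Descending |
    Export-Csv -Path 'MobileDevices.csv' -NoTypeInformation -Encoding UTF8
```

Rows with an empty DaysSinceLastSync are partnerships that never completed a synchronization and are worth reviewing separately from devices that have simply gone quiet.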

Removing Obsolete Devices
Mobile device statistics allow the identification of devices that are not synchronizing. Any device that doesn’t synchronize in 30 days is likely no longer in active use and becomes a candidate for removal (after someone checks its actual status). When their obsolete status is confirmed, you can remove devices by running the Remove-MobileDevice cmdlet. Running the cmdlet breaks the partnership (link) between the mailbox and device.
For instance, this code finds devices reported with more than 365 days since their last synchronization and deletes the first device from the returned set.
[array]$SyncDevices365 = $Report | Where-Object {$_.DaysSinceLastSync -gt 365}
Remove-MobileDevice -Identity $SyncDevices365[0].DeviceDN -Confirm:$False
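A staged version of the same cleanup for the whole candidate set, as an added example that is not part of the original script: it records the candidates for review, performs a dry run with -WhatIf, and only removes partnerships once a reviewer sets the switch. The file paths and the $Threshold and $Commit variables are assumptions; DaysSinceLastSync and DeviceDN are the column names used in the snippet above.

```powershell
# Added example; assumes a Connect-ExchangeOnline session. File paths are
# placeholders. DaysSinceLastSync and DeviceDN are the column names used in
# the article's one-device snippet.
$Threshold = 365
$Commit    = $false   # flip to $true only after the candidate list is reviewed

# Import-Csv returns strings, so cast before comparing numerically.
# Rows with an empty DaysSinceLastSync (never synced) are skipped here.
[array]$Candidates = Import-Csv -Path 'MobileDevices.csv' |
    Where-Object { $_.DaysSinceLastSync -and [int]$_.DaysSinceLastSync -gt $Threshold }

# Keep a record of what is about to be removed, for review and audit
$Candidates | Export-Csv -Path 'RemovalCandidates.csv' -NoTypeInformation

ForEach ($C in $Candidates) {
    If (-not $Commit) {
        # Dry run: reports the action without breaking the partnership
        Remove-MobileDevice -Identity $C.DeviceDN -WhatIf
        Continue
    }
    Try {
        Remove-MobileDevice -Identity $C.DeviceDN -Confirm:$False -ErrorAction Stop
        Write-Host "Removed $($C.DeviceDN)"
    } Catch {
        Write-Warning "Failed to remove $($C.DeviceDN): $($_.Exception.Message)"
    }
}
```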
No Prospect for Change
At this point, it’s hard to see that Microsoft will make any dramatic change to the Exchange device management framework. What exists now suffices for small to medium businesses, and anyone who needs something more sophisticated should head to Intune or check out third-party mobile device management solutions.
Hi Tony, was just reading your last article, and wanted to say thanks for all your hard work!
Your blog/e-book/github is a bible for IT admins like me. I’m reading every news that you are posting to stay updated about Office 365. I’m saving a lot of time.
Thanks again! Your work is much appreciated.
No worries. The book is very much a team effort. If we didn’t have such talented contributors, the book wouldn’t be at its current level.
Please check line number 78, $$HtmlReport. The double dollar sign was preventing the script from running.
Fixed. I used to write code with Notepad and copy and paste errors could occur. Now I use Visual Studio Code. It’s more heavyweight but much better at picking up stuff like this.
Hi Tony,
Love the work you and your team do; it makes life for any admin so much easier.
Something I have noticed on the script. It is trying to get the Organization details (line 27) before connecting to ExchangeOnline, causing an error to display and the Name to remain blank on the report.
Yep, that’s a bug. Now fixed.
This was exactly what I was looking for everywhere. Thank you so much for taking the time to create and share!