Skip to main content
Matrix42 Self-Service Help Center

Exchange Protection Allow managed devices

Exchange Protection 

When enabling the Quarantine Mode in your Exchange, all current connected devices will be automatically moved into the Quarantine Mode. As Silverback is moving managed devices with their Exchange ActiveSync identifiers to the ActiveSyncAllowedDeviceIDs list for specific users when an Exchange ActiveSync Profile will be installed on the device, this guide will help you to allow your current managed devices without removing and reassigning the Exchange ActiveSync Profile to your devices fleet after enabling the Quarantine Mode.  This is typically a challenge for Administrators, when Silverback and Exchange is already in use (before activating the Exchange Protection) and users are already connected to ActiveSync. As a reassigning of the Exchange ActiveSync profile would cause that users would be prompted for re-entering their password (if no certificate based authentication used), this guide will ensure to make the transition without that need. During this guide, we will export all known Exchange ActiveSync identifiers either from the Hardware Summary Export or from your Silverback database and exporting them into an *.csv File. Afterwards we will connect from your Silverback or Cloud Connector Server (or local machine if Modern Authentication is used) to Exchange Online and review a user's mailbox, before we will execute the PowerShill script, which is attached to this guide. The exported *.csv will provide us the source for the target EAS identifiers, that we want to move into the ActiveSyncAllowedDeviceIDs list. The Powershell script will identify based on the identifiers, the corresponding mailbox names and will allow all devices for specific users in a bulk action. After executing the script we will review if a contained EAS identifier from the *.csv will be added to the ActiveSyncAllowedDeviceIDs list. As a result, all of your managed devices in Silverback will be allowed and all not managed devices will require a manual administrative task to grant the access separately. 

Export ActiveSync Identifiers

Exporting ActiveSync Identifiers can be achieved in two different ways. On-Premises customers can use an SQL Query Export and Software as a Service customers can use the Hardware Summary export. 

SQL Export

  • Connect to your SQL Server
  • Execute the following query on your SQL
SELECT [Mdm_EASDeviceIdentifier]
FROM [Silverback].[dbo].[DeviceLatestInfos]
WHERE Mdm_EASDeviceIdentifier is not NULL and DeviceId in (select DeviceId from Devices where DeviceStatusId=2 and Active=1)

In case you have currently blocked devices, these are not part of the result. When they will be moved from blocked to managed, the Exchange ActvieSync Profile will anyway be re-applied to the device and then the device will be automatically moved to the ActiveSyncAllowedDeviceIDs list through Silverback. 

  • Perform a right click in the result section
  • Export the results into a *.csv file into a temporary location, e.g. as EASIdentifiers.csv

Hardware Summary Export

Added in Silverback 21.0 Update 2 

  • Open your Silverback Management Console and login as an Administrator
  • Navigate to Dashboard
  • Click Export below Hardware Summary and open the downloaded Hardware Summary.xlsx
  • Enable Filtering and set the Filter for column Device Status to Managed
  • Scroll to the right and locate column EAS Device ID and set the filter to exlude -
  • Now select all remaining Exchange ActiveSync identifiers and copy them into your clipboard
  • Open Notepad or any TextEditor and paste all identifiers 
  • Save the results into a *.csv file into a temporary location, e.g. as EASIdentifiers.csv
  • Your outcome should look like this


Prepare Script Execution 

  • Connect to your Silverback or to your Cloud Connector server
  • Create a new folder, e.g. C:\Temp 
  • Copy the exported  EASIdentifiers.csv file into this folder
  • Add the following PS_AddDevicesToUsersAllowedList.ps1 into this folder

This script is not supported for Exchange 2010. In newer versions, the commands has been changed and Exchange 2010 is out of support by Microsoft. 

Connect to Exchange Online

Depending on your authentication setup for Exchange Online, the connection methods are slightly different. 

Connect with Modern Authentication

Connect-ExchangeOnline -CertificateThumbPrint "502ca2f6f74bc5ea7b21b6a18182da8209a4f266" -AppID "e9e621e9-cc90-4b48-a9d4-43ee7e6c4e4b" -Organization ""

For Cloud Customers, the EXO V2 Powershell Module must be installed and the certificate must be present on the local machine.

Connect with Basic Authentication

As this guide is intended for Exchange Online, adjust the session string for connecting to Exchange Server 2016 and 2013

  • Now Open PowerShell on your Silverback or Cloud Connector Server
  • Run the following command
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
  • Import now the session with
Import-PSSession $Session -DisableNameChecking

Review an existing mailbox

  • Execute the following command, to check the ActiveSyncAllowedDeviceIDs values for a specific user
Get-CASMailbox -Identity | fl *ActiveSync* 
  • Review currently quarantine devices for a specific user
Get-MobileDevice -Mailbox -Filter {DeviceAccessState -eq 'Quarantined'} 

Execute PowerShell Script

  • Navigate now to your folder location, where the PowerShell script and the EAS Identifiers are located
cd C:\Temp
  • Now execute the PowerShell command as following:  
 .\PS_AddDevicesToUsersAllowedList.ps1 -PathToCsv C:\Temp\EASIdentifiers.csv

Review existing mailbox changes

  • Execute the following command, to check the ActiveSyncAllowedDeviceIDs values for a specific user
Get-CASMailbox -Identity | fl *ActiveSync* 
  • ActiveSyncAllowedDeviceIDs values should be now increased with an Exchange ActiveSync Identifier from the EASIdentifier.csv file 
  • Was this article helpful?