Exchange Protection Allow managed devices

Last updated
Save as PDF

Exchange Protection

When enabling the Quarantine Mode in your Exchange, all current connected devices will be automatically moved into the Quarantine Mode. As Silverback is moving managed devices with their Exchange ActiveSync identifiers to the ActiveSyncAllowedDeviceIDs list for specific users when an Exchange ActiveSync Profile will be installed on the device, this guide will help you to allow your current managed devices without removing and reassigning the Exchange ActiveSync Profile to your devices fleet after enabling the Quarantine Mode. This is typically a challenge for Administrators, when Silverback and Exchange is already in use (before activating the Exchange Protection) and users are already connected to ActiveSync. As a reassigning of the Exchange ActiveSync profile would cause that users would be prompted for re-entering their password (if no certificate based authentication used), this guide will ensure to make the transition without that need. During this guide, we will export all known Exchange ActiveSync identifiers either from the Hardware Summary Export or from your Silverback database and exporting them into an *.csv File. Afterwards we will connect from your Silverback or Cloud Connector Server (or local machine if Modern Authentication is used) to Exchange Online and review a user's mailbox, before we will execute the PowerShill script, which is attached to this guide. The exported *.csv will provide us the source for the target EAS identifiers, that we want to move into the ActiveSyncAllowedDeviceIDs list. The Powershell script will identify based on the identifiers, the corresponding mailbox names and will allow all devices for specific users in a bulk action. After executing the script we will review if a contained EAS identifier from the *.csv will be added to the ActiveSyncAllowedDeviceIDs list. As a result, all of your managed devices in Silverback will be allowed and all not managed devices will require a manual administrative task to grant the access separately.

Export ActiveSync Identifiers

Exporting ActiveSync Identifiers can be achieved in two different ways. On-Premises customers can use an SQL Query Export and Software as a Service customers can use the Hardware Summary export.

SQL Export

Connect to your SQL Server
Execute the following query on your SQL

SELECT [Mdm_EASDeviceIdentifier]
FROM [Silverback].[dbo].[DeviceLatestInfos]
WHERE Mdm_EASDeviceIdentifier is not NULL and DeviceId in (select DeviceId from Devices where DeviceStatusId=2 and Active=1)

In case you have currently blocked devices, these are not part of the result. When they will be moved from blocked to managed, the Exchange ActvieSync Profile will anyway be re-applied to the device and then the device will be automatically moved to the ActiveSyncAllowedDeviceIDs list through Silverback.

Perform a right click in the result section
Export the results into a *.csv file into a temporary location, e.g. as EASIdentifiers.csv

Hardware Summary Export

Added in Silverback 21.0 Update 2

Open your Silverback Management Console and login as an Administrator
Navigate to Dashboard
Click Export below Hardware Summary and open the downloaded Hardware Summary.xlsx
Enable Filtering and set the Filter for column Device Status to Managed
Scroll to the right and locate column EAS Device ID and set the filter to exlude -
Now select all remaining Exchange ActiveSync identifiers and copy them into your clipboard
Open Notepad or any TextEditor and paste all identifiers
Save the results into a *.csv file into a temporary location, e.g. as EASIdentifiers.csv
Your outcome should look like this

Prepare Script Execution

Connect to your Silverback or to your Cloud Connector server
Create a new folder, e.g. C:\Temp
Copy the exported EASIdentifiers.csv file into this folder
Add the following PS_AddDevicesToUsersAllowedList.ps1 into this folder

This script is not supported for Exchange 2010. In newer versions, the commands has been changed and Exchange 2010 is out of support by Microsoft.

Connect to Exchange Online

Depending on your authentication setup for Exchange Online, the connection methods are slightly different.

Connect with Modern Authentication

On Premise Customers: Open PowerShell on your Silverback Server
Cloud Customers: Open PowerShell on your workstation, where you performed the Exchange Protection Integration with Modern Authentication
Run the following adjusted command:

Connect-ExchangeOnline -CertificateThumbPrint "502ca2f6f74bc5ea7b21b6a18182da8209a4f266" -AppID "e9e621e9-cc90-4b48-a9d4-43ee7e6c4e4b" -Organization "imagoverum.onmicrosoft.com"

For Cloud Customers, the EXO V2 Powershell Module must be installed and the certificate must be present on the local machine.

Proceed with Review an existing mailbox

Connect with Basic Authentication

As this guide is intended for Exchange Online, adjust the session string for connecting to Exchange Server 2016 and 2013

Now Open PowerShell on your Silverback or Cloud Connector Server
Run the following command

$UserCredential = Get-Credential

Enter your Service Account, e.g. silverback_exchange@imagoverum.com
Enter your updated password, e.g. Pa$$w0rd
Click OK
Create a new Session:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import now the session with

Import-PSSession $Session -DisableNameChecking

Review an existing mailbox

Execute the following command, to check the ActiveSyncAllowedDeviceIDs values for a specific user

Get-CASMailbox -Identity tim.tober@imagoverum.com | fl *ActiveSync*

Review currently quarantine devices for a specific user

Get-MobileDevice -Mailbox tim.tober@imagoverum.com -Filter {DeviceAccessState -eq 'Quarantined'}

Execute PowerShell Script

Navigate now to your folder location, where the PowerShell script and the EAS Identifiers are located

cd C:\Temp

Now execute the PowerShell command as following:

 .\PS_AddDevicesToUsersAllowedList.ps1 -PathToCsv C:\Temp\EASIdentifiers.csv

Review existing mailbox changes

Execute the following command, to check the ActiveSyncAllowedDeviceIDs values for a specific user

Get-CASMailbox -Identity tim.tober@imagoverum.com | fl *ActiveSync*

ActiveSyncAllowedDeviceIDs values should be now increased with an Exchange ActiveSync Identifier from the EASIdentifier.csv file