Get Mobile Device Policy Change PowerShell
Hello,
Today we’ll see how to measure the impact of a mobile policy change in your organization. For example, let’s say that your organization wants to harden the mobile device requirements for mailbox access and you want to see, a few days later, how many mobile devices have stopped syncing. If you have Exchange or Office 365 with Exchange Online, you can use PowerShell to retrieve this kind of information. First, you’ll need a PowerShell session connected to your Exchange server or to Exchange Online.
Then, once connected, you can use code like the following. You’ll need to adapt the dates to fit your needs:
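$StartTime = (Get-Date).AddDays(-14)   # start of the observation window
# Time of the policy change; -Minute and -Second are set because Get-Date otherwise keeps the current ones
$ChangePolicyTime = (Get-Date -Day 15 -Month 11 -Year 2018 -Hour 21 -Minute 0 -Second 0)
$LostMobileDeviceSincePolicyChange = Get-MobileDevice |
    ForEach-Object { Get-MobileDeviceStatistics -Identity $_.DistinguishedName } |
    Where-Object -FilterScript { ($_.LastSuccessSync -ge $StartTime) -and ($_.LastSuccessSync -le $ChangePolicyTime) }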
Note: This code may generate some errors if you have devices connected to non-existing mailboxes.
This lists all the mobile devices whose last successful sync falls between $StartTime and $ChangePolicyTime, that is, the devices that have stopped syncing since $ChangePolicyTime. You can then display the result in a nicely formatted grid view:
$LostMobileDeviceSincePolicyChange | Select-Object -Property FirstSyncTime,LastSuccessSync,DeviceUserAgent,DeviceFriendlyName,DeviceOS,ClientType | Out-GridView
Or export to a CSV:
$LostMobileDeviceSincePolicyChange | Select-Object -Property FirstSyncTime,LastSuccessSync,DeviceUserAgent,DeviceFriendlyName,DeviceOS,ClientType | Export-Csv -NoTypeInformation -Delimiter ';' 'LostMobileDeviceSincePolicyChange.csv'
You will then be able to analyze the result with Excel and a pivot table and see how many devices have stopped syncing since your mobile device policy change.
You can also get some statistics with:
$StartTime = (Get-Date).AddDays(-21)
# -Minute and -Second are set because Get-Date otherwise keeps the current ones
$ChangePolicyTime = (Get-Date -Day 15 -Month 11 -Year 2018 -Hour 21 -Minute 0 -Second 0)
# Collect the statistics once, then filter them locally
$AllMobileDevices = @(Get-MobileDevice | ForEach-Object { Get-MobileDeviceStatistics -Identity $_.DistinguishedName })
$LostMobileDeviceSincePolicyChange = @($AllMobileDevices | Where-Object -FilterScript { ($_.LastSuccessSync -ge $StartTime) -and ($_.LastSuccessSync -le $ChangePolicyTime) })
# Total devices, devices lost since the policy change, and the ratio as a percentage
New-Object -TypeName PSObject -Property @{
    TotalDevices = $AllMobileDevices.Count
    LostDevices  = $LostMobileDeviceSincePolicyChange.Count
    Percent      = '{0:P2}' -f ($LostMobileDeviceSincePolicyChange.Count / $AllMobileDevices.Count)
}
The policy change can be various things:
- Force device encryption
- Force complex passcode
- Force device enrollment (MDM)
- Force application enrollment (MAM)
- etc…
Each of those policy changes will cause a device to stop syncing if it’s not compliant, and you will be able to identify the affected devices with the previous PowerShell lines.
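The pivot-table breakdown mentioned above can also be produced directly in PowerShell. The following is an added example, not code from the original post: the function name Get-LostMobileDeviceSummary and the sample devices are hypothetical and constructed so the block runs without an Exchange session.

```powershell
# Added example: break the "lost device" ratio down per DeviceOS or ClientType.
# Get-LostMobileDeviceSummary is a hypothetical helper name, not an Exchange cmdlet.
function Get-LostMobileDeviceSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Statistics,        # objects such as $AllMobileDevices above
        [Parameter(Mandatory)] [datetime] $StartTime,
        [Parameter(Mandatory)] [datetime] $ChangePolicyTime,
        [ValidateSet('DeviceOS', 'ClientType')] [string] $GroupBy = 'DeviceOS'
    )
    foreach ($group in ($Statistics | Group-Object -Property $GroupBy)) {
        # Same window test as the post; a device that never synced (no LastSuccessSync)
        # is counted in TotalDevices but can never match the window.
        $lost = @($group.Group | Where-Object {
            $_.LastSuccessSync -and
            $_.LastSuccessSync -ge $StartTime -and
            $_.LastSuccessSync -le $ChangePolicyTime
        })
        [pscustomobject]@{
            $GroupBy     = $group.Name
            TotalDevices = $group.Count
            LostDevices  = $lost.Count
            Percent      = '{0:P2}' -f ($lost.Count / $group.Count)
        }
    }
}

# Constructed sample data standing in for Get-MobileDeviceStatistics output.
$now    = Get-Date
$sample = @(
    [pscustomobject]@{ DeviceOS = 'iOS';     ClientType = 'EAS'; LastSuccessSync = $now.AddDays(-1) }   # still syncing
    [pscustomobject]@{ DeviceOS = 'iOS';     ClientType = 'EAS'; LastSuccessSync = $now.AddDays(-5) }   # lost
    [pscustomobject]@{ DeviceOS = 'Android'; ClientType = 'EAS'; LastSuccessSync = $now.AddDays(-6) }   # lost
    [pscustomobject]@{ DeviceOS = 'Android'; ClientType = 'EAS'; LastSuccessSync = $now.AddDays(-4) }   # lost
    [pscustomobject]@{ DeviceOS = 'Android'; ClientType = 'EAS'; LastSuccessSync = $now.AddDays(-30) }  # stale before the window
    [pscustomobject]@{ DeviceOS = 'Android'; ClientType = 'EAS'; LastSuccessSync = $null }              # never synced
)

# Policy change assumed 3 days ago, observation window starting 14 days ago.
Get-LostMobileDeviceSummary -Statistics $sample -StartTime $now.AddDays(-14) -ChangePolicyTime $now.AddDays(-3) |
    Sort-Object -Property LostDevices -Descending |
    Format-Table -AutoSize
```

In a real session, pass the $AllMobileDevices collection built earlier as -Statistics, together with your own $StartTime and $ChangePolicyTime.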