Table of Contents
Enable Exchange Activesync Quarantine
Exchange Admin Console
1. Visit https://admin.exchange.microsoft.com/#/homepage > Select Mobile Device Access
2. Select the Edit button at the top for Global Device Rules
3. Select Quarantine > Add desired email users for notifications > Add end-user notification
message > Select Save
4. After quarantine enabling ALL mobile devices will have to be manually approved
Enable Active Sync Quarantine (Powershell) #
EnableActiveSyncDeviceQuarantine.ps1
#Variables
$ApprovedDeviceDays = 90
$contactInfo = "support@company.com"
$approvalSLA = "8"
# Install the Exchange Online module if not already installed
Install-Module -Name ExchangeOnlineManagement
# Connect to Exchange Online
Connect-ExchangeOnline
# Enable device quarantine organization-wide
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
# Optional: Add administrator email addresses to receive notifications
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients email1, email2
Set-ActiveSyncOrganizationSettings -UserMailInsert "Your device has been quarantined for security review and approval. Please contact IT at $contactInfo for assistance if device is still blocked after $approvalSLA hours."
#Get devices connected in the last 90 days and approve
$cutoffDate = (Get-Date).AddDays($ApprovedDeviceDays)
Get-MobileDevice | Where-Object {
($_.LastSuccessSync -ge $cutoffDate -or $_.LastSyncAttemptTime -ge $cutoffDate) -and
$_.DeviceAccessState -eq "Quarantined"
} | ForEach-Object {
try {
Write-Host "Approving device: $($_.DeviceModel) for user: $($_.UserDisplayName)" -ForegroundColor Green
Set-MobileDevice -Identity $_.Guid -DeviceAccessState Allow -Confirm:$false
Write-Host "✓ Successfully approved" -ForegroundColor Green
}
catch {
Write-Host "✗ Failed to approve: $($_.Exception.Message)" -ForegroundColor Red
}
}
