Key Points
- Unmanaged clients connecting to an organization’s ActiveSync environment may pose risks and create security blind spots.
- Mitigate those risks by creating a framework that manages and maintains device data, so you can assess compliance and decide which devices should be updated, quarantined, or decommissioned.
- Steps for getting ActiveSync device details and maintaining this documentation:
  - Inventory of all ActiveSync devices
  - Enrichment with usage and sync data
  - Identification of legacy or noncompliant devices
  - Normalization, logging, and exporting data
  - Automation and safe operation of ActiveSync device management
  - Driving follow-up actions
- NinjaOne Support for Building ActiveSync Device Data: Job deployment and scheduling, credential management, export & log attachment, ticket automation, and dashboard cards
- Maintain accurate ActiveSync device data to ensure devices connecting to ActiveSync environments meet defined access and policy requirements within your security framework.
Microsoft ActiveSync is an essential tool for bridging the gap between Microsoft Exchange and mobile devices. With sophisticated threats looming in the background, keeping that connection secure is crucial. One way to build protection is to ensure all clients are trustworthy by creating a framework that continuously audits ActiveSync partnerships.
In this guide, we walk through using Microsoft's Get-ActiveSyncDevice and related cmdlets to run regular audits that produce accurate, granular device data, and we combine that data with modern reporting practices. This workflow supports access hygiene, policy enforcement, and client deprecation.
At a glance
| Task | Purpose and value |
| --- | --- |
| Task 1: Enumerate all ActiveSync devices | Produces the dataset that is the foundation for enforcement actions, staleness checks, and client deprecation reviews. |
| Task 2: Enrich with usage and sync data | Transforms raw device entries into actionable items for lifecycle and compliance decisions. |
| Task 3: Identify legacy or noncompliant devices | Prioritizes remediation actions such as user re-enrollment, device removal, or client upgrades. |
| Task 4: Normalize, log, and export | Allows auditors, security teams, and MSP clients to compare runs across time and validate reductions in risky devices. |
| Task 5: Automate and operate safely | Ensures you always have fresh device data without operational overhead. |
| Task 6: Drive follow-up actions | Closes the loop between reporting, compliance, and risk reduction. |
Prerequisites:
Before proceeding with the tasks, make sure the following are in place:
- Exchange Online PowerShell module and roles to query mobile devices
- Secure credential or app-only authentication for unattended runs
- Central path for CSV, JSON, and run logs
- Defined policy matrix for allowed, quarantined, and blocked device states
Task 1: Enumerate all ActiveSync devices
To begin, you need to inventory all devices using ActiveSync by running the Get-ActiveSyncDevice cmdlet. Get-ActiveSyncDevice shows direct relationships between devices and mailboxes. Here’s what you should do to get an authoritative dataset for all downstream analysis:
- Connect to Exchange Online using PowerShell.
- Retrieve the complete device list by running the complete inventory command:

```powershell
Get-ActiveSyncDevice -ResultSize Unlimited |
    Select-Object Identity, UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessState, DeviceAccessStateReason, ClientVersion, WhenChanged
```

- Record totals and add TenantId, AsOf timestamp, and script version to all records.
This cmdlet provides a direct association between devices and mailboxes, serving as the baseline for subsequent analysis.
Task 2: Enrich with usage and sync data
For this task, you will use the Get-MobileDeviceStatistics cmdlet to retrieve synchronization and policy status details for the mobile devices associated with a specific mailbox. This enriches each record with deeper context: detailed activity, staleness, and policy freshness.
Here are the steps:
- Connect to Exchange Online PowerShell.
- Loop through each mailbox or device by running this command:

```powershell
Get-MobileDeviceStatistics -Mailbox <user> |
    Select-Object DeviceFriendlyName, LastSuccessSync, LastPolicyUpdateTime, ClientInformation
```

- Join results with your baseline inventory (Task 1) using DeviceId and UserPrincipalName.
- Compute the following data points:
  - Device age
  - Last sync window
  - Staleness category (30/60/90+ days)
Task 3: Identify legacy or noncompliant devices
For this step, you will evaluate each device to determine if it still meets compliance requirements. Here are the actions to take:
- Flag devices if:
  - They are using outdated OS versions
  - They are using old ClientVersion strings
- Mark devices still using Basic or legacy authentication (cross-reference your "disable legacy authentication" baseline).
- Identify inactive devices or those in a permanent quarantine or blocked state.
- Prioritize cleanup or user re-enrollment based on policy.
Task 4: Normalize, log, and export
Your next actions focus on maintaining a consistent audit by normalizing every output field, applying consistent naming conventions, and exporting in multiple formats.
Here’s how:
- Standardize all fields:
  - DeviceOSVersion
  - LastSuccessSync
  - State
  - ActionRequired
- Export results:
  - CSV for operational reviews
  - JSON for dashboards or log ingestion tools
- Write a run log summarizing the following:
  - Parameters
  - Record counts
  - Duration
- Retain at least 12 months of results for pattern analysis.
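The following script is an added example, not code from the original guide, that carries Tasks 1 through 4 out in one run: it builds the baseline inventory with Get-ActiveSyncDevice, enriches it per mailbox with Get-MobileDeviceStatistics (joining on DeviceId, with the UPN taken from the mailbox being looped over), computes device age and staleness buckets, flags outdated OS builds, legacy ClientVersion strings, inactive partnerships and quarantined or blocked states, and writes the normalized CSV, JSON and a run-log line. It assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session already exists; the tenant id, output path and the OS and ClientVersion thresholds are placeholders standing in for your own policy matrix.

```powershell
# Added example (not code from the original guide): Tasks 1-4 in one audit run.
# Assumptions: ExchangeOnlineManagement installed, Connect-ExchangeOnline already
# run, and the tenant id, output path and policy thresholds below are placeholders.
$ScriptVersion = '1.0.0'
$TenantId      = 'TENANT-ID-PLACEHOLDER'
$OutputRoot    = 'C:\AuditOutput\ActiveSync'        # central path for CSV, JSON and logs
$Started       = Get-Date
$AsOf          = $Started.ToUniversalTime()
$Stamp         = $AsOf.ToString('yyyyMMdd-HHmmss')

# Placeholder policy matrix: minimum OS major version per platform and the minimum
# ActiveSync protocol version a client must report in ClientVersion.
$MinOsMajor       = @{ 'iOS' = 16; 'Android' = 12 }
$MinClientVersion = [version]'14.0'

function ToIso($dt)     { if ($dt) { $dt.ToUniversalTime().ToString('o') } else { $null } }
function DaysSince($dt) { if ($dt) { [int][math]::Floor(($Started - $dt).TotalDays) } else { $null } }

New-Item -ItemType Directory -Path $OutputRoot -Force | Out-Null

# Task 1: baseline inventory, keyed on DeviceId for the join in Task 2
$inventory = @{}
Get-ActiveSyncDevice -ResultSize Unlimited | ForEach-Object {
    if ($_.DeviceId) { $inventory[$_.DeviceId] = $_ }
}

# Tasks 2 and 3: enrich per mailbox (so the UPN is known), then flag each device
$records = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($stat in Get-MobileDeviceStatistics -Mailbox $mbx.UserPrincipalName) {
        $dev = $inventory[$stat.DeviceId]
        if (-not $dev) { continue }                   # no baseline entry: skip

        $daysSinceSync = DaysSince $stat.LastSuccessSync
        $staleness = if ($null -eq $daysSinceSync) { 'NeverSynced' }
                     elseif ($daysSinceSync -le 30)  { 'Active' }
                     elseif ($daysSinceSync -le 60)  { 'Stale30' }
                     elseif ($daysSinceSync -le 90)  { 'Stale60' }
                     else                            { 'Stale90Plus' }

        # DeviceOS looks like "iOS 17.1.2 21B101" or "Android 13": the platform is
        # the first word and the major version the first number found
        $osPlatform = [string](($dev.DeviceOS -split '\s+')[0])
        $osMajor    = if ($dev.DeviceOS -match '\d+') { [int]$Matches[0] } else { $null }
        $clientVer  = $null
        $null = [version]::TryParse($dev.ClientVersion, [ref]$clientVer)

        $reasons = @()
        if ($osMajor -and $MinOsMajor.ContainsKey($osPlatform) -and
            $osMajor -lt $MinOsMajor[$osPlatform])               { $reasons += 'OutdatedOS' }
        if ($clientVer -and $clientVer -lt $MinClientVersion)    { $reasons += 'LegacyClientVersion' }
        if ($staleness -in 'Stale90Plus', 'NeverSynced')         { $reasons += 'Inactive' }
        if ($dev.DeviceAccessState -in 'Quarantined', 'Blocked') { $reasons += "AccessState:$($dev.DeviceAccessState)" }
        $action = if ($reasons -contains 'Inactive') { 'RemovePartnership' }
                  elseif ($reasons.Count -gt 0)      { 'ReEnrollOrReview' }
                  else                               { 'None' }

        # Task 4: one normalized record per partnership, stamped for repeatable audits
        [pscustomobject]@{
            TenantId = $TenantId; AsOf = (ToIso $AsOf); ScriptVersion = $ScriptVersion
            UserPrincipalName = $mbx.UserPrincipalName
            DeviceId = $dev.DeviceId; Identity = $dev.Identity
            DeviceType = $dev.DeviceType; DeviceModel = $dev.DeviceModel
            DeviceOSVersion = $dev.DeviceOS; ClientVersion = $dev.ClientVersion
            State = $dev.DeviceAccessState; StateReason = $dev.DeviceAccessStateReason
            DeviceAgeDays = (DaysSince $stat.FirstSyncTime)
            LastSuccessSync = (ToIso $stat.LastSuccessSync)
            LastPolicyUpdate = (ToIso $stat.LastPolicyUpdateTime)
            DaysSinceSync = $daysSinceSync; Staleness = $staleness
            FlagReasons = ($reasons -join ';'); ActionRequired = $action
        }
    }
}

# Task 4: CSV for reviews, JSON for dashboards or log ingestion, then a run-log line
$csvPath  = Join-Path $OutputRoot "activesync-devices-$Stamp.csv"
$jsonPath = Join-Path $OutputRoot "activesync-devices-$Stamp.json"
$records | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
$records | ConvertTo-Json -Depth 3 | Set-Content -Path $jsonPath -Encoding UTF8

$byStaleness = @{}
$records | Group-Object Staleness | ForEach-Object { $byStaleness[$_.Name] = $_.Count }
[pscustomobject]@{
    AsOf = (ToIso $AsOf); TenantId = $TenantId; ScriptVersion = $ScriptVersion
    Parameters      = @{ MinOsMajor = $MinOsMajor; MinClientVersion = $MinClientVersion.ToString() }
    InventoryCount  = $inventory.Count
    RecordCount     = @($records).Count
    FlaggedCount    = @($records | Where-Object { $_.FlagReasons }).Count
    ByStaleness     = $byStaleness
    DurationSeconds = [int]((Get-Date) - $Started).TotalSeconds
    CsvPath = $csvPath; JsonPath = $jsonPath
} | ConvertTo-Json -Compress -Depth 3 | Add-Content -Path (Join-Path $OutputRoot 'runlog.jsonl')
```

The run log is appended as one JSON line per run, so twelve months of runs can be diffed or charted without parsing the full exports; the per-run CSV and JSON file names carry the AsOf stamp so no run overwrites another.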
Task 5: Automate and operate safely
This task matters most for enterprise-grade, multi-tenant MSP operations, where manual audits do not scale. Here's how to create an automation framework for ActiveSync device management:
- Authenticate app-only and page large result sets to avoid throttling.
- Add retry logic for transient errors and maintain idempotent outputs.
- Schedule weekly inventory runs and monthly deltas for growth tracking.
- Integrate with compliance or alert workflows for legacy and stale devices.
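Below is an added example, not code from the original guide, of the unattended side of this task: a certificate-based app-only Connect-ExchangeOnline call, a retry wrapper with exponential backoff for transient throttling errors, batch-wise collection limited to mailboxes that actually have a partnership, an idempotent write (temp file, then one move into place) keyed on the run date, and a delta against the previous run for growth tracking. It assumes an app registration permitted to run Exchange Online PowerShell unattended with its certificate in the local machine store; the AppId, thumbprint, organization domain and paths are placeholders, and the error-message patterns used to classify transient failures are an assumption to tune against your own logs.

```powershell
# Added example (not code from the original guide): app-only, retried, idempotent run
# with a delta against the previous run. AppId, thumbprint, organization and paths
# are placeholders; the transient-error patterns are an assumption to tune.
$AppId        = 'APP-ID-PLACEHOLDER'
$Thumbprint   = 'CERT-THUMBPRINT-PLACEHOLDER'
$Organization = 'contoso.onmicrosoft.com'          # placeholder tenant domain
$OutputRoot   = 'C:\AuditOutput\ActiveSync'
$BatchSize    = 200                                # mailboxes per batch between pauses

function Invoke-WithRetry {
    # Re-run the script block on transient errors (throttling, timeouts) with
    # exponential backoff; any other error is rethrown at once.
    param([scriptblock]$Action, [int]$MaxAttempts = 5, [int]$BaseDelaySeconds = 5)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return & $Action }
        catch {
            $transient = $_.Exception.Message -match 'throttl|timed out|timeout|429|503|temporar'
            if (-not $transient -or $attempt -eq $MaxAttempts) { throw }
            $delay = $BaseDelaySeconds * [math]::Pow(2, $attempt - 1)
            Write-Warning "Attempt $attempt failed, retrying in $delay s: $($_.Exception.Message)"
            Start-Sleep -Seconds $delay
        }
    }
}

$runDate = (Get-Date).ToUniversalTime().ToString('yyyyMMdd')
$final   = Join-Path $OutputRoot "activesync-partnerships-$runDate.csv"
$tmp     = "$final.tmp"

try {
    Invoke-WithRetry {
        Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
            -Organization $Organization -ShowBanner:$false
    }

    # Only mailboxes that actually have a partnership, processed in batches so a
    # large tenant does not hit the per-session throttling limits in one burst.
    $mailboxes = @(Invoke-WithRetry {
        Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
            Select-Object -ExpandProperty PrimarySmtpAddress
    })
    $rows = [System.Collections.Generic.List[object]]::new()
    for ($i = 0; $i -lt $mailboxes.Count; $i += $BatchSize) {
        $last = [math]::Min($i + $BatchSize, $mailboxes.Count) - 1
        foreach ($mbx in $mailboxes[$i..$last]) {
            $stats = Invoke-WithRetry { Get-MobileDeviceStatistics -Mailbox $mbx }
            foreach ($s in $stats) {
                $rows.Add([pscustomobject]@{
                    RunDate = $runDate; Mailbox = $mbx; DeviceId = $s.DeviceId
                    DeviceType = $s.DeviceType; LastSuccessSync = $s.LastSuccessSync
                })
            }
        }
        Start-Sleep -Seconds 2                     # brief pause between batches
    }

    # Idempotent output: write to a temp file, then replace the day's file in one
    # move, so a rerun on the same day overwrites instead of duplicating rows.
    $rows | Export-Csv -Path $tmp -NoTypeInformation -Encoding UTF8
    Move-Item -Path $tmp -Destination $final -Force

    # Delta against the most recent earlier run: added and removed partnerships
    $previous = Get-ChildItem $OutputRoot -Filter 'activesync-partnerships-*.csv' |
        Where-Object { $_.FullName -ne $final } | Sort-Object Name | Select-Object -Last 1
    if ($previous) {
        $old = @(Import-Csv $previous.FullName | Select-Object -ExpandProperty DeviceId)
        $new = @($rows | Select-Object -ExpandProperty DeviceId)
        $added   = @(Compare-Object $old $new | Where-Object SideIndicator -eq '=>')
        $removed = @(Compare-Object $old $new | Where-Object SideIndicator -eq '<=')
        "$runDate delta vs $($previous.Name): +$($added.Count) / -$($removed.Count) partnerships" |
            Add-Content -Path (Join-Path $OutputRoot 'delta.log')
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Scheduled weekly, this produces one file per run date and one delta line per run; the monthly growth figure is then the sum of the delta lines for the month, with no second query against the tenant.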
Task 6: Drive follow-up actions
To complete the framework, you need to enforce governance by strengthening both security and operational workflows. Here are the actions you need to take:
- User communication: Send notice and setup information to users whose devices require an upgrade or re-enrollment.
- Remediation: Remove stale partnerships or apply an automated quarantine policy with approvals.
- Security validation: Align findings with Conditional Access and Exchange Online backup verifications.
- Governance: Link metrics to password spray prevention and shared mailbox restrictions.
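The remediation and user-communication items above can be gated on explicit approvals, as in this added example, which is not code from the original guide. It reads an audit CSV (assumed to carry Identity, UserPrincipalName, DeviceModel, Staleness and ActionRequired columns) and an approvals CSV (assumed columns Identity and ApprovedBy); partnerships marked for removal and present in the approvals file are removed with Remove-MobileDevice, everything else is written to a notice list for the user-communication step, and every decision is logged. It assumes an existing Exchange Online session, and it defaults to a dry run in which Remove-MobileDevice is called with -WhatIf; the paths are placeholders.

```powershell
# Added example (not code from the original guide): approval-gated cleanup of stale
# ActiveSync partnerships. Assumes an existing Exchange Online session; the paths and
# the CSV column names are assumptions, and $DryRun keeps removals in -WhatIf mode.
$AuditCsv     = 'C:\AuditOutput\ActiveSync\activesync-devices-latest.csv'   # placeholder
$ApprovalsCsv = 'C:\AuditOutput\ActiveSync\approved-removals.csv'           # placeholder
$ActionLog    = 'C:\AuditOutput\ActiveSync\remediation.log'
$NoticeCsv    = 'C:\AuditOutput\ActiveSync\user-notices.csv'
$DryRun       = $true          # set to $false only after the approvals file is reviewed

function Write-ActionLog([string]$Line) {
    "$((Get-Date).ToUniversalTime().ToString('o')) $Line" | Add-Content -Path $ActionLog
}

# Candidates come from the audit; approvals are keyed on the device Identity so that
# a stale partnership is only removed once someone has signed off on that exact device.
$candidates = Import-Csv $AuditCsv | Where-Object { $_.ActionRequired -eq 'RemovePartnership' }
$approved   = @{}
if (Test-Path $ApprovalsCsv) {
    Import-Csv $ApprovalsCsv | ForEach-Object { $approved[$_.Identity] = $_.ApprovedBy }
}

$notices = foreach ($c in $candidates) {
    if ($approved.ContainsKey($c.Identity)) {
        try {
            if ($DryRun) { Remove-MobileDevice -Identity $c.Identity -WhatIf }
            else         { Remove-MobileDevice -Identity $c.Identity -Confirm:$false }
            Write-ActionLog "REMOVED dryrun=$DryRun user=$($c.UserPrincipalName) device=$($c.Identity) approvedBy=$($approved[$c.Identity])"
        }
        catch {
            Write-ActionLog "FAILED user=$($c.UserPrincipalName) device=$($c.Identity) error=$($_.Exception.Message)"
        }
    }
    else {
        # Not yet approved: leave the partnership alone and queue a user notice
        Write-ActionLog "PENDING user=$($c.UserPrincipalName) device=$($c.Identity) staleness=$($c.Staleness)"
        [pscustomobject]@{
            UserPrincipalName = $c.UserPrincipalName
            DeviceModel       = $c.DeviceModel
            Staleness         = $c.Staleness
            Message           = 'This device has not synced in over 90 days and is scheduled for removal unless it is re-enrolled.'
        }
    }
}

if ($notices) { $notices | Export-Csv -Path $NoticeCsv -NoTypeInformation -Encoding UTF8 }
Write-ActionLog "SUMMARY candidates=$(@($candidates).Count) approved=$($approved.Count) notices=$(@($notices).Count) dryrun=$DryRun"
```

Keeping the approvals file separate from the audit output means the audit can be fully automated while the destructive step still needs a human entry per device, and the log gives the security validation step a record of who approved each removal and when it ran.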
Best practices summary table
| Practice | Purpose | Value delivered |
| --- | --- | --- |
| Combine Get-ActiveSyncDevice and Get-MobileDeviceStatistics | Full context | Device, OS, and activity coverage |
| Flag inactive and legacy clients | Risk reduction | Fewer attack paths and sync issues |
| Normalize and export | Auditability | Easy diffs and compliance reporting |
| App-based auth | Security | Safe automation at scale |
| Trend analysis | Continuous improvement | Verifiable reduction in risky devices |
Automation touchpoint example
You can use automation to streamline the creation, management, and maintenance of ActiveSync device data. Here are examples:
- A scheduled job loops through mailboxes
- The collection of device data via Get-ActiveSyncDevice and Get-MobileDeviceStatistics
- Consolidating and normalizing results
- Computing risk categories and writing CSV, JSON, and a log file
- Emailing a digest listing legacy clients, stale devices, and quarantine candidates
NinjaOne integration
NinjaOne offers tools and functionality that streamline building and maintaining ActiveSync device data.
| NinjaOne service | What it is | How it helps with ActiveSync device data |
| --- | --- | --- |
| Job deployment and scheduling | Schedule and run PowerShell jobs | Automates the collection of device data across mailboxes |
| Credential management | Securely store credentials | Ensures safe access to mailboxes for device data retrieval |
| Ticket creation | Enable ticket creation workflows for flagged devices | Supports scripted or report-driven ticket creation for stale, legacy, or quarantined devices |
| Dashboard cards | Visual cards in the NinjaOne dashboard | Show device counts, sync freshness derived from scripted ActiveSync audits, and reductions in risky endpoints per tenant |
Managing and maintaining ActiveSync device data
Well-kept ActiveSync device data documentation helps MSPs and IT teams determine which devices need to be retired, keeping the device inventory accurate. It also supports Exchange Online hygiene and a safer, more dependable security posture.
Key Takeaways
- Use Get-ActiveSyncDevice and Get-MobileDeviceStatistics for a complete device view.
- Identify legacy clients, outdated OS builds, and stale partnerships for remediation.
- Normalize and export with timestamps and tenant IDs for repeatable audits.
- Automate with app-based authentication and error handling.
- Tie results into security posture improvements and compliance dashboards.
Utilize Microsoft’s Get-ActiveSyncDevice cmdlet and follow other best practices to ensure a compliant ActiveSync device inventory.