Managing mobile devices in an enterprise environment is crucial for maintaining security and ensuring efficient performance. Devices that no longer sync or are out of use pose risks and add unnecessary complexity. To streamline this, I developed a PowerShell script—MDMCleanup.ps1—that identifies unused mobile devices connected to Microsoft 365 mailboxes and removes those that haven’t synced in over 90 days. I took the example script from this blog and modified it to include the ability to remove devices and email a report after the script has completed.
Key Features of the Script:
- Automated Reporting: The script generates HTML and CSV reports showing mobile device sync statuses for all user mailboxes.
- Cleanup of Unused Devices: Devices that haven’t synced in the last 90 days are automatically removed.
- Customizable Threshold: The default threshold is set to 90 days, but this can easily be adjusted to fit your organization’s needs.
- Email Notifications: Once the script runs, it sends a report to the designated recipients with details about removed and active devices.
Script Overview
The PowerShell script follows a structured approach:
- Environment Setup: It begins by setting up necessary variables, including email settings, SMTP configurations, and the current date and time.
- Exchange Online Connection: The script connects to Exchange Online using a certificate and retrieves a list of user mailboxes.
- Mobile Device Collection: It scans each mailbox for registered mobile devices and gathers device statistics, including last sync time, device model, and sync status.
- Device Evaluation: Devices that haven’t synced in more than 90 days are flagged for removal.
- Report Generation: Both HTML and CSV reports are created to summarize findings, including the number of active and removed devices.
- Device Removal: Devices that haven’t synced within the threshold are automatically removed from the system.
- Email Notification: The script sends an email containing the report to predefined recipients.
You can download the script here.
Step-by-Step Breakdown
- Connect to Exchange Online: The script uses the Connect-ExchangeOnline cmdlet to connect to your Microsoft 365 environment securely using a certificate and AppID:
  Connect-ExchangeOnline -CertificateThumbPrint "Your Cert Thumb Print" -AppID "Your AppID" -Organization "yourorg.onmicrosoft.com"
- Gather Mobile Device Data: The script retrieves all user mailboxes and their associated mobile devices:
  $Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Sort-Object DisplayName
- Device Evaluation: For each mobile device, the script checks the last sync time. The snippet below sets a warning status once a device has gone more than 30 days without syncing; devices that haven’t synced in over 90 days are flagged for removal:
  If ($DaysSinceLastSync -gt 30) { $SyncStatus = ("Warning: {0} days since last sync" -f $DaysSinceLastSync) }
- Automated Cleanup: Devices that meet the "no sync for 90 days" condition are removed from the system automatically:
  Remove-MobileDevice -Identity $OldDevice[0].Id -Confirm:$False
- Reporting: Detailed reports are generated in both HTML and CSV formats. These reports include critical data points such as the number of active devices, devices removed, and users who have synchronized devices:
  $HtmlReport = $Report | ConvertTo-Html -Fragment
- Email Notifications: The script sends a summary of the mobile device cleanup operation to specified recipients:
  Send-MailMessage -To $To -From $From -Subject $MessageSubject -SmtpServer $SMTPServer -Body $HtmlReport -BodyAsHtml
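The steps above, combined into one function as an added example (this is not the MDMCleanup.ps1 code itself). It assumes an existing Connect-ExchangeOnline session, names the function Invoke-StaleMobileDeviceCleanup, and adds two things a practitioner wants before deleting anything: a -Remove switch that honours -WhatIf so the first run is report-only, and explicit handling of devices that have never synced, which are reported but not removed.

```powershell
# Added example, not the original script. Evaluate every user mailbox's mobile devices
# against a sync threshold (90 days by default, like MDMCleanup.ps1) and remove stale
# ones only when -Remove is given and -WhatIf is not.
function Invoke-StaleMobileDeviceCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$ThresholdDays = 90,   # same 90-day default the script uses
        [switch]$Remove             # without this switch the function only reports
    )
    $Now = Get-Date
    $Report = [System.Collections.Generic.List[object]]::new()
    $Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Sort-Object DisplayName
    foreach ($M in $Mbx) {
        foreach ($D in (Get-MobileDevice -Mailbox $M.UserPrincipalName)) {
            $Stats = Get-MobileDeviceStatistics -Identity $D.Identity
            if ($null -eq $Stats.LastSuccessSync) {
                # Never synced: the threshold cannot be measured, so report it and leave it alone
                $Days = $null; $Status = 'Never synced'
            } else {
                $Days = [int]($Now - $Stats.LastSuccessSync).TotalDays
                $Status = if ($Days -gt $ThresholdDays) { "Stale: $Days days since last sync" } else { 'OK' }
            }
            $Stale = ($null -ne $Days) -and ($Days -gt $ThresholdDays)
            $Removed = $false
            # ShouldProcess returns $false under -WhatIf, so a dry run never reaches Remove-MobileDevice
            if ($Stale -and $Remove -and
                $PSCmdlet.ShouldProcess("$($M.DisplayName) / $($D.DeviceModel)", 'Remove-MobileDevice')) {
                Remove-MobileDevice -Identity $D.Identity -Confirm:$false
                $Removed = $true
            }
            $Report.Add([pscustomobject]@{
                User              = $M.DisplayName
                Device            = $D.DeviceModel
                DeviceId          = $D.DeviceId
                LastSync          = $Stats.LastSuccessSync
                DaysSinceLastSync = $Days
                SyncStatus        = $Status
                Removed           = $Removed
            })
        }
    }
    return $Report
}

# Dry run first: lists what would be removed without touching any device
$Report = Invoke-StaleMobileDeviceCleanup -ThresholdDays 90 -Remove -WhatIf
$Report | Export-Csv -Path .\MobileDevices.csv -NoTypeInformation
```

Drop -WhatIf once the CSV looks right; the same $Report object can then be piped to ConvertTo-Html -Fragment for the emailed summary as in the script.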
Why Use MDMCleanup.ps1?
This PowerShell script automates what could otherwise be a time-consuming and error-prone manual process of removing stale devices from Exchange Online. By running the script on a regular basis, your organization can ensure that old and unused mobile devices are cleaned up efficiently, reducing security risks and optimizing mobile device management. My suggestion is to schedule the script to run weekly.
Customization
While the default threshold for unused devices is set to 90 days, you can easily modify this value to suit your organization's policy:
$SyncDevices90 = $Report | Where-Object {$_.DaysSinceLastSync -gt 90}
Final Thoughts
Mobile device management is a critical aspect of any enterprise security strategy. By automating the cleanup of unused devices, you not only enhance security but also keep the list of devices registered to users in Exchange Online clean.
Feel free to download and customize the script to fit your organization's needs. Let me know if you have any questions or suggestions for further improvements!
Stay Secure, Stay Automated!