Tweak

If IT doesn’t challenge you, IT doesn’t change you.

Exchange

Generating Mobile Access Reports for Shared Mailboxes in Exchange Server 2019

#Exchange, #Powershell, #Reporting
Microsoft Exchange Logo

In many organizations, shared mailboxes are a critical component for collaborative work. They allow multiple users to access and manage a common mailbox, enabling seamless communication within teams. However, monitoring mobile access to these shared mailboxes can be a challenge, especially when it comes to ensuring security and compliance.

ActiveSync, Microsoft’s synchronization protocol, allows mobile devices to access Exchange mailboxes. While this is convenient, unauthorized or unmanaged mobile access to shared mailboxes can pose security risks. Therefore, it’s essential to have visibility into which shared mailboxes have ActiveSync enabled and which mobile devices are accessing them.

To address this need, I developed a PowerShell script that generates detailed reports on shared mailboxes and their associated mobile devices in an Exchange Server 2019 environment.

The Solution

The script performs the following actions:

  • Retrieves all shared mailboxes in the Exchange environment.
  • Checks if ActiveSync is enabled for each mailbox.
  • Identifies any mobile devices accessing these mailboxes.
  • Gathers detailed statistics for each device.
  • Exports the information into two separate CSV files:
    • SharedMailboxesReport.csv: Contains mailbox-level information.
    • MobileDevicesReport.csv: Contains device-level information with references to their associated mailboxes.

By using this script, administrators can easily monitor mobile access to shared mailboxes and take appropriate action if necessary.

Script Overview

Get-SharedMailboxesMobileAccessReport.ps1

<#
.SYNOPSIS
    Exchange Server 2019 Shared Mailboxes Mobile Access Report

.DESCRIPTION
    This PowerShell script retrieves all shared mailboxes in an Exchange Server 2019 environment, checks if ActiveSync is enabled for each mailbox, identifies any mobile devices accessing them, gathers detailed statistics for each device, and exports the information into two separate CSV files:
    1. SharedMailboxesReport.csv - Contains mailbox-level information.
    2. MobileDevicesReport.csv - Contains device-level information with references to their associated mailboxes.

.PREREQUISITES
    - Exchange Server 2019
    - Administrative permissions to execute Exchange cmdlets
    - Exchange Management Shell or imported Exchange module in PowerShell
    - PowerShell 5.1 or later

.USAGE
    1. Open the Exchange Management Shell with administrative privileges.
    2. Copy and paste the script into the shell or save it as `Get-SharedMailboxesMobileAccessReport.ps1` and execute it by navigating to its directory and running:
        .\Get-SharedMailboxesMobileAccessReport.ps1
    3. The reports will be generated at the specified export paths:
        - SharedMailboxesReport.csv
        - MobileDevicesReport.csv

.OUTPUTS
    - CSV files containing detailed reports on shared mailboxes and their associated mobile devices.

.EXAMPLE
    .\Get-SharedMailboxesMobileAccessReport.ps1

.NOTES
    - Ensure that the executing account has the necessary permissions for both `Get-MobileDevice` and `Get-MobileDeviceStatistics` cmdlets.
    - Modify the `$mailboxesExportPath` and `$devicesExportPath` variables as needed to specify different export locations.

#>

# Exchange Server 2019 PowerShell Script
# Description: Retrieves shared mailboxes, checks if ActiveSync is enabled,
# identifies mobile devices accessing them, retrieves detailed statistics,
# and exports the information to separate CSV files for mailboxes and devices.

# Define the output CSV file paths
$mailboxesExportPath = "C:\Reports\SharedMailboxesReport.csv"
$devicesExportPath    = "C:\Reports\MobileDevicesReport.csv"

# Ensure the export directory exists; create it if it doesn't
$exportDirectory = Split-Path -Path $mailboxesExportPath
if (!(Test-Path -Path $exportDirectory)) {
    New-Item -Path $exportDirectory -ItemType Directory -Force | Out-Null
}

# Retrieve all shared mailboxes
$sharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

# Initialize arrays to store the report data
$mailboxesReport = @()
$devicesReport    = @()

# Iterate through each shared mailbox
foreach ($mailbox in $sharedMailboxes) {
    try {
        # Get Client Access settings for the mailbox
        $casMailbox = Get-CASMailbox -Identity $mailbox.Identity

        # Check if ActiveSync is enabled
        $activeSyncEnabled = $casMailbox.ActiveSyncEnabled

        # Initialize variables for mobile device information
        $mobileDeviceCount = 0

        if ($activeSyncEnabled) {
            try {
                # Retrieve mobile devices associated with the mailbox
                $mobileDevices = Get-MobileDevice -Mailbox $mailbox.Identity -ErrorAction Stop

                if ($mobileDevices) {
                    $mobileDeviceCount = $mobileDevices.Count

                    foreach ($device in $mobileDevices) {
                        try {
                            # Retrieve statistics for each mobile device
                            $deviceStats = Get-MobileDeviceStatistics -Identity $device.Identity -ErrorAction Stop

                            # Create a custom object with desired properties
                            $deviceDetail = [PSCustomObject]@{
                                MailboxName             = $mailbox.DisplayName
                                MailboxIdentity         = $mailbox.Identity
                                DeviceName              = $device.DeviceName
                                DeviceType              = $device.DeviceType
                                DeviceOS                = $device.DeviceOS
                                LastSuccessSync         = $deviceStats.LastSuccessSync
                                LastSyncAttemptTime     = $deviceStats.LastSyncAttemptTime
                                LastPolicyUpdate        = $deviceStats.LastPolicyUpdate
                                LastAccessTime          = $deviceStats.LastAccessTime
                                DeviceUserAgent         = $deviceStats.UserAgent
                                DeviceAccessState       = $deviceStats.DeviceAccessState
                                DeviceAccessStateReason = $deviceStats.DeviceAccessStateReason
                            }

                            # Add the device detail to the devices report array
                            $devicesReport += $deviceDetail
                        }
                        catch {
                            # Handle errors when retrieving device statistics
                            $deviceDetail = [PSCustomObject]@{
                                MailboxName             = $mailbox.DisplayName
                                MailboxIdentity         = $mailbox.Identity
                                DeviceName              = $device.DeviceName
                                DeviceType              = $device.DeviceType
                                DeviceOS                = $device.DeviceOS
                                LastSuccessSync         = "Error: $_"
                                LastSyncAttemptTime     = "Error: $_"
                                LastPolicyUpdate        = "Error: $_"
                                LastAccessTime          = "Error: $_"
                                DeviceUserAgent         = "Error: $_"
                                DeviceAccessState       = "Error: $_"
                                DeviceAccessStateReason = "Error: $_"
                            }

                            $devicesReport += $deviceDetail
                        }
                    }
                }
            }
            catch {
                # Handle cases where Get-MobileDevice might fail
                Write-Warning "Error retrieving mobile devices for mailbox '$($mailbox.Identity)': $_"
            }
        }

        # Create a custom object with the desired mailbox properties
        $mailboxReportObject = [PSCustomObject]@{
            MailboxName       = $mailbox.DisplayName
            MailboxIdentity   = $mailbox.Identity
            ActiveSyncEnabled = $activeSyncEnabled
            MobileDeviceCount = $mobileDeviceCount
        }

        # Add the mailbox object to the mailboxes report array
        $mailboxesReport += $mailboxReportObject
    }
    catch {
        # Handle any errors encountered while processing the mailbox
        Write-Warning "Failed to process mailbox '$($mailbox.Identity)': $_"
    }
}

# Export the mailboxes report to a CSV file
try {
    $mailboxesReport | Export-Csv -Path $mailboxesExportPath -NoTypeInformation -Encoding UTF8
    Write-Output "Mailboxes report successfully exported to '$mailboxesExportPath'."
}
catch {
    Write-Error "Failed to export mailboxes report to CSV: $_"
}

# Export the devices report to a CSV file
try {
    $devicesReport | Export-Csv -Path $devicesExportPath -NoTypeInformation -Encoding UTF8
    Write-Output "Mobile devices report successfully exported to '$devicesExportPath'."
}
catch {
    Write-Error "Failed to export mobile devices report to CSV: $_"
}

Script Breakdown

  • Retrieving Shared Mailboxes: The script uses Get-Mailbox with the -RecipientTypeDetails SharedMailbox parameter to retrieve all shared mailboxes in the environment.
  • Checking ActiveSync Status: For each mailbox, it retrieves the Client Access settings using Get-CASMailbox and checks if ActiveSync is enabled.
  • Identifying Mobile Devices: If ActiveSync is enabled, the script uses Get-MobileDevice to retrieve all mobile devices associated with the mailbox.
  • Gathering Device Statistics: It then gathers detailed statistics for each device using Get-MobileDeviceStatistics.
  • Error Handling: The script includes comprehensive error handling to manage any issues that arise during execution, such as permissions errors or devices that cannot be queried.
  • Exporting Reports: Finally, it exports the gathered data into two CSV files for further analysis.

How to Use the Script

Prerequisites

  • Exchange Server 2019: The script is designed for Exchange Server 2019 environments.
  • Administrative Permissions: You need permissions to execute Exchange cmdlets, particularly Get-MobileDevice and Get-MobileDeviceStatistics.
  • Exchange Management Shell: Run the script in the Exchange Management Shell or ensure the Exchange module is imported into PowerShell.
  • PowerShell 5.1 or Later: The script requires PowerShell 5.1 or later.

Steps

  1. Download the Script: Download the script from the GitHub repository or copy the code provided above.
  2. Modify Export Paths (Optional): By default, the script exports the reports to C:\Reports\SharedMailboxesReport.csv and C:\Reports\MobileDevicesReport.csv. You can modify the $mailboxesExportPath and $devicesExportPath variables in the script to change the export locations.
  3. Run the Script:
    • Open the Exchange Management Shell with administrative privileges.
    • Navigate to the directory containing the script.
    • Execute the script:
      .\Get-SharedMailboxesMobileAccessReport.ps1
  4. Review the Reports:
    • SharedMailboxesReport.csv: Contains information about each shared mailbox, including whether ActiveSync is enabled and the number of mobile devices associated.
    • MobileDevicesReport.csv: Provides detailed information about each mobile device accessing the shared mailboxes.

Security Considerations

  • Permissions: Ensure the account running the script has the necessary permissions to execute all required cmdlets.
  • Data Handling: The generated CSV files contain sensitive information. Store them securely and restrict access as needed.
  • Compliance: Verify that collecting and storing this data complies with your organization’s policies and any applicable regulations.

Conclusion

Monitoring mobile access to shared mailboxes is vital for maintaining the security and integrity of your organization’s communication systems. This script provides a straightforward way to generate detailed reports, enabling administrators to:

  • Identify shared mailboxes with ActiveSync enabled.
  • Discover all mobile devices accessing these mailboxes.
  • Review device-specific information, such as last sync times and device types.

By regularly running this script and reviewing the reports, you can ensure that mobile access to shared mailboxes is appropriately managed and secure.

Additional Resources

Leave a Reply

Your email address will not be published. Required fields are marked *


Also Interesting

Exchange

Generating Mobile Access Reports for Shared Mailboxes in Exchange Server 2019

VMware

Balancing VMs Across Hosts in VMware Clusters: A Custom Solution

Windows

How to Update DNS Server Root Hints

Networking

How to Configure a RoutIT ISP IPv6 Static IP Block on a Ubiquiti UniFi Network