In 2012, I wrote about ActiveSync device partnerships some time ago to describe how partnerships are created and how they accumulate over time, which leads to the need to clean up partnerships belonging to old and obsolete devices, such as that HP iPAQ hw6515 that has long since been disconnected from your life. Bizarrely, you can still buy the device through Amazon.
The reason why you might be concerned about device partnerships is that old ones can clog up user accounts and prevent users adding new devices, which is not a great experience when they’ve just bought a new iPhone and now want to synchronize Outlook for iOS with their mailbox.
My previous discussion focused on Exchange 2010. Microsoft subsequently introduced the New-ThrottlingPolicy and Set-ThrottlingPolicy cmdlets in Exchange 2013 and these cmdlets include the EasMaxInactivityForDeviceCleanup parameter to help address the problem of decaying partnerships. This development quite passed me by, which isn’t an unusual state of affairs because the code base for Exchange is so large.
In any case, the EasMaxInactivityForDeviceCleanup parameter is defined in TechNet as follows:
“The EasMaxInactivityForDeviceCleanup parameter specifies the length of time that a user’s device partnerships will remain active. By default, there is no limit to the number of days that a user’s device partnerships will remain active. Use this value if you want to minimize the amount of inactive device partnerships in your organization. To use this setting, specify a value in days since the user’s last sync time to cause the device partnership to be removed.”
Exchange 2013, Exchange 2016, and Exchange Online all include code that can clean up obsolete partnerships when a new mobile device is added to an account. The following processing occurs:
- User attempts to add a new mobile device with ActiveSync.
- If no throttling policy is assigned to the mailbox or the policy that is assigned has a $Null or “unlimited” value for EasMaxInactivityForDeviceCleanup no further checking occurs as these values indicate that the administrator doesn’t want device partnerships to be cleaned up.
- Existing device partnerships with the account are checked. Those that exceed the value of EasMaxInactivityForDeviceCleanup are regarded as being inactive. Within Exchange Online, an inactive device is one that has not connected to the mailbox for 180 days or more.
- Any inactive device partnerships are removed from the account.
- A check is performed to ensure that the number of remaining partnerships remains under the limit for devices (100). In an on-premises environment, you can change the maximum number of EAS devices to whatever value you choose by updating a throttling policy and assigning it to mailboxes.
- If the cap is not exceeded, the new device is added.
Obsolete device partnerships are checked during the device addition process to minimize the demand on system resources. Clearly, there’s no point in looking for obsolete device partnerships if they’re not causing a problem and the only problem that old partnerships cause is when they might block the addition of a new device.
The cmdlets to control throttling policies are only available for on-premises servers. There’s no need for them to be available for Exchange Online because Microsoft takes care of system resource management and anyway, a very different throttling regime exists in a multi-tenant environment.
The nature of cloud services is that they are much more automated and controlled than on-premises systems. Adding a method to clean-up obsolete device partnerships makes a lot of sense for Exchange Online. Exchange Online allows up to 20 device partnerships to be removed for an account to be removed per month.
The code to remove obsolete device partnerships is also present in on-premises mailbox servers but it won’t be used unless the throttling policies that are assigned to mailboxes include a value for EasMaxInactivityForDeviceCleanup, which might not be the case. If the policies are updated to include a limit for inactive partnerships, then the code will swing into action. If activated, no limit is placed on the number of device partnerships that an Exchange on-premises server can remove per month.
Exchange 2010 supports 10 device partnerships per account; Exchange Online and Exchange 2016 both support 100, an increase that surely reflects the increasing use of mobile devices by everyone. It’s interesting to speculate quite how long it would take a normal human being to accumulate 100 mobile devices!
It’s good that Microsoft has implemented the functionality to detect and remove old device partnerships when new devices are being added. It would be good if this was developed further so that device partnerships were managed on an automatic basis according to a policy. For instance, you might be able to say that the partnerships for devices that hadn’t connected to an account in over a year should be removed. Even better, it would be good if administrators received a heads-up message every week or so to inform them that some device partnerships are approaching the point at which they will be removed, just in case one of the partnerships belongs the backup device for the CEO.
There’s nothing to stop you removing old device partnerships using PowerShell if you want to. Here’s an example of how to do the job using an updated version of the code published in the original post. The code checks for partnerships belonging to devices that haven’t synchronized in the last seven days and removes them.
Get-CASMailbox -ResultSize Unlimited -Filter {(HasActiveSyncDevicePartnership -eq $True) -and (Name -Notlike “Cas_*”) -and (name -Notlike “DiscoverySearchMailbox*”)} | ForEach {Get-MobileDeviceStatistics -Mailbox $_.Identity | Where-Object {$_.LastSuccessSync -le ((Get-Date).AddDays(“-7”))} | Remove-MobileDevice}
It’s easy to amend the code to make the check work for 15, 30, 45, or however number of days you see fit, but please test the code before you run it for real. It’s just too easy to run some PowerShell and clean data up really fast. So fast that all your data goes, including whatever you want to keep. Practice safe scripting…
Follow Tony @12Knocksinna
Thoughtsofanidlemind's Blog 
Pingback: The automatic cleanup of old Exchange ActiveSync device partnerships | Thoughtsofanidlemind’s Blog | JC's Blog-O-Gibberish
Pingback: Automatic Cleanup of Exchange ActiveSync Device Partnerships | SME IT guy
is there a way to get this is a list to view before you remove them?
Yes. Run the same script but replace the command to remove the devices with something like Format-Table and output the fields you want to see.
Is there a way to prompt deletion or not per user found?
Great blog. Very informative. Does this work with Intune?
This command no longer works. When run I get the following error: “Cannot bind parameter ‘Filter’ to the target. Exception setting “Filter”: “Invalid filter syntax…..”
The command definitely works. I just typed it into PowerShell and it ran as I expected. Did you type it in or cut and paste it in? If you pasted it in, you might find that it doesn’t work. I have run into that problem before.
i also get the same error as mrdecepticon w/the filter; invalid filter syntax on at position 65. the problem is that you are using ” vs ‘ around the filter parameters!! i am running this in exchnage 2013 via the powershell console vs a ps1 script.
I think the problem is the formatting of the command. This absolutely works because the quote marks are straight rather than curved. So I will update the text.
Get-CASMailbox -ResultSize Unlimited -Filter {(HasActiveSyncDevicePartnership -eq $True) -and (Name -Notlike “Cas_*”) -and (name -Notlike “DiscoverySearchMailbox*”)} | ForEach {Get-MobileDeviceStatistics -Mailbox $_.Identity | Where-Object {$_.LastSuccessSync -le ((Get-Date).AddDays(“-7”))} | Remove-MobileDevice}
Hello Tony,
I had exported the list of Stale Activesync Device and now I want to remove all stale Active Sync device from 2014 to December 2017.
Please help
For those having issues running Tony’s remove script, just retype the speech marks ” … copying and pasting from the website is the culprit!
Nice code. Think some of the issues people are having is the quotes on the site (when copy and pasted) are invalid. Just paste it into Notepad and replace the “fancy” quotes with standard double quotes and it will work fine.
Only issue with the script is we have about 200 users and only 140 have sync devices so it gets a bunch of errors on those with no sync device (“Couldn’t find ‘Domain/OU/Department/Random User’ as a recipient.”) or those that it didn’t find that matched the filter. But otherwise it works well and saved me a ton of time manually cleaning stuff up.
Is there a way to answer Yes to all?
Did you get a solution to Yest to all?
Excellent helped me a treat, just need an aswer to being able answer Yes to all
You should be able to skip confirmation by adding -Confirm:$false to the Remove-MobileDevice cmdlet.