king daddy

Disabling OWA in powershell not working - user still gets email on mobile

I ran Set-CASMailbox -Identity "upn" -OWAEnabled $false but it still shows enabled in Exchange admin center.
Weird thing is, when I run Get-CasMailbox -identity "upn" -Filter {OWAEnabled -eq $false} in PowerShell it shows disabled (enabled = false).

I ran Set-CasMailbox -Identity "upn" -ActiveSyncEnabled $false and it does show disabled in Exchange admin center and PowerShell.

The user is still getting emails on the iPhone through the iPhone email app.

I need to do this for about 200 users (disable EAS/OWA on non-company phones). I have a text file with all of the email addresses to import but the OWA command doesn't seem to be working on my test user so I can't proceed.

Any help much appreciated.
ASKER CERTIFIED SOLUTION
Mahesh
ASKER

Thanks Mahesh. Is there a way to just block the phone outright through powershell like I see in exchange admin center? When I go to a user account and select mobile devices I can block the mobile device by clicking that option.
If I can do that in powershell, would it prevent them from getting email?
And if possible, would you share the powershell command to do so?
Thanks!
I don't think you can do so with PowerShell because you need to find out each user's device and disable only specific ones.

https://docs.microsoft.com/en-us/powershell/module/exchange/devices/remove-mobiledevice?view=exchange-ps
Ok I do have that info in excel. Maybe I could import it in. Thanks.
timgreen7077

The best thing to do is turn off ActiveSync on the user mailbox. That way emails won't get delivered to the device. In regards to the Outlook app, the REST API is for Exchange Online and not Exchange on-prem unless on-prem is Exchange 2016 and in a hybrid config with O365. If you are not on Exchange 2016 in a hybrid config you can just disable ActiveSync on that mailbox and be good.
Hey Tim thanks again for your help on this. Test user shows active sync disabled but still gets emails. I was thinking of just outright blocking mobiles for users not allowed but cant find or figure out a powershell script to do that.
You can quarantine via the Exchange Admin Center. Also, if you are using the iPhone native app and if ActiveSync is disabled, the user should not be getting mail to the device. I would suggest you confirm all of that, but that will be the first I have ever seen with that. Double check that, make sure it's ActiveSync and not OWA.
Thanks Tim. I need to do this through powershell as it's about 200 or so users that have personal devices. We are blocking all personal devices until employees sign a doc with HR stating we have the right to wipe the device (account only unless that is not supported).

One test user has a personal device and is using the iPhone native app. She initially replied to one of my emails from the phone but a subsequent test email I sent to her did not get delivered to the phone, as she replied and told me this from Outlook. She also reported that the iPhone email app displayed a connection error to the server. The other test user is using Outlook for iOS and is still getting emails. He has a company iPhone, though that shouldn't make a difference. I ran the PowerShell commands (ActiveSync disable and OWA disable (or enable=$false)) against an imported text file with just those two.

I have been reading about this. I ran across blocking EWS, per Mahesh's link, as well as some info about activesyncblockeddevices.

This is going down tomorrow night whether I can do it with powershell or if I have to sit up all of tomorrow night and block them manually through EAC.

Thanks
Oh OK, see the link below. It will assist in quarantining all devices until you allow them to access:

http://itprocentral.com/how-to-enable-quarantine-for-mobile-devices-in-ex2013/

The policy will be set on Exchange and any device will be quarantined until you allow it.
Thanks. I also read about quarantine but was concerned that it would either only affect new users / phones or affect the company as a whole since it appears to be an organization-wide setting. However, I will do some more research into this.
It will be new devices. So all users will need to remove email from their phones and start fresh, and if they don't remove it you can threaten to wipe the device to remove it via Exchange. Exchange can wipe the device to remove the email profile, but it will perform a factory reset on their device, so that is also an option if they choose not to remove it.
OK thanks again for the help. What a pain :-)
yes it can be a pain. good luck man.
That policy only works for new devices
We used that policy to block all active sync connectivity except outlook for ios and Android, you can set exceptions there in policy

Set the above policy without exception and then don't allow access unless it's a company approved/owned device
Intune can be used to block non company devices

For now you need to manually block existing android and ios outlook
Anyone know if you can manipulate the DeviceAccessState setting? If so, I can set it to 'blocked' for those users on the iOS or Android Outlook app, which would prevent them from getting email.

So I have a CSV with all Get-CASMailbox info, including device ID. I am thinking I can import a text file with Device IDs or set a variable to pull in the device IDs and add them to the ActiveSyncBlockedDeviceIDs list. Though, I am thinking I would also somehow need to match the DeviceID to a user mailbox and I am not sure how to do that.

I tried this and waiting to see if it works. If so, I will just need to figure out how to script in for 200 users.

$MobileDevice = Get-MobileDevice -Mailbox user@company.com
Set-CASMailbox -Identity user@company.com -ActiveSyncBlockedDeviceIDs $MobileDevice.DeviceId
It worked. So https://www.experts-exchange.com/members/alexgreen312.html suggested here

https://www.experts-exchange.com/questions/29139140/Help-blocking-and-disabling-mobile-access-to-office-365-email.html?anchor=a42820886&notificationFollowed=225659862&anchorAnswerId=42820886#a42820886

a better way and should allow me to import the information of several users. Just need to figure out how to import PrimarySmtpAddress as well as DeviceID and have it match each user.
OK so after not being able to figure out nor wanting to deal with device IDs, based on Mahesh's direction I ended up blocking EWS / Outlook for iOS and Android (in addition to already having blocked EAS / OWA). Below are the commands I used.

Based on timgreen7077 input, I am looking to set up a quarantine policy for new users / devices.

Thanks all.

Disable EAS / OWA for multiple users
$Users = gc "PATH TO TEXT (.txt) FILE WITH USER’S PrimarySmtpAddress"
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -OWAEnabled $false}
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -OWAforDevicesEnabled $false}
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -ActiveSyncEnabled $false}

Reenable EAS / OWA for multiple users
$Users = gc "PATH TO TEXT (.txt) FILE WITH USER’S PrimarySmtpAddress"
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -OWAEnabled $true}
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -OWAforDevicesEnabled $true}
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -ActiveSyncEnabled $true}

Disable / reenable EAS / OWA for individual user
DISABLE
Set-CASMailbox -Identity "User PrimarySmtpAddress" -OWAforDevicesEnabled $false
Set-CASMailbox -Identity "User PrimarySmtpAddress" -OWAEnabled $false
Set-CASMailbox -Identity "User PrimarySmtpAddress" -ActiveSyncEnabled $false

REENABLE
Set-CASMailbox -Identity "User PrimarySmtpAddress" -OWAforDevicesEnabled $true
Set-CASMailbox -Identity "User PrimarySmtpAddress" -OWAEnabled $true
Set-CASMailbox -Identity "User PrimarySmtpAddress" -ActiveSyncEnabled $true


CONFIRM EAS/OWA STATUS INDIVIDUAL USER
Get-CASMailbox -identity "User PrimarySmtpAddress"



DISABLE EWS MULTIPLE USERS
$Users = gc "PATH TO TEXT (.txt) FILE WITH USER’S PrimarySmtpAddress"
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}}

DISABLE EWS SINGLE USER
Set-CASMailbox -Identity "User PrimarySmtpAddress" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}

REENABLE EWS MULTIPLE USERS
$Users = gc "PATH TO TEXT (.txt) FILE WITH USER’S PrimarySmtpAddress"
Foreach ($User in $Users){Set-CASMailbox -Identity "$User" -EwsBlockList @{Remove="Outlook-iOS/*","Outlook-Android/*"}}


REENABLE EWS SINGLE USER
Set-CASMailbox -Identity "User PrimarySmtpAddress" -EwsBlockList @{Remove="Outlook-iOS/*","Outlook-Android/*"}


CONFIRM EWS
Get-CASMailbox "User PrimarySmtpAddress" | Select *EWS*
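
The thread leaves open how to match each DeviceID to its PrimarySmtpAddress when blocking devices for a whole list of users. The following is an added example, not code from the thread or from Microsoft: it looks up each mailbox's devices, applies the same settings used above in one pass, and reads the result back per user. The function name `Block-PersonalMobileAccess` and the `-UserList` parameter are hypothetical, and it assumes an Exchange Management Shell session.

```powershell
# Added example, not from the thread. Run in an Exchange Management Shell session.
# Block-PersonalMobileAccess and -UserList are hypothetical names;
# the file holds one PrimarySmtpAddress per line.
function Block-PersonalMobileAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserList)

    $Users = Get-Content $UserList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($User in $Users) {
        # Get-MobileDevice -Mailbox returns only this mailbox's partnerships,
        # so each DeviceId is already matched to its user.
        $DeviceIds = @(Get-MobileDevice -Mailbox $User |
            ForEach-Object { $_.DeviceId } | Select-Object -Unique)
        $Before = Get-CASMailbox -Identity $User
        # Only add IDs that are not on the block list yet.
        $NewIds = @($DeviceIds | Where-Object { $Before.ActiveSyncBlockedDeviceIDs -notcontains $_ })

        if ($PSCmdlet.ShouldProcess($User, 'Disable OWA/EAS and block known devices')) {
            # One call per mailbox instead of three separate loops.
            Set-CASMailbox -Identity $User -OWAEnabled $false `
                -OWAforDevicesEnabled $false -ActiveSyncEnabled $false
            if ($NewIds.Count -gt 0) {
                # @{Add=...} appends; a plain value would replace the whole list.
                Set-CASMailbox -Identity $User -ActiveSyncBlockedDeviceIDs @{Add = $NewIds}
            }
        }

        # Read the settings back and report anything that did not stick.
        $After = Get-CASMailbox -Identity $User
        $Unblocked = @($DeviceIds | Where-Object { $After.ActiveSyncBlockedDeviceIDs -notcontains $_ })
        [pscustomobject]@{
            User              = $User
            OWAEnabled        = $After.OWAEnabled
            OWAforDevices     = $After.OWAforDevicesEnabled
            ActiveSyncEnabled = $After.ActiveSyncEnabled
            DevicesFound      = $DeviceIds.Count
            DevicesNotBlocked = $Unblocked -join ';'
        }
    }
}

# Dry run first, then apply and keep a record of the read-back:
# Block-PersonalMobileAccess -UserList .\users.txt -WhatIf
# Block-PersonalMobileAccess -UserList .\users.txt | Export-Csv .\result.csv -NoTypeInformation
```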