Once you’ve integrated your Configuration Manager environment with Intune and you’ve started enrolling users it’s useful to be able to find who is still connecting directly to EAS. You will want to track these users down and get them enrolled before enabling conditional access. The info contained in this blog assumes that you’ve configured the Exchange Server Connector and allowed it to discover devices from Exchange.
One might thing this task was as simple as finding all the mobile devices where System_Disc MDStatus is not 1, at least that’s what I first assumed. When I ran this:
select * FROM System_Disc
INNER JOIN MDMDeviceProperty on CAST(DeviceID as nvarchar(255)) = SMS_Unique_Identifier0
where PRopertyName = ‘MdmStatus’ and EAS_DeviceID is not NULL
I thought I was golden! 100% of my devices have MdmStatus = 1 so they must all be enrolled right?? Of course I know that is not true so I dug around some. As it turns out there’s a bug causing MdmStatus to always be 1 so we can’t use that.
Here’s a query that actually works. This shows all the devices connected to EAS in the past 7 days and where or not they are enrolled in MDM. It also tells you the user of the device so it’s easy to track them down and get them enrolled. This should help you tame BYOD!
(you will probably have to fix the smart quotes if you copy and paste this query from a browser)
CASE WHEN IsCompliant = ‘1’ THEN ‘Device is enrolled’
ELSE ‘Device is not enrolled’
END as ‘Enrollment Status’,
deviceid as ‘Device ID’,
FriendlyName ‘Device Name’,
DeviceOS ‘Operating System’,
DeviceType ‘Device Type’,
DeviceModel ‘Device Model’,
ExchangeServer ‘Exchange Server Connected’,
max ((left (FirstSyncTimeUTC, 11))) as ‘First Sync Time’,
max ((left (LastSuccessSyncTimeUTC, 11))) as ‘Last Sync Time’
where DATEDIFF(d,LastSuccessSyncTimeUTC,GetDate()) < 7