
Post on 14-Mar-2018


Protect Company Data and Emails on Mobile Devices with Intune

More and more, companies are allowing employees to increase their productivity by accessing email, documents, and company resources through their mobile devices. However, the amount of confidential data that is stored within corporate emails and documents presents a significant security risk for companies.

You can use conditional access in Intune to help secure email and email data depending on the conditions you specify. Conditional access lets you manage access to Microsoft Exchange on-premises and Exchange Online.

Introduction

Protecting your company's data is vitally important, and is an increasingly challenging task as more employees are using their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data is protected even when those mobile devices are not within the company's physical location.

The Microsoft Enterprise Mobility Suite (EMS) solves this challenge by delivering comprehensive protection of corporate email and documents across four layers: Identity, Device, Application, and Data. Among other capabilities, EMS ensures that employees can access corporate email only from devices that are managed by Microsoft Intune and compliant with IT policies.

You can implement conditional access by configuring two policy types in Intune:

Compliance policies are optional policies you can deploy to users and devices and evaluate settings like passcode and encryption. The conditional access policies set in Intune ensure that the devices can only access email if they are compliant with the compliance policies you set. If no compliance policy is deployed to a device, then any applicable conditional access policies will treat the device as compliant.

Conditional access policies are configured for a particular service, and define rules such as which Azure Active Directory security user groups or Intune user groups will be targeted and how devices that cannot enroll with Intune will be managed.

Note: Intune groups are not security groups. Rather, they are a collection of users that you can create by using the Intune admin console.

Unlike other Intune policies, you do not deploy conditional access policies. Instead, you configure these once, and they apply to all targeted users.

When devices do not meet the conditions you configure, the user is guided through the process of enrolling the device and/or fixing the issue that prevents the device from being compliant.

Evaluating your desired implementation

With all of the different design and configuration options for managing mobile devices, it's difficult to determine which combination will best meet the needs of your company. The Mobile Device Management Design Considerations Guide (https://technet.microsoft.com/library/mt143180.aspx) helps you understand mobile device management design requirements and details a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs for your company.

High level end-user experience

After the solution is implemented, end-users will be able to access the company email only on managed and compliant devices. Access can be revoked at any time if the device becomes noncompliant. Specifically, the conditional access policies set in Intune ensure that the devices can only access email if they are compliant with the compliance policies you set. Actions such as copy and paste or saving to personal cloud storage services can be restricted using mobile application management policies. The Azure Rights Management service can be used to ensure that the sensitive email data, and forwarded attachments, can only be read by intended recipients. The end-user experience is described in more detail in the End-user Experience section, later in this article.

Using conditional access with Intune

Use conditional access in Microsoft Intune to help secure email and other services depending on conditions you specify.

Prerequisites

You can control access to Exchange Online and Exchange on-premises from the following mail apps:

- The built-in app for Android 4.0 and later, Samsung Knox 4.0 Standard and later
- The built-in app for iOS 7.1 and later
- The built-in app for Windows Phone 8.1 and later
- The mail application on Windows 8.1 and later
- The Microsoft Outlook app for Android and iOS (for Exchange Online only)

Before you start using conditional access, ensure that you have the correct requirements in place:

For Exchange Server on-premises

Conditional access to Exchange on-premises supports:

- Windows 8 and later (when enrolled with Intune)
- Windows Phone 8 and later
- Any iOS device that uses an Exchange ActiveSync (EAS) email client
- Android 4 and later.

Additionally:

- Your Exchange version must be Exchange 2010 or later. Exchange Server Client Access Server (CAS) configuration is supported.
- If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to any one of the CAS servers.
- Exchange ActiveSync can be configured with certificate based authentication, or user credential entry.
- You must use the on-premises Exchange connector, which connects Intune to Microsoft Exchange Server on-premises. This lets you manage devices through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune).
- Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector available to you in the Intune console is specific to your Intune tenant and cannot be used with any other tenant.
- You should also ensure that the Exchange connector for your tenant is installed on exactly one machine and not on multiple machines. If you have a CAS server environment that includes a mix of machines running both Exchange Server 2010 and 2013, you must configure the Exchange connector to point to the 2013 CAS server.

For Exchange Online

Conditional access to Exchange Online supports devices that run:

- Windows 8.1 and later (when enrolled with Intune)
- Windows 7.0 or later (when domain joined)
- Windows Phone 8.1 and later
- iOS 7.1 and later
- Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally, devices must be registered with the Azure Active Directory Device Registration Service (AAD DRS).

AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.

You must use an Office 365 subscription that includes Exchange Online (such as E3) and users must be licensed for Exchange Online.

The optional Microsoft Intune Service to Service Connector connects Intune to Microsoft Exchange Online and helps you manage device information through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune, https://technet.microsoft.com/en-us/library/dn646988.aspx). You do not need to use the connector to use compliance policies or conditional access policies, but it is required to run reports that help evaluate the impact of conditional access.

Tip: If you configure the connector, some Exchange ActiveSync policies from Intune might be visible in the Office console but are not set as default policies and do not affect devices.

Important: Do not configure the Service to Service Connector if you intend to use conditional access for both Exchange Online and Exchange on-premises.

Deployment Steps for using Exchange on-premises with Intune

Step 1: Install and configure the Microsoft Intune on-premises Exchange Server connector

This step will help you configure your on-premises infrastructure with Exchange on-premises. You can only set up one Exchange connection per Intune account. If you try to configure an additional connection, it will replace the original connection with the new one.

Requirements

To prepare to connect Intune to your Exchange Server, you must first fulfill the following requirements. You may have already fulfilled these requirements when you set up Intune.

Requirement | More information
Set the Mobile Device Management Authority to Intune | Set mobile device management authority as Microsoft Intune
Verify you have hardware requirements for the on-premises connector | Requirements for the On-Premises Connector
Configure a user account with permission to run the designated list of Windows PowerShell cmdlets | PowerShell Cmdlets for On-Premises Exchange Connector (see below)

PowerShell Cmdlets for On-Premises Exchange Connector: You must create an Active Directory user account that is used by the Intune Exchange Connector. The account must have permission to run the following Exchange Server cmdlets:

- Clear-ActiveSyncDevice
- Get-ActiveSyncDevice
- Get-ActiveSyncDeviceAccessRule
- Get-ActiveSyncDeviceStatistics
- Get-ActiveSyncM
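One way to confirm that the connector account actually holds the permissions the guide requires, using Exchange's RBAC cmdlets. This is an added example, not code from the guide or from Microsoft; it assumes an Exchange Management Shell session on Exchange 2010 or later, and $ConnectorAccount is a placeholder you replace with the account's UPN.

```powershell
# Added example, not part of the original guide: check that the AD service account
# used by the Intune Exchange Connector holds Exchange RBAC roles that include the
# cmdlets listed above. Assumes an Exchange Management Shell session (Exchange 2010
# or later) with permission to read role assignments. $ConnectorAccount is a
# placeholder; replace it with the connector account's actual UPN.
$ConnectorAccount = 'intune-connector@contoso.example'

# Cmdlets taken from the guide's list; extend it with the rest of the guide's entries.
$RequiredCmdlets = @(
    'Clear-ActiveSyncDevice'
    'Get-ActiveSyncDevice'
    'Get-ActiveSyncDeviceAccessRule'
    'Get-ActiveSyncDeviceStatistics'
)

# Management roles assigned to the account, directly or through role-group membership.
$AssignedRoles = Get-ManagementRoleAssignment -RoleAssignee $ConnectorAccount |
    ForEach-Object { [string]$_.Role } |
    Sort-Object -Unique

$Missing = foreach ($Cmdlet in $RequiredCmdlets) {
    # Every built-in or custom role whose role entries include this cmdlet.
    $RolesWithCmdlet = Get-ManagementRole -Cmdlet $Cmdlet |
        ForEach-Object { [string]$_.Name }

    # Intersection of the roles the account has and the roles that carry the cmdlet.
    $Granting = $AssignedRoles | Where-Object { $RolesWithCmdlet -contains $_ }
    if ($Granting) {
        Write-Verbose "$Cmdlet is granted through: $($Granting -join ', ')"
    }
    else {
        [pscustomobject]@{
            Cmdlet           = $Cmdlet
            RolesThatGrantIt = ($RolesWithCmdlet -join ', ')
        }
    }
}

if ($Missing) {
    Write-Warning 'The connector account cannot run these required cmdlets:'
    $Missing | Format-Table -AutoSize
}
else {
    Write-Output 'The connector account can run every required cmdlet.'
}
```

Because the check reports which roles would grant each missing cmdlet, it also helps you pick a narrowly scoped role for the account instead of adding it to a broad group such as Organization Management.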