Post on 14-Mar-2018
Protect Company Data and Emails on Mobile Devices with Intune

More and more, companies are allowing employees to increase their productivity by accessing email, documents, and company resources through their mobile devices. However, the amount of confidential data that is stored within corporate emails and documents presents a significant security risk for

You can use conditional access in Intune to help secure email and email data depending on the conditions you specify. Conditional access lets you manage access to Microsoft Exchange on-premises and Exchange Online.
Introduction

Protecting your company's data is vitally important, and it is an increasingly challenging task as more employees use their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data is protected even when those mobile devices are not within the company's physical location.

The Microsoft Enterprise Mobility Suite (EMS) solves this challenge by delivering comprehensive protection of corporate email and documents across four layers: Identity, Device, Application, and Data. Among other capabilities, EMS ensures that employees can access corporate email only from devices that are managed by Microsoft Intune and compliant with IT policies.
You can implement conditional access by configuring two policy types in Intune:

- Compliance policies are optional policies you can deploy to users and devices; they evaluate settings like passcode and encryption. The conditional access policies set in Intune ensure that devices can only access email if they are compliant with the compliance policies you set. If no compliance policy is deployed to a device, then any applicable conditional access policies will treat the device as compliant.

- Conditional access policies are configured for a particular service, and define rules such as which Azure Active Directory security user groups or Intune user groups will be targeted and how devices that cannot enroll with Intune will be managed. Intune groups are not security groups. Rather, they are a collection of users that you can create by using the Intune admin console.

Unlike other Intune policies, you do not deploy conditional access policies. Instead, you configure them once, and they apply to all targeted users.

When devices do not meet the conditions you configure, the user is guided through the process of enrolling the device and/or fixing the issue that prevents the device from being compliant.
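The decision logic described above (who is targeted, what happens to unenrolled devices, and the rule that a device with no compliance policy is treated as compliant) is easy to get wrong when reasoning about it in prose. The following toy evaluator is an added illustration, not Intune's implementation or any code from Microsoft: the `User`, `Device` and `ConditionalAccessPolicy` types, the `evaluate_access` function and the `block_devices_that_cannot_enroll` option are assumptions made for the example, and the sample users and devices are constructed. It also shows re-evaluation after a device drifts out of compliance, which is how access is revoked.

```python
"""Toy evaluator for the Intune conditional access decision described above.

Added illustration, not Intune's implementation. Type, field and function
names are assumptions made for this example. It models the rules the text
states:
  * only users in the targeted groups are affected;
  * unenrolled devices are sent through enrollment (or handled per the
    policy's setting for devices that cannot enroll);
  * a device with no compliance policy deployed is treated as compliant;
  * a noncompliant device is guided to remediation, and access is
    re-evaluated whenever its state changes.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    upn: str
    groups: set[str] = field(default_factory=set)   # Azure AD / Intune group names


@dataclass
class Device:
    device_id: str
    enrolled: bool                         # managed by Intune?
    can_enroll: bool = True                # platform supports Intune enrollment?
    compliance_policy_deployed: bool = False
    compliant: bool = False                # outcome of the compliance policy evaluation


@dataclass
class ConditionalAccessPolicy:
    service: str                           # e.g. "Exchange Online"
    targeted_groups: set[str]
    # Assumed option: what to do with devices that cannot enroll with Intune.
    block_devices_that_cannot_enroll: bool = True


def evaluate_access(policy: ConditionalAccessPolicy, user: User, device: Device) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'block' or 'remediate'."""
    if not (user.groups & policy.targeted_groups):
        return "allow", "user is not in a targeted group; policy does not apply"
    if not device.enrolled:
        if not device.can_enroll:
            if policy.block_devices_that_cannot_enroll:
                return "block", "device cannot enroll and policy blocks such devices"
            return "allow", "device cannot enroll; policy permits such devices"
        return "remediate", "device is not enrolled; user is guided through enrollment"
    if not device.compliance_policy_deployed:
        return "allow", "no compliance policy deployed; device treated as compliant"
    if not device.compliant:
        return "remediate", "device is noncompliant; user is guided to fix the issue"
    return "allow", "device is enrolled and compliant"


def access_report(policy: ConditionalAccessPolicy, user: User, devices: list[Device]) -> dict[str, str]:
    """Evaluate a batch of devices for one user; returns {device_id: decision}."""
    return {d.device_id: evaluate_access(policy, user, d)[0] for d in devices}


if __name__ == "__main__":
    # Constructed sample data.
    policy = ConditionalAccessPolicy("Exchange Online", targeted_groups={"Sales"})
    alice = User("alice@example.com", groups={"Sales"})
    bob = User("bob@example.com", groups={"Engineering"})
    devices = [
        Device("phone-1", enrolled=True, compliance_policy_deployed=True, compliant=True),
        Device("phone-2", enrolled=True, compliance_policy_deployed=True, compliant=False),
        Device("phone-3", enrolled=True, compliance_policy_deployed=False),
        Device("tablet-4", enrolled=False),
        Device("legacy-5", enrolled=False, can_enroll=False),
    ]
    for d in devices:
        print(d.device_id, *evaluate_access(policy, alice, d))
    # Bob is not targeted, so every device is allowed regardless of its state.
    print(access_report(policy, bob, devices))
    # Revocation: phone-1 drifts out of compliance and is re-evaluated.
    devices[0].compliant = False
    print("phone-1 after drift:", evaluate_access(policy, alice, devices[0])[0])
```

The point worth noticing is the third device: with no compliance policy deployed it is allowed even though its `compliant` flag is false, so a conditional access policy without a matching compliance policy enforces enrollment only, not device health.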
Evaluating your desired implementation

With all of the different design and configuration options for managing mobile devices, it's difficult to determine which combination will best meet the needs of your company. The Mobile Device Management Design Considerations Guide helps you understand mobile device management design requirements and details a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs of your company.
High level end-user experience

After the solution is implemented, end-users will be able to access company email only on managed and compliant devices. Access can be revoked at any time if the device becomes noncompliant. Specifically, the conditional access policies set in Intune ensure that devices can only access email if they are compliant with the compliance policies you set. Actions such as copy and paste or saving to personal cloud storage services can be restricted using mobile application management policies. The Azure Rights Management service can be used to ensure that sensitive email data, and forwarded attachments, can only be read by the intended recipients. The end-user experience is described in more detail in the End-user Experience section, later in this article.
Using conditional access with Intune

Use conditional access in Microsoft Intune to help secure email and other services depending on conditions you specify.
Prerequisites

You can control access to Exchange Online and Exchange on-premises from the following mail apps:

- The built-in app for Android 4.0 and later, Samsung Knox 4.0 Standard and later
- The built-in app for iOS 7.1 and later
- The built-in app for Windows Phone 8.1 and later
- The mail application on Windows 8.1 and later
- The Microsoft Outlook app for Android and iOS (for Exchange Online only)
Before you start using conditional access, ensure that you have the correct requirements in place:

For Exchange Server on-premises

Conditional access to Exchange on-premises supports:

- Windows 8 and later (when enrolled with Intune)
- Windows Phone 8 and later
- Any iOS device that uses an Exchange ActiveSync (EAS) email client
- Android 4 and later

Your Exchange version must be Exchange 2010 or later. An Exchange Server Client Access Server (CAS) configuration is supported. If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to any one of the CAS servers.

Exchange ActiveSync can be configured with certificate-based authentication or user credentials.

You must use the on-premises Exchange connector, which connects Intune to Microsoft Exchange Server on-premises. This lets you manage devices through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune).

Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector available to you in the Intune console is specific to your Intune tenant and cannot be used with any other tenant.

You should also ensure that the Exchange connector for your tenant is installed on exactly one machine and not on multiple machines. If you have a CAS server environment that includes a mix of machines running both Exchange Server 2010 and 2013, you must configure the Exchange connector to point to the 2013 CAS server.
For Exchange Online

Conditional access to Exchange Online supports devices that run:

- Windows 8.1 and later (when enrolled with Intune)
- Windows 7.0 or later (when domain joined)
- Windows Phone 8.1 and later
- iOS 7.1 and later
- Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally, devices must be registered with the Azure Active Directory Device Registration Service (AAD DRS). AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.

You must use an Office 365 subscription that includes Exchange Online (such as E3), and users must be licensed for Exchange Online.

The optional Microsoft Intune Service to Service Connector connects Intune to Microsoft Exchange Online and helps you manage device information through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune). You do not need the connector to use compliance policies or conditional access policies, but it is required to run the reports that help you evaluate the impact of conditional access.

If you configure the connector, some Exchange ActiveSync policies from Intune might be visible in the Office console, but they are not set as default policies and do not affect devices.

Do not configure the Service to Service Connector if you intend to use conditional access for both Exchange Online and Exchange on-premises.
Deployment Steps for using Exchange on-premises with Intune

Step 1: Install and configure the Microsoft Intune on-premises Exchange Server connector

This step will help you configure your on-premises infrastructure with Exchange on-premises. You can only set up one Exchange connection per Intune account. If you try to configure an additional connection, it will replace the original connection with the new one.

To prepare to connect Intune to your Exchange Server, you must first fulfill the following requirements. You may have already fulfilled these requirements when you set up Intune.
Requirement: Set the Mobile Device Management Authority to Intune
More information: Set mobile device management authority as Microsoft Intune

Requirement: Verify you have hardware requirements for the on-
More information: Requirements for the On-Premises

Requirement: Configure a user account with permission to run the designated list of Windows PowerShell cmdlets
More information: Powershell Cmdlets for On-Premises Exchange Connector (see below)
Powershell Cmdlets for On-Premises Exchange Connector: You must create an Active Directory user account that is used by the Intune Exchange Connector. The account must have permission to run the following Exchange Server cmdlets: