Post on 23-Feb-2019
Protect Company Data and Emails on Mobile Devices with Intune

More and more, companies are allowing employees to increase their productivity by accessing email, documents, and company resources through their mobile devices. However, the amount of confidential data that is stored within corporate emails and documents presents a significant security risk for

You can use conditional access in Intune to help secure email and email data depending on the conditions you specify. Conditional access lets you manage access to Microsoft Exchange on-premises and Exchange Online.

Introduction

Protecting your company's data is vitally important, and is an increasingly challenging task as more employees use their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data is protected even when those mobile devices are not within the company's physical location.

The Microsoft Enterprise Mobility Suite (EMS) addresses this challenge by delivering protection of corporate email and documents across four layers: Identity, Device, Application, and Data. Among other capabilities, EMS ensures that employees can access corporate email only from devices that are managed by Microsoft Intune and compliant with IT policies.

You can implement conditional access by configuring two policy types in Intune:

Compliance policies are optional policies you can deploy to users and devices; they evaluate settings such as passcode and encryption. The conditional access policies set in Intune ensure that devices can only access email if they are compliant with the compliance policies you set. If no compliance policy is deployed to a device, any applicable conditional access policy treats that device as compliant. Note the consequence: an enrolled device that no compliance policy targets passes the compliance check by default, so every user or device group that conditional access applies to should also receive a compliance policy, or the passcode and encryption requirements are never evaluated for those devices.

Conditional access policies are configured for a particular service, and define rules such as which Azure Active Directory security groups or Intune user groups will be targeted and how devices that cannot enroll with Intune will be handled.


Intune groups are not security groups. Rather, they are a collection of users that you create by using the Intune admin console.

Unlike other Intune policies, you do not deploy conditional access policies. Instead, you configure them once, and they apply to all targeted users.

When a device does not meet the conditions you configure, the user is guided through the process of enrolling the device and/or fixing the issue that prevents the device from being compliant.

Evaluating your desired implementation

With all of the different design and configuration options for managing mobile devices, it's difficult to determine which combination will best meet the needs of your company. The Mobile Device Management Design Considerations Guide helps you understand mobile device management design requirements and details a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs of your company.

High level end-user experience

After the solution is implemented, end-users will be able to access company email only on managed and compliant devices. Access can be revoked at any time if the device becomes noncompliant. Specifically, the conditional access policies set in Intune ensure that devices can only access email if they are compliant with the compliance policies you set. Actions such as copy and paste, or saving to personal cloud storage services, can be restricted using mobile application management policies. The Azure Rights Management service can be used to ensure that sensitive email data, including forwarded attachments, can only be read by the intended recipients. The end-user experience is described in more detail in the End-user Experience section, later in this article.

Using conditional access with Intune

Use conditional access in Microsoft Intune to help secure email and other services depending on conditions you specify.

Prerequisites

You can control access to Exchange Online and Exchange on-premises from the following mail apps:

The built-in mail app for Android 4.0 and later, and Samsung Knox Standard 4.0 and later
The built-in mail app for iOS 7.1 and later
The built-in mail app for Windows Phone 8.1 and later
The mail application on Windows 8.1 and later
The Microsoft Outlook app for Android and iOS (Exchange Online only)

Before you start using conditional access, ensure that you have the correct requirements in place.

For Exchange Online

Conditional access to Exchange Online supports devices that run:

Windows 8.1 and later (when enrolled with Intune)
Windows 7.0 or later (when domain joined)
Windows Phone 8.1 and later
iOS 7.1 and later
Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally, devices must be registered with the Azure Active Directory Device Registration Service (AAD DRS).

AAD DRS is activated automatically for Intune and Office 365 customers. Customers who have already deployed the AD FS Device Registration Service will not see registered devices in their on-premises Active Directory.

You must use an Office 365 subscription that includes Exchange Online (such as E3), and users must be licensed for Exchange Online.

The optional Microsoft Intune Service to Service Connector connects Intune to Microsoft Exchange Online and helps you manage device information through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune). You do not need the connector to use compliance policies or conditional access policies, but it is required to run the reports that help you evaluate the impact of conditional access.

If you configure the connector, some Exchange ActiveSync policies from Intune might be visible in the Office console, but they are not set as default policies and do not affect devices.

Do not configure the Service to Service Connector if you intend to use conditional access for both Exchange Online and Exchange on-premises.

For Exchange Server on-premises

Conditional access to Exchange on-premises supports:

Windows 8.1 and later (when enrolled with Intune)
Windows Phone 8 and later
Any iOS device that uses an Exchange ActiveSync (EAS) email client
Android 4 and later



Your Exchange version must be Exchange 2010 or later. An Exchange Client Access Server (CAS) configuration is supported.

If your Exchange environment is in a CAS configuration, you must configure the on-premises Exchange connector to point to any one of the CAS servers.

Exchange ActiveSync can be configured with certificate-based authentication, or user credential
You must use the on-premises Exchange connector, which connects Intune to Microsoft Exchange Server on-premises. This lets you manage devices through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune).

Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector available to you in the Intune console is specific to your Intune tenant and cannot be used with any other tenant.

You should also ensure that the Exchange connector for your tenant is installed on exactly one machine, not on multiple machines. If you have a CAS environment that includes a mix of machines running both Exchange Server 2010 and 2013, you must configure the Exchange connector to point to the 2013 CAS server.
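Before installing the connector, a practitioner will want to confirm the prerequisites above from the Exchange side: which servers hold the Client Access role and at what version (so the connector is pointed at a 2013 CAS in a mixed environment), what the Exchange ActiveSync organization settings and device access rules grant to devices today, and which devices currently sync and in what access state. The following script is an added example written for this page; it is not part of the original document or of Microsoft's connector. It assumes it is run in the Exchange Management Shell on Exchange 2010 or later by an account permitted to run the Get-* cmdlets it calls.

```powershell
# Added example for this page (not from the original document or the Intune connector).
# Run in the Exchange Management Shell on Exchange 2010 or later. AdminDisplayVersion is
# parsed from its string form so the script also works over a remote (deserialized) session.

function Get-ExchangeVersionNumber {
    # AdminDisplayVersion renders as "Version 15.0 (Build 1497.2)". Return 15.0 as a [version]
    # so servers can be compared: 14.x = Exchange 2010, 15.0 = Exchange 2013.
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+)') {
        return [version]"$($Matches[1]).$($Matches[2])"
    }
    return $null
}

# 1. Client Access Servers and their versions. The connector must point at one CAS; in a
#    mixed 2010/2013 environment it must be a 2013 CAS, so the highest version is chosen.
$cas = Get-ExchangeServer |
    Where-Object { [string]$_.ServerRole -match 'ClientAccess' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $_.Name
            Version = Get-ExchangeVersionNumber -AdminDisplayVersion ([string]$_.AdminDisplayVersion)
            Role    = [string]$_.ServerRole
        }
    }
if (-not $cas) { throw "No Client Access Server found; the connector needs one to point at." }

$cas | Sort-Object Version -Descending | Format-Table Name, Version, Role -AutoSize
$target = $cas | Sort-Object Version -Descending | Select-Object -First 1
if ($target.Version -lt [version]'14.0') {
    Write-Warning "Exchange 2010 (14.x) or later is required; $($target.Name) is $($target.Version)."
} else {
    Write-Host "Point the on-premises Exchange connector at: $($target.Name) ($($target.Version))"
}

# 2. Exchange ActiveSync organization settings: the default access level applied to devices
#    that match no rule, and the device access rules already in place. Record this before
#    device access starts being managed from Intune, so you know what unmanaged devices get today.
$org = Get-ActiveSyncOrganizationSettings
Write-Host "EAS DefaultAccessLevel: $($org.DefaultAccessLevel)"
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, QueryString, Characteristic, AccessLevel -AutoSize

# 3. Devices currently syncing, grouped by access state. Get-MobileDevice exists on
#    Exchange 2013 and later; fall back to Get-ActiveSyncDevice on Exchange 2010.
if (Get-Command Get-MobileDevice -ErrorAction SilentlyContinue) {
    $devices = Get-MobileDevice -ResultSize Unlimited
} else {
    $devices = Get-ActiveSyncDevice -ResultSize Unlimited
}
$devices | Group-Object DeviceAccessState | Select-Object Name, Count | Format-Table -AutoSize

# Devices that are not Allowed today are the ones whose users will notice a change first;
# list them with the reason Exchange recorded.
$devices |
    Where-Object { [string]$_.DeviceAccessState -ne 'Allowed' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason |
    Format-Table -AutoSize
```

The device listing in step 3 is the on-premises counterpart of the impact reports the Service to Service Connector provides for Exchange Online: run it before and after enabling conditional access to see which devices moved out of the Allowed state.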

Deployment steps for using Exchange on-premises with Intune

Step 1: Install and configure the Microsoft Intune on-premises Exchange Server connector

This step sets up the connection between Intune and your on-premises Exchange infrastructure. You can only set up one Exchange connection per Intune account. If you try to configure an additional connection, it replaces the original connection with the new one.

To prepare to connect Intune to your Exchange Server, you must first fulfill the following requirements. You may have already fulfilled these requirements when you set up Intune.

Requirement | More information
Set the Mobile Device Management Authority to Intune | Set mobile device management authority as Microsoft Intune
Verify you have the hardware requirements for the on-premises connector | Requirements for the On-Premises
Configure a user account with permission to run the designated list of Windows PowerShell cmdlets | PowerShell Cmdlets for On-Premises Exchange Connector (see below)
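The last requirement, an account permitted to run a designated list of cmdlets, is enforced by Exchange role-based access control, so the practical check is which management roles grant each cmdlet and whether the connector's account holds one of them, directly or through a role group. The following script is an added example written for this page, not part of the original document or of Microsoft's connector. The account name and the cmdlet names in $requiredCmdlets are placeholders (substitute the designated list from the connector documentation), and the optional custom role at the end assumes the required cmdlets are all present in the 'Mail Recipients' parent role, which must be verified against the real list.

```powershell
# Added example for this page (not from the original document). Placeholders: the service
# account UPN and the cmdlet list. Replace $requiredCmdlets with the designated list for the
# on-premises Exchange connector. Run in the Exchange Management Shell as an RBAC administrator.
$account         = 'svc-intune-exchange@contoso.com'                      # assumed account
$requiredCmdlets = @('Get-MobileDevice', 'Get-MobileDeviceStatistics',    # placeholder list,
                     'Get-CASMailbox', 'Set-CASMailbox')                  # not the official one
$createRole      = $false   # set to $true to create the least-privilege role group at the end

$user = Get-User -Identity $account
if (-not $user) { throw "Account $account not found." }

# Roles the account effectively holds: direct assignments to the user, plus assignments to
# every role group that lists the user as a member. Delegating assignments do not grant the
# right to run cmdlets, so they are excluded.
$groups = Get-RoleGroup | Where-Object {
    $members = Get-RoleGroupMember -Identity $_.Identity
    ($members | ForEach-Object { $_.DistinguishedName }) -contains $user.DistinguishedName
}
$assignees = @($user.Identity) + @($groups | ForEach-Object { $_.Identity })
$heldRoles = $assignees |
    ForEach-Object { Get-ManagementRoleAssignment -RoleAssignee $_ -Delegating $false } |
    ForEach-Object { [string]$_.Role } |
    Sort-Object -Unique

Write-Host "Roles held by $account`: $($heldRoles -join ', ')"

# For each required cmdlet, find the roles whose role entries include it and check whether
# any of those roles is held. This checks cmdlet presence only; a role entry may still
# restrict parameters (compare with Get-ManagementRoleEntry "<Role>\<Cmdlet>").
$missing = @()
foreach ($cmdlet in $requiredCmdlets) {
    $grantingRoles = Get-ManagementRole -Cmdlet $cmdlet | ForEach-Object { [string]$_.Name }
    $match = $grantingRoles | Where-Object { $heldRoles -contains $_ }
    if ($match) {
        Write-Host ("{0,-34} OK       via: {1}" -f $cmdlet, ($match -join ', '))
    } else {
        Write-Host ("{0,-34} MISSING  granted by: {1}" -f $cmdlet, ($grantingRoles -join ', '))
        $missing += $cmdlet
    }
}

# Optional least-privilege fix: a custom role that keeps only the required cmdlets, assigned
# through a dedicated role group rather than adding the account to a broad built-in group.
# A child role can only contain entries its parent already has, so the parent role
# ('Mail Recipients' here) is an assumption to verify against the real cmdlet list; rerun
# the check above after creating it.
if ($missing.Count -gt 0 -and $createRole) {
    New-ManagementRole -Name 'Intune Exchange Connector' -Parent 'Mail Recipients' | Out-Null
    Get-ManagementRoleEntry 'Intune Exchange Connector\*' |
        Where-Object { $requiredCmdlets -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
    New-RoleGroup -Name 'Intune Exchange Connector Operators' `
                  -Roles 'Intune Exchange Connector' -Members $account | Out-Null
    Write-Host "Created role group 'Intune Exchange Connector Operators' for $account."
}
```

Keeping the connector account on a custom role rather than in a built-in group such as Organization Management limits what an attacker gains if the connector host or its stored credentials are compromised: the account can query and set device access for mailboxes, and nothing else.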
