
Upload: trandat

Post on 23-Feb-2019


Protect Company Data and Emails on Mobile Devices with Intune

More and more, companies are allowing employees to increase their productivity by accessing email, documents, and company resources through their mobile devices. However, the amount of confidential data that is stored within corporate emails and documents presents a significant security risk for companies.

You can use conditional access in Intune to help secure email and email data depending on the conditions you specify. Conditional access lets you manage access to Microsoft Exchange on-premises and Exchange Online.

Introduction

Protecting your company's data is vitally important, and is an increasingly challenging task as more employees are using their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data is protected even when those mobile devices are not within the company's physical location.

The Microsoft Enterprise Mobility Suite (EMS) solves this challenge by delivering comprehensive protection of corporate email and documents across four layers: Identity, Device, Application, and Data. Among other capabilities, EMS ensures that employees can access corporate email only from devices that are managed by Microsoft Intune and compliant with IT policies.

You can implement conditional access by configuring two policy types in Intune:

- Compliance policies are optional policies you can deploy to users and devices and evaluate settings like passcode and encryption. The conditional access policies set in Intune ensure that the devices can only access email if they are compliant with the compliance policies you set. If no compliance policy is deployed to a device, then any applicable conditional access policies will treat the device as compliant.

- Conditional access policies are configured for a particular service, and define rules such as which Azure Active Directory security user groups or Intune user groups will be targeted and how devices that cannot enroll with Intune will be managed.

Note

Intune groups are not security groups. Rather, they are a collection of users that you can create by using the Intune admin console.

Unlike other Intune policies, you do not deploy conditional access policies. Instead, you configure these once, and they apply to all targeted users.

When devices do not meet the conditions you configure, the user is guided through the process of enrolling the device and/or fixing the issue that prevents the device from being compliant.

Evaluating your desired implementation

With all of the different design and configuration options for managing mobile devices, it's difficult to determine which combination will best meet the needs of your company. The Mobile Device Management Design Considerations Guide helps you understand mobile device management design requirements and details a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs for your company.

High level end-user experience

After the solution is implemented, end-users will be able to access the company email only on managed and compliant devices. Access can be revoked at any time if the device becomes noncompliant.

Specifically, the conditional access policies set in Intune ensure that the devices can only access email if they are compliant with the compliance policies you set. Actions such as copy and paste or saving to personal cloud storage services can be restricted using mobile application management policies. The Azure Rights Management service can be used to ensure that the sensitive email data, and forwarded attachments, can only be read by intended recipients. The end-user experience is described in more detail in the End-user Experience section, later in this article.

Using conditional access with Intune

Use conditional access in Microsoft Intune to help secure email and other services depending on conditions you specify.

Prerequisites

You can control access to Exchange Online and Exchange on-premises from the following mail apps:

- The built-in app for Android 4.0 and later, Samsung Knox 4.0 Standard and later
- The built-in app for iOS 7.1 and later
- The built-in app for Windows Phone 8.1 and later
- The mail application on Windows 8.1 and later
- The Microsoft Outlook app for Android and iOS (for Exchange Online only)

Before you start using conditional access, ensure that you have the correct requirements in place:

For Exchange Online

Conditional access to Exchange Online supports devices that run:

- Windows 8.1 and later (when enrolled with Intune)
- Windows 7.0 or later (when domain joined)
- Windows Phone 8.1 and later
- iOS 7.1 and later
- Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally, devices must be registered with the Azure Active Directory Device Registration Service (AAD DRS).

AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.

- You must use an Office 365 subscription that includes Exchange Online (such as E3) and users must be licensed for Exchange Online.

- The optional Microsoft Intune Service to Service Connector connects Intune to Microsoft Exchange Online and helps you manage device information through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune). You do not need to use the connector to use compliance policies or conditional access policies, but it is required to run reports that help evaluate the impact of conditional access.

If you configure the connector, some Exchange ActiveSync policies from Intune might be visible in the Office console but are not set as default policies and do not affect devices.

Do not configure the Service to Service Connector if you intend to use conditional access for both Exchange Online and Exchange on-premises.

For Exchange Server on-premises

Conditional access to Exchange on-premises supports:

- Windows 8.1 and later (when enrolled with Intune)
- Windows Phone 8 and later
- Any iOS device that uses an Exchange ActiveSync (EAS) email client
- Android 4 and later

Note

Additionally:

- Your Exchange version must be Exchange 2010 or later. Exchange Server Client Access Server (CAS) configuration is supported.

- If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to any one of the CAS servers.

- Exchange ActiveSync can be configured with certificate based authentication, or user credential entry.

- You must use the on-premises Exchange connector, which connects Intune to Microsoft Exchange Server on-premises. This lets you manage devices through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune).

- Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector available to you in the Intune console is specific to your Intune tenant and cannot be used with any other tenant.

- You should also ensure that the Exchange connector for your tenant is installed on exactly one machine and not on multiple machines. If you have a CAS server environment that includes a mix of machines running both Exchange Server 2010 and 2013, you must configure the Exchange connector to point to the 2013 CAS server.

Deployment Steps for using Exchange on-premises with Intune

Step 1: Install and configure the Microsoft Intune on-premises Exchange Server connector.

This step will help you configure your on-premises infrastructure with Exchange on-premises.

You can only set up one Exchange connection per Intune account. If you try to configure an additional connection, it will replace the original connection with the new one.

Requirements

To prepare to connect Intune to your Exchange Server, you must first fulfill the following requirements. You may have already fulfilled these requirements when you set up Intune.

| Requirement | More information |
| Set the Mobile Device Management Authority to Intune | Set mobile device management authority as Microsoft Intune |
| Verify you have hardware requirements for the on-premises connector | Requirements for the On-Premises Connector |
| Configure a user account with permission to run the designated list of Windows PowerShell cmdlets | PowerShell Cmdlets for On-Premises Exchange Connector (see below) |


PowerShell Cmdlets for On-Premises Exchange Connector: You must create an Active Directory user account that is used by the Intune Exchange Connector. See Configure Exchange cmdlet permissions for Windows Intune Exchange Connector for help in configuring the account.

The account must have permission to run the following Exchange Server cmdlets:

- Clear-ActiveSyncDevice
- Get-ActiveSyncDevice
- Get-ActiveSyncDeviceAccessRule
- Get-ActiveSyncDeviceStatistics
- Get-ActiveSyncMailboxPolicy
- Get-ActiveSyncOrganizationSettings
- Get-ExchangeServer
- Get-Recipient
- Set-ADServerSettings
- Set-ActiveSyncDeviceAccessRule
- Set-ActiveSyncMailboxPolicy
- Set-CASMailbox
- New-ActiveSyncDeviceAccessRule
- New-ActiveSyncMailboxPolicy
- Remove-ActiveSyncDevice

1. In the Intune administrator console, choose ADMIN.

2. In the navigation pane, under Mobile Device Management, expand Microsoft Exchange and then choose Setup Exchange Connection.

3. Choose Download On-Premises Connector.

4. The On-Premises Connector software is contained in a compressed (.zip) folder that can be opened or saved. In the File Download dialog box, choose Save to store the compressed folder to a secure location.

Important

Do not rename or move the extracted files or the On-Premises Connector software installation will not succeed.

5. Extract the files in Exchange_Connector_Setup.zip into a secure location.

6. After the files are extracted, double-click Exchange_Connector_Setup.exe to install the On-premises Connector.

Important

If the destination folder is not a secure location, you should delete the certificate file WindowsIntune.accountcert after you install the On-Premises Connector.

7. In the Exchange server field of the Microsoft Intune Exchange Connector window, select On-premises Exchange Server.

   - Provide either the server name or fully qualified domain name of the Exchange server that hosts the Client Access server role.
   - Provide the credentials of the account that you configured to run the Exchange Server PowerShell cmdlets.
   - Provide administrative credentials necessary to send notifications to a user's Exchange mailbox. These notifications are configurable via Conditional Access policies using Intune. For more information on these policies see Enable access to company resources with Microsoft Intune.
   - Ensure that the Autodiscover service and Exchange Web Services are configured on the Exchange Client Access Server. For more information, see Client Access server.
   - In the Password field, provide the password for this account to enable Intune to access the Exchange Server.

8. Choose Connect.

It may take a few minutes while the connection is set up. During configuration, the Exchange Connector stores your proxy settings to enable access to the Internet. If your proxy settings change, you will have to reconfigure the Exchange Connector in order to apply the updated proxy settings to the Exchange Connector.

After the Exchange Connector sets up the connection, mobile devices associated with users that are managed in Intune are automatically synchronized and added to the Microsoft Intune administrator console. This synchronization may take some time to complete.

To view the status of the connection and the last successful synchronization attempt, in the Microsoft Intune administrator console choose ADMIN, expand Mobile Device Management, and then choose Microsoft Exchange.

Step 2: Create compliance policies and deploy to users.

Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.

1. In the Microsoft Intune administration console, choose Policy > Compliance Policies > Add.

2. On the Create Policy page, configure the settings you require:

| Setting | iOS | Android | Windows |
| Require a password to unlock mobile devices | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later |
| Allow simple passwords | iOS 7 and later | Not supported | Windows Phone 8 and later |
| Minimum password length | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1 |
| Required password type | iOS 7 and later | Not available | Windows Phone 8 and later; Windows RT; Windows RT 8.1; Windows 8.1 |
| Minimum number of character sets | iOS 7 and later | Not available | Windows Phone 8 and later; Windows RT; Windows RT 8.1; Windows 8.1 |
| Password quality | Not available | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Not available |
| Minutes of inactivity before password is required | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1 |
| Password expiration (days) | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1 |
| Remember password history | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1 |
| Prevent reuse of previous passwords | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1 |
| Require a password when the device returns from an idle state | Not available | Not available | Windows 10 Mobile |
| Require encryption on mobile device | Not applicable | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1 |
| Require devices to be reported as healthy | Not available | Not available | Windows 10 Mobile |
| Device must not be jailbroken or rooted | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Not available |
| Email account must be managed by Intune | iOS 7 and later | Not available | Not available |
| Select the email profile that must be managed by Intune | iOS 7 and later | Not available | Not available |
| Minimum OS required | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1 |
| Maximum OS version allowed | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1 |

(1) For devices that run Windows and are secured with a Microsoft Account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than 2.

3. When you are finished, choose Save Policy.

You will be given the option to deploy the policy now, or you can choose to deploy it later. The new policy displays in the Compliance Policies node of the Policy workspace.

4. Set the compliance status validity period.

To specify the time the device has to check in before a device is considered not compliant, go to compliance policy settings and update the time. The default is set to 30 days.

To deploy the compliance policy

1. In the Policy workspace, select the policy you want to deploy, then choose Manage Deployment.

2. In the Manage Deployment dialog box, select one or more groups to which you want to deploy the policy, then choose Add > OK.

You can deploy to users and/or devices. Use Active Directory groups that you have already created and synced to Intune, or create these groups manually in the Intune console. For more information, see Use groups to manage users and devices with Microsoft Intune.

Important

Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.

Use the status summary and alerts on the Overview page of the Policy workspace to identify issues with the policy that require your attention. Additionally, a status summary appears in the Dashboard workspace.

If you have not deployed a compliance policy and then enable an Exchange conditional access policy, all targeted devices will be allowed access.

View devices that do not conform to a compliance policy

1. In the Intune administration console, choose Groups > All Devices.

2. Double-click the name of a device in the list of devices.

3. Choose the Policy tab to see a list of the policies for that device.

4. From the Filters drop-down list, select Does not conform to compliance policy.

When conflicts occur due to multiple Intune settings being applied to a device, the following rules apply:

- If the conflicting settings are from an Intune configuration policy and a compliance policy, the settings in the compliance policy take precedence over the settings in the configuration policy, even if the settings in the configuration policy are more secure.

- If you have deployed multiple compliance policies, the most secure of these policies will be used.
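The "most secure policy wins" rule and the Microsoft Account footnote above are easy to get wrong when several compliance policies reach one device. The following is an added example (not Intune code or the documentation's own) that merges constructed compliance policies setting by setting, checks the Windows/Microsoft Account evaluation caveat, and reports which settings a device fails; the field names and the device dictionary are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CompliancePolicy:
    """One deployed Intune compliance policy (constructed model of the settings table above).
    None means the policy does not configure that setting."""
    name: str
    require_password: Optional[bool] = None
    min_password_length: Optional[int] = None
    min_character_sets: Optional[int] = None
    inactivity_minutes: Optional[int] = None   # minutes of inactivity before a password is required
    require_encryption: Optional[bool] = None
    block_jailbroken_rooted: Optional[bool] = None

# For each setting, which of two configured values is the more secure one.
MORE_SECURE = {
    "require_password": max,          # True is stricter than False
    "min_password_length": max,
    "min_character_sets": max,
    "inactivity_minutes": min,        # a shorter idle time before lock is stricter
    "require_encryption": max,
    "block_jailbroken_rooted": max,
}

def effective_policy(policies):
    """Apply the conflict rule above: when several compliance policies reach a device,
    the most secure configured value of each setting is the one that applies."""
    merged = {}
    for policy in policies:
        for setting, pick in MORE_SECURE.items():
            value = getattr(policy, setting)
            if value is None:
                continue
            merged[setting] = pick(merged[setting], value) if setting in merged else value
    return CompliancePolicy(name="effective", **merged)

def windows_msa_will_evaluate(policy):
    """The footnote above: on Windows devices secured with a Microsoft Account the policy
    fails to evaluate if minimum password length exceeds 8 or character sets exceed 2."""
    return (policy.min_password_length or 0) <= 8 and (policy.min_character_sets or 0) <= 2

def compliance_failures(device, policy):
    """Compare the values a device reports (constructed dict) with the effective policy.
    Returns the list of failed settings; an empty list means the device is compliant."""
    failures = []
    if policy.require_password and not device.get("has_password", False):
        failures.append("require_password")
    if policy.min_password_length and device.get("password_length", 0) < policy.min_password_length:
        failures.append("min_password_length")
    if policy.min_character_sets and device.get("character_sets", 0) < policy.min_character_sets:
        failures.append("min_character_sets")
    if policy.inactivity_minutes is not None and device.get("inactivity_minutes", 10**9) > policy.inactivity_minutes:
        failures.append("inactivity_minutes")
    if policy.require_encryption and not device.get("encrypted", False):
        failures.append("require_encryption")
    if policy.block_jailbroken_rooted and device.get("jailbroken_or_rooted", False):
        failures.append("block_jailbroken_rooted")
    return failures

# Constructed sample: two policies deployed to the same device through different groups.
BASELINE = CompliancePolicy("Baseline", require_password=True, min_password_length=6,
                            inactivity_minutes=15, require_encryption=True)
FINANCE = CompliancePolicy("Finance", min_password_length=8, inactivity_minutes=5,
                           block_jailbroken_rooted=True)

if __name__ == "__main__":
    eff = effective_policy([BASELINE, FINANCE])
    print(eff)
    device = {"has_password": True, "password_length": 6, "character_sets": 1,
              "inactivity_minutes": 10, "encrypted": True, "jailbroken_or_rooted": False}
    print(compliance_failures(device, eff))
```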

Step 3: Identify users who will be impacted by conditional access policy.

After the Exchange Server connector is successfully configured, it begins to inventory devices that are not yet enrolled to Intune, but are connecting to your organization's Exchange resources using Exchange ActiveSync. To view the mobile device inventory report:

1. Navigate to Reports -> Mobile Device Inventory Reports.

2. In the report parameters, select the Intune group you want to evaluate and, if required, the device platforms to which the policy will apply.

3. Once you've selected the criteria that meets your organization's needs, choose View Report. The Report Viewer opens in a new window.

For more information about how to run reports, see Understand Microsoft Intune operations by using reports.

After you run the report, examine these four columns to determine whether a user will be blocked:

- Management Channel: Indicates whether the device is managed by Intune, Exchange ActiveSync, or both.

- AAD Registered: Indicates whether the device is registered with Azure Active Directory (known as Workplace Join).

- Compliant: Indicates whether the device is compliant with any compliance policies you deployed.

- Exchange ActiveSync ID: iOS and Android devices are required to have their Exchange ActiveSync ID associated with the device registration record in Azure Active Directory. This happens when the user selects the Activate Email link in the quarantine email.

Devices that are part of a targeted group will be blocked from accessing Exchange unless the column values match those listed in the following table:

| Management channel | AAD registered | Compliant | Exchange ActiveSync ID | Resulting action |
| Managed by Microsoft Intune and Exchange ActiveSync | Yes | Yes | A value is displayed | Email access allowed |
| Any other value | No | No | No value is displayed | Email access blocked |

You can export the contents of the report and use the Email Address column to help you inform users that they will be blocked.
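To turn the exported report into a list of users to warn, the added example below (not part of the documentation, and not an Intune API) applies the four-column rule from the table above to a constructed CSV export; the column names and the CSV layout are assumptions modelled on the columns the text names.

```python
import csv
import io

# Constructed sample export (not real data): the header row uses the four column names
# the text above tells you to examine, plus the Email Address column used to notify users.
SAMPLE_EXPORT = """Email Address,Management Channel,AAD Registered,Compliant,Exchange ActiveSync ID
alice@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,ApplDEVICE0001
bob@contoso.example,Managed by Exchange ActiveSync,No,No,
carol@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,No,SECDEVICE0002
dave@contoso.example,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,
"""

ALLOWED_CHANNEL = "Managed by Microsoft Intune and Exchange ActiveSync"

def block_reasons(row):
    """Return why a report row will be blocked, per the table above. All four columns
    must match the 'allowed' row; any other combination blocks the device."""
    reasons = []
    if row["Management Channel"].strip() != ALLOWED_CHANNEL:
        reasons.append("not managed by both Intune and Exchange ActiveSync")
    if row["AAD Registered"].strip().lower() != "yes":
        reasons.append("not registered with Azure Active Directory")
    if row["Compliant"].strip().lower() != "yes":
        reasons.append("not compliant with the deployed compliance policy")
    if row["Exchange ActiveSync ID"].strip() == "":
        reasons.append("Exchange ActiveSync ID not associated with the device record")
    return reasons

def users_to_notify(csv_text):
    """Parse an exported report and map each email address that will be blocked to the
    reasons, so the notification can tell the user what to fix. A user with several
    devices contributes one row per device; reasons are accumulated per address."""
    blocked = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = block_reasons(row)
        if reasons:
            blocked.setdefault(row["Email Address"].strip(), []).extend(reasons)
    return blocked

if __name__ == "__main__":
    for email, reasons in users_to_notify(SAMPLE_EXPORT).items():
        print(email, "->", "; ".join(reasons))
```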

Step 4: Configure user groups for the conditional access policy.

You target conditional access policies to different groups of users depending on the policy types. These groups contain the users that will be targeted, or exempt from the policy. When a user is targeted by a policy, each device they use must be compliant in order to access email.

For the Exchange on-premises policy: You specify Intune user groups. You can configure Intune user groups in the Groups workspace of the Intune console.

You can specify two group types in each policy:

- Targeted groups: User groups to which the policy is applied
- Exempted groups: User groups that are exempt from the policy (optional)

If a user is in both groups, they will be exempt from the policy.

Only the groups which are targeted by the conditional access policy are evaluated for Exchange access.

Step 5: Configure the conditional access policy for Exchange on-premises.

The following flow is used by conditional access policies for an Exchange on-premises environment to evaluate whether to allow or block devices.

1. In the Microsoft Intune administration console, choose Policy > Conditional Access > Exchange On-premises Policy.

2. Configure the policy with the settings you require:

Setting: Block email apps from accessing Exchange On-premises if the device is noncompliant or not enrolled to Microsoft Intune

When you select this option, devices that are not managed by Intune or are not compliant with a compliance policy that was deployed to them are blocked from accessing Exchange services unless they have been defined as exempt.

Setting: Default rule override - Always allow enrolled and compliant devices to access Exchange

When you check this option, devices that are enrolled in Intune and compliant with the compliance policies are allowed to access Exchange. This rule overrides the Default Rule, which means that even if you set the Default Rule to quarantine or block access, enrolled and compliant devices will still be able to access Exchange.

Setting: Targeted Groups

Select the Intune user groups that must enroll their device with Intune before they can access Exchange. These are the groups you configured in Step 4.

Setting: Exempt Groups

Select the Intune user groups that are exempt from the conditional access policy. These are the groups you configured in Step 4. Settings in this list override those in the Targeted Groups list.

Setting: Platform Exceptions

Choose Add Rule to configure a rule that defines access levels for specified mobile device families and models. Because these devices can be of any type, you can also configure device types that are unsupported by Intune.

Setting: Default Rule

For a device that is not covered by any of the other rules, you can choose to allow it to access Exchange, block it, or quarantine it.

When you set the rule to allow access, for devices that are enrolled and compliant, email access is granted automatically for iOS, Windows, and Samsung Knox devices. The end-user does not have to go through any process to get their email. On Android devices that are not Knox based, end-users will get a quarantine email which includes a guided walkthrough to verify enrollment and compliance before they can access email.

If you set the rule to block access or quarantine it, all devices are blocked from getting access to Exchange regardless of whether they are already enrolled in Intune or not. To prevent enrolled and compliant devices from being affected by this rule, check the Default Rule Override.

Tip

If your intention is to first block all devices before granting access to email, checking the Block access, or Quarantine rule can be useful.

The default rule will apply to all device types, so device types you configure as platform exceptions and that are unsupported by Intune are also affected.

Setting: User Notification

In addition to the notification email sent from Exchange, Intune sends an email that you can configure which contains steps to unblock the device. You can edit the default message and use HTML tags to format how the text appears.

Note

Because the Intune notification email containing remediation instructions is delivered to the user's Exchange mailbox, in the event that the user's device gets blocked before they receive the email message, they can use an unblocked device or other method to access Exchange and view the message.

This is especially true when the Default Rule is set to block or quarantine. In this case, the end-user will have to go to their app store, download the Microsoft Company Portal app and enroll their device. This is applicable to iOS, Windows, and Samsung Knox devices. For Android devices that are not Knox-based, the IT admin will need to send the quarantine email to an alternate email account, which the end-user then has to copy to their blocked device to complete the enrollment and compliance process.

3. When you are done, choose Save.

You do not have to deploy the conditional access policy; it takes effect immediately.

- After a user sets up an Exchange ActiveSync profile, it might take from 1-3 hours for the device to be blocked (if it is not managed by Intune).
- If a blocked user then enrolls the device with Intune (or remediates noncompliance), email access will be unblocked within 2 minutes.
- If the user un-enrolls from Intune it might take from 1-3 hours for the device to be blocked.
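The interaction between targeted and exempt groups, the Default Rule, the Default Rule Override and the "no compliance policy deployed means compliant" behaviour is where misconfigurations leave mail open. The added example below (not Intune code, not the documentation's own) models the Step 4 and Step 5 rules as a single evaluation function so the outcomes can be tabletop-tested before the policy is saved; the field names, the order in which the settings are checked, and the device inputs are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Platforms the text says get email automatically once enrolled and compliant;
# Android devices that are not Knox based go through the quarantine walkthrough instead.
AUTO_ALLOW_PLATFORMS = {"iOS", "Windows", "Samsung Knox"}

# Maps a Default Rule / platform exception value to the decision this model returns.
DECISION = {"allow": "allowed", "block": "blocked", "quarantine": "quarantine"}

@dataclass
class ExchangeOnPremPolicy:
    """The Step 5 settings (setting names are the page's; field names are assumed)."""
    block_noncompliant_or_unenrolled: bool = True   # 'Block email apps from accessing ...'
    default_rule_override: bool = True              # 'Always allow enrolled and compliant devices'
    targeted_groups: Set[str] = field(default_factory=set)
    exempt_groups: Set[str] = field(default_factory=set)
    platform_exceptions: Dict[str, str] = field(default_factory=dict)  # device family -> rule
    default_rule: str = "allow"                     # allow | block | quarantine

@dataclass
class DeviceRequest:
    """A device trying to sync mail (constructed input)."""
    user_groups: Set[str]
    platform: str                     # "iOS", "Windows", "Samsung Knox", "Android", ...
    device_family: str                # key looked up in platform_exceptions
    enrolled: bool
    compliance_policy_deployed: bool
    reported_compliant: bool

def evaluate(policy: ExchangeOnPremPolicy, req: DeviceRequest) -> Tuple[str, str]:
    """Return (decision, reason). Decision is one of 'not evaluated', 'allowed',
    'quarantine' or 'blocked'. Check order is this model's assumption."""
    # Only targeted groups are evaluated, and a user in both lists is exempt.
    if not (req.user_groups & policy.targeted_groups):
        return "not evaluated", "user is in no targeted group"
    if req.user_groups & policy.exempt_groups:
        return "allowed", "user is in an exempt group"
    # No compliance policy deployed: conditional access treats the device as compliant.
    compliant = req.reported_compliant or not req.compliance_policy_deployed
    if req.enrolled and compliant:
        if policy.default_rule_override or policy.default_rule == "allow":
            if req.platform in AUTO_ALLOW_PLATFORMS:
                return "allowed", "enrolled and compliant"
            return "quarantine", "non-Knox Android: guided walkthrough before access"
        # A block/quarantine Default Rule without the override hits enrolled devices too.
        return DECISION[policy.default_rule], "default rule applies even to enrolled devices"
    # Platform exceptions cover device families (including ones Intune cannot enroll).
    if req.device_family in policy.platform_exceptions:
        return DECISION[policy.platform_exceptions[req.device_family]], "platform exception"
    if policy.block_noncompliant_or_unenrolled:
        return "blocked", "not enrolled or not compliant"
    return DECISION[policy.default_rule], "default rule"

if __name__ == "__main__":
    policy = ExchangeOnPremPolicy(targeted_groups={"Sales"}, exempt_groups={"Executives"})
    print(evaluate(policy, DeviceRequest({"Sales"}, "iOS", "iOS", True, True, True)))
    print(evaluate(policy, DeviceRequest({"Sales"}, "Android", "Android", True, True, True)))
    print(evaluate(policy, DeviceRequest({"Sales"}, "iOS", "iOS", False, True, False)))
```

The no-policy case in the tests is the one to watch in practice: an enrolled device that reports noncompliant is still allowed when no compliance policy was deployed to it, exactly as the Important note in Step 2 warns.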

Deployment Steps for using Exchange Online with Intune

Step 1: Create compliance policies and deploy to users.

Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.

1. In the Microsoft Intune administration console, choose Policy > Compliance Policies > Add.

2. On the Create Policy page, configure the settings you require:

| Setting | iOS | Android | Windows |
| Require a password to unlock mobile devices | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later |
| Allow simple passwords | iOS 7 and later | Not supported | Windows Phone 8 and later |
| Minimum password length | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1 |
| Required password type | iOS 7 and later | Not available | Windows Phone 8 and later; Windows RT; Windows RT 8.1; Windows 8.1 |
| Minimum number of character sets | iOS 7 and later | Not available | Windows Phone 8 and later; Windows RT; Windows RT 8.1; Windows 8.1 |
| Password quality | Not available | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Not available |
| Minutes of inactivity before password is required | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1 |
| Password expiration (days) | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1 |
| Remember password history | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1 |
| Prevent reuse of previous passwords | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1 |
| Require a password when the device returns from an idle state | Not available | Not available | Windows 10 Mobile |
| Require encryption on mobile device | Not applicable | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1 |
| Require devices to be reported as healthy | Not available | Not available | Windows 10 Mobile |
| Device must not be jailbroken or rooted | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Not available |
| Email account must be managed by Intune | iOS 7 and later | Not available | Not available |
| Select the email profile that must be managed by Intune | iOS 7 and later | Not available | Not available |
| Minimum OS required | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1 |
| Maximum OS version allowed | iOS 7 and later | Android 4.0 and later; Samsung KNOX Standard 4.0 and later | Windows Phone 8 and later; Windows 8.1 |

(1) For devices that run Windows and are secured with a Microsoft Account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than 2.

3. When you are finished, choose Save Policy.

You will be given the option to deploy the policy now, or you can choose to deploy it later. The

new policy displays in the Compliance Policies node of the Policy workspace.

4. Set the compliance status validity period

To specify the time the device has to check-in before a device is considered not compliant, go to

compliance policy settings and update the time. The default is set to 30 days.

To deploy the compliance policy

1. In the Policy workspace, select the policy you want to deploy, then choose Manage Deployment.

2. In the Manage Deployment dialog box, select one or more groups to which you want to deploy the policy, then choose Add > OK.

You can deploy to users and/or devices. Use Active Directory groups that you have already created and synced to Intune, or create these groups manually in the Intune console. For more information, see Use groups to manage users and devices with Microsoft Intune.

Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.

Use the status summary and alerts on the Overview page of the Policy workspace to identify issues with the policy that require your attention. Additionally, a status summary appears in the Dashboard workspace.

If you have not deployed a compliance policy and then enable an Exchange conditional access policy, all targeted devices will be allowed access.

View devices that do not conform to a compliance policy

1. In the Intune administration console, choose Groups.

2. Double-click the name of a device in the list of devices.

3. Choose the Policy tab to see a list of the policies for that device.

4. From the Filters drop-down list, select Does not conform to compliance policy.

When conflicts occur because multiple Intune settings are applied to a device, the following rules apply:

- If the conflicting settings are from an Intune configuration policy and a compliance policy, the settings in the compliance policy take precedence over the settings in the configuration policy, even if the settings in the configuration policy are more secure.

- If you have deployed multiple compliance policies, the most secure of these policies will be used.
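The conflict rules above and the check-in validity period from step 4, as an added Python example that is not part of the Intune documentation. It assumes the "most secure" rule is applied setting by setting, and the policy and device values are constructed for the example.

```python
# Added example, not Intune's own code: models the compliance rules described
# above. Assumption: conflicts between several compliance policies are resolved
# per setting, keeping the most secure value of each.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def version_key(v: str) -> Tuple[int, ...]:
    """Turn '8.1' or '4.0.3' into a tuple that compares numerically."""
    return tuple(int(part) for part in v.split("."))

@dataclass
class CompliancePolicy:
    name: str
    min_password_length: int = 0      # 0 = setting not configured
    require_encryption: bool = False
    block_jailbroken: bool = False
    min_os_version: Optional[str] = None

@dataclass
class Device:
    password_length: int
    encrypted: bool
    jailbroken: bool
    os_version: str
    last_checkin: datetime

def merge_most_secure(policies: List[CompliancePolicy]) -> CompliancePolicy:
    """Combine deployed policies, keeping the most secure value of each setting."""
    merged = CompliancePolicy(name="effective")
    for p in policies:
        merged.min_password_length = max(merged.min_password_length, p.min_password_length)
        merged.require_encryption = merged.require_encryption or p.require_encryption
        merged.block_jailbroken = merged.block_jailbroken or p.block_jailbroken
        if p.min_os_version and (merged.min_os_version is None or
                                 version_key(p.min_os_version) > version_key(merged.min_os_version)):
            merged.min_os_version = p.min_os_version
    return merged

def evaluate_compliance(device: Device, policies: List[CompliancePolicy], now: datetime,
                        validity: timedelta = timedelta(days=30)) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). No deployed policy means the device counts as
    compliant; a device silent for longer than the validity period does not."""
    if not policies:
        return True, []
    if now - device.last_checkin > validity:
        return False, ["no check-in within the compliance status validity period"]
    policy = merge_most_secure(policies)
    reasons = []
    if device.password_length < policy.min_password_length:
        reasons.append(f"password shorter than {policy.min_password_length}")
    if policy.require_encryption and not device.encrypted:
        reasons.append("device not encrypted")
    if policy.block_jailbroken and device.jailbroken:
        reasons.append("device is jailbroken or rooted")
    if policy.min_os_version and version_key(device.os_version) < version_key(policy.min_os_version):
        reasons.append(f"OS older than {policy.min_os_version}")
    return not reasons, reasons

# Constructed sample data (made-up values) for a stand-alone run.
NOW = datetime(2016, 3, 1, tzinfo=timezone.utc)
POLICIES = [
    CompliancePolicy("baseline", min_password_length=6),
    CompliancePolicy("finance", min_password_length=8, require_encryption=True, min_os_version="8.0"),
]
DEVICES = {
    "weak": Device(6, False, False, "8.1", NOW - timedelta(days=2)),
    "stale": Device(8, True, False, "8.1", NOW - timedelta(days=31)),
    "good": Device(8, True, False, "8.1", NOW - timedelta(days=1)),
}
```

Running evaluate_compliance over DEVICES with POLICIES shows the "weak" device failing on both the merged 8-character minimum and the encryption requirement, and the "stale" device failing solely because it has not checked in within the 30-day validity period.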

Step 2: Evaluate the effect of the conditional access policy

If you have configured a connection between Intune and Exchange by using the Service to Service Connector, you can use the Mobile Device Inventory Reports to identify EAS mail clients that will be blocked from accessing Exchange after you configure the conditional access policy.

To view the status of the connection and the last successful synchronization attempt, in the Microsoft Intune administrator console:

1. In the Microsoft Intune administration console, choose ADMIN, expand Mobile Device Management, and then choose Microsoft Exchange.

2. If there is no Service to Service Connector installed, expand Microsoft Exchange, then choose Set Up Exchange Connection > Set Up Service to Service Connector.

Important
The Service to Service Connector will automatically configure and synchronize with your Hosted Exchange environment.

To view the mobile device inventory report:

1. Choose Reports > Mobile Device Inventory Reports.

2. Select the device groups for which you plan to roll out the conditional access policy, and filter by OS status if needed.

3. After you have selected the criteria that meet your organization's needs, choose View Report. The Report Viewer opens in a new window.

For more information about how to run reports, see Understand Microsoft Intune operations by using reports.

After you run the report, examine these four columns to determine whether a user will be blocked:

- Management Channel: Indicates whether the device is managed by Intune, Exchange ActiveSync, or both.

- AAD Registered: Indicates whether the device is registered with Azure Active Directory (known as Workplace Join).

- Compliant: Indicates whether the device is compliant with any compliance policies you deployed.

- Exchange ActiveSync ID: iOS and Android devices are required to have their Exchange ActiveSync ID associated with the device registration record in Azure Active Directory. This happens when the user selects the Activate Email link in the quarantine email.

Devices that are part of a targeted group will be blocked from accessing Exchange unless the column values match those listed in the following table:

Management channel | AAD registered | Compliant | Exchange ActiveSync ID | Resulting action
Managed by Microsoft Intune and Exchange ActiveSync | Yes | Yes | A value is displayed | Email access allowed
Any other value | No | No | No value is displayed | Email access blocked

You can export the contents of the report and use the Email Address column to help you inform users that they will be blocked.

Step 3: Configure user groups for the conditional access policy

You target conditional access policies to different groups of users depending on the policy type. These groups contain the users that are targeted by, or exempt from, the policy. When a user is targeted by a policy, each device they use must be compliant in order to access email.

For the Exchange Online policy, you specify Azure Active Directory security user groups. You can configure these groups in the Office 365 admin center or in the Intune console.

You can specify two group types in each policy:

- Targeted groups: User groups to which the policy is applied.

- Exempted groups: User groups that are exempt from the policy (optional).

If a user is in both groups, they will be exempt from the policy.

Only the groups that are targeted by the conditional access policy are evaluated for Exchange access.

Step 4: Configure the conditional access policy for Exchange Online

The following flow is used by conditional access policies for Exchange Online to evaluate whether to allow or block devices.

To access email, the device must:

- Enroll with Intune.

- Register in Azure Active Directory (this happens automatically when the device is enrolled with Intune).

The device state is stored in Azure Active Directory, which grants or blocks access to email based on the evaluated conditions.

If a condition is not met, the user is presented with one of the following messages when they log in:

- If the device is not enrolled, or not registered in Azure Active Directory, a message is displayed with instructions about how to install the Company Portal app and enroll.

- If the device is not compliant, a message is displayed that directs the user to the Intune web portal, where they can find information about the problem and how to remediate it.

The message is displayed on the device for Exchange Online users.

Intune conditional access rules override the allow, block, and quarantine rules that are defined in the Exchange Online admin console.

1. In the Intune administration console, choose Policy > Conditional Access > Exchange Online Policy.

2. On the Exchange Online Policy page, select Enable conditional access policy for Exchange Online. If you check this, a device must be compliant. If this is not checked, conditional access is not applied.

Note
If you have not deployed a compliance policy and then enable the Exchange Online policy, all targeted devices are reported as compliant. Regardless of the compliance state, all users who are targeted by the policy will be required to enroll their devices with Intune.

3. Under Application access, for apps that use modern authentication, you have two ways of choosing which platforms the policy should apply to. Supported platforms include Android, iOS, Windows, and Windows Phone.

- All platforms: This requires any device used to access Exchange Online to be enrolled in Intune and compliant with the policies. Any client application using modern authentication is subject to the conditional access policy, and if the platform is not currently supported by Intune, access to Exchange Online is blocked. Selecting the All platforms option means that Azure Active Directory will apply this policy to all authentication requests, regardless of the platform reported by the client application. All platforms will be required to enroll and become compliant, except for:
  - Windows devices, which must be enrolled and compliant, domain joined with on-premises Active Directory, or both.
  - Unsupported platforms like Mac OS. However, apps using modern authentication on these platforms will still be blocked.

Tip
You may not see this option if you are not already using conditional access for PCs. Use the Specific platforms option instead. Conditional access for PCs is not currently available to all Intune customers. You can find more information about known issues, and about how to get access to this feature, at the Microsoft Connect site.

- Specific platforms: The conditional access policy will apply to any client app that is using modern authentication on the device platforms you specify.

4. Under Outlook web access (OWA), you can choose to allow access to Exchange Online only through the supported browsers: Safari (iOS) and Chrome (Android). Access from other browsers will be blocked. The same platform restrictions you selected for Application access for Outlook also apply here.

On Android devices, users must enable browser access. To do this, the end user must turn on the "Enable Browser Access" option on the enrolled device as follows:

a. Launch the Company Portal app.
b. Go to the Settings page from the triple dots (…) or the hardware menu button.
c. Press the Enable Browser Access button.
d. In the Chrome browser, sign out of Office 365 and restart Chrome.

On iOS and Android platforms, to identify the device that is used to access the service, Azure Active Directory will issue a Transport Layer Security (TLS) certificate to the device. The device displays the certificate with a prompt for the end user to select it, as seen in the screenshots below. The end user must select this certificate before they can continue to use the browser.

5. Under Exchange ActiveSync apps, you can choose to block noncompliant devices from accessing Exchange Online. You can also select whether to allow or block access to email when the device is not running a supported platform. Supported platforms include Android, iOS, Windows, and Windows Phone.

6. Under Targeted Groups, select the Active Directory security groups of users to which the policy will apply. You can choose to target all users or a selected list of user groups.

Note
For users that are in the Targeted groups, the Intune policies will replace Exchange rules and policies. Exchange will only enforce the Exchange allow, block, and quarantine rules, and Exchange policies, if:
- The user is not licensed for Intune.
- The user is licensed for Intune, but does not belong to any security groups targeted in the conditional access policy.

7. Under Exempted Groups, select the Active Directory security groups of users that are exempt from this policy. If a user is in both the targeted and exempted groups, they will be exempt from the policy and will have access to their email.

8. When you are finished, choose Save.

You do not have to deploy the conditional access policy; it takes effect immediately.

- After a user creates an email account, the device is blocked immediately.

- If a blocked user enrolls the device with Intune and fixes any noncompliance issues, email access is unblocked within 2 minutes.

- If the user un-enrolls their device, email is blocked after around 6 hours.
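The Exchange Online decision flow above, combined with the report columns from Step 2 (management channel, AAD registered, compliant, Exchange ActiveSync ID) and the targeted and exempted groups from Step 3, as an added Python example that is not part of the Intune documentation. The class and function names, the outcome labels and the sample export rows are constructed for the example; treating a platform outside a Specific platforms selection as "not evaluated" is an assumption.

```python
# Added example, not Intune's own code: models the Exchange Online decision
# flow in Steps 2 to 4. Names, defaults and sample rows are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set

SUPPORTED = {"Android", "iOS", "Windows", "Windows Phone"}
BLOCKED = {"blocked", "enroll", "remediate", "activate-email"}

@dataclass
class ExchangeOnlinePolicy:
    enabled: bool = True
    targeted_groups: Set[str] = field(default_factory=set)  # empty = all users
    exempted_groups: Set[str] = field(default_factory=set)
    app_platforms: Optional[Set[str]] = None  # None = "All platforms"
    block_unsupported_eas: bool = True        # EAS apps on unsupported platforms

@dataclass
class Device:
    email: str                # the report's Email Address column
    platform: str
    client: str               # "modern" (modern authentication) or "eas"
    licensed: bool            # the user holds an Intune license
    groups: Set[str]          # the user's AAD security groups
    management_channel: str   # report column
    aad_registered: bool      # report column
    compliant: bool           # report column
    eas_id: str = ""          # report column; "" when no value is displayed
    domain_joined: bool = False

def policy_applies(policy: ExchangeOnlinePolicy, d: Device) -> bool:
    """Exchange's own rules decide unless the user is licensed and targeted."""
    if not policy.enabled or not d.licensed or d.groups & policy.exempted_groups:
        return False  # a user in both targeted and exempted groups is exempt
    return not policy.targeted_groups or bool(d.groups & policy.targeted_groups)

def evaluate(policy: ExchangeOnlinePolicy, d: Device) -> str:
    """Outcome for one device, naming the message a blocked user would see."""
    if not policy_applies(policy, d):
        return "exchange-rules"
    if d.client == "eas":
        if d.platform not in SUPPORTED:
            return "blocked" if policy.block_unsupported_eas else "allowed"
    elif policy.app_platforms is None:            # All platforms
        if d.platform == "Windows" and d.domain_joined:
            return "allowed"                      # domain join accepted instead
        if d.platform not in SUPPORTED:
            return "blocked"                      # e.g. Mac OS cannot enroll
    elif d.platform not in policy.app_platforms:  # Specific platforms
        return "not-evaluated"
    channel = d.management_channel.lower()
    managed = "intune" in channel and (d.client != "eas" or "activesync" in channel)
    if not (managed and d.aad_registered):
        return "enroll"          # install the Company Portal and enroll
    if not d.compliant:
        return "remediate"       # fix the issue shown in the Intune portal
    if d.client == "eas" and d.platform in ("iOS", "Android") and not d.eas_id:
        return "activate-email"  # EAS ID not yet linked to the AAD record
    return "allowed"

def users_to_inform(policy: ExchangeOnlinePolicy, devices: List[Device]) -> List[str]:
    """Email addresses to warn before rollout, as in Step 2's exported report."""
    return sorted({d.email for d in devices if evaluate(policy, d) in BLOCKED})

# Constructed sample export rows (made-up values).
POLICY = ExchangeOnlinePolicy(targeted_groups={"Sales"}, exempted_groups={"Execs"})
BOTH = "Managed by Microsoft Intune and Exchange ActiveSync"
ROWS = [
    Device("ann@example.com", "iOS", "eas", True, {"Sales"}, BOTH, True, True, "EAS-1"),
    Device("bob@example.com", "Android", "eas", True, {"Sales"}, "Exchange ActiveSync", False, False),
    Device("cat@example.com", "iOS", "eas", True, {"Sales"}, BOTH, True, False, "EAS-3"),
    Device("dan@example.com", "Android", "eas", True, {"Sales"}, BOTH, True, True),
    Device("eve@example.com", "iOS", "eas", True, {"Sales", "Execs"}, "Exchange ActiveSync", False, False),
    Device("fay@example.com", "Mac OS", "modern", True, {"Sales"}, "", False, False),
    Device("gus@example.com", "Windows", "modern", True, {"Sales"}, "", False, False, "", True),
]
```

Calling users_to_inform(POLICY, ROWS) lists bob, cat, dan and fay: unenrolled, noncompliant, missing EAS ID, and an unsupported platform respectively, while eve is left to Exchange's own rules because she is in an exempted group.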

To see some example scenarios of how you would configure a conditional access policy to restrict device access, see restrict email access example scenarios.

Reporting

Monitor the compliance and conditional access policies

To view devices that are blocked from Exchange:

1. On the Intune dashboard, choose the Blocked Devices from Exchange tile to show the number of blocked devices and links to more information.

End-user Experience

Following is an overview of the end-user experience after conditional access is enabled and an end user tries to access email on their mobile device.

Windows Phone

1. If a user is already enrolled in Intune and is compliant, they will see no difference on Windows devices; they will continue to get access to email. Users who have not yet enrolled in Intune will receive a quarantine email similar to this sample:

The user chooses Get started now to begin enrolling their device.

Note
The enrollment process and the screens the user sees will be slightly different depending on the version of the OS running on the end-user device.

2. On the Company Access Setup screen, the user chooses Begin to start setting up their device and checking whether it is compliant.

3. On the Enroll Your Device screen, the user chooses Confirm Enrollment to start enrolling their device.

During enrollment, the Mobile Device Management profile is installed to allow you, the IT administrator, to remotely manage the device. The user might be prompted to accept a certificate authorizing Workplace Join.

The user signs in using the email address they use with Office. After they are signed in, they might need to choose Confirm Enrollment once more to continue enrolling their device.

4. The device is checked to verify that it is enrolled.

The user then completes the enrollment process by selecting their device and choosing Select. If their device is not displayed, they can select I don't see my device listed to try again.

5. The device is checked to verify that it is compliant with company policies.

If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid password) and then choose Check Compliance to continue.

6. After compliance is verified, the user sees that enrollment is being activated.

7. Enrollment is activated and the user chooses Continue to complete the process…

8. …and the process completes! The user chooses Done to exit setup.

After the user is enrolled and compliance is verified, email access should become available within a few minutes.

If the user follows those steps to enroll and become compliant and still cannot access their email on their mobile device, they can follow these additional steps to try to fix the issue:

- First, verify that their device is enrolled. If not, the user follows the steps above.

- Verify that the device is compliant by choosing Check Compliance. If a compliance error is identified, the user can follow the instructions specific to their mobile device about how to resolve it, such as resetting their password.

- Call the help desk.

If a device becomes noncompliant

Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was previously compliant is later deemed to be noncompliant (for example, a compliance policy was added or changed), the user can follow these steps to get their device back in compliance:

1. The user receives a notification in email or on their device that the device is noncompliant. At this time, the device is quarantined in Exchange.

2. If the user tries to access email, they are redirected back to the Company Access Setup screen in the Intune Company Portal, which shows that they are out of compliance.

3. The user chooses Continue and is shown the compliance issue that is preventing them from accessing email.

4. After they have fixed the issue, they choose Check Compliance to verify that the problem is resolved.

5. If the issue is fixed, the user chooses Continue to complete the process. Email access should become available again within a few minutes.

iOS

1. If a user is already enrolled in Intune and is compliant, they will see no difference on iOS devices; they will continue to get access to email. If the user is not yet enrolled, they will see a quarantine message similar to this when they launch their mail app:

Note
The enrollment process and the screens the user sees will be slightly different depending on the version of the OS running on the end-user device.

The user chooses Get started now to begin enrolling their device.

2. The user is prompted to install the Intune Company Portal app from the respective app store. After it installs, the user opens the app and signs in using their company credentials.

3. On the Company Access Setup screen, the user chooses Begin to start setting up their device and checking whether it is compliant.

4. On the Device Enrollment screen, the user chooses Enroll to start enrolling their device.

During enrollment, the Mobile Device Management profile is installed to allow you, the IT administrator, to remotely manage the device. The user enters their password if prompted.

5. On the Company Access Setup screen, the user chooses Continue to start checking compliance on the device.

If there is a compliance issue, the user is prompted to resolve the issue (such as by creating a valid password) and then choose Check Compliance to continue.

After the device is fully compliant, the user chooses Continue to proceed.

After the user is enrolled and compliance is verified, email access should become available within a few minutes.

If the user follows those steps to enroll and become compliant and still cannot access their email on their mobile device, they can follow these additional steps to try to fix the issue:

- First, verify that their device is enrolled. If not, the user follows the steps above.

- Verify that the device is compliant by choosing Check Compliance. If a compliance error is identified, the user can follow the instructions specific to their mobile device about how to resolve it, such as resetting their password.

- Call the help desk.

If a device becomes noncompliant

Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was previously compliant is later deemed to be noncompliant (for example, a compliance policy was added or changed), the user can follow these steps to get their device back in compliance:

1. The user receives a notification in email or on their device that the device is noncompliant. At this time, the device is quarantined in Exchange.

2. If the user tries to access email, they are redirected back to the Company Access Setup screen in the Intune Company Portal, which shows that they are out of compliance.

3. The user chooses Continue and is shown the compliance issue that is preventing them from accessing email.

4. After they have fixed the issue, they choose Check Compliance to verify that the problem is resolved.

5. If the issue is fixed, the user chooses Continue to complete the process. Email access should become available again within a few minutes.

Android

Note
The enrollment process and the screens the user sees will be slightly different depending on the version of the OS running on the end-user device.

1. When they try to access email, the user first receives a quarantine email similar to this sample:

The user chooses Get started now to begin enrolling their device.

2. The user is prompted to install the Intune Company Portal app from the respective app store. After it installs, the user opens the app and signs in using their company credentials.

Note
If a user has not set a default browser for their device, they will be prompted during device enrollment and during enrollment activation to allow a link to open a browser window. When prompted, they must select the same browser each time or the enrollment process will fail.

3. On the Company Access Setup screen, the user chooses Begin to start setting up their device and checking whether it is compliant.

4. On the Device Enrollment screen, the user chooses Enroll to start enrolling their device.

5. Users must activate the device administrator by choosing Activate when prompted, or the device enrollment procedure will cancel.

Device enrollment begins. Depending on the device, a certificate installation prompt or a Samsung KNOX Privacy Policy prompt might appear during enrollment. These are necessary to allow you, the IT administrator, to remotely manage the device. The device is enrolled in Intune and establishes a device identity with Azure Active Directory.

6. After enrollment is completed successfully, the user chooses Continue to start checking compliance on the device.

If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid password) and then choose Check Compliance to continue.

7. After the device is fully compliant, the user chooses Continue to initiate enrollment activation. This connects the AAD device identity with the EAS ID provided by Exchange.

Note
On Android, the default browser will appear for a few seconds during enrollment activation. If the user has not already selected a default browser, they are prompted to choose a browser. While completing Company Access Setup, the same browser must be selected by the user whenever prompted.

8. Enrollment activation completes and the user chooses Done to exit the enrollment and compliance verification process.

After the user is enrolled and compliance is verified, email access should become available within a few minutes.

If the user follows those steps to enroll and become compliant and still cannot access their email on their mobile device, they can follow these additional steps to try to fix the issue:

- First, verify that their device is enrolled. If not, the user follows the steps above.

- Verify that the device is compliant by choosing Check Compliance. If a compliance error is identified, the user can follow the instructions specific to their mobile device about how to resolve it, such as resetting their password.

- Call the help desk.

If a device becomes noncompliant

Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was previously compliant is later deemed to be noncompliant (for example, a compliance policy was added or changed), the user can follow these steps to get their device back in compliance:

1. The user receives a notification in email or on their device that the device is noncompliant. At this time, the device is quarantined in Exchange.

2. When the user tries to access email, they see a quarantine email informing them that compliance issues must be fixed before they can get access. When the user selects the hyperlink in the quarantine email, it redirects them to the Company Access Setup screen in the Intune Company Portal (via the default browser and Google Play), which shows that the device is not compliant.

3. The user chooses Continue and is shown the compliance issue that is preventing them from accessing email.

4. After they have fixed the issue, they choose Check Compliance to verify that the problem is resolved.

5. If the issue is fixed, the user chooses Continue to complete the process. Email access should become available again within a few minutes.