
Conditional Access for Exchange Online using Microsoft Intune

In December, we released a service update for Microsoft Intune that enables admins to set up conditional access to Exchange Online for mobile devices, and we have just released a new Configuration Manager Extension for Microsoft Intune that enables this same functionality for customers using System Center Configuration Manager connected to Intune (hybrid). This blog post describes how this feature works in both deployment scenarios: Intune standalone and hybrid.

This feature enables Intune tenants to restrict Exchange ActiveSync (EAS) access to Exchange Online to only those users who have enrolled their devices for management. For many organizations who seek to enable a Bring Your Own Device (BYOD) strategy, protecting data on mobile devices becomes key. Email is especially important because it is the most common form of organizational data that is accessed on mobile devices. By requiring that only managed and compliant devices be allowed to synchronize email, organizations can provide an extra layer of data protection. Check out this demo video on conditional access to email and read below for more information.

How the solution works

EAS clients attempting to access mail in Exchange Online will be evaluated for two basic properties:

  1. Is the device managed and registered with Azure Active Directory?

  2. Is the device compliant?

To get to this state, the device on which the EAS client is running will need to enroll with Intune, perform an operation called workplace join (which on most platforms happens automatically with enrollment), and be evaluated for device policy.  These states are written by Intune into Azure Active Directory, and then read by Exchange Online the next time the EAS client tries to get email.  If the device is not registered, the user will get a message in their inbox with instructions on how to do this (we call it enrolling).  If the device is not compliant, the user will get a different message in their inbox that redirects them to the Intune web portal where they can get info on the compliance problem as well as how to remediate it.

Deploying the solution

Deploying the Exchange Online conditional access feature boils down to two fundamental steps:

Step 1: Define and deploy a compliance policy

A compliance policy defines what it means for a device to be compliant in order to access Exchange Online.  Intune will compute whether a device meets these criteria and will then set a property in Azure Active Directory, which is then consumed by Exchange.  We have separated this from Configuration Policies (security settings and resource access profiles) in order to make it super clear as to what rules will actually result in a user getting blocked from their email. 

A Compliance Policy can require that a device have passcode settings applied, encryption enabled, not be jailbroken or rooted, and have an email profile managed by Intune.  If a device is capable of remediating a setting, it will do so; if auto-remediation is not possible, the device will be marked as not compliant and will be blocked from Exchange until the user remediates the issue.

Full details about each of these rules can be found in this TechNet article.

To create a Compliance Policy in the Intune console, go to Policy > Compliance Policies and select Add…


To create a Compliance Policy in the Configuration Manager console, go to Assets and Compliance > Compliance Settings > Compliance Policies and select Create Compliance Policy.


Step 2: Configure the Exchange Online policy

Now you need to tell Exchange Online that you wish to enforce conditional access. This is done by configuring the Exchange Online policy, which configures a policy in Azure Active Directory to require that only managed and compliant devices may access Exchange through Exchange ActiveSync. 

You must also specify which Azure Active Directory security groups will be subjected to this policy.  If you need to configure your security groups you can do so in either the Office 365 admin center or the Intune account portal.  Additionally, you may specify security groups that should be exempted from this policy.  This is an optional step, but it is recommended if you have particular users who may fall into one of your targeted security groups but whom you do not want to be blocked.

Finally, you can choose whether to allow or block devices that are not capable of enrolling with Intune (see the list of supported platforms at the beginning of this article).  One thing to note is that Exchange ActiveSync allow/block/quarantine rules will not apply to devices that belong to users included in this policy.  For example, if I put user John’s EAS client into quarantine using the Exchange Online admin console, and then add a group that John belongs to in the Exchange Online conditional access policy, John will be allowed to access email so long as his device is enrolled and compliant; the quarantine rule defined in Exchange will not apply.

Once this policy is configured, users who belong to any of the targeted groups will be required to enroll their device with Intune.  Additionally, those users’ devices must be compliant with any deployed compliance policies.  Note that the targeting for compliance policies is against Intune groups, whereas targeting for conditional access policies is against Azure Active Directory security groups.

To configure the Exchange Online conditional access policy, go to Policy > Conditional Access > Exchange Online Policy.


This policy must be configured in the Intune console. Configuration Manager hybrid customers can access this location by going to Assets and Compliance > Conditional Access > Exchange Online and select Configure Conditional Access Policy in the Intune console.  Log in using the same credentials that were used to set up the connector between Configuration Manager and Microsoft Intune.


Reporting

In a future blog post, I will provide more detail on how monitoring and reporting works for this feature, but for now, I want to highlight one report that will be useful to Intune standalone customers. Note that for this to work, you will need the Service to Service connector to be deployed (found under Admin > Microsoft Exchange > Set Up Exchange Connector, click

Prior to enabling Conditional Access, you will want to notify affected users who are already accessing email through an EAS client.  A convenient way to do this is to run a report called the Mobile Device Inventory Report, export it into a spreadsheet, find all of the non-registered and non-compliant devices, and send those users an email.

To do this, go to Reports > Mobile Device Inventory Reports and click View Report.


Once the report is generated, click the little Export button in the top right, and choose .csv format to open it in Excel. 


Then look for all devices that are not managed by Intune or not compliant. You can copy the users’ email addresses right into the To: field in Outlook. 
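The filtering step above, as an added PowerShell example that is not part of the original post: it reads the exported report, keeps the rows that are either not managed by Intune or not compliant, and builds a deduplicated recipient list for the notification mail. The column names and the sample rows are constructed assumptions; map them to the headers in your own export.

```powershell
# Added example (not from the original post): filter an exported Mobile Device
# Inventory Report for devices that are not managed by Intune or not compliant,
# then build the recipient list for the notification mail.
# ASSUMPTION: the column names below are placeholders; replace them with the
# headers that appear in your own .csv export.

# Constructed sample rows standing in for the exported .csv
$sampleCsv = @"
"User Email","Device Name","Managed By","Compliance Status"
"alice@contoso.example","Alice-iPhone","Intune","Compliant"
"bob@contoso.example","Bob-Android","Exchange ActiveSync","Not Applicable"
"carol@contoso.example","Carol-iPad","Intune","Noncompliant"
"alice@contoso.example","Alice-Surface","Intune","Compliant"
"dave@contoso.example","Dave-Phone","Exchange ActiveSync","Not Applicable"
"@

function Get-AffectedUsers {
    # Returns the unique e-mail addresses of users who own at least one device
    # that will be quarantined once the conditional access policy is enabled.
    param([Parameter(Mandatory)][object[]]$Rows)

    $Rows |
        Where-Object {
            # A device is affected if Intune does not manage it (it is only
            # known through Exchange ActiveSync) or if it is not compliant.
            $_.'Managed By' -ne 'Intune' -or
            $_.'Compliance Status' -ne 'Compliant'
        } |
        Select-Object -ExpandProperty 'User Email' |
        Sort-Object -Unique      # one mail per user, even with several devices
}

# The sample is parsed in-memory; for a real export use instead:
#   $rows = Import-Csv -Path .\MobileDeviceInventory.csv
$rows = $sampleCsv | ConvertFrom-Csv
$affected = Get-AffectedUsers -Rows $rows

# Semicolon-separated list that can be pasted straight into the Outlook To: field
$affected -join '; '
```

Alice is left out because both of her devices are managed and compliant, while Bob, Carol and Dave each have at least one device that the policy would quarantine.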

Note: For ConfigMgr Hybrid customers, reporting for Conditional Access will come as an update in a later version of System Center Configuration Manager.  Reporting is not available in the Configuration Manager Extension for Intune.

End user experience

Once the above steps are in place, users belonging to the security groups specified in the Exchange Online conditional access policy will start getting quarantined from email. This will take effect immediately for any Exchange ActiveSync client set up after the policy is saved. Existing EAS clients will be quarantined approximately twenty-four hours later.

Users will see a single mail in their mailbox, telling them that they must enroll with Intune. Here are two examples:

[Screenshots: two examples of the quarantine mail]

Users must follow the steps in order to enroll and register their devices, and to address any compliance issues.

  1. Enrolling into Intune – This link will guide the user through the enrollment and Azure Active Directory registration process appropriate for the platform they are on. For example, users on iPads or iPhones will be redirected to the App Store from which they need to download and install the Company Portal app, and then enroll. 

  2. Activate your email – This step is required for all non-iOS devices. The action will ensure that Intune and Azure Active Directory are aware of the Exchange ActiveSync client.

  3. Check to see if your device is compliant – Users will be redirected to the Intune web portal where they can view any non-compliance issues. 

When the user is redirected to the Intune web portal they will see a list of compliance issues that Intune has identified based on the Compliance Policy that was deployed.  The user can then view more details on how to remediate the issue using the “How to resolve this” link. Once the issue is remediated, the user must trigger another Intune policy evaluation by clicking the Check Compliance button.


Once the user’s device is enrolled, registered with Azure Active Directory, and compliant with all Compliance Policies, the quarantine mail will be removed and email will begin to flow.

Additional resources

For additional technical resources on Conditional Access in Microsoft Intune, visit TechNet here. Also, if you’re interested in learning about conditional access for on-premises Exchange using Intune, check out this blog post here. And if you’re not yet using Intune, sign up for a free 30-day trial today!

- Chris Green, Senior Program Manager
