
Intune and Exchange ActiveSync (Part 1)

If you would like to read the other parts in this article series please go to:

Introduction

Intune is a Microsoft cloud-based management solution that was first introduced back in 2011. Its purpose is to help organizations manage and protect computers and mobile devices in order to secure the company’s information assets, while still allowing users to access company email, data and applications.

Intune can manage:

  • Mobile devices, including phones and tablets running Android 2.3.4 and later (including Samsung KNOX), iOS 6.0 and later, Windows Phone 8.0 and later, and Windows RT;
  • Computers running a professional edition of Windows Vista, Windows 7, Windows 8 or Windows 8.1. Computers running Windows 8.1 can be managed either as mobile devices or as computers using the Intune client software.

We can configure and run Intune in two different ways:

  • Intune stand-alone. As a cloud-based solution, we can use any Silverlight-enabled web browser to manage Intune without any on-premises IT infrastructure (although we can run DirSync/AADSync on-premises to synchronize user accounts into Azure Active Directory (AD), which Intune uses, as we will see later);
  • Intune with System Center Configuration Manager. Intune can be integrated with System Center 2012 Configuration Manager (SCCM), allowing organizations to manage all of their devices through a single console, the Configuration Manager Admin Console, further extending both Intune’s and SCCM’s management capabilities.

In this article series we will look at using Intune stand-alone to manage mobile devices from an Exchange ActiveSync (EAS) perspective. But with EAS and its Allow/Block/Quarantine lists, do we really need Intune?! Exchange ActiveSync mailbox policies are designed to secure mobile devices, but Windows Intune goes beyond that by focusing on Mobile Device Management (MDM): we can use it to raise health alerts for users’ mobile devices or even to deliver applications. More importantly, we will see in this article series how to block unmanaged or non-compliant devices from connecting to our Exchange environment using ActiveSync.
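For comparison with what Intune adds, the following added example (not part of the original article) audits the Exchange ActiveSync Allow/Block/Quarantine state of the existing device partnerships and makes Quarantine the default for devices no rule or MDM has vouched for. It assumes an Exchange Management Shell or Exchange Online PowerShell session with the Organization Management role; the notification address is a placeholder, and on Exchange 2010 Get-MobileDevice is called Get-ActiveSyncDevice.

```powershell
# Added example, not from the article: audit EAS device access state and
# default unknown devices to quarantine. Placeholder values are marked.

$adminNotify = 'eas-admin@contoso.example'   # placeholder: who receives quarantine mail

# 1. Current organization-wide default for devices that no rule matches
$org = Get-ActiveSyncOrganizationSettings
"Current DefaultAccessLevel: $($org.DefaultAccessLevel)"

# 2. Inventory every device partnership and summarise it by access state
$devices = Get-MobileDevice -ResultSize Unlimited
$devices |
    Group-Object DeviceAccessState |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 3. Devices that are not explicitly allowed: nothing (device access rule,
#    per-mailbox allow list or, later, Intune) has vouched for these yet
$devices |
    Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS,
                  DeviceAccessState, DeviceAccessStateReason |
    Format-Table -AutoSize

# 4. Quarantine unknown devices by default and tell the user what to do.
#    -WhatIf previews the change; remove it to apply the new default.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $adminNotify `
    -UserMailInsert 'Your device must be enrolled with IT before it can sync mail.' `
    -WhatIf
```

Quarantined devices appear under Phone & Voice in the Exchange admin center (or Exchange Control Panel) where an administrator can allow or block them individually; this is the manual process the Intune conditional access covered later in the series automates.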

In this article series we will be covering the following topics:

  • Sign Up for Intune;
  • Preparing for Mobile Device Management;
  • Company Portal;
  • Preparing to Manage Windows Phone Devices;
  • Preparing to Manage iOS Devices;
  • Preparing to Manage Android Devices;
  • Adding Intune Users and Assigning Licenses;
  • Intune Groups;
  • Intune Mobile Device Security Policies;
  • Enrolling Mobile Devices;
  • Creating Email Profiles;
  • Managing Devices using Exchange ActiveSync in Microsoft Intune;
  • Conditional Access;
  • Remote Wipe, Remote Lock and Passcode Reset.

Sign Up for Intune

Whether we have to sign up or sign in depends on whether our organization already has a Microsoft Online Services account, an Enterprise Agreement or equivalent volume licensing agreement with Microsoft.

If we do not have a Microsoft Online Services account, as is provided when we sign a volume licensing agreement with Microsoft or subscribe to Office 365, we need to sign up for a new account. This might also be the case if we want to trial Intune for evaluation purposes only and we plan to discard it after or redo the Intune service setup.

To sign up or sign in to Intune navigate to the Intune Sign up page:


Figure 1

On this page we have two options:

  • Subscribe using our Microsoft Online Services account by clicking Sign in. When we use the same account for multiple services, those services use the same Azure AD infrastructure and are tenants of Azure AD;
  • Subscribe to Intune only. If we do not yet subscribe to a cloud service, then we need to complete the form to subscribe to Intune.

For this article I will be using my existing Office 365 account to trial Intune. As such, I click on Sign in and enter my Office 365 admin credentials:


Figure 2

I am then taken to the Microsoft Intune trial order:


Figure 3

After clicking on Try now I receive a confirmation of my “order”:


Figure 4

And once I click Continue I am taken to the Microsoft Intune Account Portal:


Figure 5

In the Intune Account Portal we can add and manage users, groups, our subscription and our domain(s). But before we do this, there are a few things we should do first, so we will come back to this portal at a later stage. These “prerequisites” will be performed using the Microsoft Intune Administration Console, the console through which we do most of Intune’s configuration. Hopefully in the future both this console and the account portal will be in one single place...

As part of the sign-up/sign-in process, we also receive a confirmation email with the accounts we can use to log in to the service and details regarding the trial start and end dates:


Figure 6

Preparing for Mobile Device Management

Before we can enroll and manage mobile devices, we have to prepare Intune by selecting the appropriate mobile device management authority. The mobile device management authority setting determines whether we will be managing mobile devices using Intune or SCCM with Intune integration. As I have mentioned, in this article we will be using Intune without SCCM integration so the setting should be set to Microsoft Intune.

As a warning, you should consider carefully whether you want to manage mobile devices using Intune only or SCCM with Intune integration. After you set the mobile device management authority to either of these options, it can only be changed again by raising a support case with Microsoft. As such, it is best to make the right choice the first time around.

To configure the mobile device management authority:

  1. Go to the Microsoft Intune Administration Console. If you are still in the Microsoft Intune Account Portal, click Admin Console at the top of the page:


Figure 7

  2. Click ADMIN > Mobile Device Management:


Figure 8

  3. Click Set Mobile Device Management Authority;
  4. Check the Use Microsoft Intune to manage my mobile devices box and then click OK:


Figure 9

  5. The Mobile Device Management Authority should now be set to Intune:


Figure 10

On the same screen we can also see that some mobile devices, such as Windows Phone 8.1 and Android, are ready to be enrolled, but iOS devices, for example, are not:


Figure 11

These are the prerequisites I mentioned earlier. Before we check what needs to be done so we can manage all types of mobile devices (Windows Phone, iOS and Android), let us have a quick look at another important component of Intune, the Company Portal.

Company Portal

Intune supports “bring your own device” (BYOD) by letting users enroll their devices through the Microsoft Intune Company Portal. The Company Portal is an app that runs natively on each device and allows users to add their personal devices to the service so they can be managed and, for example, allowed to connect to Exchange. Additionally, users can view and remove/wipe their managed devices or even locate contact information for the organization’s IT team. The Company Portal also helps users search, browse and install apps made available to them by their organization through Intune (these apps can be installed without requiring a connection to the corporate network).

The Intune Company Portal can be customized for your company. In the Microsoft Intune administration console click ADMIN > Company Portal and configure the following settings:

  • Company name;
  • IT department contact name;
  • IT department phone number;
  • IT department email address;
  • Additional information;
  • Company privacy statement URL;
  • Support website URL (not displayed);
  • Website name (displayed to user);
  • Color and background.


Figure 12

Later in this article series we will install and explore the Company Portal from an end-user mobile device.

Conclusion

In the first part of this article series, we looked at what Intune is, how to sign up for it and how to prepare to manage mobile devices. In the next part we will look at what needs to be done before we can start managing Windows Phone, iOS and Android devices.
