X

Intune and Exchange ActiveSync (Part 5)

If you would like to read the other parts in this article series please go to:

Managing Devices using ActiveSync in Intune

For Intune to be able to directly manage mobile devices, users need to enroll their devices into Intune. For mobile devices that have not yet been enrolled, we can enable Exchange ActiveSync management using the Exchange connector. Exchange devices can be managed in both on-premises servers and on Office 365. The Exchange connector, as the name suggests, connects Intune with our Exchange deployment and lets us manage mobile devices through the Intune console, where we have the ability to perform the following operations:

  • Deploy policies to user groups to help secure corporate data that is stored on mobile devices such as password, encryption and attachments;
  • Define mobile device access rules by device family and device model to control which mobile devices can access Exchange ActiveSync;
  • Enroll, rename and un-enroll devices;
  • Wipe mobile devices.

To prepare to connect Intune to our on-premises Exchange, we must first fulfill the following requirements:

  • Set the Mobile Device Management Authority to Intune (we already did this at the beginning of this article series);
  • Verify we meet the requirements for the on-premises connector. The connector can be installed on a server that runs Windows Server 2008 SP2 64 bit or above. It requires, Exchange 2010 SP1 or later, full installation of Microsoft .NET Framework 4 and PowerShell 2.0 or above;
  • We must create an AD user account that is used by the Intune Exchange Connector. The account must have permission to run the following PowerShell Exchange cmdlets (in my case I have created an account named Intune):
    • Get-ActiveSyncOrganizationSettings, Set-ActiveSyncOrganizationSettings
    • Get-CasMailbox, Set-CasMailbox
    • Get-ActiveSyncMailboxPolicy, Set-ActiveSyncMailboxPolicy, New-ActiveSyncMailboxPolicy, Remove-ActiveSyncMailboxPolicy
    • Get-ActiveSyncDeviceAccessRule, Set-ActiveSyncDeviceAccessRule, New-ActiveSyncDeviceAccessRule, Remove-ActiveSyncDeviceAccessRule
    • Get-ActiveSyncDeviceStatistics
    • Get-ActiveSyncDevice
    • Get-ExchangeServer
    • Get-ActiveSyncDeviceClass
    • Get-Recipient
    • Clear-ActiveSyncDevice, Remove-ActiveSyncDevice
    • Set-ADServerSettings
    • Get-Command

To set up a connection that enables Intune to communicate with the Exchange server that hosts the mobile devices’ mailboxes, we must download and configure the On-Premises Connector tool from the Intune administrator console. To do so:

  1. Open the Microsoft Intune administration console;
  2. In the workspace shortcuts pane, click ADMIN;
  3. In the navigation pane, under Mobile Device Management, expand Microsoft Exchange and then click Set Up Exchange Connection:


Figure 1

  1. On the Set Up Exchange Connection page, click Download On-Premises Connector:


Figure 2

  1. The On-Premises Connector software is contained in a compressed (.zip) folder that can be opened or saved. In the File Download dialog box, click Save to store the compressed folder to a secure location.

Next, we proceed with installing it. Please note that the connector can only be installed once per Intune subscription, and only on one computer. If you attempt to install it a second time, you will replace the initial Exchange connection.

  1. Extract the files in Exchange_Connector_Setup.zip into a secure location;
  2. After the files are extracted, double-click Exchange_Connector_Setup.exe to install the On-Premises Connector:


Figure 3

  1. In the Welcome screen, click Next:


Figure 4

  1. Click Install to start the installation process:


Figure 5

  1. And finally click Finish to complete the installation:


Figure 6

Very straightforward. Next, the configuration wizard starts:


Figure 7

  1. In the Exchange server field, we select the Exchange server environment type, either On-premises Exchange Server or Hosted Exchange Server for Office 365;
  2. For an on-premises Exchange server, we provide either the server name or fully qualified domain name of the Exchange server that hosts the Client Access server role (do not use a load balanced name such as mail.domain.com!);
  3. Next we provide the credentials necessary to connect to Exchange (the service account we created earlier);
  4. Provide administrative credentials necessary to send notifications to a user’s Exchange mailbox. These notifications are configurable via Conditional Access policies using Intune. Ensure that the Autodiscover service and Exchange Web Services are configured on the Exchange Client Access Server;
  5. Finally, we click Connect. It may take a few minutes while the connection is set up:


Figure 8

After the Exchange Connector sets up the connection, mobile devices associated with users that are managed in Intune are automatically synchronized and added to the Microsoft Intune administrator console. This synchronization may take some time to complete.

To view the status of the connection and the last successful synchronization attempt, in the Intune administrator console click the ADMIN workspace, and under Mobile Device Management, click Microsoft Exchange. In the next screenshot we can see that a successful synchronization happened approximately a minute ago:


Figure 9

We can also check under Mobile Device Management:


Figure 10

At this stage I already had an Android device connected to my on-premises Exchange environment. As such, if we go to the Dashboard, we can see that Android device listed:


Figure 11

If we click on Android we get further details. On the screenshot below we can see that the device is being Managed by Exchange ActiveSync:


Figure 12

If we check the policy currently applied to the device, we can see that all settings are being applied (the device conforms with the policy):


Figure 13

Now, let us go to REPORTS and click on Mobile Device Inventory Reports:


Figure 14

Under Select devices groups, make sure All Devices is present and click on View Report. From this report, we can see the difference between devices managed directly by Intune, or by Intune through Exchange ActiveSync:


Figure 15

So how is Intune managing these devices?! Let us move into our on-premises environment to find out. On the on-premises Exchange server, Intune has created a new mobile device mailbox policy:


Figure 16

If we look into its properties, we can verify that its settings...


Figure 17

...are the same as the settings in the policy we created previously in Intune:


Figure 18

Let us do a quick test and update our Intune policy to require a 5-digit numeric password instead of just 4:


Figure 19

After a few seconds, we go back to our on-premises server and we can see that the mobile device mailbox policy has changed (compare the modified property):


Figure 20

If we expand it we can see that it has indeed been automatically updated by Intune:


Figure 21

If I go back to my Android device (still connecting to my on-premises Exchange), I am forced to update my PIN to a 5-digit PIN instead of 4:


Figure 22

This means that my on-premises mailbox must have that mobile device mailbox policy assigned to it, which it has indeed:


Figure 23

Conclusion

In this article we saw how we can use Intune together with Exchange ActiveSync to manage mobile devices that have not been enrolled with Intune. In the next part of this article series, we will look at Intune’s Conditional Access feature.

If you would like to read the other parts in this article series please go to: