Intune and Exchange ActiveSync (Part 7)

If you would like to read the other parts in this article series please go to:

Conditional Access Policies

Now that we have a Compliance Policy in place, it is time to create a Conditional Access Policy, which will vary depending if we are using Exchange Online or Exchange on-premises.

Conditional Access Policies for Exchange Online use the following logic to evaluate whether a device should be allowed or blocked from accessing Exchange Online:

Figure 1

Please note that if we have not deployed a compliance policy and then enable the Exchange Online policy, all targeted devices will be reported as compliant. Also, regardless of the compliance state, all users who are targeted by the policy will be required to enroll their devices with Intune.

To enable the Exchange Online policy:

  1. In the Microsoft Intune administration console, click Policy > Conditional Access > Exchange Online Policy:

Figure 2

  2. On the Exchange Online Policy page, select Block email apps from accessing Exchange Online if the device is noncompliant;
  3. Under Targeted Groups, select the AD security groups to which the policy will be applied;
  4. Under Exempted Groups, select the AD security groups that will be exempt from this policy. If a device is in both the targeted and exempted groups, it will be exempt from the policy;
  5. Under Unsupported Platforms, select whether to allow or block email access for devices that cannot be managed by Intune and are managed by Exchange ActiveSync only;
  6. Click Save.

For Exchange Online:

  • After a user creates an email account, the device will be blocked immediately;
  • If a blocked user enrolls the device with Intune (or remediates noncompliance), email access will be unblocked within 2 minutes;
  • If the user un-enrolls their device, email will be blocked after approximately 24 hours.

Conditional Access Policies for Exchange on-premises use a different logic to evaluate whether to allow or block devices from accessing on-premises Exchange (or Office 365 Dedicated):

Figure 3

To enable the Exchange on-premises policy:

  1. In the Microsoft Intune administration console, click Policy > Conditional Access > Exchange On-premises policy:

Figure 4

  2. Configure the policy containing the settings you require:

Figure 5

  3. When you are done, click Save.

The settings on the screenshot above are as follows (Setting: Description):

  • Block email apps from accessing Exchange On-premises if the device is noncompliant or not enrolled to Microsoft Intune: When we select this option, devices that are not managed by Intune, or that are not compliant with a compliance policy deployed to them, will be blocked from accessing Exchange unless they have been defined as exempt.

  • Targeted Groups: Select one or more Intune user groups. Members of these groups must enroll their devices with Intune to be able to access Exchange.

  • Exempted Groups: Select one or more Intune user groups that will be exempt from the conditional access policy. Settings in this list override those in the Targeted Groups list.

  • Platform Exceptions: Click Add Rule to configure a rule that defines access levels for specified mobile device families and models. These devices can be of any type, so device types that are unsupported by Intune can be configured here as well.

  • Default Rule: When a device not covered by any of the other rules is detected, we can choose to allow it to access Exchange, block it, or quarantine it so we can decide later what to do. The default rule applies to all device types, so device types that are unsupported by Intune will be affected as well.

  • User Notification: Specify the text to include when Exchange sends an email to users whose devices have been quarantined or blocked. HTML tags can be used to format how the text will appear in the email message. Exchange server wraps the custom user notification text with the following text:

    Your phone won’t be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.

    Additionally, information about the blocked device will be listed in the email message. Note that the notification is delivered to the user’s Exchange mailbox; however, it will not be delivered immediately to the device that is blocked. Other email clients that the user has access to via their web browser, or on other devices they own, will receive this notification.

Table 1

For Exchange on-premises:

  • After a user sets up an Exchange ActiveSync profile, it might take from 1 to 3 hours for the device to be blocked (if it is not managed by Intune);
  • If a blocked user then enrolls the device with Intune (or remediates noncompliance), email access will be unblocked within 2 minutes;
  • If the user un-enrolls from Intune, it might take from 1 to 3 hours for the device to be blocked.
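To make the two decision flows concrete, the following Python model is added here as an example; it is not Intune's own code. It models the Exchange Online logic described for Figure 1 and the Exchange on-premises logic described for Figure 3 and Table 1 (targeted and exempted groups, the unsupported-platforms setting, platform exceptions and the default rule). The rule ordering (exempted overrides targeted; enrolled and compliant devices are allowed; platform exceptions are checked before the default rule), the class and function names, and the sample users, groups and devices are all assumptions constructed for the example.

```python
# Added example: a model of the conditional access decisions described in the
# article. Not Intune's code; the evaluation order below is an assumption.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    QUARANTINE = "quarantine"   # available to the on-premises default rule only


@dataclass
class Device:
    user: str
    family: str             # device family, e.g. "Android" or "iOS"
    model: str
    intune_supported: bool  # can Intune manage this device type at all?
    enrolled: bool          # enrolled with Intune
    compliant: bool         # meets the compliance policy deployed to it


@dataclass
class PlatformRule:
    family: str
    model: Optional[str]    # None matches every model of the family
    action: Action


@dataclass
class OnlinePolicy:
    block_noncompliant: bool
    targeted_groups: Set[str]
    exempted_groups: Set[str]
    allow_unsupported_platforms: bool


@dataclass
class OnPremPolicy:
    block_unenrolled_or_noncompliant: bool
    targeted_groups: Set[str]
    exempted_groups: Set[str]
    platform_exceptions: List[PlatformRule]
    default_rule: Action


def in_scope(user_groups: Set[str], targeted: Set[str], exempted: Set[str]) -> bool:
    """A user is subject to the policy when targeted and not exempt;
    the exempted list overrides the targeted list (Table 1)."""
    if user_groups & exempted:
        return False
    return bool(user_groups & targeted)


def evaluate_online(device: Device, policy: OnlinePolicy, user_groups: Set[str],
                    compliance_policy_deployed: bool = True) -> Tuple[Action, str]:
    """Exchange Online decision. Assumed order: scope, unsupported-platform
    setting, enrollment, compliance."""
    if not in_scope(user_groups, policy.targeted_groups, policy.exempted_groups):
        return Action.ALLOW, "user not targeted or exempt"
    if not device.intune_supported:
        if policy.allow_unsupported_platforms:
            return Action.ALLOW, "unsupported platform allowed"
        return Action.BLOCK, "unsupported platform blocked"
    if not device.enrolled:
        return Action.BLOCK, "targeted user must enroll the device"
    # With no compliance policy deployed, every targeted device reports compliant.
    compliant = device.compliant or not compliance_policy_deployed
    if policy.block_noncompliant and not compliant:
        return Action.BLOCK, "device is noncompliant"
    return Action.ALLOW, "enrolled and compliant"


def evaluate_on_prem(device: Device, policy: OnPremPolicy,
                     user_groups: Set[str]) -> Tuple[Action, str]:
    """Exchange on-premises decision. Assumed order: scope, enrolled-and-
    compliant check, platform exceptions, default rule."""
    if not in_scope(user_groups, policy.targeted_groups, policy.exempted_groups):
        return Action.ALLOW, "user not targeted or exempt"
    managed_and_compliant = device.enrolled and device.compliant
    if policy.block_unenrolled_or_noncompliant and not managed_and_compliant:
        # Unmanaged or noncompliant device: the first matching platform exception
        # decides; such rules may cover device types Intune cannot manage.
        for rule in policy.platform_exceptions:
            if rule.family == device.family and rule.model in (None, device.model):
                return rule.action, f"platform exception for {rule.family}"
        return policy.default_rule, "default rule"
    return Action.ALLOW, "enrolled and compliant, or enforcement not selected"


# Constructed sample data (hypothetical users, groups and policies).
GROUPS: Dict[str, Set[str]] = {
    "alice": {"Sales"},
    "bob": {"Sales", "CA-Exempt"},
    "carol": {"Finance"},
}
ONLINE = OnlinePolicy(True, {"Sales"}, {"CA-Exempt"}, allow_unsupported_platforms=False)
ONPREM = OnPremPolicy(True, {"Sales"}, {"CA-Exempt"},
                      [PlatformRule("Android", None, Action.BLOCK)], Action.QUARANTINE)


def decide(device: Device) -> Dict[str, Action]:
    """Evaluate one device against both sample policies."""
    groups = GROUPS.get(device.user, set())
    return {"online": evaluate_online(device, ONLINE, groups)[0],
            "on_prem": evaluate_on_prem(device, ONPREM, groups)[0]}


if __name__ == "__main__":
    for d in [Device("alice", "iOS", "iPad", True, True, True),
              Device("alice", "Android", "Nexus", True, True, False),
              Device("alice", "iOS", "iPhone", True, False, False),
              Device("alice", "Legacy", "OldPhone", False, False, False),
              Device("bob", "Android", "Nexus", True, False, False)]:
        print(d.user, d.family, d.model, decide(d))
```

Running the block walks a handful of constructed devices through both policies: an enrolled, compliant iPad is allowed everywhere; a noncompliant Android is blocked online and hits the Android platform exception on-premises; an unenrolled iPhone with no matching platform rule lands in the on-premises default rule (quarantine); and a member of the exempted group is allowed regardless of device state.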

In order to view devices that do not conform to a compliance policy, follow these steps:

  1. In the Microsoft Intune administration console, click Groups;
  2. Open the Policy tab for any device that is compatible with compliance policies;
  3. From the Filters drop-down list, select Does not conform to compliance policy.

To view devices that were blocked from accessing Exchange, on the Intune dashboard, a tile named Blocked Devices from Exchange shows the number of blocked devices and links to more information.

User Experience

At this stage we have Conditional Access configured, so it is time to look at the user experience. Let us start with a Windows Phone device that already had a mail profile created (for an Exchange Online mailbox) before conditional access was put in place. The user had access to all the emails in the mailbox until conditional access was configured. Once we enable Conditional Access, the user receives a notification from Intune (top email):

Figure 6

If we open the email, it explains that to access Exchange the device has to be enrolled and it provides information on how to do it:

Figure 7

From here, the process is identical to what we have already seen.

Let us now look at a new email profile on an iOS device (iPad) for the same account above. After creating the new profile, we only get to see Intune’s notification and not any of the other emails that are already in the mailbox:

Figure 8

As before, the notification informs the user that the device needs to be enrolled and explains how to do it:

Figure 9

From here, the process is identical to what we have already seen:

Figure 10

Next, let us look at an Android device which, like the Windows Phone, already had a mail profile created before conditional access was enabled. The user had access to all the emails in the mailbox until conditional access was configured, at which point the user receives a notification from Intune (top email):

Figure 11

As before, the notification informs the user that the device needs to be enrolled and explains how to do it:

Figure 12

As we haven’t looked at enrolling an Android device yet, let us do it from start to finish. By clicking on the link above we are taken to the management portal website, where we click on Get the app to download the Company Portal app:

Figure 13

We are taken to the Google Play store where we can download and install the app:

Figure 14

Once installed, click OPEN:

Figure 15

On the Company Portal app, the enrollment process begins. Click Next:

Figure 16

We then enter our credentials and click Sign in:

Figure 17

Once signed in, we are informed of what Intune will be able to perform on our device:

Figure 18

After clicking ACTIVATE, we need to install a digital certificate. Simply click OK to accept the default name:

Figure 19

The device is then enrolled:

Figure 20

Once enrolled, we have access to the Company Portal:

Figure 21

And we finally get access to our email:

Figure 22

Let us say that in the meantime the Compliance Policy gets updated and our device is no longer compliant. In this case, a stronger passcode is now required, and we are informed of that:

Figure 23

Going to the Company Portal we can see that our device is no longer compliant:

Figure 24

And by clicking VIEW we can see exactly why this is the case:

Figure 25

We can also check the same from other devices. For example, if we go back to the iPad we configured a minute ago for this account and go to Devices, we can see that the Android device is no longer compliant:

Figure 26

Once more, we can also see exactly what the problem is:

Figure 27

The same thing applies to the Intune console as well:

Figure 28

Here we can see that one device has one or more errors:

Figure 29

And we can easily get to the bottom of the problem(s):

Figure 30

Figure 31

Figure 32

If, on the other hand, we look at the iPad, we can see that it is fully compliant:

Figure 33

We can also look into the Mobile Device Details of this user to see the status of any EAS devices the user has connected to Exchange. In this case, we see that the three devices we have just configured are allowed to connect to Exchange, as they are all enrolled and compliant:

Figure 34

One thing I noticed was that, for example, the iPad would force me to set a passcode (and would not let me do anything else before setting one). The Android would still let me access my corporate email even without a PIN… It certainly blocked my phone from accessing the email while it was not enrolled, but after enrolling I could access my email without setting a PIN – I would just get two constant reminders that my device is not compliant, but nothing enforced…

Conclusion

In this article we concluded our exploration of Intune’s Conditional Access feature. In the next and final part of this article series, we will look at Remote Wipe, Remote Lock and Passcode Reset.

2 thoughts on “Intune and Exchange ActiveSync (Part 7)”

  1. I noticed that you used Outlook for your Android test. Is it your experience too that Android’s GMail app is not working for the process where the user is prompted with the email to enroll in order to continue or gain access to email? That’s what it seems like but I can’t find this in writing.
