If you would like to read the other parts in this article series please go to:
- Intune and Exchange ActiveSync (Part 1)
- Intune and Exchange ActiveSync (Part 2)
- Intune and Exchange ActiveSync (Part 3)
- Intune and Exchange ActiveSync (Part 4)
- Intune and Exchange ActiveSync (Part 5)
- Intune and Exchange ActiveSync (Part 6)
- Intune and Exchange ActiveSync (Part 8)
Conditional Access Policies
Now that we have a Compliance Policy in place, it is time to create a Conditional Access Policy. The policy differs depending on whether we are using Exchange Online or Exchange on-premises.
Conditional Access Policies for Exchange Online use the following logic to evaluate whether a device should be allowed or blocked from accessing Exchange Online:
Figure 1
Please note that if we enable the Exchange Online policy without having deployed a compliance policy, all targeted devices will be reported as compliant, so the only thing actually enforced is enrollment. Also, regardless of the compliance state, all users who are targeted by the policy will be required to enroll their devices with Intune.
To enable the Exchange Online policy:
- In the Microsoft Intune administration console, click Policy > Conditional Access > Exchange Online Policy:
Figure 2
- On the Exchange Online Policy page, select Block email apps from accessing Exchange Online if the device is noncompliant;
- Under Targeted Groups, select the AD security groups to which the policy will be applied;
- Under Exempted Groups, select the AD security groups that will be exempt from this policy. If a device is in both the targeted and exempted groups, it will be exempt from the policy;
- Under Unsupported Platforms, select whether to allow or block email access from devices that run a platform Intune cannot manage but that connect through Exchange ActiveSync;
- Click Save.
For Exchange Online:
- After a user creates an email account, the device will be blocked immediately;
- If a blocked user enrolls the device with Intune (or remediates noncompliance), email access will be unblocked within 2 minutes;
- If the user un-enrolls their device, email will be blocked after approximately 24 hours.
Conditional Access Policies for Exchange on-premises use a different logic to evaluate whether to allow or block devices from accessing on-premises Exchange (or Office 365 Dedicated):
Figure 3
To enable the Exchange on-premises policy:
- In the Microsoft Intune administration console, click Policy > Conditional Access > Exchange On-premises policy:
Figure 4
- Configure the policy containing the settings you require:
Figure 5
- When you are done, click Save.
The settings on the screenshot above are as follows:
Setting | Description
Block email apps from accessing Exchange On-premises if the device is noncompliant or not enrolled to Microsoft Intune | When this option is selected, devices that are not managed by Intune, or that do not comply with a compliance policy deployed to them, are blocked from accessing Exchange unless they have been defined as exempt.
Targeted Groups | Select one or more Intune user groups. Members of these groups must enroll their devices with Intune to be able to access Exchange.
Exempted Groups | Select one or more Intune user groups that will be exempt from the conditional access policy. Settings in this list override those in the Targeted Groups list.
Platform Exceptions | Click Add Rule to configure a rule that defines the access level for specified mobile device families and models. These devices can be of any type, so device types that are unsupported by Intune can be configured here as well.
Default Rule | When a device not covered by any of the other rules is detected, we can choose to allow it to access Exchange, block it, or quarantine it so we can decide later what to do. The default rule applies to all device types, so device types that are unsupported by Intune are affected as well.
User Notification | Specify the text to include when Exchange sends an email to users whose devices have been quarantined or blocked. HTML tags can be used to format how the text will appear in the email message. Exchange wraps the custom user notification text with the following text: "Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server." Additionally, information about the blocked device is listed in the email message. Note that the notification is delivered to the user's Exchange mailbox, so it will not reach the device that is blocked; the user will see it in other email clients, such as a web browser or another device they own.
Table 1
For Exchange on-premises:
- After a user sets up an Exchange ActiveSync profile, it might take from 1 to 3 hours for the device to be blocked (if it is not managed by Intune);
- If a blocked user then enrolls the device with Intune (or remediates noncompliance), email access will be unblocked within 2 minutes;
- If the user un-enrolls from Intune it might take from 1 to 3 hours for the device to be blocked.
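The Default Rule, User Notification and Platform Exceptions in Table 1 correspond to settings Exchange itself exposes through its ActiveSync organization settings and device access rules. The following is an added example, not code from the original article, showing how to read those settings and reproduce the same policy in a lab from the Exchange Management Shell. The mailbox address, rule query strings and notification text are placeholders; where the Intune Exchange connector manages these settings in production, use the Get cmdlets to verify what is in effect rather than overriding the connector with the Set/New cmdlets.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell
# (or a remote PowerShell session to the Exchange server) as an organization administrator.
# The address, query strings and notification text below are lab placeholders.

# 1. The Default Rule and User Notification live in the organization-wide ActiveSync
#    settings. Read them first to confirm what the policy (or the connector) has set.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, UserMailInsert, AdminMailRecipients

# 2. Reproduce a "quarantine by default" rule with a custom notification. Exchange wraps
#    UserMailInsert in its own "Your phone won't be able to synchronize..." text, so only
#    the organization-specific instruction is needed here.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -UserMailInsert '<p>Enrol this device in Intune before it can sync corporate email.</p>' `
    -AdminMailRecipients 'exchange-admins@contoso.com'

# 3. Platform Exceptions are device access rules keyed on a device characteristic
#    (DeviceType, DeviceModel, DeviceOS or UserAgent). The QueryString must match the
#    value the device actually reports; check it with Get-MobileDeviceStatistics before
#    relying on an Allow rule, since a mismatched string silently falls back to the default.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString 'iPad' -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType  -QueryString 'BlackBerry' -AccessLevel Block

# 4. List the resulting rules; this is the effective "Platform Exceptions" table.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```

Device access rules are evaluated before the default rule, and an Allow rule for a broad characteristic (for example a DeviceType shared by many models) lets unenrolled devices of that type bypass the quarantine, so keep exceptions as narrow as the device's reported model string allows.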
To view devices that do not conform to a compliance policy, follow these steps:
- In the Microsoft Intune administration console, click Groups;
- Open the Policy tab for a device group whose devices support compliance policies;
- From the Filters drop-down list, select Does not conform to compliance policy.
To view devices that were blocked from accessing Exchange, on the Intune dashboard, a tile named Blocked Devices from Exchange shows the number of blocked devices and links to more information.
User Experience
At this stage we have Conditional Access configured, so it is time to look at the user experience. Let us start with a Windows Phone device that already had a mail profile (for an Exchange Online mailbox) before conditional access was put in place. The user had access to all the emails in his or her mailbox until conditional access was configured. Once we enable Conditional Access, the user receives a notification from Intune (top email):
Figure 6
If we open the email, it explains that to access Exchange the device has to be enrolled and it provides information on how to do it:
Figure 7
From here, the process is identical to what we have already seen.
Let us now look at a new email profile on an iOS device (iPad) for the same account above. After creating the new profile, we only get to see Intune’s notification and not any of the other emails that are already in the mailbox:
Figure 8
As before, the notification informs the user that the device needs to be enrolled and explains how to do it:
Figure 9
From here, the process is identical to what we have already seen:
Figure 10
Next, let us look at an Android device which, like the Windows Phone, already had a mail profile before conditional access was enabled. The user had access to all the emails in his or her mailbox until conditional access was configured. At that point, the user receives a notification from Intune (top email):
Figure 11
As before, the notification informs the user that the device needs to be enrolled and explains how to do it:
Figure 12
As we have not yet looked at enrolling an Android device, let us do it from start to finish. By clicking on the link above we are taken to the management portal website, where we click on Get the app to download the Company Portal app:
Figure 13
We are taken to the Google Play store where we can download and install the app:
Figure 14
Once installed, click OPEN:
Figure 15
On the Company Portal app, the enrollment process begins. Click Next:
Figure 16
We then enter our credentials and click Sign in:
Figure 17
Once signed in, we are informed of what Intune will be able to perform on our device:
Figure 18
After clicking ACTIVATE, we need to install a digital certificate. Simply click OK to accept the default name:
Figure 19
The device is then enrolled:
Figure 20
Once enrolled, we have access to the Company Portal:
Figure 21
And we finally get access to our email:
Figure 22
Let us say that in the meantime the Compliance Policy gets updated and our device is no longer compliant. In this case, a stronger passcode is required, so we are informed of that:
Figure 23
Going to the Company Portal we can see that our device is no longer compliant:
Figure 24
And by clicking on VIEW we can see exactly why this is the case:
Figure 25
We can also check the same from other devices. For example, if we go back to the iPad we configured a minute ago for this account and go to Devices, we can see that the Android device is no longer compliant:
Figure 26
Once more, we can also see exactly what that is:
Figure 27
The same thing applies to the Intune console as well:
Figure 28
Here we can see that one device has one or more errors:
Figure 29
And we can easily get to the bottom of what the problem is:
Figure 30
Figure 31
Figure 32
If, on the other hand, we look at the iPad, we can see that it is fully compliant:
Figure 33
We can also look into the Mobile Device Details of this user to see the status of any EAS devices the user has connected to Exchange. In this case, we see that the three devices we have just configured are allowed to connect to Exchange, as they are all enrolled and compliant:
Figure 34
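The Mobile Device Details view above, and the "Blocked Devices from Exchange" tile mentioned earlier, can both be cross-checked from Exchange PowerShell, which is handy when a user reports that a device is blocked and you want the reason Exchange itself recorded. The following is an added example, not code from the original article; 'user@contoso.com' is a placeholder mailbox and the session is assumed to be a remote PowerShell session to Exchange Online (the same cmdlets exist in the on-premises Exchange Management Shell).

```powershell
# Added example (not from the original article). Assumes a remote PowerShell session to
# Exchange Online, or the Exchange Management Shell on-premises. The mailbox is a placeholder.

$mailbox = 'user@contoso.com'

# Per-user view: one row per EAS partnership with its current access state and the reason
# Exchange gives for it. DeviceAccessStateReason tells you which layer decided:
#   Global     - the organization default rule
#   DeviceRule - a device access rule (Platform Exception)
#   Individual - a per-mailbox allow/block entry
#   Policy     - the mailbox's ActiveSync mailbox policy
Get-MobileDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceAccessState,
                  DeviceAccessStateReason, LastSuccessSync, DeviceId |
    Format-Table -AutoSize

# Organization-wide view: every device that is currently not allowed to sync. This is the
# set the Intune dashboard tile counts, with the reason Exchange recorded for each one.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -in 'Blocked', 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState,
                  DeviceAccessStateReason, FirstSyncTime |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize
```

A device that stays Blocked after enrolling and remediating, beyond the two-minute window described above, is worth checking here first: if DeviceAccessStateReason is Individual or Policy, the block comes from a per-mailbox entry or a mailbox policy rather than from the conditional access evaluation, and clearing the Intune compliance issue will not change it.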
One thing I noticed was that, for example, the iPad would force me to set a passcode (and would not let me do anything else before setting one). The Android would still let me access my corporate email even without a PIN. It certainly blocked my phone from accessing email while it was not enrolled, but after enrolling I could access my email without setting a PIN; I would just get two constant reminders that my device was not compliant, but nothing was enforced.
Conclusion
In this article we concluded exploring Intune’s Conditional Access feature. In the next and final part of this article series, we will look at Remote Wipe, Remote Lock and Passcode Reset.
I noticed that you used Outlook for your Android test. Is it your experience too that Android's Gmail app does not work for the process where the user is prompted with the email to enroll in order to continue or gain access to email? That's what it seems like, but I can't find this in writing.
Hi Jeremy,
I only used the default mail app, not the Outlook one. I'm afraid I didn't test with the Gmail app.
Regards, Nuno