Intune and Exchange ActiveSync (Part 4)

If you would like to read the other parts in this article series please go to:

Enrolling Mobile Devices

Now that we have everything set up and configured, we can inform users that device enrollment is available by telling them to go to their device OS Store and install the Company Portal (remember that users enroll and manage their mobile devices using the Company Portal app). Each device operating system has its own Company Portal app:

  • Android – users install the Company Portal app from Microsoft Corporation available on Google Play;
  • iOS – Users install the Company Portal app from Microsoft Corporation available in the App Store;
  • Windows Phone – users install the Company Portal app from Microsoft Corporation available in the Windows Phone store. Alternatively they can also sign in to workplace which will deploy the Company Portal;
  • Windows 8.1 and Windows RT 8.1 – Users download the Company Portal app from the Windows Store.

When users open the Company Portal they will be asked for credentials. If we do not create a public domain CNAME, Windows and Windows Phone users are prompted for the server address and must type After logging in, users can then view their Enrolled Devices.

If this is their first time in the portal, or if we required acceptance of a new version of terms and conditions, users will be asked to accept those terms. This is not affected by whether the device is enrolled or not. The user either accepts or declines. If they accept, they can continue to the portal. If they decline they are asked to confirm that they want to decline, and are then provided with a link to instructions on how to un-enroll. They are not automatically unenrolled, and until they un-enroll we can still manage the device.

At this point the process differs for devices that have not yet been enrolled, depending on the operating system of the device:

  • For Windows devices and Windows Phone 8.1, the Company Portal will remind the user to enroll. Windows      Phone 8.1 will have a link to enrollment settings, and Windows will have a link to help content that describes how to enroll;
  • For iOS and Android devices, the user is led through the enrollment process.

But let us see the exact user experience from start to finish. In this case, let us use an iPad:

  1. First we go to the Apple Store and download and install the Company Portal app:

Figure 1

  1. Once installed, we open the app, type our credentials and click on Sign in:

Figure 2

  1. The app verifies our credentials and tries to log us into Intune:

Figure 3

  1. Once in, we are taken through the process of enrolling the device. We click on Enroll:

Figure 4

  1. We are then taken to Settings where we need to install a new Management Profile:

Figure 5

  1. The warning lets us know what this management profile will allow administrators (Intune) to do on the device:

Figure 6

  1. Then we click on Trust:

Figure 7

  1. And once the process is completed, we click on Done:

Figure 8

  1. We are then taken back to the Company Portal with a notification stating that the device has been enrolled successfully and that we can now access our company email:

Figure 9

If you recall, in the previous part of this article series, we created a Mobile Device Security Policy that required devices to have a numeric passcode of at least 4 digits. Because on this iPad I do not have any passcode, I am now forced to configure one within one hour!

Figure 10

I could postpone it for 60 minutes but after that I would not be able to do anything on the iPad until I configure one. Once I configure a passcode and go back to the Company Portal, I can see that my iPad is in full compliance with all the settings we configured previously:

Figure 11

If we go to the iPad’s settings, more specifically to the Passcode section:

Figure 12

We can see that a passcode is required and that we can use a simple passcode (numeric) as long as it is at least 4 digits (just like we configured in our security policy):

Figure 13

As expected, we are not allowed to turn the passcode off because of the settings Intune pushed to this device:

Figure 14

Going back to the Company Portal, we can see all the devices the user has enrolled under the same account as well as the IT contact for the organization (as configured in the first part of this article series):

Figure 15

If we go back to the dashboard of the Intune administration console we can see that we already have 2 mobile devices enrolled:

Figure 16

Figure 17

If we click on iPad, for example, we get more details on this device (or devices if we had more than one iPad enrolled). We can see its operating system, its model, free storage, if there are any issues with any policy that is applied to it, and more:

Figure 18

If we click in View Properties we get further details regarding this particular device such as information about its Hardware:

Figure 19

We can also view information regarding any Policy applied to it. Here we can see if all the settings we previously configured in our Mobile Device Security Policy are applied:

Figure 20

Creating Email Profiles

Another useful feature of Intune is Email profiles. These help us create, deploy and monitor Exchange ActiveSync email settings on devices, letting users access the corporate email on their devices without any required setup on their part.

Unfortunately, at the time of writing this article, Android devices do not yet support this feature… We can use email profiles to configure the following devices:

  • Windows Phone 8 and later;
  • iOS 5 and later;
  • Samsung KNOX Standard (4.0 and later).

Besides configuring the email account itself on the device, we can also configure synchronization settings such as how much email to sync and the content types to synchronize (depending on the device type).

We can secure email profiles using one of two methods:

  • Certificates: we can choose a Simple Certificate Enrollment Protocol (SCEP) certificate profile that we have previously created in Intune. This is known as the identity certificate and is used to authenticate against a trusted certificate profile (or a root certificate) we created to establish that the user’s device is allowed to connect. The trusted certificate is deployed to the computer that authenticates the email connection, typically, the Exchange server;
  • Username and password: the user authenticates to the Exchange server by providing their username and password. The password is not contained in the email profile, so the user will need to supply this when they connect.

SCEP certificate profiles are out of scope for this article series, so let us look at the second option. To create an email profile:

  1. In the Microsoft Intune administration console, click POLICY > Add Policy;
  2. For this example, let us configure the iPad we used previously. Select Email Profile (iOS 5 and later):

Figure 21

  1. We can only create and deploy a custom email profile policy (recommended settings are not available). Click Create Policy;
  2. Configure the policy as required. A few important settings are:
  • Authentication method: we can choose Username and Password or Certificates, as explained earlier;
  • Use SSL: use Secure Sockets Layer (SSL) communication when sending and receiving emails, and communicating with the Exchange Server;
  • Allow messages to be moved to other email accounts: allow users to move email messages between different accounts they have configured on their device;
  • Allow email to be sent from third-party applications: allow users to send email from apps other than the default email app.

Figure 22

  1. When you are finished, click Save Policy;
  2. When asked to deploy the policy, click Yes:

Figure 23

  1. In my case I selected All Mobile Devices for simplicity reasons, but in production environments we would likely create a group just for the devices or users we wanted to target:

Figure 24

  1. The new policy displays in the Configuration Policies node of the POLICY workspace:

Figure 25

After successful deployment, users’ devices will be provisioned with the correct settings to access corporate email:

Figure 26

If we go into the Company Email profile that got created by Intune we can see it is configured to synchronize the last 3 days of email as per our policy:

Figure 27

All there is left for us to do is enter the password (as explained earlier this is not configured by the Intune Email Profile for obvious reasons):

Figure 28


In this fourth part we started to enroll mobile devices and created an Email Profile to automatically configure iOS devices. In the next part we will look at managing devices using Exchange ActiveSync in Intune.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

Scroll to Top