Note: This blog post has been updated to include details on the new end-user experience introduced in August 2015.
In December, we released a service update for Microsoft Intune that enables admins to set up conditional access to Exchange Online for mobile devices, and we have just released a new Configuration Manager Extension for Microsoft Intune that enables this same functionality for customers using System Center Configuration Manager connected to Intune (hybrid). This blog post describes how this feature works in both deployment scenarios: Intune standalone and hybrid.
This feature enables Intune tenants to restrict Exchange ActiveSync (EAS) access to Exchange Online to only those users who have enrolled their devices for management. For many organizations who seek to enable a Bring Your Own Device (BYOD) strategy, protecting data on mobile devices becomes key. Email is especially important because it is the most common form of organizational data that is accessed on mobile devices. By requiring that only managed and compliant devices be allowed to synchronize email, organizations can provide an extra layer of data protection. Check out this demo video on conditional access to email and read below for more information.
How the solution works
EAS clients attempting to access mail in Exchange Online will be evaluated for two basic properties:
Is the device managed and registered with Azure Active Directory?
Is the device compliant?
To get to this state, the device on which the EAS client is running will need to enroll with Intune, perform an operation called workplace join (which on most platforms happens automatically with enrollment), and be evaluated for device policy. These states are written by Intune into Azure Active Directory, and then read by Exchange Online the next time the EAS client tries to get email. If the device is not registered, the user will get a message in their inbox with instructions on how to do this (we call it enrolling). If the device is not compliant, the user will get a different message in their inbox that redirects them to the Intune web portal where they can get info on the compliance problem as well as how to remediate it.
Deploying the solution
Deploying the Exchange Online conditional access feature boils down to two fundamental steps:
Step 1: Define and deploy a compliance policy
A compliance policy defines what it means for a device to be compliant in order to access Exchange Online. Intune will compute whether a device meets these criteria and will then set a property in Azure Active Directory, which is then consumed by Exchange. We have separated this from Configuration Policies (security settings and resource access profiles) in order to make it super clear as to what rules will actually result in a user getting blocked from their email.
A Compliance Policy can require that a device have passcode settings applied, encryption enabled, not be jailbroken or rooted, and to have an email profile managed by Intune. If a device is capable of remediating a setting, it will, however if autoremediation is not possible then the device will be marked as anot compliant and it will be blocked from Exchange until the user remediates the issue.
Full details about each of these rules can be found in this TechNet article.
To create a Compliance Policy in the Intune console, go to Policy > Compliance Policies and select Add…
To create a Compliance Policy in the Configuration Manager console, go to Assets and Compliance > Compliance Settings > Compliance Policies and select Create Compliance Policy.
Step 2: Configure the Exchange Online policy
Now you need to tell Exchange Online that you wish to enforce conditional access. This is done by configuring the Exchange Online policy, which configures a policy in Azure Active Directory to require that only managed and compliant devices may access Exchange through Exchange ActiveSync.
You must also specify which Azure Active Directory security groups will be subjected to this policy. If you need to configure your security groups you can do so in either the Office 365 admin center or the Intune account portal. Additionally, you may specify security groups that should be exempted from this policy. This is an optional step, however it is recommended if you have particular users who may fall in to one of your targeted security groups who you do not want to be blocked.
Finally, you can choose whether to allow or block devices that are not capable of enrolling with Intune (see the list of supported platforms at the beginning of this article). One thing to note is that Exchange ActiveSync allow/block/quarantine rules will not apply to devices who belong to users included in this policy. For example, if I put user John’s EAS client into quarantine using the Exchange Online admin console, and then add a group that John belongs to in the Exchange Online conditional policy, John will be allow to access email so long as his device is enrolled and compliant; the quarantine rule defined in Exchange will not apply.
Once this policy is configured, users who belong to any of the targeted groups will be required to enroll their device with Intune. Additionally, those users’ devices must be compliant with any deployed compliance policies. Note that the targeting for compliance policies is against Intune groups, whereas targeting for conditional access policies is against Azure Active Directory security groups.
To configure the Exchange Online conditional access policy, go to Policy > Conditional Access > Exchange Online Policy.
This policy must be configured in the Intune console. Configuration Manager hybrid customers can access this location by going to Assets and Compliance > Conditional Access > Exchange Online and select Configure Conditional Access Policy in the Intune console. Log in using the same credentials that were used to set up the connector between Configuration Manager and Microsoft Intune.
In a future blog post, I will provide more detail on how monitoring and reporting works for this feature, but for now, I want to highlight one report that will be useful to Intune standalone customers. Note that for this to work, you will need the Service to Service connector to be deployed (found under Admin > Microsoft Exchange > Set Up Exchange Connector, click
Prior to enabling Conditional Access, you will want to notify affected users who are already accessing email through an EAS client. A convenient way to do this is to run a report called the Mobile Device Inventory Report, export this into a spreadsheet, find all of the non-registered and non-compliant devices, and sent those users an email.
To do this, go to Reports > Mobile Device Inventory Reports and click View Report.
Once the report is generated, click the little Export button in the top right, and choose .csv format to open it in Excel.
Then look for all devices that are not managed by Intune or not compliant. You can copy the users’ email addresses right into the To: field in Outlook.
Note: For ConfigMgr Hybrid customers, reporting for Conditional Access will come as an update in a later version of System Center Configuration Manager. Reporting is not available in the Configuration Manager Extension for Intune.
End user experience
Once the above steps are in place, users belonging to the security groups specified in the Exchange Online conditional access policy will start getting quarantined from email. This will take effect immediately for any Exchange ActiveSync client set up after the policy is saved. Existing EAS clients will be quarantined approximately six hours later.
Users will see a single mail in their mailbox, telling them that they must enroll in Intune. The contents of the email and the steps required vary by platform.
iOS and Android
When a user follows the link in the email, he or she will visit a page that prompts the user to view the Company Portal. The following Android screenshots show this experience.
The user is instructed to install the Company Portal app from the app store, and to go through the device enrollment process. Note that the latest Company Portal app is required in order to support this new flow, so if users have already enrolled in Intune they will need update the app when taken to the Apple App Store or Google Play Store. After enrollment, the user is shown which compliance issues need to be remediated. All non-compliance issues are shown in a list, and the user can select “How to resolve this” to view step-by-step instructions. Once all compliance issues have been addressed, the user then taps the Check Compliance button to have the device re-evaluated. At this point, all steps are shown as complete and the user can now start (or resume) receiving email.
The workflow for Windows Phone users is similar, however there is no requirement for the Company Portal app to be installed. Instead, the process is driven through the Intune Company Portal website. Here are some screenshots to illustrate the workflow.
For additional technical resources on Conditional Access in Microsoft Intune, visit TechNet here. Also, if you’re interested in learning about conditional access for on-premises Exchange using Intune, check out this blog post here. And if you’re not yet using Intune, sign up for a free 30-day trial today!
Chris Green, Senior Program Manager