Microsoft Intune allows organizations to conditionally block access to corporate resources on devices that are not protected by Intune. In this release, admins now have the ability to set up conditional access for on-premises Microsoft Exchange Server. In this blog post, we will focus on how to set up conditional access policies using Intune and walk through the end user experience once they have been blocked from email. Requirements for conditional access can be found in our TechNet documentation about enabling access to company resources.
Intune Admin Experience
Step 1: Set up the Microsoft Intune On-Premises Exchange Connector
The Exchange Connector is required to enforce conditional access to your Exchange resources. Instructions to set up the Exchange Connector can be found here.
Step 2: Evaluate the Impact of Conditional Access on Users
Once the Exchange Connector is successfully configured, it will begin to inventory those devices which are not yet enrolled to Microsoft Intune, but are connecting to your organization’s Exchange resources. To begin the mobile device inventory report, navigate to Reports -> Mobile Device Inventory Reports.
From here, you can select the device groups for which you plan to roll out the conditional access policy, as well as filter by OS status. Once you’ve decided on the criteria that meets your organization’s needs, select View Report.
Once the report is generated by Microsoft Intune, the Report Viewer will open in a new window. From here, you can examine the Management Channel column to determine whether a device is managed by Microsoft Intune:
- Managed by Exchange ActiveSync means a device is accessing Exchange, but is not yet enrolled into Microsoft Intune
- Managed by Microsoft Intune means a device is enrolled into Microsoft Intune, but not yet accessing Exchange
- Managed by Microsoft Intune and Exchange ActiveSync means a device is both enrolled into Microsoft Intune and accessing Exchange
Once conditional access is enforced in step 3, those devices marked as Managed by Exchange ActiveSync will be blocked, if they are part of a Target group (more information in step 3).
You may wish to reach out to the users of those devices before enforcing conditional access. To easily retrieve each user’s email address, you can export this report to Microsoft Excel via the Export link.
From there, you can filter the Management Channel column to include only those devices that are marked as Managed by Exchange ActiveSync, and retrieve those email addresses from the Email Address column.
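The filtering described in step 2 can be done outside Excel as well. The following is an added example (not from the original post or from Microsoft) that reads a constructed sample of the exported Mobile Device Inventory report, assumed to have been saved as CSV, keeps only the rows whose Management Channel is "Managed by Exchange ActiveSync", optionally narrows them to users who will be in a target group, and produces the deduplicated list of addresses to contact. The "Management Channel" and "Email Address" columns are the ones the post refers to; the "Device Name" and "Operating System" columns and the target-group membership are assumptions for illustration.

```python
import csv
import io

# Constructed sample of an exported Mobile Device Inventory report saved as CSV.
# "Management Channel" and "Email Address" are the columns the post refers to;
# the other two columns are assumed for illustration.
SAMPLE_REPORT = """Device Name,Operating System,Management Channel,Email Address
alice-iphone,iOS 7.1.1,Managed by Exchange ActiveSync,alice@contoso.com
alice-ipad,iOS 7.1.1,Managed by Microsoft Intune and Exchange ActiveSync,alice@contoso.com
bob-android,Android 4.4,Managed by Exchange ActiveSync,bob@contoso.com
carol-wp,Windows Phone 8.1,Managed by Microsoft Intune,carol@contoso.com
dave-iphone,iOS 7.1.1,Managed by Exchange ActiveSync,dave@contoso.com
bob-tablet,Android 4.4,Managed by Exchange ActiveSync,bob@contoso.com
"""

# Devices with this management channel reach Exchange but are not enrolled in Intune.
EAS_ONLY = "Managed by Exchange ActiveSync"


def load_report(text):
    """Parse the CSV export into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def devices_at_risk(rows, target_users=None):
    """Devices that will be blocked once conditional access is enforced: those
    managed only through Exchange ActiveSync and, when target_users is given,
    owned by a user who is in a targeted group."""
    at_risk = []
    for row in rows:
        if row["Management Channel"].strip() != EAS_ONLY:
            continue
        email = row["Email Address"].strip().lower()
        if target_users is not None and email not in target_users:
            continue
        at_risk.append(row)
    return at_risk


def users_to_notify(rows, target_users=None):
    """Deduplicated, sorted addresses of the users who should be contacted
    before enforcement (one user may own several at-risk devices)."""
    return sorted({row["Email Address"].strip().lower()
                   for row in devices_at_risk(rows, target_users)})


if __name__ == "__main__":
    rows = load_report(SAMPLE_REPORT)
    # Constructed target-group membership: only these users will receive the policy.
    targeted = {"alice@contoso.com", "bob@contoso.com"}
    for row in devices_at_risk(rows, targeted):
        print(f"{row['Device Name']:<13}{row['Operating System']:<19}{row['Email Address']}")
    print("notify:", ", ".join(users_to_notify(rows, targeted)))
```

Run without a target set, the script lists every device that is not yet enrolled; with a target set it predicts which of those devices will actually be blocked, which is the list worth mailing before enforcement.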
Step 3: Enforce
Enforcement of conditional access is accomplished in five steps.
1. Define the Microsoft Intune user groups to which the conditional access policy is targeted.
Only these user groups will receive the conditional access policy and be required to enroll their devices to Microsoft Intune to gain access to Exchange.
2. Define the Microsoft Intune user groups that should be exempt from the conditional access policy.
These user groups will not be required to enroll their devices to Microsoft Intune to gain access to Exchange. If you want a subset of users in the target groups defined above to always be allowed access to Exchange even if they’re not managed by Intune (e.g. vice presidents), you can create another user group for those users and add that group to the exempted group list.
3. [Optional] Define advanced Exchange ActiveSync settings
These settings are global Exchange settings that allow you to allow, block, or quarantine devices based on platform, as well as set a global Exchange default rule. Advanced Exchange ActiveSync settings can be used in conjunction with conditional access settings. Examples of this configuration can be found in the “Configuration Examples” section below.
4. Set the notification users receive once their device is blocked due to conditional access policy.
This notification is preconfigured in Microsoft Intune, and you can alter it to suit your company’s needs.
Note: The notification is delivered to the user’s Exchange mailbox. However, it will not be delivered immediately on the device that is blocked. Other email clients the user has access to via a web browser, or on other devices they own, will receive this notification.
Exchange server wraps the custom user notification text with text that informs the user which device is being blocked. Here is the format of this message:
Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.
<<Here is where the custom user notification from Microsoft Intune is located>>
Information about your mobile phone:
Device model: | iPhone5C1 |
Device type: | iPhone |
Device ID: | ApplF2LJMQ5XDTTN |
Device OS: | iOS 7.1.1 11D201 |
Device user agent: | iOS/7.1.1 (11D201) dataaccessd/1.0 |
Device IMEI: | |
Exchange ActiveSync version: | 14.1 |
Device access state: | Blocked |
Device access state reason: | Individual |
The custom notification can be configured here, in the User Notification section:
5. Monitor the status of blocked devices
After conditional access policy is enforced, you can monitor the status of blocked devices using the Mobile Device Inventory report discussed in step 2, as well as the Blocked devices from Exchange tile on the Microsoft Intune dashboard.
Once these 5 steps are used in conjunction with one another, the conditional access policy is defined. This allows for different types of conditional access configurations, depending on your organization’s needs.
Configuration Examples
1. Basic Configuration
A basic conditional access configuration simply blocks devices that are not enrolled into Microsoft Intune. In this configuration, no advanced Exchange ActiveSync settings are set.
2. Advanced Configuration
If your organization chooses to set up the advanced Exchange ActiveSync settings, a more complex configuration is possible. This allows flexibility for conditional access policies depending on the nature of your organization.
Some example configurations follow.
Example 1: Require enrollment to Intune, and only allow certain platforms
A strict organization may wish to only allow certain platforms, and block all others. For example, Contoso is an iOS-only organization, which wants to make sure that all iOS devices accessing company resources are protected by Microsoft Intune. To accomplish this, they specifically allow iOS devices, and block all other devices by default. This means all device types besides iOS (including device types not supported for management by Microsoft Intune) will be blocked. iOS devices will still need to enroll to Microsoft Intune to gain access to Contoso’s Exchange resources.
In summary:
- Only enrolled iOS devices should have access
- Block all other devices by default
- Unsupported devices should not have access
Example 2: Require enrollment to Intune, but always block certain platforms
A more lenient organization than in example 1 may wish to only block certain platforms, and allow all others (while still ensuring they’re protected by Microsoft Intune). For example, Contoso is an organization that wants to block Android devices, and make sure that all other devices accessing company resources are protected by Microsoft Intune. To accomplish this, they specifically block Android devices, and allow all other devices by default. This means all device types besides Android (including device types not supported for management by Microsoft Intune) will be allowed, once managed.
In summary:
- All device types require enrollment to Microsoft Intune to have access
- Android devices should always be blocked
- Unsupported devices should have access
End User Experience
The following table illustrates the time it takes for an end user to be allowed or blocked from Exchange depending on their device state:
Step | Device State Change | Access to EAS | Time |
1 | Sets up EAS email profile | Blocked | 1 - 3 hours |
2 | Enrolls into Microsoft Intune | Unblocked | 0 - 5 minutes |
3 | Unenrolls from Microsoft Intune | Blocked | 1 - 3 hours |
Once a device is blocked, the EAS client is rejected from communicating with the Exchange server to send or receive emails. The user notification that can be configured in the Advanced Exchange ActiveSync Settings will not appear in this device’s EAS email client. It will appear in their EAS mailbox, accessible through other devices or a web browser. The following is an example of the experience on iOS:
Here is an example of the type of notification the user’s mailbox will receive if their device is blocked:
Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.
To re-gain access to your email follow the following steps:
1. Enroll your device for mobile device management
2. View device compliance problems that need your attention in the Company Portal
Information about your mobile phone:
Device model: | iPhone5C1 |
Device type: | iPhone |
Device ID: | ApplF2LJMQ5XDTTN |
Device OS: | iOS 7.1.1 11D201 |
Device user agent: | iOS/7.1.1 (11D201) dataaccessd/1.0 |
Device IMEI: | |
Exchange ActiveSync version: | 14.1 |
Device access state: | Blocked |
Device access state reason: | Individual |
TechNet Documentation Update
As part of the recent update to Microsoft Intune, a series of new technical articles are now available on TechNet, including documentation on these new conditional access capabilities. Visit the What’s New section of the Documentation Library for Microsoft Intune to see all of the articles that have been recently published. You can read more about conditional access in the enable access to company resources section.
Watch Conditional Access Webinar
Also, make sure to register to watch our recent webinar on this topic. This 30-minute webinar provides more information on these new conditional access capabilities and includes a demo of both the end user and IT experiences. We also spent time answering some great attendee questions. Register here to view a recording of this webinar and don’t forget to check out the rest of our Enterprise Mobility Suite webinar series.
I hope that you’ve found this blog post useful. Please bookmark this blog and check back often as we plan to post new content weekly! Also, if you’re not yet using Intune, sign up for a free 30-day trial today!
- Joey Glocke, Program Manager