Deploying Enterprise Solutions for Protecting Email Data on Mobile Devices
More and more, companies are allowing employees to increase their productivity by accessing email,
documents, and company resources through their mobile devices. However, the amount of confidential
data that is stored within corporate emails and documents presents a significant security risk for
companies.
This guide is intended for you, the IT professional, to help determine and then deploy the best solution
for your company to enforce conditional access in one of the configurations as described below. This will
let employees use their mobile devices to access corporate email while still protecting your company’s
data.
Introduction
Protecting your company's data is vitally important, and is an increasingly challenging task as more
employees are using their mobile devices to access company resources, including email and email
attachments. As an IT administrator, you want to make sure that company data is protected even when
those mobile devices are not within the company’s physical location.
The Microsoft Enterprise Mobility Suite (EMS) solves this challenge by delivering comprehensive
protection of corporate email and documents across four layers – Identity, Device, Application, and
Data. Among other capabilities, EMS ensures that employees can access corporate email only from
devices that are managed by Microsoft Intune and compliant with IT policies.
Protecting corporate email involves two main objectives:
Allow only compliant devices to access your company’s email: An important step to protecting
corporate data is blocking access from devices that don’t use a strong password, are
jailbroken, or are not encrypted. Microsoft Intune gives you the ability to set conditions that your
users’ devices must meet before they can access your company resources. This is known as conditional access.
Protecting the content in email and attachments: While conditional access allows you to make
sure only compliant devices are able to access email, there is still the question of protecting the
content in the email and email attachments. The content can be copied, moved, saved to a
different location, or shared with another user. EMS solves this problem using mobile
application management policies.
Managed apps are apps that have mobile application management policies applied to them that
make them compliant with your company’s security requirements. With these apps, you have
direct control over deployment, ongoing management like inventory or updates, and selective
wipe of the apps and their associated data. Additionally, through a set of mobile application
management (MAM) policies, Intune lets you modify the functionality of apps, and restrict
sharing of data. For more details on how this solution works and architecture details see Protect
corporate email and documents.
You can create and deploy an email profile, then set a compliance policy that specifies that
email profiles must be managed by Intune (recommended). This gives you the ability to wipe
email from retired devices, and it ensures that for iOS, attachments can only be opened in
applications managed by Intune. See Create compliance policies and deploy to users in the
deployment steps in this article.
Solutions covered in this article
This section provides a high-level overview of each solution: Configuration Manager with Intune,
Intune by itself, mobile application management, and Azure Rights Management service.
Manage access to email using Conditional access
You can use a hybrid of Configuration Manager with Intune, or just use Intune by itself, along
with Exchange Online or Exchange Server on-premises to manage and enforce conditional
access on all types of PCs and mobile devices, regardless of their location. Enforcing conditional
access in this type of environment lets you enable the user to be more productive, while still
keeping company data secure.
Protect email attachments and data using the MAM solution
You can enforce mobile application management (MAM) policies in Intune to modify the
functionality of apps that you deploy in your company. For example, you can restrict cut, copy
and paste operations within a managed app, or configure an app to open all web links inside a
managed browser. This ensures that these apps are in line with your company compliance and
security policies.
Azure rights management service for data loss prevention policies
Azure Rights Management (Azure RMS) uses encryption, identity, and authorization policies to
help secure your files and email across multiple devices, such as phones, tablets, and PCs.
Information can be protected both within your company and outside your company because
protection remains with the data, even when it leaves your company’s boundaries.
Evaluating your desired implementation
With all of the different design and configuration options for managing mobile devices, it’s difficult to
determine which combination will best meet the needs of your company. The Mobile Device
Management Design Considerations Guide helps you understand mobile device management design
requirements and details a series of steps and tasks that you can follow to design a solution that best fits
the business and technology needs for your company.
High level end-user experience
After the solution is implemented, end-users will be able to access the company email only on managed
and compliant devices. Once they have the ability to access the email on the devices, the company data
is protected and contained within the app ecosystem and only available to the intended users. Access
can be revoked at any time if the device becomes noncompliant.
Note
Specifically, the conditional access policies set in Intune ensure that the devices can only access email if
they are compliant with the compliance policies you set. Actions such as copy and paste or saving to
personal cloud storage services can be restricted using mobile application management policies. Azure
Rights Management service can be used to ensure that the sensitive email data, and forwarded
attachments, can only be read by intended recipients. The end-user experience is described in more
detail in the End-user Experience section, later in this article.
Using conditional access with Intune and Configuration Manager
In this solution, you are already using System Center Configuration Manager and Microsoft Exchange
Server – on-premises, Exchange Online, or a hybrid deployment of both – in your company to
manage email access. This solution combines your existing Configuration Manager environment with
Intune to safely manage email access on all types of devices, regardless of their location.
Exchange Server on-premises
If you are already using System Center Configuration Manager and Exchange in your on-premises
infrastructure, you can incorporate Intune to manage email access and protect email data on mobile
devices. The high-level process for implementing this solution is as follows:
Configure the On-Premises Intune Exchange Connector through the Configuration Manager
console, which will let Configuration Manager communicate with the Exchange Server that hosts
the mobile devices’ mailboxes.
Run a full synchronization of the Exchange Server Connector to discover users and to inventory
all of the mobile device Exchange ActiveSync IDs (EASIDs) that are connecting to Exchange
Server on-premises.
Create user collections for groups of users that will either be targeted or exempted from the
conditional access policy. Then create the compliance policies that define the rules and settings
that a device must comply with in order to be considered compliant by conditional access
policies.
Begin enforcing conditional access.
Conditional access control flow for Exchange Server on-premises
This diagram shows the control flow for clients attempting to access email in Exchange on-premises.
Microsoft Intune: Manages the compliance and conditional access policies for the device
Microsoft Azure Active Directory: Authenticates user and provides device compliance status
Configuration Manager: Manages device enrollment and provides reporting
Exchange on-premises: Enforces access to email based on the device state
Prerequisites
Before you proceed, make sure your environment includes these requirements for implementing this
solution.
If you have already configured Configuration Manager to manage mobile devices through the Intune
service, you can proceed to the Deployment Steps.
Verify that you meet the hardware requirements for the on-premises connector.
Verify that you are running System Center 2012 R2 Configuration Manager SP1 with cumulative
update 1 or later.
Ensure that the Exchange Web Services (EWS) endpoint is configured properly for discovery. If
necessary, contact your Configuration Manager Support team for a tool that can help identify
EWS connection issues. EWS lets developers interact with Exchange mailboxes and contents by
using standard HTTP.
Install a valid digital certificate purchased from a trusted public certificate authority on the
Exchange server, and assign it to the Exchange services.
Configure an account (local or domain admin) with permission to run the following Exchange
Server cmdlets (See Configure Exchange cmdlet permissions for Windows Intune Exchange
Connector for help in configuring the account):
Clear-ActiveSyncDevice
Get-ActiveSyncDevice
Get-ActiveSyncDeviceAccessRule
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncMailboxPolicy
Get-ActiveSyncOrganizationSettings
Get-ExchangeServer
Get-Recipient
Set-ADServerSettings
Set-ActiveSyncDeviceAccessRule
Set-ActiveSyncMailboxPolicy
Set-CASMailbox
New-ActiveSyncDeviceAccessRule
New-ActiveSyncMailboxPolicy
Remove-ActiveSyncDevice
Note
If you try to install or use the Exchange Server connector without the required cmdlets, you will
see an error logged with the message Invoking cmdlet <cmdlet> failed in the EasDisc.log file on the
site server computer.
Deployment Steps
Follow these steps to deploy the Exchange on-premises solution:
Step 1: Ensure that Intune Connector role is installed
Make sure that the Intune Connector role is installed so that Configuration Manager can interact with
Intune. See Manage Mobile Devices with Configuration Manager and Intune for more information.
Step 2: Install and configure an Exchange Server connector
1. In the Configuration Manager console, click Administration, expand Hierarchy Configuration,
and then right-click Exchange Server Connectors.
Note
Configuration Manager supports only one connector in an Exchange organization.
Important
Before you install the Exchange Server connector, confirm that Configuration Manager supports the
version of Microsoft Exchange that you are using. For more information, see Supported
Configurations for Configuration Manager.
2. Click Add Exchange Server to open the Add Exchange Server wizard.
3. On the General page, specify the address of your on-premises Exchange Server.
Select Specify Exchange Client Access Server if you want to limit user discovery to a specific
Active Directory forest.
4. For the Exchange Server Connector Account, specify the administrator account that you
configured to run the Exchange Server PowerShell cmdlets.
In the Specify the account for sending notifications field, set the account that will be used to
send quarantine email notifications to users that are blocked by Configuration Manager
conditional access. The account you specify must have a valid mailbox on the Exchange server
and should be named in such a way that users will recognize the email notification as coming
from your company IT department.
Click Next.
Important
You must specify this account. Otherwise, conditional access will fail.
5. Specify when and how mobile devices are discovered and managed.
Set the number of minutes that pass before the Exchange connector queries the Exchange
Server for device connections that have been discovered since the previous full
synchronization (default 240).
Specify the number of days that a mobile device must be inactive before the Exchange
connector will remove its entry (default 180).
Specify whether the Exchange connector will discover all devices (the default) or just those
in a specified organizational unit. You can click Add to select an Active Directory collection of
users to be targeted with conditional access.
Click Next.
Note
Changing the delta synchronization will increase the load on the Exchange server and in
most cases is not necessary since conditional access is typically rolled out to users that
already access Exchange.
6. You can edit the Exchange ActiveSync policies already deployed on the Exchange Server, such as
password length and complexity. Any edits you make to the policies on this page of the wizard
will override existing EAS policies.
You can also enable the option External mobile device management to ensure that the mobile
devices continue to receive email from Exchange after Configuration Manager enrolls them. We
recommend that you set this option to Allowed.
Click Next.
Review the settings on the Summary page and then click Next to complete the installation of the
Exchange Server Connector.
You can verify the installation of the Exchange Server connector by using status messages and by
reviewing the log files.
To confirm that Site Component Manager successfully installed the Exchange Server
connector, look for the status ID 1015 for the SMS_EXCHANGE_CONNECTOR component. If
Configuration Manager cannot successfully install the connector (for example, because the
specified Client Access Server computer is offline), Configuration Manager retries the
installation every 60 minutes until the installation succeeds or you remove the Exchange
Server connector.
On the site server computer, search for the SiteComp.log file, and then in the log file, search
for Component SMS_EXCHANGE_CONNECTOR flagged for installation. A successful
installation is logged with the following text: STATMSG: ID=1015.
Step 3: Run a full synchronization to discover users.
1. In the Configuration Manager console, click Administration, expand Hierarchy Configuration,
and then select Exchange Server Connectors.
2. Select the Exchange Server Connector that you installed in Step 2.
3. Click Synchronize Now.
This full synchronization can take several hours to complete, depending on the number of devices. A full
synchronization runs once every 24 hours by default. A delta synchronization discovers device
connections since the previous full synchronization and occurs at the interval you set during
installation of the Exchange Server Connector. This ensures that new devices and new Exchange users are
discovered quickly so that conditional access can be applied.
Using the Configuration Manager Trace Log Tool, you can open the EasDisc.log file (located in the
Microsoft Configuration Manager/Logs folder where you installed Configuration Manager) to verify that
the connector is running and querying for device connections. After full sync completes, it will inventory
all of the mobile device Exchange ActiveSync IDs (EASIDs) that are connecting to Exchange on-premises.
Step 4: Create user collections.
Determine the Intune user groups for whom the conditional access policy will be targeted. Then, create
user collections for groups of users that will either be targeted or exempted from the conditional access
policy. You will specify these groups when you enforce conditional access later on.
1. In the Configuration Manager console, expand Overview and then click User Collections.
2. Click Create User Collection.
3. Follow the steps in the Create User Collection Wizard to create one or more user collections,
depending on how you want to enforce conditional access.
Step 5: Create compliance policies and deploy to users.
Compliance policies define the rules and settings that a device must comply with in order to be
considered compliant by conditional access policies. Follow these steps to create compliance policies.
1. In the Configuration Manager console, click Assets and Compliance, expand Overview, expand
Compliance Settings, and then click Compliance Policies.
2. On the Home tab, in the Create group, click Create Compliance Policy to open the Create
Compliance Policy Wizard.
3. Follow the steps in the Create Compliance Policy Wizard to specify the rules a device must
adhere to and the platforms that will be supported.
4. After the compliance policy is created, select the compliance policy name in the list and click
Deploy.
Step 6: Configure conditional access policy.
First, decide how and when you want to enforce conditional access and which employees will be
affected. Then, follow these steps to configure the conditional access policy for Exchange on-premises:
1. In the Configuration Manager console, click Assets and Compliance.
2. Expand Compliance Settings, expand Conditional Access, and then click On-Premises Exchange.
Note
If you want the ability to remove all corporate email from an iOS device after it is no longer part
of your company, you must create and deploy an email profile and then set the compliance
policy that specifies that Email profile must be managed by Intune. The email profile must be
deployed to the same set of users that you target with this compliance policy.
If you specify this compliance policy, a user who has already set up their email account must
manually remove it and then Intune will add it back in through the registration process
described below in End-user Experience.
3. On the Home tab, in the On-Premises Exchange group, click Configure Conditional Access
Policy.
4. On the General page of the Configure Conditional Access Policy Wizard, specify your Intune
tenant domain name. This is the suffix of the tenant ID you used to set up the Intune connector.
For example, if the tenant ID you used to set up the Intune connector is
[email protected], then the domain name you enter on this page of the wizard is
corpemail.contoso.com.
Click Next.
5. On the Targeted Collections page, add one or more user collections. In order to access
Exchange, users in these collections must enroll their devices with Intune and also be compliant
with any compliance policies you deployed.
Click Next.
6. On the Exempted Collections page, add any user collections that you want to be exempt from
the conditional access policy. Users in these groups do not need to enroll their devices with
Intune and do not need to be compliant with any deployed compliance policies in order to
access Exchange.
If a user appears in both the targeted and exempted lists, they will be exempt from the
conditional access policy.
Click Next.
7. On the Edit User Notification page, configure the email that Intune sends to users with
instructions about how to unblock their device (in addition to the email that Exchange sends).
You can edit the default message and use HTML tags to format how the text appears. You can
also send an email in advance to your employees notifying them of the upcoming changes and
providing them with instructions about enrolling their devices.
Click Next.
8. On the Summary page, review your settings, and then complete the wizard.
Step 7: Monitor enrollments and enforce conditional access
If you already have a significant number of users enrolled in Intune and compliant, you can start
enforcing conditional access by rolling it out to about 500 users per day. This will take about 4 to 5
months for 70,000 users. This will let you sort out any issues that might arise without restricting email
access to too many users at the same time.
If you don’t have a large number of users already enrolled in Intune, conditional access provides them
with a guided experience for enrollment, as described in End-user Experience.
Verification Steps
Using the Configuration Manager Trace Log Tool, open the EasDisc.log file (located in the Microsoft
Configuration Manager/Logs folder where you installed Configuration Manager). Search the log file for
“Exchange Connector” to find information about whether the Exchange Connector is running and how
many devices are connected.
The Configuration Manager Trace Log Tool is included in the System Center 2012 R2 Configuration
Manager Toolkit.
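The following PowerShell script is an added example and is not part of this guide or of Configuration Manager. It parses the CMTrace line format that EasDisc.log and SiteComp.log use, so you can perform the Step 2 install check (status ID 1015 for SMS_EXCHANGE_CONNECTOR), the Exchange Connector activity check described above, and the search for "Invoking cmdlet <cmdlet> failed" entries (which name the cmdlet the connector account is not allowed to run) without opening the Trace Log Tool. The sample log lines are constructed; the default log path and every message text other than the two strings this article documents are assumptions.

```powershell
# Added example: triage the connector logs without the Trace Log Tool.
# Both EasDisc.log and SiteComp.log use the CMTrace line format:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="1|2|3" ...>
# where type 1/2/3 is Info/Warning/Error. Single-line entries only.

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Line)
    $Pattern = '^<!\[LOG\[(?<Message>.*)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+' +
               'component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"'
    $Severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($L in $Line) {
        if ($L -match $Pattern) {
            [pscustomobject]@{
                Date      = $Matches.Date
                Time      = $Matches.Time
                Component = $Matches.Component
                Severity  = $Severity[$Matches.Type]
                Message   = $Matches.Message
            }
        }
    }
}

function Get-ExchangeConnectorLogSummary {
    param([Parameter(Mandatory)][string[]]$Line)
    $Entries = @(ConvertFrom-CMTraceLog -Line $Line)
    # SiteComp.log: STATMSG ID=1015 for SMS_EXCHANGE_CONNECTOR is the successful-install marker.
    $Installed = @($Entries | Where-Object {
        $_.Message -match 'STATMSG: ID=1015' -and $_.Message -match 'SMS_EXCHANGE_CONNECTOR' })
    # EasDisc.log: "Exchange Connector" lines show whether discovery runs and what it sees.
    $Activity = @($Entries | Where-Object {
        $_.Component -eq 'SMS_EXCHANGE_CONNECTOR' -and $_.Message -match 'Exchange Connector' })
    # EasDisc.log: a cmdlet the connector account may not run is logged exactly this way.
    $CmdletFailures = @($Entries | ForEach-Object {
        if ($_.Message -match 'Invoking cmdlet (?<Cmdlet>\S+) failed') {
            [pscustomobject]@{ Date = $_.Date; Time = $_.Time; Cmdlet = $Matches.Cmdlet }
        }
    })
    [pscustomobject]@{
        ConnectorInstalled = ($Installed.Count -gt 0)
        ConnectorActivity  = $Activity
        Errors             = @($Entries | Where-Object { $_.Severity -eq 'Error' })
        MissingCmdlets     = @($CmdletFailures | ForEach-Object { $_.Cmdlet } | Sort-Object -Unique)
    }
}

# Constructed sample entries: one SiteComp.log pair, then EasDisc.log lines. Message texts other
# than "STATMSG: ID=1015" and "Invoking cmdlet ... failed" are assumed, not copied from real logs.
$SampleLog = @'
<![LOG[Component SMS_EXCHANGE_CONNECTOR flagged for installation]LOG]!><time="10:15:22.123+420" date="03-14-2015" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="1234" file="sitecomp.cpp:100">
<![LOG[STATMSG: ID=1015 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_SITE_COMPONENT_MANAGER" ISTR0="SMS_EXCHANGE_CONNECTOR"]LOG]!><time="10:15:23.456+420" date="03-14-2015" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="1234" file="sitecomp.cpp:200">
<![LOG[Exchange Connector: full sync discovered 1532 device connections]LOG]!><time="02:00:10.001+420" date="03-15-2015" component="SMS_EXCHANGE_CONNECTOR" context="" type="1" thread="4321" file="easdisc.cpp:300">
<![LOG[Invoking cmdlet Set-CASMailbox failed]LOG]!><time="02:00:11.002+420" date="03-15-2015" component="SMS_EXCHANGE_CONNECTOR" context="" type="3" thread="4321" file="easdisc.cpp:310">
'@
$Summary = Get-ExchangeConnectorLogSummary -Line ($SampleLog -split "`r?`n")
$Summary | Format-List

# Against the real logs (default install path assumed):
# $LogDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'
# Get-ExchangeConnectorLogSummary -Line (Get-Content -Path "$LogDir\SiteComp.log", "$LogDir\EasDisc.log")
```

On the constructed sample, ConnectorInstalled is true, ConnectorActivity holds the discovery line, and MissingCmdlets lists Set-CASMailbox, which is the cmdlet to add to the connector account's role assignment before retrying the synchronization.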
Reporting
You can use the Configuration Manager console to view specific information about devices that have
been discovered by the Exchange Connector. For devices on which conditional access is enforced, you
can view the current status of each device, the last time the device was connected with the Exchange
server, and so on.
In the Configuration Manager console, click Assets and Compliance and then click Devices. You can view
the current status of each device (Blocked or Allowed) in the Exchange Access State column. Add this
column if not already shown by right-clicking in the column title bar area. You can also view the last
successful synchronization time for each device as reported by Exchange by adding the Last Success
Sync Time To Exchange Server column.
If you are running SQL Server Reporting Services (SSRS), you can view a conditional access report that
shows the compliance state of devices, whether there is an Exchange connector installed and running,
and the EAS Access state. It will also provide information about Active Directory registration, EAS
activation, as well as the device owner.
To view SSRS reports, you must have a reporting role installed on the primary server:
1. In Configuration Manager, click Administration > Hierarchy Configuration > Site
Configuration > Servers and Site System Roles.
2. Select a server and click Add Site System Role to open the Add Site System Role wizard.
3. On the System Role Selection page, select the Reporting services point checkbox. The reporting
services point displays reports related to client management.
4. Click Next.
The following shows the deployment status of the configuration policy:
Latency
A device is blocked as soon as it is discovered by the Exchange connector. The latency of blocking
depends on the configured intervals for full synchronization and delta synchronization and on when,
between those synchronizations, the device first connects to the Exchange server. By default, a full
synchronization occurs every 24 hours while a delta synchronization occurs every 240 minutes. Until a
device is discovered it is not blocked, even if it is unenrolled or noncompliant, so plan for this window.
Exchange Online
If you are already using System Center Configuration Manager and Exchange Online, you can
incorporate Intune to manage email access and protect email data on mobile devices. The high-level
process for implementing this solution is as follows:
Create the compliance policies that define the rules and settings that a device must comply with
in order to be considered compliant by conditional access policies.
Begin enforcing conditional access.
Optionally, configure the Exchange Server connector for Exchange Online
This connector is required for reporting purposes only. It is not required to enable conditional
access.
Conditional access control flow for Exchange Online
This diagram shows the control flow for clients attempting to access email in Exchange Online. A and B
can be performed prior to enforcing conditional access.
Microsoft Intune: Manages the compliance and conditional access policies for the device
Microsoft Azure Active Directory: Authenticates user and provides device compliance status
Configuration Manager: Manages device enrollment and provides reporting, if enabled
Exchange Online: Enforces access to email based on the device state
Prerequisites
Before you proceed, make sure your environment includes these requirements for implementing this
solution.
Install a valid digital certificate purchased from a trusted public certificate authority on the
Exchange server, and assign it to the Exchange services.
Verify that you are running System Center 2012 R2 Configuration Manager SP1 with cumulative
update 1 or later.
Configure a user account with permission to run the following Exchange Server cmdlets (See
Configure Exchange cmdlet permissions for Windows Intune Exchange Connector for help in
configuring the account):
Clear-ActiveSyncDevice
Get-ActiveSyncDevice
Get-ActiveSyncDeviceAccessRule
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncMailboxPolicy
Get-ActiveSyncOrganizationSettings
Get-ExchangeServer
Get-Recipient
Set-ADServerSettings
Set-ActiveSyncDeviceAccessRule
Set-ActiveSyncMailboxPolicy
Set-CASMailbox
New-ActiveSyncDeviceAccessRule
New-ActiveSyncMailboxPolicy
Remove-ActiveSyncDevice
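The following PowerShell script is an added example and is not part of this guide. It checks, before you install the connector, that the connector account can actually run the fifteen cmdlets listed in this prerequisites section and in the Exchange Server on-premises prerequisites earlier in this article. Exchange remote PowerShell only exposes the cmdlets the connecting user is authorized to run through RBAC, so asking the remote session which of these names it can see is a direct test of the account's effective rights. The Client Access Server name and the account name are placeholders; for the Exchange Online connector account, open the remote session the way your tenant supports and pass it to the function.

```powershell
# Added example: verify the connector account's RBAC rights before installing the connector.
# Requires PowerShell 3.0 or later on the machine running the check.
# Assumptions: the Client Access Server FQDN and the account name below are placeholders.

# The cmdlet list from the connector prerequisites in this guide.
$RequiredCmdlets = @(
    'Clear-ActiveSyncDevice', 'Get-ActiveSyncDevice', 'Get-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncOrganizationSettings', 'Get-ExchangeServer', 'Get-Recipient',
    'Set-ADServerSettings', 'Set-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncMailboxPolicy',
    'Set-CASMailbox', 'New-ActiveSyncDeviceAccessRule', 'New-ActiveSyncMailboxPolicy',
    'Remove-ActiveSyncDevice'
)

function Test-ConnectorCmdletAccess {
    [CmdletBinding()]
    param(
        # An Exchange remote PowerShell session opened as the connector account.
        [Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session,
        [string[]]$Cmdlets = $RequiredCmdlets
    )
    # Exchange RBAC filters what the remote session exposes, so a cmdlet the account cannot
    # run is simply absent. Get-Command -Session asks the remote side without importing anything.
    $Visible = @(Get-Command -Session $Session -Name $Cmdlets -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)
    $Missing = @($Cmdlets | Where-Object { $_ -notin $Visible })
    [pscustomobject]@{
        Server  = $Session.ComputerName
        Granted = @($Cmdlets | Where-Object { $_ -in $Visible })
        Missing = $Missing
        Ready   = ($Missing.Count -eq 0)
    }
}

# On-premises: Kerberos to a Client Access Server, authenticating as the connector account.
# (For Exchange Online, open the remote session the way your tenant supports and pass it in.)
$ConnectorCred = Get-Credential -Message 'Exchange Server connector account (e.g. CONTOSO\svc-intune-eas, assumed)'
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://exch01.corp.contoso.com/PowerShell/' `
    -Authentication Kerberos -Credential $ConnectorCred
try {
    $Result = Test-ConnectorCmdletAccess -Session $Session
    if (-not $Result.Ready) {
        # Each missing cmdlet becomes an "Invoking cmdlet <cmdlet> failed" line in EasDisc.log
        # once the connector runs, so fix the role assignment before installing it.
        Write-Warning ('Connector account is missing: {0}' -f ($Result.Missing -join ', '))
    }
    $Result
}
finally {
    Remove-PSSession -Session $Session
}
```

Because the check runs as the connector account rather than as an administrator, it exercises the same RBAC path the connector will use, and Ready is only true when all fifteen cmdlets are visible to that account.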
Deployment Steps
Follow these steps to deploy the Exchange Online solution:
Step 1: Create compliance policies and deploy to users.
Compliance policies define the rules and settings that a device must comply with in order to be
considered compliant by conditional access policies. Follow these steps to create and deploy compliance
policies.
1. In the Configuration Manager console, click Assets and Compliance, expand Overview, expand
Compliance Settings, and then click Compliance Policies.
2. On the Home tab, in the Create group, click Create Compliance Policy to open the Create
Compliance Policy Wizard.
3. Follow the steps in the Create Compliance Policy Wizard to specify the rules a device must
adhere to and the platforms that will be supported.
Note
If you want the ability to remove all corporate email from an iOS device after it is no longer part
of your company, you must create and deploy an email profile and then set the compliance
policy that specifies that Email profile must be managed by Intune. The email profile must be
deployed to the same set of users that you target with this compliance policy.
If you specify this compliance policy, a user who has already set up their email account must
remove it and then Intune will add it back in through the Intune registration process
described below in End-user Experience.
4. After the compliance policy is created, highlight the name in the list and click Deploy.
Step 2: Configure conditional access policy.
First decide when you want to enforce conditional access and which employees will be affected. Then,
follow these steps to enable the conditional access policy for Exchange Online.
1. In the Configuration Manager console, click Assets and Compliance.
2. Expand Compliance Settings, expand Conditional Access, and then click Exchange Online.
3. On the Home tab, in the Links group, click Configure Conditional Access Policy in the Intune
Console. You might need to supply the user name and password of the account used to connect
Configuration Manager to Intune, or of any global administrator for the Intune service.
The Intune admin console opens.
Note
Conditional access policy must be configured in the Intune console. The following steps begin by
accessing the Intune console through Configuration Manager. If prompted, log in using the same
credentials that were used to set up the connector between Configuration Manager and Intune.
4. In the Intune administration console, click Policy > Conditional Access > Exchange Online Policy.
5. On the Exchange Online Policy page, select Enable conditional access policy for Exchange
Online. If you check this, a device must be compliant. If this is not checked then conditional
access is not applied.
Note
If you have not deployed a compliance policy and then enable the Exchange Online policy, all
targeted devices are reported as compliant.
Regardless of the compliance state, all users who are targeted by the policy will be required to
enroll their devices with Intune.
6. Under Application access, for apps that use modern authentication, you have two ways of
choosing which platforms the policy applies to. Supported platforms include Android, iOS,
Windows, and Windows Phone.
All platforms
This requires any device used to access Exchange Online to be enrolled in
Intune and compliant with the policies. Any client application using modern
authentication is subject to the conditional access policy, and if the platform is currently
not supported by Intune, access to Exchange Online is blocked.
Selecting the All platforms option means that Azure Active Directory will apply this
policy to all authentication requests, regardless of the platform reported by the client
application. All platforms will be required to enroll and become compliant, except for:
o Windows devices, which must be enrolled and compliant, domain joined
with on-premises Active Directory, or both.
o Unsupported platforms like Mac OS. However, apps using modern
authentication coming from these platforms will still be blocked.
Tip
You may not see this option if you are not already using conditional access for PCs. Use
Specific platforms instead. Conditional access for PCs is not currently available to all
Intune customers. You can find out more information about known issues as well as
how to get access to this feature at the Microsoft Connect site.
Specific platforms
Conditional access policy will apply to any client app that is using modern
authentication on the device platforms you specify.
7. Under Outlook web access (OWA), you can choose to allow access to Exchange Online only
through the supported browsers: Safari (iOS), and Chrome (Android). Access from other
browsers will be blocked. The same platform restrictions you selected for Application access for
Outlook also apply here.
On Android devices, users must enable the browser access. To do this the end-user must enable
the “Enable Browser Access” option on the enrolled device as follows:
a. Launch the Company Portal app.
b. Go to the Settings page from the triple dots (…) or the hardware menu button.
c. Press the Enable Browser Access button.
d. In the Chrome browser, sign out of Office 365 and restart Chrome.
8. On iOS and Android platforms, to identify the device that is used to access the service, Azure
Active Directory issues a Transport Layer Security (TLS) client certificate to the device. The
browser prompts the end-user to select the certificate, as seen in the screenshots below.
The end-user must select this certificate before they can continue to use the
browser.
Under Exchange ActiveSync apps, you can choose to block noncompliant devices from accessing
Exchange Online. You can also select whether to allow or block access to email when the device
is not running a supported platform. Supported platforms include Android, iOS, Windows, and
Windows Phone.
9. Under Targeted Groups, select the Active Directory security groups of users to which the policy
will apply.
Note
For users that are in the Targeted groups, the Intune polices will replace Exchange rules and
policies.
Exchange will only enforce the Exchange allow, block and quarantine rules, and Exchange
policies if:
The user is not licensed for Intune.
The user is licensed for Intune, but the user does not belong to any security groups targeted
in the conditional access policy.
10. Under Exempted Groups, select the Active Directory security groups of users that are exempt
from this policy. If a user is in both the targeted and exempted groups, they will be exempt from
the policy and will have access to their email.
11. When you are finished, click Save.
You do not have to deploy the conditional access policy; it takes effect as soon as you save it.
After a user creates an email account, the device is blocked immediately.
If a blocked user enrolls the device with Intune (or remediates noncompliance), email access
is unblocked within 2 minutes.
If the user un-enrolls their device, email is blocked after about 6 hours.
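The following PowerShell script is an added example and is not part of this guide. It records the Exchange ActiveSync organization default, the device access rules, and the per-device access state that, as the note under step 9 explains, Intune replaces for targeted and licensed users while Exchange keeps enforcing them for everyone else; the same settings are the ones the on-premises connector wizard (step 6 of the Exchange on-premises deployment) can override. Run it in the Exchange Management Shell or an Exchange remote session before you enable the policy, so you can compare the state afterwards. The export path is an assumption.

```powershell
# Added example: capture the Exchange ActiveSync access decisions that conditional access
# will take over for targeted users, before you enable the policy. Run in the Exchange
# Management Shell or an Exchange remote session as an account that can read EAS settings.
# Assumption: the export path at the end is a placeholder.

function Get-EasAccessBaseline {
    [CmdletBinding()]
    param()
    # Organization default for devices no rule or per-user setting matches: Allow, Block or Quarantine.
    $Org = Get-ActiveSyncOrganizationSettings
    # Device access rules: a DeviceType/DeviceModel/DeviceOS/UserAgent value mapped to an access level.
    $Rules = @(Get-ActiveSyncDeviceAccessRule |
        Select-Object Name, Characteristic, QueryString, AccessLevel)
    # Every EAS partnership Exchange knows about, with the layer that decided its state
    # (DeviceAccessStateReason: Global, Individual, DeviceRule, Policy, ...).
    $Devices = @(Get-ActiveSyncDevice -ResultSize Unlimited |
        Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceId,
                      DeviceAccessState, DeviceAccessStateReason, DeviceAccessControlRule)
    [pscustomobject]@{
        DefaultAccessLevel = $Org.DefaultAccessLevel
        QuarantineNotifyTo = $Org.AdminMailRecipients
        AccessRules        = $Rules
        Devices            = $Devices
        NotAllowed         = @($Devices | Where-Object { $_.DeviceAccessState -ne 'Allowed' })
        ByReason           = @($Devices | Group-Object DeviceAccessStateReason |
                                Select-Object Name, Count)
    }
}

$Baseline = Get-EasAccessBaseline
# Devices that Exchange itself blocks or quarantines today. After rollout, these decisions
# come from Intune for targeted, licensed users; Exchange keeps deciding for everyone else.
$Baseline.NotAllowed |
    Format-Table UserDisplayName, DeviceType, DeviceAccessState, DeviceAccessStateReason, DeviceAccessControlRule -AutoSize
"Organization default: $($Baseline.DefaultAccessLevel); device access rules: $($Baseline.AccessRules.Count)"
# Keep a copy of the rules so the pre-rollout state can be compared after enforcement starts.
$Baseline.AccessRules | Export-Csv -NoTypeInformation -Path '.\eas-access-rules-before.csv'
```

Rerunning the script after enforcement and comparing the exported rules and the NotAllowed list shows which devices moved from Exchange-side quarantine or block decisions to Intune-side ones, and which users are still governed only by the Exchange rules because they are unlicensed or not in a targeted group.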
Step 3: (Optional) Install and configure an Exchange Server connector
The Exchange Server Connector is only required for reporting purposes. It is not required to enable
conditional access, although we do highly recommend it.
1. In the Configuration Manager console, click Administration, expand Hierarchy
Configuration, and then click Exchange Server Connectors.
2. Click Add Exchange Server to open the Add Exchange Server wizard.
3. In the General page of the Add Exchange Server wizard, specify the service address of Exchange
Online for the Hosted Exchange Server field.
4. For the Exchange Server Connector Account, specify the administrator account that you
configured to run the Exchange Server PowerShell cmdlets.
In the Specify the account for sending notifications field, set the account that will be used to
send quarantine email notifications to clients that are blocked by Configuration Manager
conditional access. The account you specify must have a valid mailbox on the Exchange server.
Click Next.
Important
It is mandatory that you specify this account. Otherwise, conditional access will fail.
5. Specify when and how mobile devices are discovered and managed.
Set the number of minutes that pass before the Exchange connector queries the Exchange
Server for device connections that have been discovered since the previous full
synchronization (default 240).
Specify the number of days that a mobile device must be inactive before the Exchange
connector removes its entry (default 180).
Specify whether the Exchange connector discovers all devices (the default) or only those
in a specified organizational unit. You can click Add to select an Active Directory collection of
users to be targeted with conditional access.
Note
Changing the delta synchronization will increase the load on the Exchange server and in
most cases is not necessary since conditional access is typically rolled out to users that
already access Exchange.
Click Next.
6. You can edit the Exchange ActiveSync policies already deployed on the Exchange Server,
such as password length and complexity. Any edits you make to the policies on this page of
the wizard will override existing EAS policies.
You can also enable the option External mobile device management to ensure that the
mobile devices continue to receive email from Exchange after Configuration Manager
enrolls them. We recommend that you set this option to Allowed.
Click Next.
Review the settings on the Summary page and then click Next to complete the installation of the
Exchange Server Connector.
Verification Steps
If you configured the optional Exchange Server connector for this solution, you can use the
Configuration Manager Trace Log Tool to open the EasDisc.log file (located in the Microsoft
Configuration Manager/Logs folder where you installed Configuration Manager). Search the log file for
“Exchange Connector” to find information about whether the Exchange Connector is running and how
many devices are connected.
The Configuration Manager Trace Log Tool is included in the System Center 2012 R2 Configuration
Manager Toolkit.
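The search for "Exchange Connector" described above is a manual step in the Trace Log Tool. As an added example for this guide (not part of Configuration Manager or the Toolkit), the following script parses CMTrace-format entries, keeps the ones that mention the connector, and reports whether any were errors and how many devices the last discovery entry counted. The entry layout (a <![LOG[...]LOG]!> message followed by time, date, component and type attributes) is the real CMTrace format; the sample EasDisc.log lines and the wording of their messages, including the "discovered N devices" phrasing, are constructed for illustration and are not the actual log text.

```python
import re

# CMTrace-style entry: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'[^>]*?\btype="(?P<type>\d)"',
    re.DOTALL,
)

# CMTrace severity convention for the type attribute.
SEVERITY = {"1": "info", "2": "warning", "3": "error"}


def parse_entries(text):
    """Yield one dict per CMTrace entry found in the log text."""
    for m in ENTRY_RE.finditer(text):
        entry = m.groupdict()
        entry["severity"] = SEVERITY.get(entry.pop("type"), "unknown")
        yield entry


def exchange_connector_status(text, marker="Exchange Connector"):
    """Summarize the entries that mention the marker (the search the guide does by hand)."""
    hits = [e for e in parse_entries(text) if marker.lower() in e["message"].lower()]
    devices = None
    for e in hits:
        # Assumed message phrasing: pick up the device count from the latest entry that has one.
        m = re.search(r"(\d+)\s+devices?", e["message"])
        if m:
            devices = int(m.group(1))
    return {
        "entries": len(hits),
        "errors": sum(1 for e in hits if e["severity"] == "error"),
        "devices": devices,
        "last_message": hits[-1]["message"] if hits else None,
    }


# Constructed sample of EasDisc.log content; the messages are illustrative, not real log text.
SAMPLE_LOG = """\
<![LOG[Exchange Connector: starting full synchronization]LOG]!><time="08:00:01.123+000" date="03-02-2015" component="EasDisc" context="" type="1" thread="4520" file="easdisc.cpp:100">
<![LOG[Processing discovery data for site P01]LOG]!><time="08:00:05.000+000" date="03-02-2015" component="EasDisc" context="" type="1" thread="4520" file="easdisc.cpp:140">
<![LOG[Exchange Connector: discovered 42 devices]LOG]!><time="08:03:15.456+000" date="03-02-2015" component="EasDisc" context="" type="1" thread="4520" file="easdisc.cpp:212">
<![LOG[Exchange Connector: remote PowerShell session timed out]LOG]!><time="12:00:09.789+000" date="03-02-2015" component="EasDisc" context="" type="3" thread="4520" file="easdisc.cpp:300">
"""


if __name__ == "__main__":
    # On a real site server, read the file from the Logs folder named in the guide instead.
    status = exchange_connector_status(SAMPLE_LOG)
    print(f"connector entries: {status['entries']}, errors: {status['errors']}, devices: {status['devices']}")
    print(f"last connector message: {status['last_message']}")
```

An error count above zero, or a missing device count after the expected synchronization interval, is the condition to investigate before relying on the reporting described in the next section.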
Reporting
If you configured the optional Exchange Server connector, you can use the Configuration Manager
console to view specific information about devices that have been discovered by the Exchange
Connector. For devices on which conditional access is enforced, you can view the current status of each
device, the last time the device was connected with the Exchange server, and so on.
In the Configuration Manager console, click Assets and Compliance and then click Devices. You can view
the current status of each device (Quarantined or Allowed) in the Exchange Access State column. Add
this column if not already shown by right-clicking in the column title bar area. You can also view the last
successful synchronization time for each device as reported by Exchange by adding the Last Success
Sync Time To Exchange Server column.
If you are running SQL Server Reporting Services (SSRS), you can view a conditional access report that
shows the compliance state of devices, whether there is an Exchange connector installed and running,
and the EAS Access state. It will also provide information about Active Directory registration, EAS
activation, as well as the device owner.
To view SSRS reports, you must have a reporting role installed on the primary server:
1. In the Configuration Manager console, click Administration, expand Hierarchy Configuration,
expand Site Configuration, and then click Servers and Site System Roles.
2. Select a server and click Add Site System Role to open the Add Site System Role wizard.
3. On the System Role Selection page, select the Reporting services point checkbox. The reporting
services point displays reports related to client management.
4. Click Next.
The following shows the deployment status of the configuration policy:
Latency
Devices that use modern authentication have conditional access applied immediately. For devices
connecting through the EAS protocol, there can be a lag time of up to six hours before conditional access
is enforced, based on the default setting. During that time, a device might be considered compliant.
Coexistence of Exchange Server on-premises and Exchange Online
An environment in which Exchange on-premises and Exchange Online are both used to manage email
profiles offers companies the ability to extend the feature-rich experience and administrative control
they have with their existing on-premises Microsoft Exchange organization to the cloud. This "hybrid"
type of deployment provides the seamless look and feel of a single Exchange organization between an
on-premises Exchange Server 2013 organization and Exchange Online in Microsoft Office 365. In
addition, this type of deployment can serve as an intermediate step to moving completely to an
Exchange Online organization.
If you are already using Configuration Manager along with a coexistence of Exchange on-premises and
Exchange Online, you can incorporate Intune to manage email access and protect email data on mobile
devices. You can implement this solution by following the instructions above for implementing each
solution separately.
Prerequisites
To configure a coexistence type of environment that implements both Exchange on-premises and
Exchange Online, your existing Exchange organization must meet certain requirements. If you don't
meet these requirements, you won't be able to complete the steps necessary to configure a hybrid
deployment between your on-premises Exchange organization and the Exchange Online organization in
Microsoft Office 365.
See Hybrid deployment prerequisites to review the requirements for creating and configuring this type
of environment.
Deployment Steps
To deploy a coexistence solution, follow the steps above for deploying both the Exchange on-premises
and Exchange Online solutions.
End-user Experience
Following is an overview of the end-user experience after conditional access is enabled and an end user
tries to access email on their mobile device.
Windows Phone
1. If a user is already enrolled in Intune and is compliant, they will see no difference on Windows
devices; they will continue to get access to email. Users who have not yet enrolled in Intune will
receive a quarantine email similar to this sample:
The user clicks Get started now to begin enrolling their device.
Note
The enrollment process and the screens the user sees will be slightly different depending on the
version of OS running on the end-user device.
2. On the Company Access Setup screen, the user clicks Begin to start setting up their device and
checking whether it is compliant.
3. On the Enroll Your Device screen, the user clicks Confirm Enrollment to start enrolling their
device.
During enrollment, the Mobile Device Management profile is installed to allow you, the IT
administrator, to remotely manage the device. The user might be prompted to accept a
certificate authorizing Workplace Join.
The user signs in using the email address they use with Office. After they are signed in, they
might need to click Confirm Enrollment once more to continue enrolling their device.
4. The device is checked to verify that it is enrolled.
The user then completes the enrollment process by selecting their device and clicking Select. If
their device is not displayed, they can choose I don’t see my device listed to try again.
5. The device is checked to verify that it is compliant with company policies.
If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid
password) and then click Check Compliance to continue.
6. After compliance is verified, the user sees that enrollment is being activated.
7. Enrollment is activated and the user clicks Continue to complete the process…
8. …and the process completes! The user clicks Done to exit setup.
After the user is enrolled and compliance is verified, email access should become available
within a few minutes.
If the user follows those steps to enroll and become compliant and still cannot access their email on
their mobile device, they can follow these additional steps to try and fix the issue:
First, verify that their device is enrolled. If not, the user follows the steps above.
Verify that the device is compliant by clicking Check Compliance. If a compliance error is
identified, the user can follow the instructions specific to their mobile device about how to
resolve it, such as resetting their password.
Call the help desk.
If a device becomes noncompliant
Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was
previously compliant is later deemed to be noncompliant (for example, a compliance policy was added
or changed), the user can follow these steps to get their device back in compliance:
1. The user receives notification in email or on their device that the device is noncompliant. At this
time, the device is quarantined in Exchange.
2. If the user tries to access email, they are redirected back to the Company Access Setup screen
from the Intune Company portal where it shows that they are out of compliance.
3. The user clicks Continue and is shown the compliance issue that is preventing them from
accessing email.
4. After they have fixed the issue, they click Check Compliance to verify that the problem is
resolved.
5. If the issue is fixed, the user clicks Continue to complete the process. Email access should
become available again within a few minutes.
iOS
Note
The enrollment process and the screens the user sees will be slightly different depending on the
version of OS running on the end-user device.
1. If a user is already enrolled in Intune and is compliant, they will see no difference on iOS devices;
they will continue to get access to email. If the user is not yet enrolled, they will see a
quarantine message similar to this when they launch their mail app:
The user clicks Get started now to begin enrolling their device.
2. The user is prompted to install the Intune Company Portal app from the respective app store.
After it installs, the user opens the app and signs in using their company credentials.
3. On the Company Access Setup screen, the user clicks Begin to start setting up their device and
checking whether it is compliant.
4. On the Device Enrollment screen, the user clicks Enroll to start enrolling their device.
During enrollment, the Mobile Device Management profile is installed to allow you, the IT
administrator, to remotely manage the device. The user enters their password if prompted.
5. On the Company Access Setup screen, the user clicks Continue to start checking compliance on
the device.
If there is a compliance issue, the user is prompted to resolve the issue (such as by creating a
valid password) and then click Check Compliance to continue.
After the device is fully compliant, the user clicks Continue to proceed.
After the user is enrolled and compliance is verified, email access should become available
within a few minutes.
If the user follows those steps to enroll and become compliant and still cannot access their email on
their mobile device, they can follow these additional steps to try and fix the issue:
First, verify that their device is enrolled. If not, the user follows the steps above.
Verify that the device is compliant by clicking Check Compliance. If a compliance error is
identified, the user can follow the instructions specific to their mobile device about how to
resolve it, such as resetting their password.
Call the help desk.
If a device becomes noncompliant
Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was
previously compliant is later deemed to be noncompliant (for example, a compliance policy was added
or changed), the user can follow these steps to get their device back in compliance:
1. The user receives notification in email or on their device that the device is noncompliant. At this
time, the device is quarantined in Exchange.
2. If the user tries to access email, they are redirected back to the Company Access Setup screen
from the Intune Company portal where it shows that they are out of compliance.
3. The user clicks Continue and is shown the compliance issue that is preventing them from
accessing email.
4. After they have fixed the issue, they click Check Compliance to verify that the problem is
resolved.
5. If the issue is fixed, the user clicks Continue to complete the process.
Email access should become available again within a few minutes.
Android
1. When they try to access email, the user first receives a quarantine email similar to this sample:
The user clicks Get started now to begin enrolling their device.
Note
The enrollment process and the screens the user sees will be slightly different depending on the
version of OS running on the end-user device.
2. The user is prompted to install the Intune Company Portal app from the respective app store.
After it installs, the user opens the app and signs in using their company credentials.
Note
If a user has not set a default browser for their device, they will be prompted during device
enrollment and during enrollment activation to allow a link to open a browser window.
When prompted, they must select the same browser each time or the enrollment process
will fail.
3. On the Company Access Setup screen, the user clicks Begin to start setting up their device and
checking whether it is compliant.
4. On the Device Enrollment screen, the user clicks Enroll to start enrolling their device.
5. Users must activate the device administrator by clicking Activate when prompted, or the device
enrollment procedure is canceled.
Device enrollment begins. Depending on the device, a certificate installation prompt or a
Samsung KNOX Privacy Policy prompt might appear during enrollment. These are necessary to
allow you, the IT administrator, to remotely manage the device. The device is enrolled to Intune
and establishes a device identity with Azure Active Directory.
6. After enrollment is completed successfully, the user clicks Continue to start checking
compliance on the device.
If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid
password) and then click Check Compliance to continue.
7. After the device is fully compliant, the user clicks Continue to initiate enrollment activation. This
will connect the AAD device identity with the EAS ID provided by Exchange.
8. Enrollment activation will complete and the user clicks Done to exit the enrollment and
compliance verification process.
Note
On Android, the default browser will appear for a few seconds during enrollment activation.
If the user has not already selected a default browser, they are prompted to choose a
browser. While completing Company Access Setup, the same browser must be selected by
the user whenever prompted.
After the user is enrolled and compliance is verified, email access should become available
within a few minutes.
If the user follows those steps to enroll and become compliant and still cannot access their email on
their mobile device, they can follow these additional steps to try and fix the issue:
First, verify that their device is enrolled. If not, the user follows the steps above.
Verify that the device is compliant by clicking Check Compliance. If a compliance error is
identified, the user can follow the instructions specific to their mobile device about how to
resolve it, such as resetting their password.
Call the help desk.
If a device becomes noncompliant
Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was
previously compliant is later deemed to be noncompliant (for example, a compliance policy was added
or changed), the user can follow these steps to get their device back in compliance:
1. The user receives notification in email or on their device that the device is noncompliant. At this
time, the device is quarantined in Exchange.
2. When the user tries to access email, they see a quarantine email informing them that
compliance issues must be fixed before they can get access. When the user clicks on the
hyperlink in the quarantine email, it redirects them to the Company Access Setup screen in the
Intune Company portal (via default browser and Google Play) where it shows that the device is
not compliant.
3. The user clicks Continue and is shown the compliance issue that is preventing them from
accessing email.
4. After they have fixed the issue, they click Check Compliance to verify that the problem is
resolved.
5. If the issue is fixed, the user clicks Continue to complete the process. Email access should
become available again within a few minutes.