Conditional Access for Exchange Online via Configuration Manager and Intune

Yesterday it was announced, and today it is available: a new Microsoft Intune extension for Configuration Manager 2012 R2. The extension lets you set up conditional access for customers that use Exchange Online, so you can restrict Exchange ActiveSync access to users whose devices are enrolled in Intune and compliant with your compliance policy.

Let’s see how this works together with Exchange Online.

The first step is to enable and install the Conditional Access Extension in the Configuration Manager Console.

Enable the new extension

After enabling and installing the extension, two new nodes are added to the Configuration Manager 2012 R2 console: Compliance Policies and Conditional Access.

New nodes in the console

After enabling the extension you are able to create and deploy a compliance policy, which is supported on the following mobile device platforms:

  • Windows 8.1 and later
  • Windows Phone 8.1 and later
  • iOS 6.0 and later
  • Android 4.0 and later

Depending on the device type you can configure the following rules. Some of them can be remediated on the device itself, while others cause the device to be placed in quarantine; either way the rule must be satisfied before access to Exchange Online is permitted:

Windows 8.1 and later:

  • PIN or password configuration: can be remediated

Windows Phone 8.1 and later:

  • PIN or password configuration: can be remediated
  • Device encryption: can be remediated

iOS 6.0 and later:

  • PIN or password configuration: can be remediated
  • Device encryption: remediated by setting a PIN (iOS turns on device encryption once a passcode is set)
  • Jailbroken device: placed in quarantine
  • Email profile must be managed via Intune; if not, the device is placed in quarantine

Android 4.0 and later:

  • Missing PIN or password: device is placed in quarantine
  • Missing device encryption: device is placed in quarantine
  • Rooted (jailbroken) device: placed in quarantine

Let’s see how to configure a conditional access policy and deploy it to a device that is managed by Configuration Manager 2012 R2 connected to Microsoft Intune. First we need to create a compliance policy for this demo.

First, give the compliance policy a name.

Select the supported platforms, in this case iOS 8 on an iPad.

Next, configure the compliance settings for the device. The device must meet these settings before access to Exchange Online is granted.

You can add the managed email profile, so that devices are checked for whether this profile is installed and whether it is managed by Intune.

Next, review the settings and click Next to create the policy.

After the compliance policy is created, deploy it to a collection via Configuration Manager.

The next step is to set up conditional access in Microsoft Intune, so log on to the Intune admin console as a tenant administrator.

Enable "Block mail apps from accessing Exchange Online if the device is not compliant" and configure the (synced Active Directory) security groups that the conditional access policy targets.

Also configure the exempted groups: users in these groups are allowed to access Exchange Online even when their device is not compliant.

Device side

A quick look at the iPad that received the Compliance Policy.

Hey, there is already a non-managed email profile on the device. You need to remove it! 🙂

A passcode must be configured; this is mandatory, and the user has 60 minutes to set it.

No, you cannot use 123456 😉

And of course, when the device is not enrolled or not compliant, you will not be able to synchronize your email!

The device is not compliant: enroll the device to get it managed.

Microsoft Intune side

Looking back at Microsoft Intune, you see that three Exchange devices have been placed in quarantine.

When you select one of the quarantined devices you see why it is in quarantine. The device called peter_iPad_1 is in quarantine because the device is not managed by Microsoft Intune.

After the device is compliant you see that it is no longer in quarantine. Access is granted and managed by Microsoft Intune.
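The quarantine state shown in the Intune console is what Exchange Online itself reports for the ActiveSync device partnership, so you can verify the result from the Exchange side as well. The script below is an added example and not part of the original post or of the Intune extension: it connects to Exchange Online remote PowerShell, shows the organization-wide default access level, and then lists every ActiveSync device with its access state and the reason Exchange gives for it. The credential prompt, the classic remote PowerShell endpoint and the `-eq 'Quarantined'` filter are assumptions for this demo; adjust them to your tenant.

```powershell
# Added example (not from the original post): list Exchange ActiveSync devices
# with their access state so you can confirm what conditional access did on the
# Exchange Online side. Assumes an account that can run Exchange Online remote
# PowerShell; the endpoint and credential handling below are assumptions for
# this demo environment.

# Connect to Exchange Online (classic remote PowerShell endpoint)
$cred    = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# Organization-wide default for unknown devices: Allow, Block or Quarantine
Get-ActiveSyncOrganizationSettings |
    Select-Object DefaultAccessLevel, AdminMailRecipients

# Per-device state. DeviceAccessState is Allowed / Blocked / Quarantined /
# DeviceDiscovery; DeviceAccessStateReason says which rule produced it
# (Global, Individual, DeviceRule, Policy, ...).
$devices = Get-MobileDevice -ResultSize Unlimited | ForEach-Object {
    $stats = $_ | Get-MobileDeviceStatistics
    [pscustomobject]@{
        User        = $_.UserDisplayName
        DeviceId    = $_.DeviceId
        DeviceType  = $_.DeviceType
        Model       = $_.DeviceModel
        AccessState = $_.DeviceAccessState
        Reason      = $_.DeviceAccessStateReason
        LastSync    = $stats.LastSuccessSync
    }
}

# Only the quarantined devices, most recent sync attempt first. For the iPad in
# this post you would expect Reason to reflect that no individual allow entry
# exists for it until Intune marks the device as compliant.
$devices | Where-Object AccessState -eq 'Quarantined' |
    Sort-Object LastSync -Descending |
    Format-Table User, DeviceType, Model, Reason, LastSync -AutoSize

Remove-PSSession $session
```

Run this before and after the device becomes compliant: the iPad should move from `Quarantined` to `Allowed`, and an `Individual` reason tells you the change came from a per-mailbox allow entry rather than from the organization default, which is the behaviour the screenshots in the Intune console describe.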

Till next time!
