Microsoft Intune Conditional Access was first released in December 2014. It is particularly cool. Now we can fight Shadow IT and block access to corporate resources from un-managed devices. Many enhancements have been made to the service since.
Have a look at the following TechNet library document:
Control access to Exchange and Office 365 with conditional access in Microsoft Intune
Use Conditional access in Microsoft Intune to secure email and other services depending on conditions you specify.
When devices do not meet the conditions, the user is guided though the process of enrolling the device and fixing the issue that is preventing the device from being compliant.
To implement conditional access, you configure two policy types in Intune:
- Compliance policies are optionally deployed to users and devices to define the rules and settings that the device must comply with in order to be allowed access to services. These rules include passcode, encryption, whether the device is jailbroken or rooted, and whether email on the device is managed by a Intune policy. If a compliance policy is not deployed, then the conditional access policy will treat the device as compliant.
- Conditional access policies are configured for a particular service, and define rules such as which Azure Active Directory security groups or Intune groups will be targeted and how devices that cannot enroll with Intune will be managed.
The currently supported scenarios are:
- Exchange On-Premise (Exchange 2010 and later)
- Exchange Online
- SharePoint Online
- Exchange Online (very recent)
In this blog I have concentrated on configuring an Exchange On-premise conditional access solution (because I don't have Exchange or SharePoint Online labs). I will demonstrate how to carry out the following:
- Install the Microsoft Intune Exchange Connector
- Create an Exchange On-premises policy
- User testing and experience
See here for more information
Set up mobile device management using Exchange ActiveSync in Microsoft Intune
1. Microsoft Intune Exchange Connector
If your instance of Exchange Server is on-premises, you must download, install, and set up the Microsoft Intune On-Premises Connector on a computer in your infrastructure.
See here for the requirements:
Requirements for the On-Premises Connector
You must create an Active Directory user account that is used by the Intune Exchange Connector. The account must have permission to run the following required Exchange PowerShell cmdlets:
- Get-ActiveSyncOrganizationSettings, Set-ActiveSyncOrganizationSettings
- Get-CasMailbox, Set-CasMailbox
- Get-ActiveSyncMailboxPolicy, Set-ActiveSyncMailboxPolicy, New-ActiveSyncMailboxPolicy, Remove-ActiveSyncMailboxPolicy
- Get-ActiveSyncDeviceAccessRule, Set-ActiveSyncDeviceAccessRule, New-ActiveSyncDeviceAccessRule, Remove-ActiveSyncDeviceAccessRule
- Clear-ActiveSyncDevice, Remove-ActiveSyncDevice
I assigned my account way more permissions than I needed (OK in a lab, not so clever in production).
Navigate to Administration > Microsoft Exchange > Set Up Exchange Connection. Select to "Download On-Premises Connector".
See the Connector executable and Intune certificate files. Note that these two files must be present in the installation folder.
Double click Exchange_Connector_Setup to launch the Microsoft Intune Exchange Connector Setup Wizard". Click Next to continue.
Review the terms and click Next to Install.
The Connector installs.
The setup has completed. Click Finish to start the Connector.
Welcome to the "Microsoft Intune Exchange Connector". Enter the required details:
- Exchange Client Access Server name
- Domain account that you created earlier
- Optional email address
The connection is being created.
The connection has been created. We are told where we can see the synchronization status.
Note that you can update the connector details if you need to. I have added an email address here.
Back in the Intune Portal we can see that the connection has been created but the initial sync has not been run. Click "Run Full Sync" to kick that off.
Synchronization is in progress.
After synchronization has been completed we can run a Mobile Device Inventory Report. This will tell us the bad news. Which of my devices are un-managed but are still accessing Exchange? We need to contact these users to make arrangements for enrolling these devices. Once we apply a conditional access policy these users will lose access to email.
2. Create an Exchange On-premises policy
It's very easy to create the Conditional Access policy. Navigate to Policy > Conditional Access > Exchange On-premises Policy.
Check the box "Block email apps from accessing Exchange On-premises if the device is non-compliant or not enrolled".
Select the Targeted Groups (in other words the groups that should receive the policy). In my lab I chose "All Users".
Select the Exempted Groups. The policy will not apply to these users. If a user is in both targeted and exempted groups the policy will not apply. I have chosen a group "Excluded from Conditional Access".
The default rule should be "Allow the devices to access Exchange".
See that you can customise the User Notification". Save the policy.
See that I have allowed only Mike and Pat to be exempt from the policy (as they are VIPs and have to be treated differently).
3. User testing and experience
I am testing on an un-managed Android device. Remember we have allowed Pat to be exempt from the Conditional Access Policy. Therefore he should be allowed to connect to Exchange........
.....and he can.
Good for Pat.
Gerry is not so lucky. He is not a VIP so the policy will apply.
He cannot connect to Exchange.
He actually receives an email to his mailbox explaining the situation and telling him that he is trying to access Exchange with an un-managed device. Perfect.
Gerry then installs the Intune Company Portal and enrolls the device.........
.....and finally can access his email.