Intune in Kombination mit EAS

%3CLINGO-SUB%20id%3D%22lingo-sub-1073730%22%20slang%3D%22de-DE%22%3EIntune%20in%20combination%20with%20EAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1073730%22%20slang%3D%22de-DE%22%3E%3CP%3EHello%20together%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esometimes%20a%20short%20question%20maybe%20someone%20has%20already%20implemented%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20Intune%20we%20want%20to%20provide%20users%20with%20an%20EAS%20account%20(exchange%20on%20premise)%2C%20which%20also%20works%20so%20far.%3C%2FP%3E%3CP%3EHowever%2C%20there%20is%20a%20requirement%20that%20the%20user%20is%20not%20allowed%20to%20set%20up%20any%20more%20mail%20accounts%20or%20an%20Apple%20ID.%20With%20the%20device%20restriction%20(block%20account%20change)%20this%20also%20works%2C%20but%20then%20also%20the%20impact%20is%20that%20the%20user%20in%20the%20work%20account%20cannot%20enter%20his%20Windows%20password%20(Exchange%20password)%20because%20he%20does%20not%20get%20into%20the%20settings.%20In%20the%20past%2C%20there%20was%20a%20pop-up%20in%20iOS%20if%20you%20had%20a%20mail%20account%20where%20the%20password%20was%20missing%20or%20incorrect.%3C%2FP%3E%3CP%3EDoes%20anyone%20have%20an%20idea%20how%20to%20implement%20the%20whole%20thing%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1073730%22%20slang%3D%22de-DE%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1081465%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20in%20Kombination%20mit%20EAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1081465%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F493673%22%20target%3D%22_blank%22%3E%40BenjaminHemmerich%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ehow%20are%20you%20pushing%20the%20EAS%20profile%3F%20I%20assume%20with%20an%20device%20configuration%20profile%2C%20is%20that%20correct%3F%20If%20so%2C%20the%20option%20%22Account%20modification%22%20set%20to%20block%20should%20be%20sufficient%20for%20your%20use-case.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20a%20user%20enrolls%20its%20device%20in%20Intune%20and%20opens%20the%20e.g.%20iOS%20Settings%2C%20a%20pop-up%20appears%20where%20the%20user%20is%20required%20to%20type%20in%20his%2Fher%20exchange%20password.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20this%20%22Account%20modification%22%20setting%20only%20applies%20to%20settings%26nbsp%3B%3CSPAN%3Eaccessible%20from%20the%20iOS%20settings%20app%2C%20such%20as%20Mail%2C%20Contacts%2C%20Calendar%2C%20Twitter%2C%20and%20more.%20This%20does%20not%20include%20apps%20such%20as%20Microsoft%20Outlook.%20This%20means%20users%20will%20still%20be%20able%20to%20add%20accounts%20in%20the%20Outlook%20app.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20am%20not%20sure%20if%20you%20can%20restrict%20adding%20new%20accounts%20for%20apps%20not%20supported%20by%20%22Account%20modification%22%20by%20using%20and%20creating%20app%20configuration%20policies%20for%20each%20of%20your%20targeted%20apps.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSTRONG%3EEdit%3C%2FSTRONG%3E%3A%20for%20Android%20devices%20I%20found%20this%20%22%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fconfiguration%2Fdevice-restrictions-android-for-work%23work-profile-only%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EAdd%20or%20remove%20account%3C%2FA%3E%22%20option.%20This%20option%20is%20available%20for%20Android%20Enterprise%20device%20configuration%20profiles.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20hope%20my%20input%20helps%20you.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EBest%20regards%2C%3C%2FP%3E%3CP%3ELabinot%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

Hallo zusammen,

 

mal eine kurze Frage vielleicht hat das ja schon mal jemand umgesetzt.

 

Wir wollen mit Intune den Usern eine EAS Konto (exchange on premise) zur Verfügung stellen was auch soweit funktioniert.

Jedoch gibt es die Anforderung das der User keine weiteren Mail Konten bzw sich eine Apple ID einrichten darf. Mit der Geräteeinschränkung ( Kontoänderung blockieren) funktioniert das auch jedoch ist dann der Impact das der User im geschäftlichen Konto sein Windows Passwort (Exchange Kennwort) nicht eingeben kann, da er nicht in die Einstellungen kommt. Früher gab es im iOS mal ein PopUp wenn man ein Mail Konto hatte in dem das Passwort fehlt oder falsch war.

Hat jemand eine Idee wie man das ganze umsetzen kann?

 

Danke

1 Reply

Hi @BenjaminHemmerich 

 

how are you pushing the EAS profile? I assume with an device configuration profile, is that correct? If so, the option "Account modification" set to block should be sufficient for your use-case. 

 

After a user enrolls its device in Intune and opens the e.g. iOS Settings, a pop-up appears where the user is required to type in his/her exchange password. 

 

However, this "Account modification" setting only applies to settings accessible from the iOS settings app, such as Mail, Contacts, Calendar, Twitter, and more. This does not include apps such as Microsoft Outlook. This means users will still be able to add accounts in the Outlook app. 

 

I am not sure if you can restrict adding new accounts for apps not supported by "Account modification" by using and creating app configuration policies for each of your targeted apps. 

 

Edit: for Android devices I found this "Add or remove account" option. This option is available for Android Enterprise device configuration profiles.

 

I hope my input helps you. 

Best regards,

Labinot