By
Published
Sep 08 2018 07:41 AM
5,594
Views
First published on CloudBlogs on Oct 29, 2015
This following is an update of an existing blog post that discusses the new quarantine experience that shipped in September 2015 for Intune Standalone and October 2015 for System Center Configuration Manager (hybrid) . The article below was authored by Murali Krishna Hosabettu Kamalesha who is a Program Manager with our Intune group. ===== Microsoft Intune allows organizations to conditionally block access to corporate resources on devices that are not protected by Intune. Intune now supports conditional access for on-premises Microsoft Exchange Server. In this post we focus on how to set up conditional access policies using Intune and walk through the end user experience once they have been blocked from email. Requirements for conditional access can be found in our TechNet documentation about enabling access to company resources .
Once the report is generated by Microsoft Intune, the Report Viewer will open in a new window. From here, you will need to examine the following 4 columns to determine whether or not a user will be blocked. More information about what each of these columns mean is provided below:
To re-iterate, once you enable conditional access, devices in a Target group for which the columns have the above values are allowed to access Exchange. All other devices in that Target group will be blocked from accessing Exchange.
You may wish to reach out to the users of those devices before enforcing conditional access. To easily retrieve each user’s email address, you can export this report to Microsoft Excel via the
Export
link and filter the list to only those rows with the column values as described above. You can then retrieve the email addresses from the
Email Address
column.
TIP
Microsoft Office has a neat feature called “Mail Merge” which lets you easily send e-mails to users by importing names, addresses, and other information directly from your Excel spreadsheet into your email message. Check out
this article
on how to do this.
Below is more information about what each of these 4 columns mean.
Management Channel
The value in this column determines whether a device is managed by Microsoft Intune:
3. [Optional] Define advanced Exchange ActiveSync settings
These settings are global Exchange settings that allow you to allow, block, or quarantine devices based on platform, as well as set a global Exchange default rule. Advanced Exchange ActiveSync settings can be used in conjunction with conditional access settings. Examples of this configuration can be found in the “Configuration Examples” section below.
4. Set the notification users receive once their device is blocked due to conditional access policy.
When a user’s device is blocked due to conditional access policy, they will need to follow a series of steps to enroll their device and unblock access to email on that device. Intune will send an email containing enrollment instructions to the user’s mailbox before the device is blocked.
This email is preconfigured in Microsoft Intune and can be altered to suit your company’s needs. The “End User Experience” section below has more information about this workflow. This email message can be configured in the
User Notification
section in the
Intune admin console
as shown below.
NOTE
In addition to the email sent by Intune, Exchange will also always send a notification to the user's mailbox once the device is blocked. See the “End user experience” section for the format of this email message.
NOTE
Because these email messages are sent to the user’s mailbox (as opposed to a specific device) they will be available on all email clients that the user has access to, for example, via the web browser or on other devices that the user owns.
5. Monitor the status of blocked devices
After conditional access policy is enforced, you can monitor the status of blocked devices using the
Mobile Device Inventory
report discussed in step 2, as well as the
Blocked devices from Exchange
tile on the Microsoft Intune dashboard.
Once these 5 steps are used in conjunction with one another, the conditional access policy is defined. This allows for different types of conditional access configurations, depending on your organization’s needs. Below are some configuration examples.
Configuration Examples
NOTE
In the following sections the term “Intune protected” is used. An Intune protected device is one that satisfies all of the requirements described in
“Step 2 - Identify users who will be impacted by conditional access policy”
section above.
1. Basic Configuration
A basic conditional access configuration simply blocks devices that are not protected by Microsoft Intune. In this configuration, no advanced Exchange ActiveSync settings are set.
2. Advanced Configuration
If your organization chooses to setup the advanced Exchange ActiveSync settings, a more complex configuration is possible. This allows flexibility for conditional access policies depending on the nature of your organization.
Some example configurations follow.
Example 1: Require enrollment to Intune, and only allow certain platforms
A strict organization may wish to only allow certain platforms, and block all others. For example, Contoso is an iOS-only organization, which wants to make sure that all iOS devices accessing company resources are protected by Microsoft Intune. To accomplish this, they specifically
allow
iOS devices, and
block
all other devices by default. This means all device types besides iOS (including device types not supported for management by Microsoft Intune) will be blocked. iOS devices will still need to be protected by Microsoft Intune to gain access to Contoso’s Exchange resources.
In summary:
Example 2: Require enrollment to Intune, but always block certain platforms
A more lenient organization than in example 1 may wish to only block certain platforms, and allow all others (while still ensuring they’re protected by Microsoft Intune). For example, Contoso is an organization that wants to block Android devices, and make sure that all other devices accessing company resources are protected by Microsoft Intune. To accomplish this, they specifically
block
Android devices, and
allow
all other devices by default. This means all device types besides Android (including device types not supported for management by Microsoft Intune) will be allowed, once managed.
In summary:
Enrollment and compliance checks within the new Company portal app
The company portal app has been updated to provide a new enrollment and compliance check experience. Clicking on the “Get Started Now” link in the quarantine email launches the company portal app. The app walks the user through the enrollment and compliance check process. Below are screenshots showing enrollment/ compliance checks.
Enrollment
Compliance check and remediation
Exchange quarantine notification
Exchange will also send a notification to the mailbox once the device is blocked. The following is an example of the experience on Android.
TechNet Documentation Update
As part of the recent update to Microsoft Intune, a series of new technical articles are now available on TechNet, including documentation on these new conditional access capabilities. Visit the
What’s New
section of the
Documentation Library for Microsoft Intune
to see all of the articles that have been recently published. You can read more about conditional access in the
enable access to company resources
section.
Watch Conditional Access Webinar
Also, make sure to
register to watch
our recent webinar on this topic. This 30-minute webinar provides more information on these new conditional access capabilities and includes a demo of both the end user and IT experiences. We also spent time answering some great attendee questions. Register
here
to view a recording of this webinar and don’t forget to check out the rest of our
Enterprise Mobility Suite webinar series
.
Watch Demo Video on Conditional Access to Email
Additionally, you can watch a demo video on conditional access to email
here
.
I hope that you’ve found this blog post useful. Please bookmark this blog and check back often as we plan to post new content regularly! Also, if you’re not yet using Intune,
sign up
for a free 30-day trial today!
Murali Krishna Hosabettu Kamalesha | Program Manager | Microsoft
Get the latest System Center news on
Facebook
and
Twitter
:
This following is an update of an existing blog post that discusses the new quarantine experience that shipped in September 2015 for Intune Standalone and October 2015 for System Center Configuration Manager (hybrid) . The article below was authored by Murali Krishna Hosabettu Kamalesha who is a Program Manager with our Intune group. ===== Microsoft Intune allows organizations to conditionally block access to corporate resources on devices that are not protected by Intune. Intune now supports conditional access for on-premises Microsoft Exchange Server. In this post we focus on how to set up conditional access policies using Intune and walk through the end user experience once they have been blocked from email. Requirements for conditional access can be found in our TechNet documentation about enabling access to company resources .
The Intune Admin Experience
Step 1: Install and set up the latest Microsoft Intune On-Premises Exchange Connector The Exchange Connector is required to enforce conditional access to your Exchange resources. Instructions to set up the Exchange Connector can be found here . NOTE It is important that you have the latest version of the Exchange Connector installed. Download and installation instructions for the Exchange Connector can be found in the TechNet article linked to above. Step 2: Identify users who will be impacted by conditional access policy The next step is to identify users who will be impacted by the conditional access policy that you plan to deploy so that you can notify them in advance. Here is how you can identify such users: Once the Exchange Connector is successfully configured, it will begin to inventory those devices which are not yet enrolled to Microsoft Intune, but are connecting to your organization’s Exchange resources using Exchange Active Sync. To begin the mobile device inventory report, navigate to Reports -> Mobile Device Inventory Reports . From here, you can select the device groups for which you plan to roll out the conditional access policy, as well as filter by OS status. Once you’ve decided on the criteria that meets your organization’s needs, select View Report .
Once the report is generated by Microsoft Intune, the Report Viewer will open in a new window. From here, you will need to examine the following 4 columns to determine whether or not a user will be blocked. More information about what each of these columns mean is provided below:
- Management Channel
- AAD Registered
- Compliant
- Exchange ActiveSync ID
| Can device access Exchange? | Management Channel | AAD Registered | Compliant | Exchange ActiveSync ID |
| Yes (Un-blocked) | Managed by Microsoft Intune and Exchange Active Sync | Yes | Yes | Has a value |
| No (Blocked) | Anything else | No | No | Doesn’t have a value |
- Managed by Exchange ActiveSync means a device is accessing Exchange, but is not yet enrolled into Microsoft Intune
- Managed by Microsoft Intune means a device is enrolled into Microsoft Intune, but not yet accessing Exchange
- Managed by Microsoft Intune and Exchange ActiveSync means a device is both enrolled into Microsoft Intune and could potentially access Exchange if the other two criteria (AAD Registered and Compliant status) are met.
3. [Optional] Define advanced Exchange ActiveSync settings
These settings are global Exchange settings that allow you to allow, block, or quarantine devices based on platform, as well as set a global Exchange default rule. Advanced Exchange ActiveSync settings can be used in conjunction with conditional access settings. Examples of this configuration can be found in the “Configuration Examples” section below.
4. Set the notification users receive once their device is blocked due to conditional access policy.
When a user’s device is blocked due to conditional access policy, they will need to follow a series of steps to enroll their device and unblock access to email on that device. Intune will send an email containing enrollment instructions to the user’s mailbox before the device is blocked.
This email is preconfigured in Microsoft Intune and can be altered to suit your company’s needs. The “End User Experience” section below has more information about this workflow. This email message can be configured in the
User Notification
section in the
Intune admin console
as shown below.
NOTE
In addition to the email sent by Intune, Exchange will also always send a notification to the user's mailbox once the device is blocked. See the “End user experience” section for the format of this email message.
NOTE
Because these email messages are sent to the user’s mailbox (as opposed to a specific device) they will be available on all email clients that the user has access to, for example, via the web browser or on other devices that the user owns.
5. Monitor the status of blocked devices
After conditional access policy is enforced, you can monitor the status of blocked devices using the
Mobile Device Inventory
report discussed in step 2, as well as the
Blocked devices from Exchange
tile on the Microsoft Intune dashboard.
Once these 5 steps are used in conjunction with one another, the conditional access policy is defined. This allows for different types of conditional access configurations, depending on your organization’s needs. Below are some configuration examples.
Configuration Examples
NOTE
In the following sections the term “Intune protected” is used. An Intune protected device is one that satisfies all of the requirements described in
“Step 2 - Identify users who will be impacted by conditional access policy”
section above.
1. Basic Configuration
A basic conditional access configuration simply blocks devices that are not protected by Microsoft Intune. In this configuration, no advanced Exchange ActiveSync settings are set.
2. Advanced Configuration
If your organization chooses to setup the advanced Exchange ActiveSync settings, a more complex configuration is possible. This allows flexibility for conditional access policies depending on the nature of your organization.
Some example configurations follow.
Example 1: Require enrollment to Intune, and only allow certain platforms
A strict organization may wish to only allow certain platforms, and block all others. For example, Contoso is an iOS-only organization, which wants to make sure that all iOS devices accessing company resources are protected by Microsoft Intune. To accomplish this, they specifically
allow
iOS devices, and
block
all other devices by default. This means all device types besides iOS (including device types not supported for management by Microsoft Intune) will be blocked. iOS devices will still need to be protected by Microsoft Intune to gain access to Contoso’s Exchange resources.
In summary:
- Only Intune protected iOS devices should have access
- Block all other devices by default
- Unsupported devices should not have access
Example 2: Require enrollment to Intune, but always block certain platforms
A more lenient organization than in example 1 may wish to only block certain platforms, and allow all others (while still ensuring they’re protected by Microsoft Intune). For example, Contoso is an organization that wants to block Android devices, and make sure that all other devices accessing company resources are protected by Microsoft Intune. To accomplish this, they specifically
block
Android devices, and
allow
all other devices by default. This means all device types besides Android (including device types not supported for management by Microsoft Intune) will be allowed, once managed.
In summary:
- All device types require enrollment to Microsoft Intune to have access
- Android devices should always be blocked
- Unsupported devices should have access
The End User Experience
Once conditional access is enforced, devices in the target group are blocked and the EAS clients on those devices are rejected from communicating with the Exchange server to send or receive emails. Users who open EAS email clients on these devices see a “Quarantine email message” in their mailbox informing them that their device has been blocked along with instructions to unblock their device. Starting October 2015, we are updating the quarantine experience to be simpler and easier to follow for end users. Below are screenshots of the enrollment experience. NOTE If you use System Center Configuration Manager for your conditional access deployment, then you will need to install a hotfix on top of System Center 2012 Configuration Manager Service Pack 2 and Cumulative Update 1. More details about the hotfix can be found here . The new quarantine email Below is a screenshot of the new quarantine email. It consists of a single link through which users can kick of the enrollment process.
Enrollment and compliance checks within the new Company portal app
The company portal app has been updated to provide a new enrollment and compliance check experience. Clicking on the “Get Started Now” link in the quarantine email launches the company portal app. The app walks the user through the enrollment and compliance check process. Below are screenshots showing enrollment/ compliance checks.
Enrollment
Compliance check and remediation
Exchange quarantine notification
Exchange will also send a notification to the mailbox once the device is blocked. The following is an example of the experience on Android.
TechNet Documentation Update
As part of the recent update to Microsoft Intune, a series of new technical articles are now available on TechNet, including documentation on these new conditional access capabilities. Visit the
What’s New
section of the
Documentation Library for Microsoft Intune
to see all of the articles that have been recently published. You can read more about conditional access in the
enable access to company resources
section.
Watch Conditional Access Webinar
Also, make sure to
register to watch
our recent webinar on this topic. This 30-minute webinar provides more information on these new conditional access capabilities and includes a demo of both the end user and IT experiences. We also spent time answering some great attendee questions. Register
here
to view a recording of this webinar and don’t forget to check out the rest of our
Enterprise Mobility Suite webinar series
.
Watch Demo Video on Conditional Access to Email
Additionally, you can watch a demo video on conditional access to email
here
.
I hope that you’ve found this blog post useful. Please bookmark this blog and check back often as we plan to post new content regularly! Also, if you’re not yet using Intune,
sign up
for a free 30-day trial today!
Murali Krishna Hosabettu Kamalesha | Program Manager | Microsoft
Get the latest System Center news on
Facebook
and
Twitter
: