Protect Company Data and Emails on Mobile Devices with Intune




More and more, companies are allowing employees to increase their productivity by accessing email, documents, and company resources through their mobile devices. However, the amount of confidential data that is stored within corporate emails and documents presents a significant security risk for companies.

You can use conditional access in Intune to help secure email and email data depending on the conditions you specify. Conditional access lets you manage access to Microsoft Exchange on-premises and Exchange Online.

Introduction

Protecting your company's data is vitally important, and is an increasingly challenging task as more employees are using their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data is protected even when those mobile devices are not within the company’s physical location.

The Microsoft Enterprise Mobility Suite (EMS) solves this challenge by delivering comprehensive protection of corporate email and documents across four layers – Identity, Device, Application, and Data. Among other capabilities, EMS ensures that employees can access corporate email only from devices that are managed by Microsoft Intune and compliant with IT policies.

You can implement conditional access by configuring two policy types in Intune:

- Compliance policies are optional policies you can deploy to users and devices and evaluate settings like passcode and encryption. The conditional access policies set in Intune ensure that the devices can only access email if they are compliant with the compliance policies you set. If no compliance policy is deployed to a device, then any applicable conditional access policies will treat the device as compliant.
- Conditional access policies are configured for a particular service, and define rules such as which Azure Active Directory security user groups or Intune user groups will be targeted and how devices that cannot enroll with Intune will be managed.

Note: Intune groups are not security groups. Rather, they are a collection of users that you can create by using the Intune admin console.

Unlike other Intune policies, you do not deploy conditional access policies. Instead, you configure these once, and they apply to all targeted users.

When devices do not meet the conditions you configure, the user is guided through the process of enrolling the device and/or fixing the issue that prevents the device from being compliant.

Evaluating your desired implementation

With all of the different design and configuration options for managing mobile devices, it’s difficult to determine which combination will best meet the needs of your company. The Mobile Device Management Design Considerations Guide helps you understand mobile device management design requirements and details a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs for your company.

High level end-user experience

After the solution is implemented, end-users will be able to access the company email only on managed and compliant devices. Access can be revoked at any time if the device becomes noncompliant. Specifically, the conditional access policies set in Intune ensure that the devices can only access email if they are compliant with the compliance policies you set. Actions such as copy and paste or saving to personal cloud storage services can be restricted using mobile application management policies. The Azure Rights Management service can be used to ensure that sensitive email data, and forwarded attachments, can only be read by the intended recipients. The end-user experience is described in more detail in the End-user Experience section, later in this article.

Using conditional access with Intune

Use conditional access in Microsoft Intune to help secure email and other services depending on conditions you specify.

Prerequisites

You can control access to Exchange Online and Exchange on-premises from the following mail apps:

- The built-in app for Android 4.0 and later, Samsung Knox 4.0 Standard and later
- The built-in app for iOS 7.1 and later
- The built-in app for Windows Phone 8.1 and later
- The mail application on Windows 8.1 and later
- The Microsoft Outlook app for Android and iOS (for Exchange Online only)

Before you start using conditional access, ensure that you have the correct requirements in place:

For Exchange Server on-premises

Conditional access to Exchange on-premises supports:

- Windows 8 and later (when enrolled with Intune)
- Windows Phone 8 and later
- Any iOS device that uses an Exchange ActiveSync (EAS) email client
- Android 4 and later

Additionally:

- Your Exchange version must be Exchange 2010 or later. Exchange Server Client Access Server (CAS) configuration is supported.
- If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector to point to any one of the CAS servers.
- Exchange ActiveSync can be configured with certificate-based authentication, or user credential entry.
- You must use the on-premises Exchange connector, which connects Intune to Microsoft Exchange Server on-premises. This lets you manage devices through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune).
- Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector available to you in the Intune console is specific to your Intune tenant and cannot be used with any other tenant.
- You should also ensure that the Exchange connector for your tenant is installed on exactly one machine and not on multiple machines. If you have a CAS server environment that includes a mix of machines running both Exchange Server 2010 and 2013, you must configure the Exchange connector to point to the 2013 CAS server.

For Exchange Online

Conditional access to Exchange Online supports devices that run:

- Windows 8.1 and later (when enrolled with Intune)
- Windows 7.0 or later (when domain joined)
- Windows Phone 8.1 and later
- iOS 7.1 and later
- Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally:

- Devices must be registered with the Azure Active Directory Device Registration Service (AAD DRS). AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.
- You must use an Office 365 subscription that includes Exchange Online (such as E3), and users must be licensed for Exchange Online.
- The optional Microsoft Intune Service to Service Connector connects Intune to Microsoft Exchange Online and helps you manage device information through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune). You do not need to use the connector to use compliance policies or conditional access policies, but it is required to run reports that help evaluate the impact of conditional access.

Tip: If you configure the connector, some Exchange ActiveSync policies from Intune might be visible in the Office console but are not set as default policies and do not affect devices.

Important: Do not configure the Service to Service Connector if you intend to use conditional access for both Exchange Online and Exchange on-premises.

Deployment Steps for using Exchange on-premises with Intune

Step 1: Install and configure the Microsoft Intune on-premises Exchange Server connector

This step will help you configure your on-premises infrastructure with Exchange on-premises.

Note: You can only set up one Exchange connection per Intune account. If you try to configure an additional connection, it will replace the original connection with the new one.

Requirements

To prepare to connect Intune to your Exchange Server, you must first fulfill the following requirements. You may have already fulfilled these requirements when you set up Intune.

| Requirement | More information |
| --- | --- |
| Set the Mobile Device Management Authority to Intune | Set mobile device management authority as Microsoft Intune |
| Verify you have hardware requirements for the on-premises connector | Requirements for the On-Premises Connector |
| Configure a user account with permission to run the designated list of Windows PowerShell cmdlets | PowerShell Cmdlets for On-Premises Exchange Connector (see below) |

PowerShell Cmdlets for On-Premises Exchange Connector: You must create an Active Directory user account that is used by the Intune Exchange Connector. The account must have permission to run the following Exchange Server cmdlets:

- Clear-ActiveSyncDevice
- Get-ActiveSyncDevice
- Get-ActiveSyncDeviceAccessRule
- Get-ActiveSyncDeviceStatistics
- Get-ActiveSyncMailboxPolicy
- Get-ActiveSyncOrganizationSettings
- Get-ExchangeServer
- Get-Recipient
- Set-ADServerSettings
- Set-ActiveSyncDeviceAccessRule
- Set-ActiveSyncMailboxPolicy
- Set-CASMailbox
- New-ActiveSyncDeviceAccessRule
- New-ActiveSyncMailboxPolicy
- Remove-ActiveSyncDevice
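As an added check (not part of the Intune documentation), the following PowerShell function verifies that the connector service account can run every cmdlet listed above. It relies on the fact that Exchange RBAC builds a remote PowerShell session only from the cmdlets the connecting account is permitted to run; the Client Access server name and account name are placeholders.

```powershell
# Added example, not part of the Intune documentation.
# Verifies that the account used by the on-premises Exchange connector can run each
# required cmdlet. Exchange builds the remote PowerShell session from the caller's
# RBAC role assignments, so any cmdlet the account may not run is simply absent.
# Server and account names below are placeholders.

$RequiredCmdlets = @(
    'Clear-ActiveSyncDevice'
    'Get-ActiveSyncDevice'
    'Get-ActiveSyncDeviceAccessRule'
    'Get-ActiveSyncDeviceStatistics'
    'Get-ActiveSyncMailboxPolicy'
    'Get-ActiveSyncOrganizationSettings'
    'Get-ExchangeServer'
    'Get-Recipient'
    'Set-ADServerSettings'
    'Set-ActiveSyncDeviceAccessRule'
    'Set-ActiveSyncMailboxPolicy'
    'Set-CASMailbox'
    'New-ActiveSyncDeviceAccessRule'
    'New-ActiveSyncMailboxPolicy'
    'Remove-ActiveSyncDevice'
)

function Test-ConnectorAccountCmdlets {
    param(
        # FQDN of a Client Access server (placeholder value in the usage below).
        [Parameter(Mandatory)] [string] $CasServerFqdn,
        # Credential of the connector service account, not of your own admin account:
        # the point is to see what that account, and only that account, can do.
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string[]] $Cmdlets = $RequiredCmdlets
    )

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$CasServerFqdn/PowerShell/" `
        -Authentication Kerberos -Credential $Credential
    try {
        # Import-PSSession returns a temporary module whose exported commands are
        # exactly the cmdlets RBAC granted to the connecting account.
        $module    = Import-PSSession -Session $session -DisableNameChecking -AllowClobber
        $available = @($module.ExportedCommands.Keys)
        $missing   = @($Cmdlets | Where-Object { $_ -notin $available })

        [pscustomobject]@{
            Account    = $Credential.UserName
            Missing    = $missing
            Sufficient = ($missing.Count -eq 0)
        }
    }
    finally {
        Remove-PSSession -Session $session
    }
}

# Usage (placeholders): run before installing the connector, and again whenever the
# account's role group membership changes.
# $cred = Get-Credential -UserName 'CONTOSO\svc-intune-exchange' -Message 'Connector account'
# Test-ConnectorAccountCmdlets -CasServerFqdn 'cas01.contoso.local' -Credential $cred
```

If Sufficient is false, the Missing list names the cmdlets to add to the account's role assignment; a session opened with your own administrator credential would pass trivially and prove nothing about the connector account.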

1. In the Intune administrator console, choose ADMIN.
2. In the navigation pane, under Mobile Device Management, expand Microsoft Exchange and then choose Setup Exchange Connection.
3. Choose Download On-Premises Connector.
4. The On-Premises Connector software is contained in a compressed (.zip) folder that can be opened or saved. In the File Download dialog box, choose Save to store the compressed folder to a secure location.

   Important: Do not rename or move the extracted files or the On-Premises Connector software installation will not succeed.

5. Extract the files in Exchange_Connector_Setup.zip into a secure location.
6. After the files are extracted, double-click Exchange_Connector_Setup.exe to install the On-Premises Connector.

   Important: If the destination folder is not a secure location, you should delete the certificate file WindowsIntune.accountcert after you install the On-Premises Connector.

7. In the Exchange server field of the Microsoft Intune Exchange Connector window, select On-premises Exchange Server.
   - Provide either the server name or fully qualified domain name of the Exchange server that hosts the Client Access server role.
   - Provide the credentials of the account that you configured to run the Exchange Server PowerShell cmdlets.
   - Provide administrative credentials necessary to send notifications to a user’s Exchange mailbox. These notifications are configurable via Conditional Access policies using Intune. For more information on these policies, see Enable access to company resources with Microsoft Intune.
   - Ensure that the Autodiscover service and Exchange Web Services are configured on the Exchange Client Access Server. For more information, see Client Access server.
   - In the Password field, provide the password for this account to enable Intune to access the Exchange Server.
8. Choose Connect.

It may take a few minutes while the connection is set up. During configuration, the Exchange Connector stores your proxy settings to enable access to the Internet. If your proxy settings change, you will have to reconfigure the Exchange Connector in order to apply the updated proxy settings to the Exchange Connector.

After the Exchange Connector sets up the connection, mobile devices associated with users that are managed in Intune are automatically synchronized and added to the Microsoft Intune administrator console. This synchronization may take some time to complete.

To view the status of the connection and the last successful synchronization attempt, in the Microsoft Intune administrator console choose ADMIN, expand Mobile Device Management, and then choose Microsoft Exchange.

Step 2: Create compliance policies and deploy to users

Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.

1. In the Microsoft Intune administration console, choose Policy > Compliance Policies > Add.
2. On the Create Policy page, configure the settings you require:

| Setting name | More information | Supported platforms |
| --- | --- | --- |
| Name | Enter a unique name for the compliance policy. | All |
| Description | Provide a description that gives an overview of the compliance policy. | All |
| Require a password to unlock mobile devices | Require users to enter a password before they can access their device. | Windows Phone 8 and later; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Allow simple passwords | Let users create simple passwords such as ‘1234’ or ‘1111’. | Windows Phone 8 and later; iOS 6 and later |
| Minimum password length (1) | Specifies the minimum number of digits or characters that the user’s password must contain. | Windows Phone 8 and later; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Required password type | Specifies whether users must create an Alphanumeric or a Numeric password. | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later |
| Minimum number of character sets (1) | If Required password type is set to Alphanumeric, this setting specifies the minimum number of character sets that the password must contain. The four character sets are: lowercase letters, uppercase letters, symbols, and numbers. Setting a higher number for this setting will require users to create more complex passwords. For iOS devices, this setting refers to the number of special characters (for example, !, #, &) that must be included in the password. | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later |
| Password quality | Configures password requirements for Android devices. Choose from: Low security biometric; Required; At least numeric; At least alphabetic; At least alphanumeric; Alphanumeric with symbols. | Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Minutes of inactivity before password is required | Specifies the idle time before the user must re-enter their password. | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Password expiration (days) | Select the number of days before the user’s password expires and they must create a new one. | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Remember password history | Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating previously used passwords. | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Prevent reuse of previous passwords | If Remember password history is selected, specify the number of previously used passwords that cannot be re-used. | Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Require a password when the device returns from an idle state | Use this setting together with the Minutes of inactivity before password is required setting. End-users will be prompted to enter a password to access a device that has been inactive for the time specified in that setting. | Windows 10 Mobile |
| Require encryption on mobile device | Requires the device to be encrypted in order to connect to resources. Devices that run Windows Phone 8 are automatically encrypted. Important: Devices that run iOS are encrypted when you configure the setting Require a password to unlock mobile devices. | Windows Phone 8 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Device must not be jailbroken or rooted | If enabled, jailbroken (iOS) or rooted (Android) devices will not be compliant. | iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later |
| Email account must be managed by Intune | When this option is selected, the device will be reported as noncompliant if the user has set up an email account on the device that matches an Intune email profile that was deployed to the device by an IT admin. Intune cannot overwrite the user-provisioned profile, and therefore cannot manage it. To ensure compliance, the user must remove the existing email settings; then Intune can install the managed email profile. For details about email profiles, see Configure access to corporate email using email profiles with Microsoft Intune. | iOS 6 and later |
| Select the email profile that must be managed by Intune | If Email account must be managed by Intune is selected, choose Select to choose the Intune email profile that devices must be managed by. The email profile must be present on the device. | iOS 6 and later |
| Require automatic updates | Select Yes to require automatic updates. | Windows 8.1 and later |
| Require automatic updates – Minimum classification of updates to install automatically | Choose the classification of updates that will be installed automatically: Important (installs all updates classified as important) or Recommended (installs all updates classified as important or recommended). | Windows 8.1 and later |

(1) For devices that run Windows and are secured with a Microsoft Account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than 2.

3. When you are finished, choose Save Policy.

You will be given the option to deploy the policy now, or you can choose to deploy it later. The new policy displays in the Compliance Policies node of the Policy workspace.

To deploy the compliance policy

1. In the Policy workspace, select the policy you want to deploy, then choose Manage Deployment.
2. In the Manage Deployment dialog box, select one or more groups to which you want to deploy the policy, then choose Add > OK.

You can deploy to users and/or devices. Use Active Directory groups that you have already created and synced to Intune, or create these groups manually in the Intune console. For more information, see Use groups to manage users and devices with Microsoft Intune.

Important: Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.

Use the status summary and alerts on the Overview page of the Policy workspace to identify issues with the policy that require your attention. Additionally, a status summary appears in the Dashboard workspace.

Important: If you have not deployed a compliance policy and then enable an Exchange conditional access policy, all targeted devices will be allowed access.

View devices that do not conform to a compliance policy

1. In the Intune administration console, choose Groups > All Devices.
2. Double-click the name of a device in the list of devices.
3. Choose the Policy tab to see a list of the policies for that device.
4. From the Filters drop-down list, select Does not conform to compliance policy.

When conflicts occur due to multiple Intune settings being applied to a device, the following rules apply:

- If the conflicting settings are from an Intune configuration policy and a compliance policy, the settings in the compliance policy take precedence over the settings in the configuration policy, even if the settings in the configuration policy are more secure.
- If you have deployed multiple compliance policies, the most secure of these policies will be used.

Step 3: Identify users who will be impacted by conditional access policy

After the Exchange Server connector is successfully configured, it begins to inventory devices that are not yet enrolled to Intune, but are connecting to your organization’s Exchange resources using Exchange ActiveSync. To view the mobile device inventory report:

1. Navigate to Reports -> Mobile Device Inventory Reports.
2. Select the device groups for which you plan to roll out the conditional access policy, as well as filter by OS status.
3. Once you’ve selected the criteria that meets your organization’s needs, choose View Report. The Report Viewer opens in a new window.

For more information about how to run reports, see Understand Microsoft Intune operations by using reports.

After you run the report, examine these four columns to determine whether a user will be blocked:

- Management Channel – Indicates whether the device is managed by Intune, Exchange ActiveSync, or both.
- AAD Registered – Indicates whether the device is registered with Azure Active Directory (known as Workplace Join).
- Compliant – Indicates whether the device is compliant with any compliance policies you deployed.
- Exchange ActiveSync ID – iOS and Android devices are required to have their Exchange ActiveSync ID associated with the device registration record in Azure Active Directory. This happens when the user selects the Activate Email link in the quarantine email.

Devices that are part of a targeted group will be blocked from accessing Exchange unless the column values match those listed in the following table:

| Management channel | AAD registered | Compliant | Exchange ActiveSync ID | Resulting action |
| --- | --- | --- | --- | --- |
| Managed by Microsoft Intune and Exchange ActiveSync | Yes | Yes | A value is displayed | Email access allowed |
| Any other value | No | No | No value is displayed | Email access blocked |

You can export the contents of the report and use the Email Address column to help you inform users that they will be blocked.
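As an added example (not from the Intune documentation), this PowerShell applies the table above to an exported Mobile Device Inventory report and lists the users who would be blocked, with the failing condition for each. The CSV header names (including a Device Name column) and the sample rows are constructed to match the column names the article uses; adjust the header names to your own export.

```powershell
# Added example, not part of the Intune documentation.
# Applies the access table above to an exported Mobile Device Inventory report:
# a device is allowed only when all four columns match the "allowed" row, so every
# other row is a user to notify before the policy is enabled.
# Column headers and the sample rows below are constructed, not real report data.

$SampleReport = @'
Email Address,Device Name,Management Channel,AAD Registered,Compliant,Exchange ActiveSync ID
alice@contoso.example,iPhone-A,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,6E1A5B3C9D2F
bob@contoso.example,Android-B,Managed by Exchange ActiveSync,No,No,
carol@contoso.example,iPad-C,Managed by Microsoft Intune and Exchange ActiveSync,Yes,No,0F4C2A7B8E91
dave@contoso.example,Android-D,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,
'@

# The only Management Channel value that the table allows.
$AllowedChannel = 'Managed by Microsoft Intune and Exchange ActiveSync'

function Get-UsersToBeBlocked {
    param([Parameter(Mandatory)] [object[]] $Rows)

    foreach ($row in $Rows) {
        # Collect every condition the row fails; an empty list means access is allowed.
        $reasons = @()
        if ($row.'Management Channel' -ne $AllowedChannel) {
            $reasons += 'not managed by both Intune and Exchange ActiveSync'
        }
        if ($row.'AAD Registered' -ne 'Yes') {
            $reasons += 'not registered with Azure AD (Workplace Join)'
        }
        if ($row.'Compliant' -ne 'Yes') {
            $reasons += 'not compliant with the deployed compliance policy'
        }
        if ([string]::IsNullOrWhiteSpace($row.'Exchange ActiveSync ID')) {
            # For iOS and Android this is set when the user selects Activate Email
            # in the quarantine email, so it is a common reason in a first rollout.
            $reasons += 'Exchange ActiveSync ID not linked to the Azure AD device record'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                EmailAddress = $row.'Email Address'
                DeviceName   = $row.'Device Name'
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

# Run against the constructed sample: bob, carol and dave are listed; alice is not.
$rows = $SampleReport | ConvertFrom-Csv
Get-UsersToBeBlocked -Rows $rows | Format-Table -AutoSize

# For a real export, replace the sample with the CSV file saved from the Report Viewer:
# Get-UsersToBeBlocked -Rows (Import-Csv -Path '.\MobileDeviceInventory.csv')
```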

Step 4: Configure user groups for the conditional access policy

You target conditional access policies to different groups of users depending on the policy types. These groups contain the users that will be targeted by, or exempt from, the policy. When a user is targeted by a policy, each device they use must be compliant in order to access email.

For the Exchange on-premises policy – You specify Intune user groups. You can configure Intune user groups in the Groups workspace of the Intune console.

You can specify two group types in each policy:

- Targeted groups – User groups to which the policy is applied
- Exempted groups – User groups that are exempt from the policy (optional)

If a user is in both groups, they will be exempt from the policy.

Only the groups which are targeted by the conditional access policy are evaluated for Exchange access.

Step 5: Configure the conditional access policy for Exchange on-premises. The following flow is used by conditional access policies for Exchange on-premises environment to

evaluate whether to allow or block devices.

1. In the Microsoft Intune administration console, choose Policy > Conditional Access > Exchange

On-premises Policy.

Page 18: Protect Company Data and Emails on Mobile Devices with ... · PDF fileProtect Company Data and Emails on Mobile Devices with Intune More and more, companies are allowing employees

2. Configure the policy with the settings you require:

Setting More information

Block email apps from accessing Exchange On-premises if the device is noncompliant or not enrolled to Microsoft Intune

When you select this option, devices that are not managed by Intune or are not compliant with a compliance policy that was deployed to them are blocked from accessing Exchange services unless they have been defined as exempt.

Default rule override - Always allow enrolled and compliant devices to access Exchange

When you check this option, devices that are enrolled in Intune and compliant with the compliance policies are allowed to access Exchange. This rule overrides the Default Rule, which means that even if you set the Default Rule to quarantine or block access, enrolled and compliant devices will still be able to access Exchange.

Setting: Targeted Groups
More information: Select the Intune user groups that must enroll their device with Intune before they can access Exchange. These are the groups you configured in Step 4.

Setting: Exempt Groups
More information: Select the Intune user groups that are exempt from the conditional access policy. These are the groups you configured in Step 4. Settings in this list override those in the Targeted Groups list.

Setting: Platform Exceptions
More information: Choose Add Rule to configure a rule that defines access levels for specified mobile device families and models. Because these devices can be of any type, you can also configure device types that are unsupported by Intune.

Setting: Default Rule
More information: For a device that is not covered by any of the other rules, you can choose to allow it to access Exchange, block it, or quarantine it.

When you set the rule to allow access, email access is granted automatically to enrolled and compliant iOS, Windows, and Samsung Knox devices; the end user does not have to go through any process to get their email. On Android devices that are not Knox based, end users will get a quarantine email which includes a guided walkthrough to verify enrollment and compliance before they can access email.

If you set the rule to block access or quarantine, all devices are blocked from accessing Exchange regardless of whether they are already enrolled in Intune or not. To prevent enrolled and compliant devices from being affected by this rule, check the Default Rule Override.

Tip

If your intention is to first block all devices before granting access to email, checking the Block access or Quarantine rule can be useful.

The default rule applies to all device types, so device types you configure as platform exceptions and that are unsupported by Intune are also affected.

Setting: User Notification
More information: In addition to the notification email sent from Exchange, Intune sends an email that you can configure which contains steps to unblock the device. You can edit the default message and use HTML tags to format how the text appears.

Note

Because the Intune notification email containing remediation instructions is delivered to the user's Exchange mailbox, if the user's device gets blocked before they receive the email message, they can use an unblocked device or other method to access Exchange and view the message.

This is especially true when the Default Rule is set to block or quarantine. In this case, the end user will have to go to their app store, download the Microsoft Company Portal app, and enroll their device. This applies to iOS, Windows, and Samsung Knox devices. For Android devices that are not Knox based, the IT admin will need to send the quarantine email to an alternate email account, which the end user then has to copy to their blocked device to complete the enrollment and compliance process.

3. When you are done, choose Save.

You do not have to deploy the conditional access policy; it takes effect immediately.

After a user sets up an Exchange ActiveSync profile, it might take from 1-3 hours for the device to be blocked (if it is not managed by Intune).

If a blocked user then enrolls the device with Intune (or remediates noncompliance), email access will be unblocked within 2 minutes.

If the user un-enrolls from Intune, it might take from 1-3 hours for the device to be blocked.
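The rule precedence described in the settings table above (Exempt Groups over Targeted Groups, the Default Rule Override, Platform Exceptions, and finally the Default Rule) is easy to get wrong when planning a block-first rollout, so here is an added example that models it. This is illustration code written for this page, not Intune or Exchange code: the group names, platform labels and device records are constructed, and the choice to check a Platform Exception before the Default Rule Override is this example's assumption (the page only states that the override beats the Default Rule).

```python
"""Rule precedence for the on-premises Exchange conditional access policy.

Added illustration, not Intune or Exchange code. Order modelled here:
  1. Exempt Groups override Targeted Groups (a user in both is exempt).
  2. Users in no targeted group are not subject to the policy.
  3. A Platform Exception decides for the device families it names
     (assumption: checked before the override, which the page only says
     beats the Default Rule).
  4. Default Rule Override lets enrolled and compliant devices through
     even when the Default Rule is block or quarantine.
  5. The Default Rule covers everything else.
All group names, platforms and devices below are constructed samples.
"""
from dataclasses import dataclass, field

ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"
NOT_APPLICABLE = "policy does not apply"


@dataclass
class Device:
    user: str
    platform: str            # constructed labels such as "iOS", "Blackberry"
    enrolled: bool = False   # enrolled in Intune
    compliant: bool = False  # compliant with the deployed compliance policies


@dataclass
class OnPremPolicy:
    default_rule: str                      # ALLOW, BLOCK or QUARANTINE
    default_rule_override: bool = True
    targeted_groups: set = field(default_factory=set)
    exempt_groups: set = field(default_factory=set)
    # platform family -> rule; may name platforms Intune cannot enroll
    platform_exceptions: dict = field(default_factory=dict)


def evaluate(policy: OnPremPolicy, device: Device, user_groups: set) -> tuple:
    """Return (action, name of the rule that decided) for one user's device."""
    if user_groups & policy.exempt_groups:
        return NOT_APPLICABLE, "Exempt Groups"
    if not (user_groups & policy.targeted_groups):
        return NOT_APPLICABLE, "not in Targeted Groups"
    if device.platform in policy.platform_exceptions:
        return policy.platform_exceptions[device.platform], "Platform Exception"
    if policy.default_rule_override and device.enrolled and device.compliant:
        return ALLOW, "Default Rule Override"
    return policy.default_rule, "Default Rule"


def rollout_check(policy: OnPremPolicy, fleet: list, membership: dict) -> dict:
    """Preview user -> (action, rule) before enabling a block-first policy."""
    return {d.user: evaluate(policy, d, membership.get(d.user, set()))
            for d in fleet}


if __name__ == "__main__":
    # Block-first rollout (the Tip above): Default Rule = block, override on,
    # an unsupported platform quarantined by a Platform Exception.
    policy = OnPremPolicy(default_rule=BLOCK, targeted_groups={"Sales"},
                          exempt_groups={"Executives"},
                          platform_exceptions={"Blackberry": QUARANTINE})
    fleet = [Device("alice", "iOS", enrolled=True, compliant=True),
             Device("bob", "Android"),
             Device("carol", "Blackberry"),
             Device("dave", "iOS", enrolled=True, compliant=True)]
    membership = {"alice": {"Sales"}, "bob": {"Sales"},
                  "carol": {"Sales"}, "dave": {"Sales", "Executives"}}
    for user, (action, rule) in rollout_check(policy, fleet, membership).items():
        print(f"{user:6} -> {action:22} ({rule})")
```

Running the preview against an inventory export before flipping the Default Rule to block is the practical use: it shows which targeted users will see a quarantine email rather than silent access.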

Deployment Steps for using Exchange Online with Intune

Step 1: Create compliance policies and deploy to users.

Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.

1. In the Microsoft Intune administration console, choose Policy > Compliance Policies > Add.

2. On the Create Policy page, configure the settings you require:

Setting name: Name
More information: Enter a unique name for the compliance policy.
Supported platforms: All

Setting name: Description
More information: Provide a description that gives an overview of the compliance policy.
Supported platforms: All

Setting name: Require a password to unlock mobile devices
More information: Require users to enter a password before they can access their device.
Supported platforms: Windows Phone 8 and later; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Minimum password length (1)
More information: Specifies the minimum number of digits or characters that the user's password must contain.
Supported platforms: Windows Phone 8 and later; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Required password type
More information: Specifies whether users must create an Alphanumeric or a Numeric password.
Supported platforms: Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later

Setting name: Minimum number of character sets (1)
More information: If Required password type is set to Alphanumeric, this setting specifies the minimum number of character sets that the password must contain. The four character sets are: lowercase letters, uppercase letters, symbols, and numbers. Setting a higher number for this setting will require users to create more complex passwords. For iOS devices, this setting refers to the number of special characters (for example, !, #, &) that must be included in the password.
Supported platforms: Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later

Setting name: Password quality
More information: Configures password requirements for Android devices. Choose from: Low security biometric, Required, At least numeric, At least alphabetic, At least alphanumeric, Alphanumeric with symbols.
Supported platforms: Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Minutes of inactivity before password is required
More information: Specifies the idle time before the user must re-enter their password.
Supported platforms: Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Password expiration (days)
More information: Select the number of days before the user's password expires and they must create a new one.
Supported platforms: Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Remember password history
More information: Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.
Supported platforms: Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Prevent reuse of previous passwords
More information: If Remember password history is selected, specify the number of previously used passwords that cannot be re-used.
Supported platforms: Windows Phone 8 and later; Windows RT and Windows RT 8.1; Windows 8.1; iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Require a password when the device returns from an idle state
More information: This setting should be used together with the Minutes of inactivity before password is required setting. End users will be prompted to enter a password to access a device that has been inactive for the time specified in the Minutes of inactivity before password is required setting.
Supported platforms: Windows 10 Mobile

Setting name: Require encryption on mobile device
More information: Requires the device to be encrypted in order to connect to resources. Devices that run Windows Phone 8 are automatically encrypted. Important: Devices that run iOS are encrypted when you configure the setting Require a password to unlock mobile devices.
Supported platforms: Windows Phone 8 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Device must not be jailbroken or rooted
More information: If enabled, jailbroken (iOS) or rooted (Android) devices will not be compliant.
Supported platforms: iOS 6 and later; Android 4.0 and later; Samsung KNOX Standard 4.0 and later

Setting name: Email account must be managed by Intune
More information: When this option is selected, the device will be reported as noncompliant if the user has set up an email account on the device that matches an Intune email profile that was deployed to the device by an IT admin. Intune cannot overwrite the user-provisioned profile, and therefore cannot manage it. To ensure compliance, the user must remove the existing email settings; then Intune can install the managed email profile. For details about email profiles, see Configure access to corporate email using email profiles with Microsoft Intune.
Supported platforms: iOS 6 and later

Setting name: Select the email profile that must be managed by Intune
More information: If Email account must be managed by Intune is selected, choose Select to specify the Intune email profile that will manage devices. The Intune email profile must be present on the device.
Supported platforms: iOS 6 and later

Setting name: Require automatic updates
More information: Select Yes to require automatic updates.
Supported platforms: Windows 8.1 and later

Setting name: Require automatic updates – Minimum classification of updates to install automatically
More information: Choose the classification of updates that will be installed automatically: Important (installs all updates classified as important) or Recommended (installs all updates classified as important or recommended).
Supported platforms: Windows 8.1 and later

(1) For devices that run Windows and are secured with a Microsoft Account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than 2.

3. When you are finished, choose Save Policy.

You will be given the option to deploy the policy now, or you can choose to deploy it later. The new policy displays in the Compliance Policies node of the Policy workspace.
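To make the password, encryption and jailbreak settings from the table above concrete, here is an added example that checks a candidate password and a device report against a compliance policy. It is illustration code written for this page, not Intune's compliance engine: the policy defaults, the device report structure and the sample values are constructed. The two page-specific details it encodes are the iOS reading of "Minimum number of character sets" (a count of special characters) and footnote (1) about Windows devices secured with a Microsoft Account.

```python
"""Checking a candidate password and a device report against a compliance
policy. Added example, not Intune code; all values are constructed."""
from dataclasses import dataclass
import string

SYMBOLS = set(string.punctuation)


@dataclass
class CompliancePolicy:
    require_password: bool = True
    min_password_length: int = 6
    required_password_type: str = "Alphanumeric"  # or "Numeric"
    min_character_sets: int = 2                   # on iOS: min special chars
    inactivity_minutes: int = 15
    password_expiration_days: int = 90
    require_encryption: bool = True
    block_jailbroken_or_rooted: bool = True


@dataclass
class DeviceReport:
    """Constructed shape of what a device reports; the real inventory differs."""
    platform: str
    has_password: bool
    inactivity_minutes: int
    password_age_days: int
    encrypted: bool
    jailbroken_or_rooted: bool


def character_sets(password: str) -> int:
    """How many of the four sets (lower, upper, symbols, numbers) appear."""
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c in SYMBOLS for c in password),
                any(c.isdigit() for c in password)])


def password_problems(password: str, policy: CompliancePolicy, platform: str) -> list:
    """Reasons a candidate password would not satisfy the policy (empty = OK)."""
    problems = []
    if len(password) < policy.min_password_length:
        problems.append(f"shorter than {policy.min_password_length} characters")
    if policy.required_password_type == "Numeric":
        if not password.isdigit():
            problems.append("must be numeric")
    elif platform == "iOS":
        # On iOS the setting counts special characters, not character sets.
        if sum(c in SYMBOLS for c in password) < policy.min_character_sets:
            problems.append(f"needs at least {policy.min_character_sets} special characters")
    elif character_sets(password) < policy.min_character_sets:
        problems.append(f"needs at least {policy.min_character_sets} character sets")
    return problems


def device_problems(report: DeviceReport, policy: CompliancePolicy) -> list:
    """Reasons the device would be reported noncompliant (empty = compliant)."""
    problems = []
    if policy.require_password and not report.has_password:
        problems.append("no password set")
    if report.inactivity_minutes > policy.inactivity_minutes:
        problems.append("inactivity timeout too long")
    if report.password_age_days > policy.password_expiration_days:
        problems.append("password expired")
    # Windows Phone 8 is always encrypted; iOS is encrypted once a password
    # is required and set (both statements are from the table above).
    effectively_encrypted = (report.encrypted
                             or report.platform == "Windows Phone 8"
                             or (report.platform == "iOS" and report.has_password))
    if policy.require_encryption and not effectively_encrypted:
        problems.append("device not encrypted")
    if policy.block_jailbroken_or_rooted and report.jailbroken_or_rooted:
        problems.append("device is jailbroken or rooted")
    return problems


def policy_warnings(policy: CompliancePolicy) -> list:
    """Footnote (1): these values break evaluation on Windows devices that are
    secured with a Microsoft Account, so lint the policy before deploying it."""
    warnings = []
    if policy.min_password_length > 8:
        warnings.append("Minimum password length > 8: fails on Microsoft Account Windows devices")
    if policy.min_character_sets > 2:
        warnings.append("Minimum number of character sets > 2: fails on Microsoft Account Windows devices")
    return warnings
```

Run policy_warnings on a policy before choosing Save Policy: a policy that is stricter than footnote (1) allows does not simply fail closed on those Windows devices, it fails to evaluate, which is the kind of gap that only shows up later in the noncompliance filter.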

To deploy the compliance policy

1. In the Policy workspace, select the policy you want to deploy, then choose Manage Deployment.

2. In the Manage Deployment dialog box, select one or more groups to which you want to deploy the policy, then choose Add > OK.

You can deploy to users and/or devices. Use Active Directory groups that you have already created and synced to Intune, or create these groups manually in the Intune console. For more information, see Use groups to manage users and devices with Microsoft Intune.

Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access policy will be targeted to.

Use the status summary and alerts on the Overview page of the Policy workspace to identify issues with the policy that require your attention. Additionally, a status summary appears in the Dashboard workspace.

If you have not deployed a compliance policy and then enable an Exchange conditional access policy, all targeted devices will be allowed access.

View devices that do not conform to a compliance policy

1. In the Intune administration console, choose Groups.

2. Double-click the name of a device in the list of devices.

3. Choose the Policy tab to see a list of the policies for that device.

4. From the Filters drop-down list, select Does not conform to compliance policy.

Important

When conflicts occur due to multiple Intune settings being applied to a device, the following rules apply:

If the conflicting settings are from an Intune configuration policy and a compliance policy, the settings in the compliance policy take precedence over the settings in the configuration policy, even if the settings in the configuration policy are more secure.

If you have deployed multiple compliance policies, the most secure of these policies will be used.
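The two conflict rules above have a consequence worth seeing in code: a stricter configuration policy value is silently not enforced when a compliance policy sets the same setting, while across compliance policies the strictest value wins. The following is an added example, not Intune's policy engine; which direction counts as "more secure" for each setting name is this example's assumption, and the policy contents are constructed.

```python
"""Resolving conflicting Intune settings on one device (added example).

Rule 1: a compliance policy setting beats a configuration policy setting,
        even when the configuration value is stricter.
Rule 2: across several compliance policies, the most secure value of each
        setting is used.
The strictness direction per setting is this example's assumption.
"""

STRICTER_HIGH = {"min_password_length", "min_character_sets", "password_history"}
STRICTER_LOW = {"inactivity_minutes", "password_expiration_days"}
STRICTER_TRUE = {"require_password", "require_encryption", "block_jailbroken_or_rooted"}


def stricter(name, a, b):
    """Return the more secure of two values for one named setting."""
    if name in STRICTER_HIGH:
        return max(a, b)
    if name in STRICTER_LOW:
        return min(a, b)
    if name in STRICTER_TRUE:
        return a or b
    raise ValueError(f"no strictness order defined for {name}")


def merge_compliance_policies(policies: list) -> dict:
    """Rule 2: most secure value of each setting across all deployed policies."""
    merged = {}
    for policy in policies:
        for name, value in policy.items():
            merged[name] = value if name not in merged else stricter(name, merged[name], value)
    return merged


def effective_settings(configuration_policy: dict, compliance_policies: list) -> dict:
    """Rule 1 on top of Rule 2. Returns {setting: (value, source)} and marks
    configuration settings that were stricter but lose to the compliance value,
    which is the gap an admin should know about."""
    compliance = merge_compliance_policies(compliance_policies)
    result = {}
    for name in set(configuration_policy) | set(compliance):
        if name in compliance:
            value, source = compliance[name], "compliance policy"
            if (name in configuration_policy
                    and stricter(name, configuration_policy[name], value) != value):
                source += " (configuration policy was stricter but is not enforced)"
        else:
            value, source = configuration_policy[name], "configuration policy"
        result[name] = (value, source)
    return result


if __name__ == "__main__":
    # Constructed sample: the configuration policy demands 12 characters, but a
    # deployed compliance policy says 6, so 6 is what the device is held to.
    config = {"min_password_length": 12, "password_expiration_days": 30}
    compliance = [{"min_password_length": 6, "inactivity_minutes": 15},
                  {"min_password_length": 8, "inactivity_minutes": 5}]
    for name, (value, source) in sorted(effective_settings(config, compliance).items()):
        print(f"{name:26} = {value!s:5} from {source}")
```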

Step 2: Evaluate the effect of the conditional access policy.

If you have configured a connection between Intune and Exchange by using the Service to Service Connector, you can use the Mobile Device Inventory Reports to identify EAS mail clients that will be blocked from accessing Exchange after you configure the conditional access policy.

To view the status of the connection and the last successful synchronization attempt, in the Microsoft Intune administrator console:

1. In the Microsoft Intune administration console, choose ADMIN, expand Mobile Device Management, and then choose Microsoft Exchange.

2. If there is no Service to Service Connector installed, expand Microsoft Exchange, then choose Set Up Exchange Connection > Set Up Service to Service Connector.

The Service to Service Connector will automatically configure and synchronize with your Hosted Exchange environment.

To view the mobile device inventory report:

1. Choose Reports > Mobile Device Inventory Reports.

2. Select the device groups for which you plan to roll out the conditional access policy, as well as filter by OS status.

3. After you've selected the criteria that meets your organization's needs, choose View Report. The Report Viewer opens in a new window.

For more information about how to run reports, see Understand Microsoft Intune operations by using reports.

After you run the report, examine these four columns to determine whether a user will be blocked:

Management Channel – Indicates whether the device is managed by Intune, Exchange ActiveSync, or both.

AAD Registered – Indicates whether the device is registered with Azure Active Directory (known as Workplace Join).

Compliant – Indicates whether the device is compliant with any compliance policies you deployed.

Exchange ActiveSync ID – iOS and Android devices are required to have their Exchange ActiveSync ID associated with the device registration record in Azure Active Directory. This happens when the user selects the Activate Email link in the quarantine email.

Devices that are part of a targeted group will be blocked from accessing Exchange unless the column values match those listed in the following table:

Management channel: Managed by Microsoft Intune and Exchange ActiveSync
AAD registered: Yes
Compliant: Yes
Exchange ActiveSync ID: A value is displayed
Resulting action: Email access allowed

Management channel: Any other value
AAD registered: No
Compliant: No
Exchange ActiveSync ID: No value is displayed
Resulting action: Email access blocked

You can export the contents of the report and use the Email Address column to help you inform users that they will be blocked.
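Applying the four-column rule from the table above to an exported report is mechanical once the rule is written down, so here is an added example that does it over a constructed CSV export and returns the Email Address values of targeted users who will be blocked. This is illustration code for this page, not Intune's report code: the column names are the ones the page lists, but the export layout, the device names, addresses and the "Managed by ..." labels other than the one in the table are made up.

```python
"""Which targeted users will the Exchange Online policy block? (added example)

Applies the rule from the table above to rows of a Mobile Device Inventory
Report export. The CSV below is constructed; only the column names come
from the page."""
import csv
import io

ALLOWED_CHANNEL = "Managed by Microsoft Intune and Exchange ActiveSync"

# Constructed sample export, not a real report.
SAMPLE_EXPORT = """Device Name,Email Address,Management Channel,AAD Registered,Compliant,Exchange ActiveSync ID
alice-iphone,alice@example.com,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,ABC123
bob-android,bob@example.com,Managed by Exchange ActiveSync,No,No,
carol-iphone,carol@example.com,Managed by Microsoft Intune and Exchange ActiveSync,Yes,No,DEF456
dave-iphone,dave@example.com,Managed by Microsoft Intune and Exchange ActiveSync,Yes,Yes,
erin-wp,erin@example.com,Managed by Microsoft Intune,Yes,Yes,GHI789
"""


def email_allowed(row: dict) -> bool:
    """Only the exact 'allowed' row of the table keeps access: managed by both
    channels, AAD registered, compliant, and an Exchange ActiveSync ID present.
    Any other combination is blocked."""
    return (row["Management Channel"].strip() == ALLOWED_CHANNEL
            and row["AAD Registered"].strip() == "Yes"
            and row["Compliant"].strip() == "Yes"
            and row["Exchange ActiveSync ID"].strip() != "")


def blocked_devices(export_text: str, targeted_users: set) -> list:
    """(device name, email, missing condition) for every targeted device that
    will be blocked; the reason helps the help desk tell users what to fix."""
    out = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["Email Address"].strip().lower()
        if email not in targeted_users or email_allowed(row):
            continue
        if row["Management Channel"].strip() != ALLOWED_CHANNEL:
            why = "not managed by both Intune and Exchange ActiveSync"
        elif row["AAD Registered"].strip() != "Yes":
            why = "not registered in Azure AD"
        elif row["Compliant"].strip() != "Yes":
            why = "noncompliant"
        else:
            why = "no Exchange ActiveSync ID (Activate Email not completed)"
        out.append((row["Device Name"].strip(), email, why))
    return out


def users_to_notify(export_text: str, targeted_users: set) -> list:
    """Sorted, unique Email Address values to warn before enabling the policy."""
    return sorted({email for _, email, _ in blocked_devices(export_text, targeted_users)})


if __name__ == "__main__":
    targeted = {"alice@example.com", "bob@example.com", "carol@example.com",
                "dave@example.com", "erin@example.com"}
    for device, email, why in blocked_devices(SAMPLE_EXPORT, targeted):
        print(f"{device:14} {email:20} {why}")
    print("notify:", users_to_notify(SAMPLE_EXPORT, targeted))
```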

Step 3: Configure user groups for the conditional access policy.

You target conditional access policies to different groups of users depending on the policy types. These groups contain the users that will be targeted by, or exempt from, the policy. When a user is targeted by a policy, each device they use must be compliant in order to access email.

For the Exchange Online policy – You specify Azure Active Directory security user groups. You can configure these groups in the Office 365 admin center, or the Intune console.

You can specify two group types in each policy:

Targeted groups – User groups to which the policy is applied

Exempted groups – User groups that are exempt from the policy (optional)

If a user is in both groups, they will be exempt from the policy.

Only the groups which are targeted by the conditional access policy are evaluated for Exchange access.

Step 4: Configure the conditional access policy for Exchange Online

The following flow is used by conditional access policies for Exchange Online to evaluate whether to allow or block devices.

To access email, the device must:

Enroll with Intune

Register the device in Azure Active Directory (this happens automatically when the device is enrolled with Intune).

The device state is stored in Azure Active Directory, which grants or blocks access to email based on the evaluated conditions.

If a condition is not met, the user will be presented with one of the following messages when they log in:

If the device is not enrolled, or registered in Azure Active Directory, a message is displayed with instructions about how to install the company portal app and enroll.

If the device is not compliant, a message is displayed that directs the user to the Intune web portal where they can find information about the problem and how to remediate it.

The message is displayed on the device for Exchange Online users.

Intune conditional access rules override allow, block, and quarantine rules that are defined in the Exchange Online admin console.

1. In the Intune administration console, choose Policy > Conditional Access > Exchange Online Policy.

2. On the Exchange Online Policy page, select Enable conditional access policy for Exchange Online. If you check this, a device must be compliant. If this is not checked, then conditional access is not applied.

Note

If you have not deployed a compliance policy and then enable the Exchange Online policy, all targeted devices are reported as compliant.

Regardless of the compliance state, all users who are targeted by the policy will be required to enroll their devices with Intune.

3. Under Apps using modern authentication, you can choose to restrict access only to devices that are compliant for each platform. Windows devices must either be domain joined, or be enrolled in Intune and compliant. This article has more detailed information on how modern authentication works.

Note

Using Exchange Online with Configuration Manager and Intune, you can manage not only mobile devices with conditional access, but also desktop computers.

You can set the following requirements:

Devices must be domain joined or compliant. PCs must either be domain joined or compliant with the policies set in Intune. If a PC does not meet either of these requirements, the user is prompted to enroll the device with Intune.

Devices must be domain joined. PCs must be domain joined to access Exchange Online. If a PC is not domain joined, access to email is blocked and the user is prompted to contact the IT admin.

Devices must be compliant. PCs must be enrolled in Intune and compliant. If a PC is not enrolled, a message with instructions on how to enroll is displayed.

4. Under Exchange ActiveSync mail apps, you can choose to block email from accessing Exchange Online if the device is noncompliant, and select whether to allow or block access to email when Intune cannot manage the device.

5. Under Targeted Groups, select the Active Directory security groups of users to which the policy will apply.

Note

For users that are in the Targeted groups, the Intune policies will replace Exchange rules and policies.

Exchange will only enforce Exchange allow, block, and quarantine rules, and Exchange policies, if:

The user is not licensed for Intune.

The user is licensed for Intune, but the user does not belong to any security groups targeted in the conditional access policy.

6. Under Exempted Groups, select the Active Directory security groups of users that are exempt from this policy. If a user is in both the targeted and exempted groups, they will be exempt from the policy and will have access to their email.

7. When you are finished, choose Save.

You do not have to deploy the conditional access policy; it takes effect immediately.

After a user creates an email account, the device is blocked immediately.

If a blocked user enrolls the device with Intune (or remediates noncompliance), email access is unblocked within 2 minutes.

If the user un-enrolls their device, email is blocked after around 6 hours.
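Three statements in Step 4 decide what a given user and device actually experience: the mobile flow at the start of the step (enrolled, registered in Azure Active Directory, compliant, and which message is shown when a condition fails), the PC requirement chosen under Apps using modern authentication, and the note under Targeted Groups about when Exchange's own rules still apply. The added example below encodes those decisions so a help desk can triage a "my email is blocked" call without guessing. It is illustration code for this page, not Intune code: the requirement labels, group names and message strings are this example's, and the outcome for an enrolled but noncompliant PC under "Devices must be compliant" is an assumption taken from the mobile flow, since the page does not spell it out.

```python
"""Exchange Online conditional access: scope and per-device outcome.
Added example, not Intune code. Labels and messages are this example's."""

ENROLL_MSG = "install the Company Portal app and enroll"
REMEDIATE_MSG = "see the Intune web portal for the problem and how to remediate it"
CONTACT_IT_MSG = "access blocked; contact the IT admin"


def policy_scope(licensed: bool, user_groups: set, targeted: set, exempted: set) -> tuple:
    """(applies, reason): does the Intune policy replace Exchange's own rules
    for this user? Exchange rules are enforced only for users who are not
    licensed for Intune or belong to no targeted group; a user in both a
    targeted and an exempted group is exempt."""
    if not licensed:
        return False, "not licensed for Intune: Exchange rules apply"
    if user_groups & exempted:
        return False, "in an exempted group: policy does not apply"
    if not user_groups & targeted:
        return False, "in no targeted group: Exchange rules apply"
    return True, "targeted: Intune policy replaces Exchange rules"


def mobile_decision(enrolled: bool, aad_registered: bool, compliant: bool) -> tuple:
    """Step 4 flow for a mobile device: ('allow' | 'block', message shown)."""
    if not (enrolled and aad_registered):
        return "block", ENROLL_MSG
    if not compliant:
        return "block", REMEDIATE_MSG
    return "allow", ""


def pc_decision(requirement: str, domain_joined: bool,
                enrolled: bool, compliant: bool) -> tuple:
    """Outcome for a PC under the requirement chosen for modern-auth apps."""
    if requirement == "domain joined or compliant":
        if domain_joined or (enrolled and compliant):
            return "allow", ""
        return "block", ENROLL_MSG          # page: user is prompted to enroll
    if requirement == "domain joined":
        return ("allow", "") if domain_joined else ("block", CONTACT_IT_MSG)
    if requirement == "compliant":
        if not enrolled:
            return "block", ENROLL_MSG      # page: enrollment instructions shown
        # Enrolled but noncompliant: assumed to follow the mobile flow.
        return ("allow", "") if compliant else ("block", REMEDIATE_MSG)
    raise ValueError(f"unknown requirement: {requirement}")


def triage(licensed, user_groups, targeted, exempted, device: dict) -> dict:
    """One call a help desk script could make; device is a constructed dict."""
    applies, reason = policy_scope(licensed, user_groups, targeted, exempted)
    if not applies:
        return {"intune_policy": False, "reason": reason}
    if device["kind"] == "pc":
        action, msg = pc_decision(device["requirement"], device["domain_joined"],
                                  device["enrolled"], device["compliant"])
    else:
        action, msg = mobile_decision(device["enrolled"], device["aad_registered"],
                                      device["compliant"])
    return {"intune_policy": True, "action": action, "message": msg}


if __name__ == "__main__":
    phone = {"kind": "mobile", "enrolled": True, "aad_registered": True, "compliant": False}
    print(triage(True, {"Sales"}, {"Sales"}, {"Executives"}, phone))
    laptop = {"kind": "pc", "requirement": "domain joined", "domain_joined": False,
              "enrolled": True, "compliant": True}
    print(triage(True, {"Sales"}, {"Sales"}, {"Executives"}, laptop))
```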

Reporting

Monitor the compliance and conditional access policies

To view devices that are blocked from Exchange:

1. On the Intune dashboard, choose the Blocked Devices from Exchange tile to show the number of blocked devices and links to more information.

End-user Experience

Following is an overview of the end-user experience after conditional access is enabled and an end user tries to access email on their mobile device.

Windows Phone

1. If a user is already enrolled in Intune and is compliant, they will see no difference on Windows devices; they will continue to get access to email. Users who have not yet enrolled in Intune will receive a quarantine email similar to this sample:

The user chooses Get started now to begin enrolling their device.

Note

The enrollment process and the screens the user sees will be slightly different depending on the version of OS running on the end-user device.

2. On the Company Access Setup screen, the user chooses Begin to start setting up their device and checking whether it is compliant.

3. On the Enroll Your Device screen, the user chooses Confirm Enrollment to start enrolling their device.

During enrollment, the Mobile Device Management profile is installed to allow you, the IT administrator, to remotely manage the device. The user might be prompted to accept a certificate authorizing Workplace Join.

The user signs in using the email address they use with Office. After they are signed in, they might need to choose Confirm Enrollment once more to continue enrolling their device.

4. The device is checked to verify that it is enrolled.

The user then completes the enrollment process by selecting their device and choosing Select. If their device is not displayed, they can select I don't see my device listed to try again.

5. The device is checked to verify that it is compliant with company policies.

If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid password) and then choose Check Compliance to continue.

6. After compliance is verified, the user sees that enrollment is being activated.

7. Enrollment is activated and the user chooses Continue to complete the process…

8. …and the process completes! The user chooses Done to exit setup.

After the user is enrolled and compliance is verified, email access should become available within a few minutes.

If the user follows those steps to enroll and become compliant and still cannot access their email on their mobile device, they can follow these additional steps to try and fix the issue:

First, verify that their device is enrolled. If not, the user follows the steps above.

Verify that the device is compliant by choosing Check Compliance. If a compliance error is identified, the user can follow the instructions specific to their mobile device about how to resolve it, such as resetting their password.

Call the help desk.

If a device becomes noncompliant

Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was previously compliant is later deemed to be noncompliant (for example, a compliance policy was added or changed), the user can follow these steps to get their device back in compliance:

1. The user receives notification in email or on their device that the device is noncompliant. At this time, the device is quarantined in Exchange.

2. If the user tries to access email, they are redirected back to the Company Access Setup screen from the Intune Company Portal, where it shows that they are out of compliance.

3. The user chooses Continue and is shown the compliance issue that is preventing them from accessing email.

4. After they have fixed the issue, they choose Check Compliance to verify that the problem is resolved.

5. If the issue is fixed, the user chooses Continue to complete the process. Email access should become available again within a few minutes.

iOS

1. If a user is already enrolled in Intune and is compliant, they will see no difference on iOS devices; they will continue to get access to email. If the user is not yet enrolled, they will see a quarantine message similar to this when they launch their mail app:

Note

The enrollment process and the screens the user sees will be slightly different depending on the version of OS running on the end-user device.

The user chooses Get started now to begin enrolling their device.

2. The user is prompted to install the Intune Company Portal app from the respective app store. After it installs, the user opens the app and signs in using their company credentials.

3. On the Company Access Setup screen, the user chooses Begin to start setting up their device and checking whether it is compliant.

4. On the Device Enrollment screen, the user chooses Enroll to start enrolling their device.

During enrollment, the Mobile Device Management profile is installed to allow you, the IT administrator, to remotely manage the device. The user enters their password if prompted.

5. On the Company Access Setup screen, the user chooses Continue to start checking compliance on the device.

If there is a compliance issue, the user is prompted to resolve the issue (such as by creating a valid password) and then choose Check Compliance to continue.

After the device is fully compliant, the user chooses Continue to proceed.

After the user is enrolled and compliance is verified, email access should become available within a few minutes.

If the user follows those steps to enroll and become compliant and still cannot access their email on their mobile device, they can follow these additional steps to try and fix the issue:

First, verify that their device is enrolled. If not, the user follows the steps above.

Verify that the device is compliant by choosing Check Compliance. If a compliance error is identified, the user can follow the instructions specific to their mobile device about how to resolve it, such as resetting their password.

Call the help desk.

If a device becomes noncompliant

Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was previously compliant is later deemed to be noncompliant (for example, a compliance policy was added or changed), the user can follow these steps to get their device back in compliance:

1. The user receives notification in email or on their device that the device is noncompliant. At this time, the device is quarantined in Exchange.

2. If the user tries to access email, they are redirected back to the Company Access Setup screen from the Intune Company Portal, where it shows that they are out of compliance.

3. The user chooses Continue and is shown the compliance issue that is preventing them from accessing email.

4. After they have fixed the issue, they choose Check Compliance to verify that the problem is resolved.

5. If the issue is fixed, the user chooses Continue to complete the process. Email access should become available again within a few minutes.

Android

Note

The enrollment process and the screens the user sees will be slightly different depending on the

version of OS running on the end-user device.

Page 48: Protect Company Data and Emails on Mobile Devices with ... · PDF fileProtect Company Data and Emails on Mobile Devices with Intune More and more, companies are allowing employees

1. When they try to access email, the user first receives a quarantine email similar to this sample:

The user chooses Get started now to begin enrolling their device.

2. The user is prompted to install the Intune Company Portal app from the respective app store.

After it installs, the user opens the app and signs in using their company credentials.

Note

If a user has not set a default browser for their device, they will be prompted during device

enrollment and during enrollment activation to allow a link to open a browser window. When

prompted, they must select the same browser each time or the enrollment process will fail.

Page 49: Protect Company Data and Emails on Mobile Devices with ... · PDF fileProtect Company Data and Emails on Mobile Devices with Intune More and more, companies are allowing employees

3. On the Company Access Setup screen, the user chooses Begin to start setting up their device

and checking whether it is compliant.

Page 50: Protect Company Data and Emails on Mobile Devices with ... · PDF fileProtect Company Data and Emails on Mobile Devices with Intune More and more, companies are allowing employees

4. On the Device Enrollment screen, the user chooses Enroll to start enrolling their device.

Page 51: Protect Company Data and Emails on Mobile Devices with ... · PDF fileProtect Company Data and Emails on Mobile Devices with Intune More and more, companies are allowing employees

5. Users must activate the device administrator (the Android device administrator permission that the Company Portal requests) by choosing Activate when prompted, or the device enrollment procedure will cancel.

Device enrollment begins. Depending on the device, a certificate installation prompt or a Samsung KNOX Privacy Policy prompt might appear during enrollment. These are necessary to allow you, the IT administrator, to remotely manage the device. The device is enrolled to Intune and establishes a device identity with Azure Active Directory.

6. After enrollment is completed successfully, the user chooses Continue to start checking compliance on the device.


If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid password) and then chooses Check Compliance to continue.

7. After the device is fully compliant, the user chooses Continue to initiate enrollment activation. This links the Azure AD device identity created during enrollment to the Exchange ActiveSync (EAS) device ID that Exchange assigned to the mail client; it is this link that lets conditional access recognize the mail client's requests as coming from a managed, compliant device.

Note

On Android, the default browser will appear for a few seconds during enrollment activation. If the user has not already selected a default browser, they are prompted to choose a browser. While completing Company Access Setup, the same browser must be selected by the user whenever prompted.


8. Enrollment activation will complete and the user chooses Done to exit the enrollment and compliance verification process.

After the user is enrolled and compliance is verified, email access should become available within a few minutes.


If the user follows those steps to enroll and become compliant and still cannot access their email on their mobile device, they can follow these additional steps to try to fix the issue:

1. Verify that the device is enrolled. If it is not, the user follows the steps above.

2. Verify that the device is compliant by choosing Check Compliance. If a compliance error is identified, the user can follow the instructions specific to their mobile device about how to resolve it, such as resetting their password.

3. Call the help desk.

If a device becomes noncompliant

Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was previously compliant is later deemed to be noncompliant (for example, because a compliance policy was added or changed, or because the device no longer meets an existing policy), the user can follow these steps to get their device back in compliance:

1. The user receives notification in email or on their device that the device is noncompliant. At this time, the device is quarantined in Exchange.

2. When the user tries to access email, they see a quarantine email informing them that compliance issues must be fixed before they can get access. When the user selects the hyperlink in the quarantine email, it redirects them to the Company Access Setup screen in the Intune Company Portal (via the default browser and Google Play), where it shows that the device is not compliant.


3. The user chooses Continue and is shown the compliance issue that is preventing them from accessing email.

4. After they have fixed the issue, they choose Check Compliance to verify that the problem is resolved.

5. If the issue is fixed, the user chooses Continue to complete the process. Email access should become available again within a few minutes.
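Both the troubleshooting list above (its last step is to call the help desk) and the noncompliance procedure depend on Exchange having placed the device in quarantine. The help desk can confirm that state, and the reason Exchange recorded for it, from the server side rather than taking the user's description of the quarantine email at face value. The following script is an added example written for this page; it is not part of the Intune guide. It assumes an Exchange Online PowerShell session (the ExchangeOnlineManagement module, connected with Connect-ExchangeOnline) or an on-premises Exchange Management Shell, and it uses the standard Get-MobileDevice and Get-MobileDeviceStatistics cmdlets. The mailbox address is a placeholder.

```powershell
# Added example, not from the Intune guide: list every Exchange ActiveSync
# partnership for one mailbox together with the access decision Exchange is
# currently enforcing for it. Run inside an Exchange Online PowerShell session
# (Connect-ExchangeOnline) or the on-premises Exchange Management Shell.
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox   # placeholder, e.g. 'user@contoso.com'
)

# Each mail client that has synced the mailbox is a MobileDevice object keyed
# by the EAS device ID Exchange assigned to that client. This is the ID that
# enrollment activation links to the Azure AD device identity.
$devices = Get-MobileDevice -Mailbox $Mailbox

if (-not $devices) {
    Write-Output "No Exchange ActiveSync partnerships found for $Mailbox."
    return
}

foreach ($device in $devices) {
    # The statistics object carries the current access state, the reason
    # Exchange recorded for it, and the sync timestamps that show whether the
    # client has retried since the user completed Company Access Setup.
    $stats = Get-MobileDeviceStatistics -Identity $device.Identity

    [pscustomobject]@{
        Mailbox         = $Mailbox
        EasDeviceId     = $device.DeviceId
        DeviceType      = $device.DeviceType
        DeviceOS        = $device.DeviceOS
        AccessState     = $stats.DeviceAccessState        # Allowed, Blocked, Quarantined, ...
        AccessReason    = $stats.DeviceAccessStateReason  # what produced that decision
        LastSyncAttempt = $stats.LastSyncAttemptTime
        LastSuccessSync = $stats.LastSuccessSync
    }
}
```

Pipe the output through `Where-Object AccessState -ne 'Allowed'` to see only the partnerships that are still held back. If a device shows as Quarantined while the Intune console reports it as enrolled and compliant, and the last sync attempt is more recent than the user's Check Compliance, the usual cause is that enrollment activation (step 7 above) did not complete, so Exchange has no link between that EAS device ID and the compliant Azure AD device identity; having the user rerun Company Access Setup from the Company Portal repeats that step. A user with several partnerships (old phones, a second mail app) will see one row per client, which is why the EAS device ID, not the device model, is the value to match against what the user is actually holding.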